Index: openacs-4/packages/acs-core-docs/www/install-redhat.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-redhat.html,v diff -u -r1.1.2.7 -r1.1.2.8 --- openacs-4/packages/acs-core-docs/www/install-redhat.html 4 May 2003 06:30:02 -0000 1.1.2.7 +++ openacs-4/packages/acs-core-docs/www/install-redhat.html 7 May 2003 17:40:58 -0000 1.1.2.8 @@ -1,5 +1,5 @@ -Appendix�A.�Install Red Hat 8.0

Appendix�A.�Install Red Hat 8.0

+Appendix�A.�Install Red Hat 8.0

Appendix�A.�Install Red Hat 8.0

by Joel Aufrecht
OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff. @@ -8,38 +8,38 @@ you can reformat and you want to be sure that your installation works and is secure; it should take about an hour. You can skip this section if you already have a machine ready with this - software (see the section called “Individual Programs” for details):

  • libxml2

  • tcl

  • gmake and the compile and build environment.

and these optional items

  • emacs

  • cvs

  • ImageMagick

  • DocBook and supporting software

(In my experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each of these packages installed independently.)

  1. Unplug the network cable from your + software (see Section�, “Individual Programs” for details):

    • libxml2

    • tcl

    • gmake and the compile and build environment.

    and these optional items

    • emacs

    • cvs

    • ImageMagick

    • DocBook and supporting software

    (In my experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each of these packages installed independently.)

    1. Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + (Wherever you see the word secure, you should always read it as, "secure enough for our purposes, given the amount of work we're willing to exert and the estimated risk and consequences.")

    2. Insert Red Hat 8.0 Disk 1 into the CD-ROM and reboot the computer

    3. At the - boot: + boot: prompt, press Enter for a graphical install. The text install is fairly different, so if you need to do that instead proceed with caution, because the guide won't match the steps.

    4. Checking the media is probably a waste of time, so when it asks press Tab and - then Enter to skip it.

    5. After the graphical introduction page loads, click Next

    6. Choose the language you want to use and then click -Next -

    7. Select the keyboard layout you will use and Click Next

    8. Choose your mouse type and Click Next

    9. Red Hat has several templates for new + then Enter to skip it.

    10. After the graphical introduction page loads, click Next

    11. Choose the language you want to use and then click +Next +

    12. Select the keyboard layout you will use and Click Next

    13. Choose your mouse type and Click Next

    14. Red Hat has several templates for new computers. We'll start with the "Server" template and then fine-tune it during the rest of the install. Choose - Server + Server and click - Next.

    15. Reformat the hard drive. If you know what you're doing, + Next.

    16. Reformat the hard drive. If you know what you're doing, do this step on your own. Otherwise: we're going to let the installer wipe out the everything on the main hard drive and then arrange things to - its liking.

      1. Choose Automatically Partition - and click Next

      2. Uncheck -Review (and modify if needed) the partitions created and click Next

      3. On the pop-up window asking "Are you sure + its liking.

        1. Choose Automatically Partition + and click Next

        2. Uncheck +Review (and modify if needed) the partitions created and click Next

        3. On the pop-up window asking "Are you sure you want to do this?" click - Yes - IF YOU ARE WIPING YOUR HARD DRIVE.

        4. Click Next on the boot loader screen

      4. Configure Networking. + Yes + IF YOU ARE WIPING YOUR HARD DRIVE.

      5. Click Next on the boot loader screen

    17. Configure Networking. Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.

      1. DHCP is a system by which a computer that @@ -48,31 +48,31 @@ IP address (if it doesn't, it will be tricky to access the OpenACS service from the outside world), we're going to set up that address. If you don't know your netmask, 255.255.255.0 is usually a pretty safe -guess. Click Edit, uncheck Configure using DHCP -and type in your IP and netmask. Click Ok.

      2. Type in your host -name, gateway, and DNS server(s). Then click Next.

      3. We're going to use the firewall template for high +guess. Click Edit, uncheck Configure using DHCP +and type in your IP and netmask. Click Ok.

      4. Type in your host +name, gateway, and DNS server(s). Then click Next.

      5. We're going to use the firewall template for high security, meaning that we'll block almost all incoming traffic. Then we'll add a few holes to the firewall for services which we need and -know are secure. Choose High +know are secure. Choose High security level. Check -WWW, -SSH, and -Mail (SMTP). In the Other ports -box, enter 443, 8000, 8443. Click -Next. -Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

    18. Select any additional languages you want the +WWW, +SSH, and +Mail (SMTP). In the Other ports +box, enter 443, 8000, 8443. Click +Next. +Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

  2. Select any additional languages you want the computer to support and then click - Next

  3. Choose your time zone and click Next.

  4. Type in a root + Next

  5. Choose your time zone and click Next.

  6. Type in a root password, twice. To improve security, we're going to prevent anyone from connecting to the computer directly as root. Instead, we'll create a different user, called - remadmin, used solely to + remadmin, used solely to connect to the computer for administration. Click -Add -and enter username remadmin and a password, -twice, then click OK. Then click -Next.

  7. On the Package selection page, we're going to +Add +and enter username remadmin and a password, +twice, then click OK. Then click +Next.

  8. On the Package selection page, we're going to uncheck a lot of packages that install software we don't need, and add packages that have stuff we do need. You should install everything we're installing here or the guide may not work for you; you can @@ -81,82 +81,82 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -

    check�Editors�(this�installs�emacs),
    -click�Details�next�to�Text-based�Internet,�check�lynx,�and�click�OK;
    -check�Authoring�and�Publishing�(this�installs�docbook),
    -uncheck�Server�Configuration�Tools,
    -uncheck�Web�Server,
    -uncheck�Windows�File�Server,
    -check�Development�Tools�(this�installs�gmake�and�other�build�tools),
    -uncheck�Administration�Tools,�and
    -uncheck�Printing�Support.�

    At the bottom, check Select Individual Packages and click Next

  9. We need to fine-tune the exact list of packages. +

    check�Editors�(this�installs�emacs),
    +click�Details�next�to�Text-based�Internet,�check�lynx,�and�click�OK;
    +check�Authoring�and�Publishing�(this�installs�docbook),
    +uncheck�Server�Configuration�Tools,
    +uncheck�Web�Server,
    +uncheck�Windows�File�Server,
    +check�Development�Tools�(this�installs�gmake�and�other�build�tools),
    +uncheck�Administration�Tools,�and
    +uncheck�Printing�Support.�

    At the bottom, check Select Individual Packages and click Next

  10. We need to fine-tune the exact list of packages. The same rules apply as in the last step - you can add more stuff, but you shouldn't remove anything the guide adds. We're going to go through all the packages in one big list, so select -Flat -View and wait. In a minute, a -list of packages will appear.

    uncheck�apmd�(monitors�power,�not�very�useful�for�servers),�
    -check�ImageMagick�(required�for�the�photo-album�packages,�
    -uncheckisdn4k-utils�(unless�you�are�using�isdn,�this�installs�a�useless�daemon),�
    -check�mutt�(a�mail�program�that�reads�Maildir),
    -uncheck�nfs-utils�(nfs�is�a�major�security�risk),�
    -uncheck�pam-devel�(I�don't�remember�why,�but�we�don't�want�this),�
    -uncheck�portmap,�
    -uncheck�postfix�(this�is�an�MTA,�but�we're�going�to�install�qmail�later),�
    -uncheck�rsh�(rsh�is�a�security�hole),�
    -uncheck�sendmail�(sendmail�is�an�insecure�MTA;�we're�going�to�install�qmail�instead�later),
    -check�tcl�(we�need�tcl),�and�
    -uncheck�xinetd�(xinetd�handles�incoming�tcp�connections.��We'll�install�a�different,�more�secure�program,�ucspi-tcp).
    -Click�Next

  11. Red Hat isn't completely happy with the combination +Flat +View and wait. In a minute, a +list of packages will appear.

    uncheck�apmd�(monitors�power,�not�very�useful�for�servers),�
    +check�ImageMagick�(required�for�the�photo-album�packages,�
    +uncheckisdn4k-utils�(unless�you�are�using�isdn,�this�installs�a�useless�daemon),�
    +check�mutt�(a�mail�program�that�reads�Maildir),
    +uncheck�nfs-utils�(nfs�is�a�major�security�risk),�
    +uncheck�pam-devel�(I�don't�remember�why,�but�we�don't�want�this),�
    +uncheck�portmap,�
    +uncheck�postfix�(this�is�an�MTA,�but�we're�going�to�install�qmail�later),�
    +uncheck�rsh�(rsh�is�a�security�hole),�
    +uncheck�sendmail�(sendmail�is�an�insecure�MTA;�we're�going�to�install�qmail�instead�later),
    +check�tcl�(we�need�tcl),�and�
    +uncheck�xinetd�(xinetd�handles�incoming�tcp�connections.��We'll�install�a�different,�more�secure�program,�ucspi-tcp).
    +Click�Next

  12. Red Hat isn't completely happy with the combination of packages we've selected, and wants to satisfy some dependencies. Don't let it. On the next screen, choose -Ignore Package -Dependencies and click -Next. +Ignore Package +Dependencies and click +Next.

  13. Click - Next + Next to start the copying of files.

  14. Wait. Insert Disk 2 when asked.

  15. Wait. Insert Disk 3 when asked.

  16. If you know how to use it, create a boot disk. Since you can also boot into recovery mode with the Install CDs, this is less useful than it used to be, and we - won't bother. Select No,I do not want to create a boot disk and click Next.

  17. Click Exit, remove the CD, and watch the + won't bother. Select No,I do not want to create a boot disk and click Next.

  18. Click Exit, remove the CD, and watch the computer reboot.

  19. After it finishes rebooting and shows the login - prompt, log in:

    yourserver login: root
    +	  prompt, log in:

    yourserver login: root
     Password:
    -[root@yourserver root]#
  20. Lock down SSH

    1. +[root@yourserver root]#

    2. Lock down SSH

      1. SSH is the protocol we use to connect securely to the computer (replacing telnet, which is insecure). sshd is the daemon that listens for incoming ssh connections. As a security precaution, we are now going to tell ssh not to allow anyone to connect directly to this computer as root. Type this into the shell: -

        emacs /etc/ssh/sshd_config
      2. Search�for�the�word�"root"�by�typing�C-s�(that's�emacs-speak�for�control-s)�and�then�root.���
        -Change�the�line�

        #PermitRootLogin�yes
        �to�
        PermitRootLogin�no
        �and�save�and�exit�by�typing�C-x�C-s�C-x�C-c

      3. Restart sshd so that the change takes effect.
        service sshd restart
    3. Red Hat still installed a few services we -don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service level. We'll use this system for PostGreSQL, but we'll use daemontools to perform a similar function for AOLServer. (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostGreSQL the way it is.)

      [root@yourserver root]# service pcmcia stop
      -[root@yourserver root]# service netfs stop
      -[root@yourserver root]# chkconfig --del pcmcia
      -[root@yourserver root]# chkconfig --del netfs
      +    

      emacs /etc/ssh/sshd_config
    4. Search�for�the�word�"root"�by�typing�C-s�(that's�emacs-speak�for�control-s)�and�then�root.���
      +Change�the�line�

      #PermitRootLogin�yes
      �to�
      PermitRootLogin�no
      �and�save�and�exit�by�typing�C-x�C-s�C-x�C-c

    5. Restart sshd so that the change takes effect.
      service sshd restart
  21. Red Hat still installed a few services we +don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service level. We'll use this system for PostGreSQL, but we'll use daemontools to perform a similar function for AOLServer. (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostGreSQL the way it is.)

    [root@yourserver root]# service pcmcia stop
    +[root@yourserver root]# service netfs stop
    +[root@yourserver root]# chkconfig --del pcmcia
    +[root@yourserver root]# chkconfig --del netfs
     [root@yourserver root]#
    -
    service pcmcia stop
    +
    service pcmcia stop
     service netfs stop
     chkconfig --del pcmcia
    -chkconfig --del netfs
  22. Plug in the network cable.

  23. Verify that you have connectivity by going to another +chkconfig --del netfs

  24. Plug in the network cable.

  25. Verify that you have connectivity by going to another computer and ssh'ing to - yourserver, logging in as - remadmin, and promoting yourself to root:

    [joeuser@someotherserver]$  ssh remadmin@yourserver.test
    +          yourserver, logging in as
    +          remadmin, and promoting yourself to root:

    [joeuser@someotherserver]$  ssh remadmin@yourserver.test
     The authenticity of host 'yourserver.test (1.2.3.4)' can't be established.
     DSA key fingerprint is 10:b9:b6:10:79:46:14:c8:2d:65:ae:c1:61:4b:a5:a5.
    -Are you sure you want to continue connecting (yes/no)? yes
    +Are you sure you want to continue connecting (yes/no)? yes
     Warning: Permanently added 'yourserver.test (1.2.3.4)' (DSA) to the list of known hosts.
     Password:
     Last login: Mon Mar  3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com
    -[remadmin@yourserver remadmin]$ su -
    +[remadmin@yourserver remadmin]$ su -
     Password: 
     [root@yourserver root]#
  26. Upgrade the kernel to fix a security hole. The default Red Hat 8.0 system kernel (2.4.18-14, which you can check - with uname -a) has several security problems. Download the new kernel, install it, and reboot.

    [root@yourserver root]# cd /tmp
    -[root@yourserver tmp]# wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
    +          with uname -a) has several security problems.  Download the new kernel, install it, and reboot.

    [root@yourserver root]# cd /tmp
    +[root@yourserver tmp]# wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
     --20:39:00--  http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
                => `kernel-2.4.18-27.7.x.i686.rpm'
     Resolving updates.redhat.com... done.
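Review bot: In hunk @@ -8,38 +8,38 @@, the regenerated cross-reference on the added line renders as "see Section , “Individual Programs” for details" with an empty section number, where the removed line read "see the section called “Individual Programs”". Either the xref target lacks a number in this build or the stylesheet needs a label-only form; as committed, the reader sees a dangling "Section ,". Suggest restoring the "the section called" form until the numbered reference resolves.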
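Review bot: In hunk @@ -48,31 +48,31 @@, the firewall step opens "443, 8000, 8443" in the Other ports box on a machine that the same hunk describes as "directly connected to the internet with a dedicated IP address", while the preceding sentence promises holes only "for services which we need and know are secure". Ports 8000 and 8443 are explained as "http and https access to the development server we'll be setting up", so the text should say whether that development instance is meant to be reachable from the whole internet and, if not, tell the reader to leave those two ports out of the firewall until the server is ready or restrict them to trusted source addresses.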
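Review bot: In hunk @@ -81,82 +81,82 @@, the kernel download line "wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm" fetches from the 7.1 errata tree although this appendix installs Red Hat 8.0 (the text itself cites the 8.0 default kernel 2.4.18-14); please confirm this is the correct errata package for 8.0 and fix the path if not. Three smaller points in the same hunk: the sentence "use chkconfig to automatically edit the System V init directories to permanently (The System V init directories ..." never says what chkconfig does permanently (presumably "to permanently remove the services from the boot sequence"); "check ImageMagick (required for the photo-album packages," has no closing parenthesis and "uncheckisdn4k-utils" is missing a space; and the ssh transcript answers "yes" to "Are you sure you want to continue connecting (yes/no)?" without telling the reader to compare the shown DSA fingerprint with the one on the server console first (for example via `ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub` while still logged in locally), which is the only point at which a wrong host key can be caught.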
    @@ -168,17 +168,17 @@
     
     20:41:39 (78.38 KB/s) - `kernel-2.4.18-27.7.x.i686.rpm' saved [12736430/12736430]
     
    -root@yourserver tmp]# rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm
    +root@yourserver tmp]# rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm
     warning: kernel-2.4.18-27.7.x.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e
     Preparing...                ########################################### [100%]
        1:kernel                 ########################################### [100%]
    -[root@yourserver tmp]# reboot
    +[root@yourserver tmp]# reboot
     
     Broadcast message from root (pts/0) (Sat May  3 20:46:39 2003):
     
     The system is going down for reboot NOW!
     [root@yourserver tmp]#
    -
    cd /tmp
    +
    cd /tmp
     wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
     rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm
    -reboot
View comments on this page at openacs.org
+reboot
View comments on this page at openacs.org
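Review bot: In hunk @@ -168,17 +168,17 @@, the rpm output "warning: kernel-2.4.18-27.7.x.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e" shows that the kernel package was installed with its signature unverified, because the signing key was never imported; since the file was fetched over plain http, the guide should add a step to import Red Hat's package-signing key (shipped on the install media) with `rpm --import` and to run `rpm --checksig` on the downloaded file before `rpm -Uvh`, and should tell the reader not to proceed if the check does not report a good signature. Minor: the prompt on the added and removed lines reads "root@yourserver tmp]#" and is missing its opening "[", unlike the other prompts in the transcript.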