
Installation of Red Hat Linux 7.2
These instructions can be used to install and configure Red Hat Linux 7.2 on a typical PC. They may need to be tweaked slightly, depending on the exact configuration of your PC.

1. Install Linux
   A. Turn on computer and quickly insert disk 1 of Red Hat Linux 7.2
   B. If system fails to boot Linux, insert boot disk into floppy drive and restart
   C. At the boot prompt, press the 'Enter' key
   D. Initial Selections
      1. Language Selection: English
      2. Keyboard Configuration:
         a. Model: Generic 104-key PC
         b. Layout: U.S. English
         c. Dead Keys: Disable dead keys
      3. Mouse Configuration:
         a. Microsoft: IntelliMouse (PS/2)
         b. Uncheck 'Emulate 3 Buttons'
   E. Welcome to Red Hat Linux, click Next
   F. Install Options, choose Install: Custom
   G. Disk Partitioning
      1. Choose Manually partition with Disk Druid for easy partitioning, or choose Manually partition with fdisk [experts only] for full control over the partition layout
      2. Create the following partitions (sizes suggested):
         1. /boot 64MB (only if your computer is pre-1999)
         2. swap 1024MB (or twice RAM size)
         3. / 8192MB
         4. /home 8192MB
         5. /scratch 1MB and Click 'Fill to maximum allowable size'
      3. Accept defaults if satisfied with mount points, filesystem types, and formatting; otherwise, select each partition and click Edit
      Note: Only 4 primary partitions are allowed. One of these may be an extended partition, which can contain up to 12 logical partitions. Some older BIOS limitations require that the Linux /boot directory be contained in its own partition which does not extend beyond cylinder 1024. DOS/Windows requires a primary partition from which to boot, and additional drives must be logical partitions.
   A. Boot Loader Installation
      1. Use GRUB as the boot loader
      2. Install Boot Loader record on /dev/hda Master Boot Record (MBR)
      3. Do not enter a GRUB password unless needed
   B. Network Configuration
      1. Uncheck 'Configure using DHCP'
      2. Make the following settings (talk to your network administrator for correct values):
         a. IP address: {ip_address}
         b. Netmask: {subnet_mask}
         c. Network: xxx.xxx.xxx.xxx (Fills in automatically)
         d. Broadcast: xxx.xxx.xxx.xxx (Fills in automatically)
         e. Hostname: {hostname.domain}
         f. Gateway: {gateway_address}
         g. Primary DNS: {dns1_server_address}
         h. Secondary DNS: {dns2_server_address}
   Firewall Configuration
      1. Choose Medium security
      2. Choose Customize and allow incoming SSH and WWW(HTTP); if desired, also allow incoming Telnet and FTP
   Language Support Selection, click Next
   Time Zone Selection
      1. America/Detroit (or your timezone)
      2. Leave 'System Clock uses UTC' unchecked for Linux/Windows dual boot systems
   Account Configuration
      1. Set root password
      2. Add at least one user account
   Authentication Configuration, accept defaults and click Next
   Package Group Selection
      1. Printer Support
      2. Classic X Window System
      3. X Window System
      4. Gnome
      5. KDE
      6. Sound and Multimedia Support
      7. Network Support
      8. Messaging and Web Tools
      9. Graphics and Image Manipulation
      10. Windows File Server (only if you will run samba)
      11. Anonymous FTP Server (not recommended)
      12. Web Server
      13. Authoring/Publishing
      14. Emacs
      15. Utilities
      16. Software Development
   Video Card Configuration, accept default video card or choose one manually
   Preparing to Install. This is the last chance to safely cancel the installation process. Click Next, and wait a very long time while partitions are formatted and packages are installed. Insert disk 2 when prompted and click OK. A log will be written to /tmp/install.log
   Boot Disk Creation. Insert formatted floppy and click Next. Label disk as "Linux 7.2 Boot Disk for {hostname}"
   Monitor Selection and X Configuration
      1. Choose specific monitor, or choose an appropriate Generic Monitor


      2. Adjust synchronization rates as follows
         a. Horizontal sync: 30-64 kHz
         b. Vertical sync: 50-75 Hz
      3. Customize graphics configuration as follows
         a. Color Depth: High Color (16 Bit)
         b. Screen Resolution: 1024x768
         c. Desktop Environment: GNOME (default) or KDE (recommended)
         d. Login Type: Graphical (for use as workstation) or Text (for use as server by experts)
      4. Click 'Test Setting' to test X screen settings
         NOTE: (Control+Alt+Backspace) exits X immediately
      5. Click 'Next'
   L. Congratulations, Linux has been installed! Remove floppy, click Exit, and remove CD-ROM to reboot

2. Verify aspects of the system configuration
   A. Verify the date and time
          $ date
      Adjust the date and time if necessary
          # date MMDDhhmm[YYYY].ss
      Write the new date and time to the system's CMOS clock
          # clock -w
   B. Verify that all of the machine's RAM has been detected
          $ free
      If Linux reports less RAM than is actually installed in your system, follow instructions to specify at boot time the amount of available RAM
   C. Verify that domainname can be determined
          $ hostname -d
      If the domainname is not reported, then edit /etc/hosts so that the fully qualified domain name appears before the hostname
          # cd /etc
          # cp -p hosts hosts.000
          # vi hosts
          127.0.0.1 {hostname.domain} {hostname} localhost.localdomain localhost

3. Install update packages from RedHat
   It is critical that any security related updates be applied to your system. Root access security holes are regularly uncovered, and machines connected to the internet are regularly probed for these weaknesses. It is a certainty that unpatched machines will soon be hacked.
   Option A: Manual download and installation of updates
      1. Visit the Redhat Errata page and determine which updates should be downloaded and applied
             http://www.redhat.com/apps/support/errata/
      2. Check whether or not packages are installed with
             # rpm -qa | grep {package}
      3. Download the appropriate rpm's from Redhat
             ftp://ftp.redhat.com/pub/redhat/linux/updates/
         or from a mirror site
             http://www.redhat.com/download/mirror.html
      4. Install the updates
             # rpm -Fvh {package-version.rpm}
      5. Restart your computer so that new versions of any updated services are restarted
             # /sbin/shutdown -r now
   Option B: Purchase Official Red Hat Update CD-ROM and automatic installation of updates
      1. Order the most recent Update CD from
             http://www.redhat.com/software/linux/updatecd/
      2. Mount the Update CD
             # mount /mnt/cdrom
      3. Run the installation program
             # cd /mnt/cdrom
             # ./install-updates
         Answer 'y' to all prompts
      4. If the update fails during the dependency check, then the missing package(s) must be installed manually with
             # rpm -ivh 7.2/{package}*
         and ./install-updates must be run again
      5. After the update is complete, restart your computer with
             # cd /
             # umount /mnt/cdrom
             # shutdown -r now
      6. Note that the root file system may fail to unmount during shutdown and is therefore automatically checked upon restart; inodes having zero dtime will be deleted. A log of the update may be found in /tmp/update.log, and any error messages or warnings may be found in /tmp/update.err
   Kernel upgrades are more complex, and one should definitely read the instructions in The Official Red Hat Linux Customization Guide. A brief summary of the procedure is given here
      1. Locate your boot floppy disk and verify its operation
      2. Backup the previous /boot directory
             # mkdir /boot.000
             # cd /boot
             # tar cf - . | (cd ../boot.000; tar xvf -)
      3. Note what version of the kernel you are currently running
             # uname -r
      4. Note what current kernel components are installed
             # rpm -qa | grep kernel
      5. Install new versions of the kernel components (only if they were already installed), using -U or --force options if necessary
             # rpm -ivh kernel-{new_version}.i686.rpm
             # rpm -Uvh kernel-headers-{new_version}.i386.rpm
             # rpm -ivh --force kernel-pcmcia-cs-{new_version}.i386.rpm
      6. Verify that symbolic links are correct
             # ls -lF /boot
      7. If you have a SCSI hard disk, verify that a new disk image file was created
             # ls -l /boot/initrd*

      8. If GRUB bootloader is being used, verify and/or edit its configuration file
             # cd /boot/grub
             # cp -p grub.conf grub.conf.000
             # vi grub.conf
      9. If LILO bootloader is being used, verify and/or edit its configuration file, and write changes to hard disk MBR
             # cd /etc
             # cp -p lilo.conf lilo.conf.000
             # vi /etc/lilo.conf
             # /sbin/lilo -v
      10. Reboot
             # /sbin/shutdown -r now
      11. Make a new boot floppy disk
             # uname -r
             # /sbin/mkbootdisk {new_version}

2. Customize Linux

   A. Forward root's email
      It is critical that a human actually read root's email, so that logwatch output, system problems, or security breaches are quickly noted
          # vi /root/.forward
          {joe@university.edu}
   B. Create useful mount points, for example
          # mkdir /mnt/zip
          # mount -t vfat /dev/hdd4 /mnt/zip
          # ls -alF /mnt/zip
          # umount /mnt/zip
      If the following line is added to /etc/fstab
          /dev/hdd4 /mnt/zip vfat noauto,owner 0 0
      then the mount command can be simplified to
          # mount /mnt/zip

2. Turn on desired services
   A. Understand background concepts about access to services
      Access to system services over the network is controlled at multiple levels:
      1. A firewall controls what packets are accepted by the system and which are dropped or rejected. The default firewall is defined in /etc/sysconfig/ipchains, which was created during the Firewall Configuration step of the installation process. The syntax of this file is explained in the ipchains man page and on the many websites devoted to explaining ipchains and firewalls. (Note that the Linux 2.4 kernel in Red Hat Linux 7.2 also supports iptables. You may use only one type of firewall, the older default ipchains or the newer iptables.)
      2. The software for the service must be installed on the system, which can be checked with the command rpm -qa | grep {servicename}. Many services have both client and server rpm's, and it is the server package that must be present.
      3. The service must be started by the system. Some services (apache, ssh, samba, sendmail) are always in memory running as daemons. These may be specified to start at boot time with /sbin/chkconfig {servicename} on|off or controlled manually with /sbin/service {servicename} start|stop. Other services (telnet, ftp, rsh, rexec) are controlled by the xinetd daemon. These may be turned on by editing the appropriate file in /etc/xinetd.d and setting disable=no. Then restart the xinetd daemon with /sbin/service xinetd restart.
      4. Access to services can be restricted to specific IP addresses. This is done most fundamentally in the firewall configuration file, which can be configured to only allow access to certain services (ports) by certain IP address ranges. This can also be done for the xinetd services with the /etc/hosts.allow and /etc/hosts.deny files. (Note that /etc/hosts.allow is processed first, and then /etc/hosts.deny. Thus, it is generally best to allow access to specific services by certain addresses in hosts.allow and then deny all other access in hosts.deny.) Also, some of the services (ssh, sendmail) running as permanent daemons respect /etc/hosts.allow and /etc/hosts.deny. Finally, some services (apache, samba) allow access to be restricted to certain IP addresses through their configuration files.
      When troubleshooting access to services, you need to consider all of the above factors. If access is denied at any level, then the service will appear to fail.
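The firewall level described above can be checked mechanically. The following script is an added example, not part of the original guide: it reads rules in the /etc/sysconfig/ipchains format used on this page, reports telnet and ftp rules that accept from any source (0/0), and prints each one rewritten for the local network. The function names, the host address and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names and all sample
# values are assumptions made for illustration.

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Fails on masks
# whose one-bits are not contiguous.
mask_to_prefix() {
    local oldifs bits partial n octet
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0; partial=0
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) return 1 ;;
        esac
        # After the first octet that is not 255, only zero octets may follow.
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then partial=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# Network address of IP under MASK, the value ipcalc --network computes.
network_of() {
    local oldifs
    oldifs=$IFS; IFS=.; set -- $1 $2; IFS=$oldifs
    [ $# -eq 8 ] || return 1
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Read ipchains rules on stdin. For each input rule that ACCEPTs telnet (23)
# or ftp (21) from any source (0/0), print it rewritten for local network $1.
audit_rules() {
    awk -v net="$1" '
        BEGIN { plain[21] = "ftp"; plain[23] = "telnet" }
        $1 == "-A" && $2 == "input" && $NF == "ACCEPT" {
            src = ""; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-d") port = $(i + 2)   # layout: -d 0/0 PORT
            }
            if (src == "0/0" && (port in plain)) {
                fixed = $0
                sub(/-s 0\/0/, "-s " net, fixed)
                printf "%s: %s\n", plain[port], fixed
            }
        }'
}

# Constructed sample of /etc/sysconfig/ipchains rules (not from a real host).
sample_rules() {
    cat <<'EOF'
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 192.168.10.0/24 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
EOF
}

# Constructed host address and netmask.
ip=192.168.10.37
mask=255.255.255.0
net="$(network_of "$ip" "$mask")/$(mask_to_prefix "$mask")"
echo "local network: $net"
sample_rules | audit_rules "$net"
# Matching tcp_wrappers entry in the net/mask form used on this page.
echo "hosts.allow: in.telnetd in.ftpd: $(network_of "$ip" "$mask")/$mask"
```

Rules that are already limited to a network, and the ssh and http rules, are passed over without a report.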

   B. Telnet
      Telnet is not generally recommended because login information (username and password) and all commands (su and root password) are transmitted as plain text. One should use ssh instead. However, telnet is sometimes used on a secure local network when security is less of a concern. To turn on telnet
          # cd /etc/xinetd.d
          # vi telnet
          disable = no
          # /sbin/service xinetd restart
      If telnet fails, make sure that the ipchains firewall contains a line for service 23 (telnet) like
          -A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
      that the telnet server software is installed
          # rpm -qa | grep telnet-server
      and that either /etc/hosts.deny contains no entries or /etc/hosts.allow permits access by the client
          ALL:{network_address}/{subnet_mask}
      where {network_address} may be calculated from
          $ ipcalc --network {ip_address} {subnet_mask}
   C. Ftp
      Ftp is not generally recommended because login information (username and password) and all files are transmitted as plain text. One should use sftp instead. However, ftp is sometimes used on a secure local network when security is less of a concern. To turn on ftp
          # cd /etc/xinetd.d
          # vi wu-ftp
          disable = no
          # /sbin/service xinetd restart
      If ftp fails, make sure that the ipchains firewall contains a line for service 21 (ftp) like
          -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
      that the ftp server software is installed
          # rpm -qa | grep wu-ftp
      and that either /etc/hosts.deny contains no entries or /etc/hosts.allow permits access by the client
          ALL:{network_address}/{subnet_mask}
      where {network_address} may be calculated from
          $ ipcalc --network {ip_address} {subnet_mask}
   D. Ssh and sftp
      Ssh and sftp are secure shell and file transfer programs. Ssh should be installed by default on Red Hat Linux 7.X systems. However, ssh client software is not part of the typical desktop PC installation (e.g. Microsoft Windows) and must be installed separately as third party software. If ssh fails, make sure that the ipchains firewall contains a line for service 22 (ssh) like
          -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
      that the ssh server software is installed
          # rpm -qa | grep openssh-server
      and that either /etc/hosts.deny contains no entries or /etc/hosts.allow permits access by the client
          ALL:{network_address}/{subnet_mask}
      or
          sshd:ALL
   E. Apache
      The apache web server runs as the "apache" user in Red Hat Linux 7.X. In order for apache to access a user's www files, the user's home directory must be set to mode 711 and the public_html subdirectory must be set to mode 755. Since this is not the default installation, one must become root and do a chmod 711 on all /home/user directories
          # cd /home
          # chmod 711 {user}
      Each user must then create a public_html directory structure
          $ cd ~
          $ mkdir public_html
          $ cd public_html
          $ mkdir cgi-bin
          $ chmod 755 cgi-bin
      Edit the apache configuration file
          # cd /etc/httpd/conf
          # cp -p httpd.conf httpd.conf.000
          # vi httpd.conf
      In the <IfModule mod_userdir.c> section, verify that
          UserDir public_html
      Uncomment the section
          <Directory /home/*/public_html>
          ...
          </Directory>
      Uncomment the line
          AddHandler cgi-script .cgi
      Add the lines
          <Directory /home/*/public_html/cgi-bin>
          Options ExecCGI
          SetHandler cgi-script
          </Directory>
      It is recommended that directory browsing be disabled. Search for and delete any instances of "Indexes" within "Options" statements, which can be located with
          # grep '^[[:space:]]*Options' httpd.conf | grep Indexes
      For example, change
          Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      to
          Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
      Make sure that the /etc/sysconfig/ipchains firewall configuration file contains a line for service 80 (http) like
          -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
      Restart the firewall if ipchains was edited
          # /sbin/service ipchains restart
      Start the apache server
          # /sbin/chkconfig httpd on
          # /sbin/service httpd start
      Note that suexec is turned on by default in Red Hat Linux 7.2. Thus all user cgi scripts run as the user in whose directory they are installed, instead of as the 'apache' user. Suexec imposes many security restrictions upon cgi scripts. Not only must the scripts be nonwritable by others, the directory containing the cgi script must be nonwritable by others, e.g., mode 755. By default, directories are created with mode 775 in Red Hat Linux. Therefore, one must manually do a 'chmod 755' on any directory containing cgi scripts.
      Some administrators prefer to add the apache user to each user's group instead of changing each user's home directory permissions
          # vi /etc/group
          {user}:x:{number}:apache
          # vi /etc/gshadow
          {user}:!::apache
   F. Samba
      Samba permits access to files on the Linux system via Windows networking.
      By default, Red Hat Linux 7.X configures Samba to use "security=user", which requires that a user have a Linux account with the same name as their Windows login name, and "encrypt passwords = yes", which requires that users (or the Linux administrator) maintain a separate samba password list on the Linux machine with the user's Windows password, which is in general different from their Linux password. The following instructions configure Samba to use "security=share", which behaves more like Windows networking and allows users to access any home directories for which they know the password. However, passwords for these shares are maintained separately from the Linux login passwords.
      Edit the samba configuration file
          # cd /etc/samba
          # cp -p smb.conf smb.conf.000
          # vi smb.conf
      In the [global] section
         Set
             workgroup = {workgroup}
             server string = {hostname}
         Comment out
             ; printcap name = /etc/printcap
             ; load printers = yes
         Set
             max log size = 50
         Set
             security = share
         Add
             browseable = yes
             oplocks = no
             level2 oplocks = no
             preserve case = yes
             short preserve case = yes
      In the [homes] section
         Add if not present
             valid users = %S
      Let samba packets across the firewall
          # vi /etc/sysconfig/ipchains
          -A input -s {network address}/{network mask} -d 0/0 137:139 -p tcp -y -j ACCEPT
          -A input -s {network address}/{network mask} -d 0/0 137:139 -p udp -j ACCEPT
      Restart the firewall
          # /sbin/service ipchains restart
      Start the samba server
          # /sbin/chkconfig smb on
          # /sbin/service smb start
      Add the samba share password
          # smbpasswd -a {user}
      Users may now change their password with
          $ smbpasswd
      Browse the samba shares from the Windows "Network Neighborhood". Shares which do not appear may be accessed from Start: Run...: \\{serverhostname}\{sharename}.
      Some administrators prefer to set "encrypt passwords = no", which does not require a separate samba password list to be maintained and allows users to use their Linux passwords to access their files. This configuration is appropriate only for a system which operates on a secure local network, as the password is transmitted as plaintext (like telnet and ftp). To do this, comment out
          ; encrypt passwords = yes
          ; smb passwd file = /etc/samba/smbpasswd
      in smb.conf and restart the samba server. Note that post-Windows 95 machines (Windows 95SE, 98, ME, NT, 2000, XP) must be configured to transmit their passwords as plaintext by modifying their registry as described by the appropriate /usr/share/doc/samba2.2.1a/docs/*PlainPassword.reg file.

   G. Sendmail (not recommended)
      By default, Red Hat Linux 7.1+ configures sendmail to only accept mail from the localhost, which should be fine in almost all cases. Since you probably already have an email account on a centralized server, you do not need to accept email from the outside world on your Linux machine. Do not allow outsiders to access sendmail unless you thoroughly understand how relaying works (which permits massive spamming), are prepared to administer an email system, and are willing to accept responsibility for any spam forwarded by your system!
      If you do need to set up a centralized email server on your system, do the following:
      If necessary, install the sendmail configuration file package from distribution CDROM #1
          # rpm -Uhv /mnt/cdrom/RedHat/RPMS/sendmail-cf-8.11.6-3.i386.rpm
      Edit the sendmail configuration file
          # cd /etc
          # cp -p sendmail.cf sendmail.cf.000
          # cd /etc/mail
          # cp -p sendmail.mc sendmail.mc.000
          # vi sendmail.mc
          dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
          # m4 sendmail.mc >/etc/sendmail.cf
      Allow external access to sendmail
          # cd /etc
          # vi hosts.allow
          sendmail:ALL
          # cd /etc/sysconfig
          # vi ipchains
          -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
          # /sbin/service ipchains restart
      Restart sendmail
          # /sbin/service sendmail restart
   H. Pop3 and imap (not recommended)
      These mail access agents are probably only needed if sendmail has been set to allow access from other computers, i.e., the system is intended to be a mail server from which you will regularly read mail. In general, you will not do this, but would instead simply forward any mail from your Linux account to an existing email account.
          $ cd ~
          $ vi .forward
          {joe@university.edu}
      If you do wish to set up pop3 or other mail retrieval services, do the following:
      Install the imap package from distribution CDROM #2
          # rpm -Uhv /mnt/cdrom/RedHat/RPMS/imap-2000c-15.i386.rpm
      Allow external access to pop3 (and/or pop3s, imap, ...) services
          # cd /etc/xinetd.d
          # vi ipop3
          disable=no
          # /sbin/service xinetd restart
          # cd /etc
          # vi hosts.allow
          ipop3d:ALL

          # cd /etc/sysconfig
          # vi ipchains
          -A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
          -A input -s 0/0 -d 0/0 110 -p udp -j ACCEPT
          # /sbin/service ipchains restart
   I. Remove anonymous ftp access
      Most servers prefer not to provide anonymous ftp service, which would permit anyone to download files from the /var/ftp/pub directory without providing a password. Check whether anonymous ftp is installed with
          $ rpm -qa | grep anonftp
      If so, turn off anonymous access to your Linux machine by adding the following lines to the ftp configuration files
          # cd /etc
          # cp -p ftpaccess ftpaccess.000
          # vi ftpaccess
          #Turn off anonymous ftp
          defaultserver private
          # cp -p ftpusers ftpusers.000
          # vi ftpusers
          anonymous
          ftp
   J. Additional comments about access control files
      1. /etc/sysconfig/ipchains
         The ipchains configuration file defines which IP packets are accepted, rejected, or denied by the Linux machine. It is often preferable to limit accepted packets to the local network, rather than accept them from anywhere. For example, to accept WWW packets from anywhere, but limit telnet packets to being from the local network, one would use
             -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
             -A input -s {network_address}/{subnet_mask} -d 0/0 23 -p tcp -y -j ACCEPT
         where {network_address} may be calculated from
             $ ipcalc --network {ip_address} {subnet_mask}
         {subnet_mask} may also be specified as an integer equalling the number of nonzero bits starting from the left, e.g., 255.255.255.0=24 or 255.255.240.0=20
         After editing /etc/sysconfig/ipchains, restart the ipchains service for the changes to take effect
             # /sbin/service ipchains restart
      2. /etc/xinetd.d
         Filenames in this directory correspond to services that are controlled by the internet services daemon (formerly known as tcp_wrappers). Edit these files to disable (disable = yes) or enable (disable = no) these services. Restart the xinetd daemon for changes to take effect.
             # /sbin/service xinetd restart
         Access to the services is further controlled by the /etc/hosts.allow and /etc/hosts.deny files as described below.
      3. /etc/hosts.allow and /etc/hosts.deny
         These files control what IP addresses are allowed to access various services on the Linux machine. It is best to allow access for various services to some IP numbers, and then to deny all other access. An example of an /etc/hosts.allow entry that permits access to all services from a limited IP address range is
             ALL: {network_address}/{subnet_mask}
         An example of an /etc/hosts.allow entry that permits access to ssh from anywhere is
             sshd: ALL
         Other services controlled by these access files include
             in.telnetd
             in.ftpd
             sendmail
             ipop3d
         If access is permitted to specific services as above, then it is recommended that the /etc/hosts.deny file consist of
             ALL: ALL
         The effect of these entries is immediate, and the xinetd daemon does not need to be restarted after making changes.
         Note that if one properly configures the ipchains firewall, then these access control files are redundant and no changes are needed from the default configuration (empty, which permits access to all services by anyone).

3. Install additional packages and software
   A. f2c
      Obtain f2c-19991109-2.i386.rpm from the Red Hat Linux 7.1 Powertools CD-ROM. (Note that the Powertools CDROM is no longer produced as of Red Hat Linux 7.2, and therefore one must use the 7.1 distribution available from http://www.webmo.net/download/f2c20000510-5.i386.rpm, ftp://ftp.redhat.com/pub/redhat/linux/7.1/en/powertools/i386/RedHat/RPMS/f2c-20000510-5.i386.rpm, or ftp://ftp.rpmfind.net/linux/redhat/7.1/en/powertools/i386/RedHat/RPMS/f2c-20000510-5.i386.rpm.)
          # rpm -Uhv f2c-20000510-5.i386.rpm
   B. g77
      g77 should be installed by default when the Software Development package group was selected during installation. Verify with
          $ rpm -qa | grep g77
      If it is not present, install it from distribution CDROM disk #2
          # rpm -Uhv /mnt/cdrom/RedHat/RPMS/gcc-g77-2.96-98.i386.rpm

4. Install and setup computational chemistry software
   A. Setup scratch directory
          # cd /scratch
          # rm -r lost+found
          # chmod 777 /scratch
          # chmod +t /scratch
   B. Install computational chemistry engines
      Pre-compiled binaries save the time and trouble of downloading and compiling program source code.
      Instructions and precompiled binaries are available for the Linux operating system
      1. MOPAC
         MOPAC 7 pre-compiled binary for Linux
      2. GAMESS
         GAMESS pre-compiled binary for Linux
      Compiling the source code allows software to be installed on a wider array of hardware and operating systems
      1. MOPAC
         MOPAC 7 installation instructions for Linux
         MOPAC 2000 installation instructions for Linux
      2. GAMESS
         GAMESS installation instructions for Linux
      3. Gaussian
         Gaussian 94 installation instructions for Linux
         Portland Group F77 compiler installation instructions for Linux
         Gaussian 98 installation instructions for Linux

Install WebMO
   WebMO installation instructions
