Red Hat 6.1 Installation

Install from CD

This is probably the quickest installation method. If you don't have a CD but have a CD writer, you can grab an image of the Red Hat CD and burn a CD yourself. An image of the Red Hat CD can be found here: ftp://sunsite.doc.ic.ac.uk/packages/linux/redhat/redhat-6.1/iso/6.1-i386.iso

This CD image is bootable so you should be able to pop the CD into the CDROM drive of your PC and start the installation (you may have to check the boot device order in the BIOS of your PC). If you can't boot from your CD, you'll have to create a boot floppy (see below).

Installing from floppy (CD/ftp/NFS/http)

For this method you need a boot floppy. You can create a boot floppy by obtaining one of the following images:
boot.img         Boot image to install from CD (in case you can't boot from your CD)
bootnet.img      Boot image to install via ftp, NFS or HTTP
pcmcia.img       Boot image for laptops installing via ftp, NFS or HTTP (and PCMCIA CDROM drives)
To make a boot floppy from Linux, issue the following command (you will need superuser privileges):

dd if=boot.img of=/dev/fd0 bs=1440k

To make a boot floppy from DOS/Windows get hold of rawwrite.exe from ftp://sunsite.doc.ic.ac.uk/packages/linux/redhat/redhat-6.1/i386/dosutils, run it and follow the prompts.

Installation

Insert the CDROM or floppy disk and switch on your computer. At the LILO prompt, type "text" and hit the RETURN key. Red Hat uses a GUI installer by default, but it's slow and confusing. Text mode is far easier to use (and understand).

Boot Prompt

Follow the prompts (they're all pretty simple). TAB switches between options and RETURN selects the highlighted option.

Language Selection

Keyboard Selection

Installation Method

TCP/IP Configuration

NFS Setup

Welcome Screen

Installation Type

If your hard disk isn't yet formatted...

Disk Partitioning

At this point you will be using Disk Druid - which is horrible. Instead of using Disk Druid, I recommend using fdisk. To use fdisk press CONTROL+ALT+F2. This will give you a console. Now type fdisk /tmp/hda (during installation the device nodes live under /tmp, hence /tmp/hda rather than /dev/hda).

fdisk is fairly easy to use, but you must understand how PC hard disks are partitioned first.

Unix File System Configuration

The Unix file system is like a tree. There's a root file system (/) from which other file systems hang (/home, /var, /usr, /tmp etc...). A PC hard disk can contain a maximum of 4 primary partitions, or 3 primary partitions and an extended partition. An extended partition can then be split into one or more logical partitions. I'm going to give an example here for partitioning a 20 GB IDE/UDMA hard disk drive. The disk drive will be split into a root partition (2 GB), a swap partition (0.25 GB), a scratch partition (2 GB), a /tmp partition (0.25 GB), a /var partition (0.5 GB) and two 7.5 GB partitions which will be shared over NFS as data disks (you could use one of these partitions as /home - but for most HEP system administrators /home will be an NFS mount to a partition on a server elsewhere). Using this structure, we have to create the following:
/tmp/hda1     /                      Primary Partition
/tmp/hda2     swap                   Primary Partition
/tmp/hda3     /scratch               Primary Partition
/tmp/hda4     Extended Partition
/tmp/hda5     /tmp                   Logical Partition
/tmp/hda6     /var                   Logical Partition
/tmp/hda7     /export/data01         Logical Partition
/tmp/hda8     /export/data02         Logical Partition
From fdisk, type m for a list of commands. Generally, the only commands you need to use are m (help), n (add new partition), d (delete partition), t (change the partition type), p (print the partition table), w (write table to disk and exit). Once you have finished partitioning you must change the partition type of the swap file system to "Linux Swap" which is type 82. To do this use the t option, select partition 2 and set this to 82.

Unfortunately, the images below don't match the partitions above - I used VMware to grab the screen shots, which limited the disk images to 2 GB - so the images are just to get you familiar with fdisk. Here we see the creation of 3 partitions:

/tmp/hda1     /                      Primary Partition
/tmp/hda2     swap                   Primary Partition
/tmp/hda3     /export/data01         Primary Partition

Creating Partitions

Selecting the Swap Partition

Now write the table to disk and exit (option w).... and reboot. Go through the above procedures again until you get to the Disk Druid file system configuration screen (again!) and configure the mount points.

Setting up Mount Points with Disk Druid

Formatting the Partitions

LILO is the LInux LOader - here you can specify extra options - usually there are none.

Extra LILO options

Bootloader Location

Here we decide on the label for the default kernel - this is what you type at the LILO boot prompt when you boot the computer after installation - if you don't type anything, the default OS/kernel will be booted. You can have other operating systems listed here (if others are installed) and other kernels too - sometimes it's useful to have a non-SMP (single CPU) kernel for debugging purposes.

Boot labels

Hostname

Mouse Selection

Clock Configuration

Root Password

Creating a default User Account

In this example we're going to configure the authentication to use NIS (Network Information System).

Authentication

Package Selection - Part 1

Package Selection - Part 2

Package Selection - Part 3

Video Card Selection

Bootdisk

Almost ready...

Formatting...

Formatting...

Installing...

Monitor Selection

Screen Configuration

If you don't know the amount of memory on your video card, guess. The installer will usually probe the video card and obtain the information later - this is just a fall back in case the probing doesn't work.

Video Memory

Clockchip Setting

I prefer 16 bit colour - you don't really need any more colours - and X11 works faster at this colour depth. Make sure your monitor can handle these resolutions!

Video Modes

Starting X for the first time

What you see if you've got it right

Automatically Start X at boot time

The configuration file for X11 is /etc/X11/XF86Config - you can edit this by hand if you have problems and feel up to the task.

Information about the configuration

Installation Complete

Now that installation has finished, you can reboot. When you reboot you should see the following screen:

X11 Logon Screen

root logged on using GNOME

Post Installation

Now it's time to do the post installation. At QMW we first edit /etc/fstab - this is the file that contains information about the mounted (and mountable) file systems. It has been edited to look like this:
# device                  mountpoint                filesystemtype  options          dump  fsckorder
/dev/hda1                 /                         ext2            defaults         1       1
/dev/hda2                 swap                      swap            defaults         0       0
/dev/hda3                 /scratch                  ext2            defaults         1       2
/dev/hda5                 /tmp                      ext2            defaults         1       2
/dev/hda6                 /var                      ext2            defaults         1       2
/dev/hda7                 /export/data01            ext2            defaults         1       2
/dev/hda8                 /export/data02            ext2            defaults         1       2
/dev/cdrom                /mnt/cdrom                iso9660         user,noauto,ro   0       0
/dev/fd0                  /mnt/floppy               vfat            user,noauto      0       0
heppcl:/export/department /mnt/linux                nfs             noauto           0       0
none                      /proc                     proc            defaults         0       0
none                      /dev/pts                  devpts          gid=5,mode=620   0       0
The only changes to the original fstab are the file system type for the floppy drive (/dev/fd0) and the addition of an NFS mount point (/mnt/linux), which is an exported file system on an NFS server (heppcl) that contains a post installation script and default configuration files.

Make sure that the mount points (directories) /export/data01, /export/data02 and /mnt/linux exist. If not, create them.

Now mount the NFS file system which was added to /etc/fstab by doing the following:

mount /mnt/linux

The post installation script can now be accessed via /mnt/linux:

$ ls -l /mnt/linux/post-install/rh61
total 22
-rwxr-xr-x   1 root     root         6458 Jan 20 13:52 LAPTOP-RH-QMW.sh*
-rwxr-xr-x   1 root     root        10194 Feb 25 11:41 RH-QMW.sh*
drwxr-xr-x   2 root     root         1024 Nov  5 11:55 bin/
drwxr-xr-x   2 root     root         1024 Nov  4 14:02 config/
drwxr-xr-x   9 root     root         1024 Nov  5 14:07 etc/
drwxr-xr-x   2 root     root         1024 Nov  5 11:39 misc/
drwxr-xr-x   2 root     root         1024 Feb 25 13:46 usr/
So running

/mnt/linux/RH-QMW.sh

starts the post installation. This script was copied from a script originally written by Paul Raines at SLAC.

Run levels and init scripts

Linux uses System V init scripts. For Red Hat Linux, init scripts are stored in the directory
/etc/rc.d/init.d

Run Levels

Red Hat boots into a given run level (the default is configured by the initdefault entry in /etc/inittab). Run level 6 is entered to reboot and run level 0 is entered to halt. Switching between run levels can be done using the init command, e.g. init 3 will switch Linux to run level 3. A run level can also be selected at boot time from the LILO prompt:

LILO: linux 1

will boot Linux into single user mode (assuming you've used linux as the label for the default Linux kernel).

For a machine to boot into X11 (Run Level 5) by default, initdefault looks like the following in /etc/inittab:
id:5:initdefault:

/etc/rc.d/rcX.d

Each run level has a directory under /etc/rc.d which contains symbolic links to init scripts in /etc/rc.d/init.d

Run Level   Description               Script Directory
0           halt                      /etc/rc.d/rc0.d
1           Single user mode          /etc/rc.d/rc1.d
2           Multiuser, without NFS    /etc/rc.d/rc2.d
3           Full multiuser mode       /etc/rc.d/rc3.d
4           unused                    /etc/rc.d/rc4.d
5           X11                       /etc/rc.d/rc5.d
6           reboot                    /etc/rc.d/rc6.d

Scripts that begin with S are executed when entering a run level with "start" as the argument.
Scripts that begin with K are executed when entering a run level with "stop" as the argument.

K scripts are executed first, S scripts last. Here's a directory listing for a typical run level 5 directory:

$ ls -l /etc/rc.d/rc5.d

K10pulse -> ../init.d/pulse
K20rstatd -> ../init.d/rstatd
K20rusersd -> ../init.d/rusersd
K20rwhod -> ../init.d/rwhod
K50snmpd -> ../init.d/snmpd
K55routed -> ../init.d/routed
S05kudzu -> ../init.d/kudzu
S10network -> ../init.d/network
S11portmap -> ../init.d/portmap
S16apmd -> ../init.d/apmd
S20random -> ../init.d/random
S25netfs -> ../init.d/netfs
S30syslog -> ../init.d/syslog
S40atd -> ../init.d/atd
S40crond -> ../init.d/crond
S45pcmcia -> ../init.d/pcmcia
S50inet -> ../init.d/inet
S55named -> ../init.d/named
S55sshd -> ../init.d/sshd
S60lpd -> ../init.d/lpd
S75keytable -> ../init.d/keytable
S85gpm -> ../init.d/gpm
S90vmware -> /etc/rc.d/init.d/vmware
S90xfs -> ../init.d/xfs
S91arla -> ../init.d/arla
S99linuxconf -> ../init.d/linuxconf
S99local -> ../rc.local

Configuring run levels with chkconfig

/sbin/chkconfig is a tool that eases administration by allowing the superuser to create/remove links to init scripts in the /etc/rc.d/rcX.d directories.

Near the top of each init script there's a configuration line which is read by the chkconfig command. e.g. for lpd (line printer daemon):

$ head -7 /etc/rc.d/init.d/lpd

#!/bin/sh
#
# lpd           This shell script takes care of starting and stopping
#               lpd (printer daemon).
#
# chkconfig: 35 60 50
# description: lpd is the print daemon required for lpr to work properly.
The chkconfig entry tells the chkconfig utility to create links to the lpd init script in run levels 3 and 5, with priority 60 for the start up script and priority 50 for the shutdown script (since the scripts are executed in alphabetical order, S60xxx would be executed before S70xxx).

chkconfig --add lpd will create the following symbolic link in /etc/rc.d/rc3.d and /etc/rc.d/rc5.d:

S60lpd -> ../init.d/lpd

and in /etc/rc.d/rc0.d and rc6.d (the K link takes the stop priority, 50, from the header):

K50lpd -> ../init.d/lpd

chkconfig --list lists all of the services which chkconfig knows about, and whether they are stopped or started in each run level. If a service name is specified, information is only displayed about that service. Consult the man page for more information.
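As an added example (not part of the original page, and not chkconfig's own code), the following shell function reads a script's "# chkconfig:" header and prints the S and K links that chkconfig --add would create. The header text is a constructed copy of the lpd header above; the function name is this example's own. It goes a little beyond the text above in that it lists a K link for every run level the service is not started in, which is what chkconfig actually does, rather than only rc0.d and rc6.d.

```shell
#!/bin/sh
# Added example (not from the original page): work out from a script's
# "# chkconfig:" header which rcX.d links "chkconfig --add" will create.
# The header format assumed is the one shown above: "<levels> <start> <stop>".
# Function names and the sample header are this example's own.

# Constructed sample: a copy of the lpd header shown above.
SAMPLE_HEADER=$(cat <<'EOF'
#!/bin/sh
#
# lpd           This shell script takes care of starting and stopping
#               lpd (printer daemon).
#
# chkconfig: 35 60 50
# description: lpd is the print daemon required for lpr to work properly.
EOF
)

# chkconfig_links NAME HEADER: print one "rcN.d/<link>" per line for run
# levels 0-6: S<start>NAME in each level named in the header, K<stop>NAME in
# every other level (chkconfig puts K links in all levels it does not start
# the service in, not only rc0.d and rc6.d). A levels field of "-" means the
# service is never started, so every level gets a K link.
chkconfig_links() {
    name=$1
    header=$2
    # The three fields after "# chkconfig:" become $1 $2 $3.
    set -- $(printf '%s\n' "$header" | sed -n 's/^# chkconfig:[[:space:]]*//p' | head -n 1)
    levels=$1; start=$2; stop=$3
    if [ -z "$levels" ] || [ -z "$start" ] || [ -z "$stop" ]; then
        echo "chkconfig_links: no usable chkconfig header" >&2
        return 1
    fi
    for level in 0 1 2 3 4 5 6; do
        case "$levels" in
            *"$level"*) printf 'rc%s.d/S%s%s\n' "$level" "$start" "$name" ;;
            *)          printf 'rc%s.d/K%s%s\n' "$level" "$stop" "$name" ;;
        esac
    done
}

# Stand-alone run: show the links for the sample lpd header.
chkconfig_links lpd "$SAMPLE_HEADER"
```

Run against a real script with chkconfig_links lpd "$(head -n 7 /etc/rc.d/init.d/lpd)" and compare the output with ls /etc/rc.d/rc*.d/*lpd to confirm the links on disk match the header.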

The Red Hat Package Manager (RPM)

Red Hat packages are installed via RPM. An RPM is basically a collection of files plus shell scripts that are executed before and after the package is installed. e.g. if I wanted to install zsh, I'd look on the Red Hat CDROM for the zsh RPM (package), or copy the zsh RPM from an ftp site containing a Red Hat distribution, and issue the following command:

$ rpm -i zsh-3.0.5-15.i386.rpm

Packages can be removed using the -e option. Here's a list of the most common (and useful) RPM commands:

Command                        Description
rpm -i package.rpm             Installs package
rpm -qa                        List all installed packages
rpm -q package                 See if package is installed
rpm -e package                 Remove package
rpm -qa | grep sh              List installed packages containing the letters "sh"
rpm -F package.rpm             Upgrade an installed package if package.rpm is newer than the installed package
rpm -i --nodeps package.rpm    Install a package without checking for dependencies

Red Hat periodically release updated packages - an easy way to install them is to download the updated packages from an ftp site and copy them to a directory on a shared file system. You can then cd to that directory and upgrade your installed packages with the following (this is done as root using the bash shell):

# freshen every package in the current directory: -F only touches packages
# that are already installed and older than the copy on disk
for file in *.rpm
do
    echo "$file"
    rpm -F --nodeps "$file"
done

NFS

To share a file system over NFS (so that another computer can mount it), the file system has to be exported. In the following example, the directories /export/data01 and /export/data02 will be exported to some other computers. First, you need to edit (or create) the file /etc/exports:
# List of exported file systems
#
/export/data01          hep*.ph.qmw.ac.uk(rw)
/export/data02          hep*.ph.qmw.ac.uk(rw)
This is just a list of file systems and the machines that are allowed to mount those file systems. The NFS package must be installed. For Red Hat 6.1 the following files need to be installed: knfsd-1.4.7-7.i386.rpm and knfsd-clients-1.4.7-7.i386.rpm. They can be installed using the Red Hat Package Manager (see above). Start NFS by issuing /etc/rc.d/init.d/nfs start if it isn't already running (you can check whether it's running by executing /etc/rc.d/init.d/nfs status).

If you decide to make alterations to /etc/exports, you have to tell the NFS daemon to re-read it once you've altered it. This is done using the exportfs command: exportfs -r will re-export all directories listed in /etc/exports.
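The host field in /etc/exports is the only thing standing between an export and every machine that can reach the server, so it is worth checking before running exportfs -r. As an added example (not part of the original page, nor knfsd's own tooling), the shell function below reads an exports file and prints every path that any client could mount. It assumes the syntax shown above, "<path> <host-pattern>(options)", and two facts from exports(5): a host pattern of just "*" matches every client, and options written after a space ("/path (rw)") form an anonymous entry that also matches every client. The sample exports file is constructed (the page's two lines plus two deliberate mistakes) and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): check an /etc/exports file for
# entries that any host may mount. Assumes the exports syntax shown above,
# "<path> <host-pattern>(options) ...", plus two facts from exports(5): a host
# pattern of just "*" matches every client, and options after a space
# ("/path (rw)") apply to an anonymous entry that matches every client.
# Function names and the sample are this example's own.

# Constructed sample: the two exports from the page plus two mistakes to catch.
SAMPLE_EXPORTS=$(cat <<'EOF'
# List of exported file systems
#
/export/data01          hep*.ph.qmw.ac.uk(rw)
/export/data02          hep*.ph.qmw.ac.uk(rw)
/export/scratch         hep*.ph.qmw.ac.uk (rw)
/export/pub             *(ro)
EOF
)

# exports_open: read an exports file on stdin and print each path that is
# reachable from any client, followed by the reason. Prints nothing when
# every export names at least one host pattern and none of them is "*".
exports_open() {
    grep -v '^[[:space:]]*#' | awk '
        NF == 1 { print $1, "no host restriction"; next }
        {
            for (i = 2; i <= NF; i++) {
                host = $i
                sub(/\(.*\)$/, "", host)              # drop the (options) part
                if (host == "")  { print $1, "options after a space apply to every host"; break }
                if (host == "*") { print $1, "host pattern is *"; break }
            }
        }'
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | exports_open
```

On a live server run exports_open < /etc/exports; an empty result is what you want before exportfs -r.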

showmount is another useful command. showmount -e will show the list of exported file systems and showmount -d will list directories mounted by some client.

To mount an exported file system, you have to create a mount point (directory) and then use the mount command to mount it. e.g. the home file system (/home) could be an exported directory on a disk server:

$ mkdir /home
$ mount -t nfs heppcl.ph.qmw.ac.uk:/export/home /home

and you could go one step further and have this done automatically when the system boots by adding an entry to /etc/fstab (see the earlier post-install section).

Inetd

inetd is a daemon that listens for connections on certain internet ports (port numbers and their associated services are listed in /etc/services). When a connection is found on one of its ports, it decides what service the port corresponds to, and invokes a program to service the request. After the program is finished, it continues to listen on the port (except in some cases). Essentially, inetd allows running one daemon to invoke several others, reducing load on the system.

/etc/inetd.conf is a list of services that inetd will respond to - by default /etc/inetd.conf contains lots of services that you don't need. You can reduce your chances of getting hacked by reducing the number of services inetd can respond to. In the past, many Linux systems have been compromised through a bug in the IMAP daemon. In such cases, if inetd had been configured to ignore IMAP requests, the system would (most likely) not have been compromised. Here's a sample inetd.conf file:

#       
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo	stream	tcp	nowait	root	internal
#echo	dgram	udp	wait	root	internal
#discard	stream	tcp	nowait	root	internal
#discard	dgram	udp	wait	root	internal
#daytime	stream	tcp	nowait	root	internal
#daytime	dgram	udp	wait	root	internal
#chargen	stream	tcp	nowait	root	internal
#chargen	dgram	udp	wait	root	internal
#time	stream	tcp	nowait	root	internal
#time	dgram	udp	wait	root	internal
#
# These are standard services.
#
#ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	in.ftpd -l -a
#telnet	stream  tcp 	nowait  root    /usr/sbin/tcpd	in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rshd
login	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rlogind
#exec	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rexecd
#comsat	dgram	udp	wait	root	/usr/sbin/tcpd	in.comsat
#talk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd	in.talkd
#ntalk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd	in.ntalkd
#dtalk	stream	tcp	wait	nobody.tty	/usr/sbin/tcpd	in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd	ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd	ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd	imapd
#
# The Internet UUCP service.
#
#uucp	stream	tcp	nowait	uucp	/usr/sbin/tcpd	/usr/lib/uucp/uucico	-l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.  
#
#tftp	dgram	udp	wait	root	/usr/sbin/tcpd	in.tftpd
#bootps	dgram	udp	wait	root	/usr/sbin/tcpd	bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable 
# some or all of these services to improve security.
#
#finger	stream	tcp	nowait	nobody	/usr/sbin/tcpd	in.fingerd
#cfinger stream	tcp	nowait	root	/usr/sbin/tcpd	in.cfingerd
#systat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/ps	-auwwx
#netstat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/netstat	-f inet
#
# Authentication
#
auth	stream	tcp	wait	root	/usr/sbin/in.identd in.identd -e -o
#
#linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat
# End of inetd.conf
As you can see, all unnecessary services have been commented out (services like ftp, telnet, finger...). Note that shell and login (in.rshd and in.rlogind) are still enabled in this sample; both rely on host-based trust and send everything in the clear, so on a machine that is reachable over ssh (sshd is started from rc5.d above) they can be commented out too.

To get inetd to re-read its configuration file, you should do the following (killall -HUP inetd, as the comment at the top of the file says, does the same thing):

$ ps -A|grep inetd
 511 ?        00:00:00 inetd
$ kill -HUP 511

This is an ideal place to start when tightening up security.
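Once a file like the one above has been trimmed, the quickest check is to list what it still enables rather than read it line by line. The following shell functions are an added example (not part of the original page or of inetd) that do exactly that: one prints every active service with the user it runs as and the program it launches, the other picks out the enabled services that carry passwords in the clear or trust the client host. The sample inetd.conf is a constructed, shortened copy of the one above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): list which services an
# inetd.conf still enables, so a cut-down file can be checked rather than
# eyeballed. Function names and the sample file are this example's own.

# Constructed sample: a shortened copy of the inetd.conf shown above.
SAMPLE_INETD_CONF=$(cat <<'EOF'
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo    stream  tcp  nowait  root   internal
#ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
shell    stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root   /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp  nowait  root   /usr/sbin/tcpd  in.rexecd
#finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
auth     stream  tcp  wait    root   /usr/sbin/in.identd in.identd -e -o
# End of inetd.conf
EOF
)

# inetd_enabled: read an inetd.conf on stdin and print "service user program"
# for every line that is not a comment. Field layout is
# service socket protocol wait/nowait user server-program [args].
inetd_enabled() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 { print $1, $5, $6 }'
}

# inetd_cleartext: from the same input, print only the enabled services that
# carry passwords in the clear or trust the client host (the r-services,
# telnet, ftp, pop and imap). An empty result is what a hardened file gives.
inetd_cleartext() {
    inetd_enabled | awk '$1 ~ /^(shell|login|exec|telnet|ftp|pop-2|pop-3|imap)$/ { print $1 }'
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_enabled
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_cleartext
```

On a real machine run inetd_enabled < /etc/inetd.conf after each edit and then send inetd the HUP as described above; the list it prints is the set of ports the machine will answer on through inetd.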