Installation of Fedora Core 4 for a server

	Recent news WebMO 19.0 is now available for free download! WebMO 19.0 Pro and Enterprise have a variety of additional features and is available for purchase. The WebMO app is now available for iOS and Android.
March 31, 2020

Installation of Fedora Core 4

These instructions can be used to install and configure Fedora Core 4 (as a server) on a typical PC. They may need to be tweaked slightly, depending on the exact configuration of your PC.

Download the Fedora Core 4 distribution from the Fedora Project and burn the iso's to a single DVD or to 4 CD's
Install Linux
1. Turn on computer and quickly insert either cd 1 of Fedora Core 4 or the Fedora Core 4 DVD
2. Workaround: For a 64-bit x86_64 Fedora Core 4 installation, at the boot prompt, type "junk" and the press the 'Enter' key. Otherwise, the installer will crash due to a bug in the version of syslinux used by the installer. This is not a problem for 32-bit Fedora Core 4.
3. At the boot prompt, press the 'Enter' key
4. At the CD Found media test, select 'Skip' unless you're uncertain of the CD
5. At Welcome to Fedora Core, click Next
6. At Language Selection, choose English
7. At Keyboard Configuration, choose U.S. English
8. If Upgrade Examine option comes up, choose 'Install Fedora Core' which will overwrite all contents on the harddisk
9. At Installation Type, choose Custom
10. Disk Partitioning
  1. Choose Manually partition with Disk Druid
  2. A warning may come up on systems with a brand new hard drive asking if Disk Druid should initilize the drive, select yes.
  3. Highlight existing partitions and click 'Delete'; confirm 'Delete'
  4. Create the following partitions (sizes suggested for a single 250 GB disk):
    1. / (from dropdown menu) 20480 MB (20 GB)
    2. swap (under file system type) 1024 MB (or twice RAM size)
    3. /home (from dropdown menu) 102400 MB (100 GB)
    4. /scratch Click 'Fill to maximum allowable size' (about 120 GB)
  5. Accept defaults if satisfied with mount points, filesystem types, and formatting; otherwise, select each partition and click Edit
11. At Boot Loader Configuration, accept the default (use GRUB boot loader)
12. Network Configuration
  1. Select an interface from the list
  2. Click 'Edit'
    1. Uncheck 'Configure using DHCP'
    2. Set the following options: (ask you network adminstrator for correct values)
      
      IP address: {ip_address}
      Netmask: {subnet_mask}
  3. Back on the main network configuration page set the following options:
    1. Hostname: {hostname.domain}
    2. Gateway: {gateway_address}
    3. Primary DNS: {dns1_server_address}
13. Firewall Configuration
  1. Be sure that Enable Firewall is selected
  2. Check Remote Login (SSH) and Web Server (HTTP, HTTPS); if desired, also allow File Transfer (FTP) and Mail Server (SMTP)
  3. IMPORTANT: Set Enable SELinux to Disabled
14. Time Zone Selection
  1. America/Detroit (or your timezone)
  2. Check "System clock uses UTC" to enable proper handling of daylight savings
15. Set Root Password
16. Package Group Selection
  1. Desktop
    1. X Window System
    2. Gnome
    3. KDE
  2. Applications
    1. Editors (Details: Emacs, joe, and vim-enhanced only)
    2. Engineering & scientific
    3. Graphical internet (Details: remove gaim and xchat)
    4. Text-based internet (Details: elinks, fetchmail, lynx, and mutt only)
    5. Office productivity (Details: add xpdf)
    6. Sound & video (Details: add xcdroast)
    7. Authoring and Publishing
    8. Graphics
  3. Servers
    1. Server configuration tools
    2. Web server (Details: add mod_auth_mysql, php-mysql, and php-odbc)
    3. Mail Server (Details: add postfix)
    4. Windows file server
    5. FTP server
    6. MySQL Database (Details: add mod_auth_mysql and php-mysql)
  4. Development
    1. Development tools
    2. Compatibility Arch Development Support
    3. Legacy Software Support
  5. System
    1. Adminstration tools
    2. System tools (Details: add ethereal-gnome, nmap-frontend, rdesktop, tsclient)
    3. Printing support
    4. Compatability Arch Support (this option will only be available when installing a 64 bit computer using the x86_64 distribution of Fedora Core)
17. About to Install. This is the last chance to safely cancel the installation process. Click Next, and wait while partitions are formatted and packages are installed. If installing from CD's, insert disks 2, 3, and 4 when prompted and click OK. A log will be written to /root/install.log and a kickstart file will be written to /root/anaconda_ks.cfg
18. Installing Packages. Wait patiently during formatting and installation
19. Congratulations, the installation is complete. Remove CD/DVD, close the CD tray, and click 'Reboot'
First Boot
1. At Welcome screen, click Next
2. At License Agreement, select 'Yes, I agree...' and click Next
3. At Date and Time, on Network Time Protocol tab, enable Network Time Protocol, enter server name, and click Next
4. At Display, accept defaults and click Next
5. At System User , set up a user account and click Next
6. At Sound card, click Next
7. At Additional CDs, click Next
8. At Finish setup, click Next
Verify aspects of the system configuration
1. Verify the date and time
  $ date
  Adjust the date and time if necessary
  # date MMDDhhmm[YYYY].ss
  Write the new date and time to the system's CMOS clock
  # hwclock --systohc --utc
2. Verify that all of the machine's RAM and swap space has been detected
  $ free
  If Linux reports less RAM than is actually installed your system, follow instructions to specify at boot time the amount of available RAM. If swap space has not been detected, the nakke sure that the label for /etc/fstab for swap is reasonable, and use the mkswap -L command to fix the the label if necessary
3. Verify that domainname can be determined
  $ hostname -d
  If the domainname is not reported, then edit /etc/hosts so that the fully qualified domain name appears before the hostname
  # cd /etc
  # cp -p hosts hosts.000
  # vi hosts
  127.0.0.1 {hostname.domain} {hostname} localhost.localdomain localhost
4. Workaround: On 64-bit systems, insure that /var/log/lastlog is a reasonable size, i.e., not a sparse 1.2 terabyte file!
  # cd /var/log
  # ls -alFh lastlog
  -rw-r--r-- 1 root root 1.2T Sep 25 09:44 lastlog
  # rm lastlog
  # touch lastlog
  # ls -alFh lastlog
  -rw-r--r-- 1 root root 0 Sep 25 09:48 lastlog
Install update packages from RedHat
1. Point to a mirror or local yum repository by editing the files within /etc/yum.repos.d A list of mirrors is available at http://fedora.redhat.com/Download/mirrors.html
  # cd /etc/yum.repos.d
  # cp -p fedora.repo fedora.repo.000
  # cp -p fedora-updates.repo fedora-updates.repo.000
  # cp -p fedora-extras.repo fedora-extras.repo.000
  # vi fedora.repo
  comment out "mirrors" line
  uncomment baseurl line and replace "download.fedora.redhat.com" with a mirror or local site
  # vi fedora-updates.repo
  comment out "mirrors" line; uncomment and edit baseurl line
  # vi fedora-extras.repo
  comment out "mirrors" line; uncomment and edit baseurl line
2. Update packages
  # yum update rpm*
  # yum update yum*
  # yum update kernel*
  Workaround: one must reboot at this point, or subsequent yum updates will not complete properly
  # init 6
  # yum update
  should report "No Packages marked for Update/Obsoletion"
  # yum clean all
Customize Linux
1. Forward root's email
  It is critical that a human actually read root's email, so that logwatch output, system problems, or security breaches are quickly noted
  # vi /root/.forward
  {joe@university.edu}
2. Activate locate database updates
  # cd /etc
  # cp -p updatedb.conf updatedb.conf.000
  # vi updatedb.conf
  Change to
  DAILY_UPDATE=yes
3. Optionally, boot to a text console rather than a graphics console
  # cd /etc
  # cp -p inittab inittab.000
  # vi inittab
  Change to
  id:3:initdefault:
4. Optionally, install additional system level software
  1. Pine mail reader and pico editor
    # mkdir /home/download
    # cd /home/download
    for 32-bit Fedora Core
    # wget http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/fc4/i386/RPMS.dries/pine-4.64-1.2.fc4.rf.i386.rpm
    or for 64-bit Fedora Core
    # wget http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/fc4/x86_64/RPMS.dries/pine-4.64-1.2.fc4.rf.x86_64.rpm
    # rpm -ihv pine*
    # pine
    E
    Q
    Y
Turn on desired services
1. Understand background concepts about access to services
  Access to system services over the network is controlled at multiple levels:
  1. A firewall controls what packets are accepted by the system and which are dropped or rejected. The default firewall rules are defined in /etc/sysconfig/iptables, which is created during the Firewall Configuration step of the installation process. The syntax of this file is explained in the iptables man page and on the many websites devoted to explaining iptables.
  2. The software for the service must be installed on the system, which can be checked with the command "rpm -qa | grep {servicename}". Many services have both client and server rpm's, and it is the server package that must be present.
  3. The service must be started by the system. Some services (apache, ssh, samba, sendmail) are always in memory running as daemons. These may be specified to start at boot time with "/sbin/chkconfig {servicename} on|off" or controlled manually with "/sbin/service {servicename} start|stop". Other services (telnet, ftp, rsh, rexec) are controlled by the xinetd daemon. Install xinetd with "yum install xinetd". Turn on desired services by editing the appropriate file in /etc/xinet.d and setting "disable=no". Then restart the xinetd daemon with "/sbin/service xinetd restart".
  4. Access to individual services can be restricted to specific IP address. This is done most fundamentally in the firewall configuration file, which can be configured to only allow access to certain services (ports) by certain IP address ranges. This can also be done for the xinetd services with the /etc/hosts.allow and /etc/hosts.deny files. (Note that /etc/hosts.allow is processed first, and then /etc/hosts.deny. Thus, it is generally best to allow access to specific services by certain address in hosts.allow and then deny all other access in hosts.deny.) Also, some of the services (ssh, sendmail) running as permanent daemons respect /etc/hosts.allow and /etc/hosts.deny. Finally, some services (apache, samba) allow access to be restricted to certain IP addresses through their own configurations files (httpd.conf, smb.conf).
  When troubleshoting access to services, you need to consider all of the above factors. If access is denied at any level, then the service will appear to fail.
2. Ssh, sftp, and scp
  Ssh, sftp, and scp are secure shell and file transfer programs, replacing telnet and ftp. Ssh is installed by default on Fedora Core 4 systems. However, ssh client software is not part of the typical desktop PC installation (e.g. Microsoft Windows) and must be installed separately as third party software.
  If ssh service fails, make sure that the iptables firewall contains a line for service 22 (ssh) like
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  that the ssh server software is installed
  rpm -qa | grep openssh-server
  that the ssh daemon is running
  /sbin/service sshd status
  and that either /etc/hosts.deny contains no entries or /etc/hosts.allow permits access by the client
  ALL:{network_address}/{subnet_mask}
  or
  sshd:ALL
3. Apache Web Server
  A few directories need to be set up in the skeleton profile directory (/etc/skel/) to make new user's web directory work correctly
  # cd /etc/skel/
  # mkdir public_html
  # chmod 755 public_html
  # cd public_html
  # mkdir cgi-bin
  # chmod 755 cgi-bin
  Edit the apache configuration file
  # cd /etc/httpd/conf
  # cp -p httpd.conf httpd.conf.000
  # vi httpd.conf
  In the <IfModule mod_userdir.c> section
  Comment the line
  UserDir disable
  Uncomment the line
  UserDir public_html
  Uncomment the line
  AddHandler cgi-script .cgi
  Add the lines (to bottom of file)
  <Directory /home/*/public_html/cgi-bin>
  #Enable cgi scripts in user directories
  Options ExecCGI
  </Directory>
  It is recommended that directory browsing be disabled. Search for and delete any instances of "Indexes" within "Options" statements, which can be located with
  # grep -n ^[[:space:]]*Options httpd.conf | grep Indexes
  For example, change
  Options Indexes FollowSymLinks
  to
  Options FollowSymLinks
  Make sure that the /etc/sysconfig/iptables firewall configuration file contains a line for service 80 (http) like
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  Restart the firewall if the iptables file was edited
  # /sbin/service iptables restart
  Since web service is not started by default, start the apache server
  # /sbin/chkconfig httpd on
  # /sbin/service httpd start
  Note that suexec is turned on by default. Thus all user cgi scripts run as the user in whose directory they are installed, instead of as the 'apache' user. Suexec imposes many security restrictions upon cgi scripts. Not only must the scripts by nonwritable by others, the directory containing the cgi script must be non writable by others, e.g., mode 755. By default, directories and files are created with mode 775 in Fedora Core. Therefore, one must manually do a 'chmod 755' on any directory containing cgi scripts as well as the files themselves.
4. Samba
  Samba permits access to files on the Linux system via Windows networking. By default, Samba uses "security=user", which requires that a user have a Linux account with the same name as their Windows login name, and "encrypt passwords = yes", which requires that users (or the Linux administrator) maintain a separate samba password list on the Linux machine with the user's Window's password that is in general different than their Linux password. The following instructions configure Samba to use "security=share", which allows users to access any home directories for which they know the password (similar to Windows98 directory sharing). However, passwords for these shares are maintained separately from the Linux login passwords.
  Edit the samba configuration file
  # cd /etc/samba
  # cp -p smb.conf smb.conf.000
  # vi smb.conf
  In the [global] section
  Set
  workgroup = {workgroup}
  server string = %h
  load printers = no
  security = share
  Add
  oplocks = no
  level2 oplocks = no
  preserve case = yes
  short preserve case = yes
  Add in the [homes] section
  Set
  browseable = yes
  Add
  create mode = 0664
  directory mode = 0775
  Let samba packets across the firewall
  # vi /etc/sysconfig/iptables
  -A RH-Firewall-1-INPUT -m state --state NEW -s {network address}/{network mask} -m tcp -p tcp --dport 137:139 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -s {network address}/{network mask} -m udp -p udp --dport 137:139 -j ACCEPT
  Restart the firewall
  # /sbin/service iptables restart
  Start the samba server
  # /sbin/chkconfig smb on
  # /sbin/service smb start
  Add the samba share password
  # smbpasswd -a {user}
  Users may now change their password with
  $ smbpasswd
  Browse the samba shares from the Windows "Network Neighborhood". Shares which do not appear may be accessed from Start: Run...: \\{serverhostname}\{sharename}.
5. Sendmail (not recommended)
  By default, Fedora Core configures sendmail to only accept mail from the localhost, which should be fine in almost all cases. Since you probably already have an email account on a centralized server, you do not need to accept email from the outside world on your Linux machine. Do not allow outsiders to access sendmail unless you thoroughly understand how relaying works (which permits massive spamming), are prepared to administer an email system, and are willing to accept reponsibility for any spam forwarded by your system!
  If you do need to set up a centralized email server on your system, do the following:
  If necessary, install the sendmail configuration file package:
  # yum install sendmail-cf
  Edit the sendmail configuration file
  # cd /etc/mail
  # cp -p sendmail.cf sendmail.cf.000
  # cp -p sendmail.mc sendmail.mc.000
  # vi sendmail.mc
  dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
  # m4 sendmail.mc >/etc/sendmail.cf
  Allow external access to sendmail
  # cd /etc
  # vi hosts.allow
  sendmail:ALL
  # cd /etc/sysconfig
  # vi iptables
  -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
  # /sbin/service iptables restart
  Restart sendmail
  # /sbin/service sendmail restart
6. Pop3 and imap (not recommended)
  These mail access agents are probably only needed if sendmail has been set to allow access from other computers, i.e., the system is intended to be a mail server from which you will regularly read mail. In general, you will not do this, but would instead simply forward any mail from Linux account to an existing email account.
  $ cd ~
  $ vi .forward
  {joe@university.edu}
  If you do wish to set up pop3 or other mail retrieval services, you must install an imap package from their extras distribution:
  yum install cyrus-imapd
  or
  yum install uw-imap
  If necessary, allow external access to the service through xinetd
  # cd /etc/xinet.d
  # vi ipop3
  disable=no
  # /sbin/service xinetd restart
  /etc/hosts.allow
  # cd /etc
  # vi hosts.allow
  ipop3d:ALL
  and iptables
  # cd /etc/sysconfig
  # vi iptables
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT
  # /sbin/service iptables restart
  Note that the above procedure has NOT been tested!
7. Additonal comments about access control files
  1. /etc/sysconfig/iptables
    The iptables configuration file defines which IP packets are accepted, rejected, or denied by the Linux machine. It is often preferable to limit accepted packets to the local network, rather than accept them from anywhere. For example, to accept WWW packets from anywhere, but limit telnet packets to being from the local network, one would use
    -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
    -A input -s {network_address}/{subnet_mask} -d 0/0 23 -p tcp -y -j ACCEPT
    where {network_address} may be calculated from
    $ ipcalc --network {ip_address} {subnet_mask}
    {subnet_mask} may also be specified as an integer equalling the number of nonzero bits starting from the left, e.g., 255.255.255.0=24 or 255.255.255.240.0=20
    After editing /etc/sysconfig/iptables, restart the iptables service for the changes to take effect
    # /sbin/service iptables restart
  2. /etc/xinetd.d
    Filenames in this directory correspond to services that are controlled by the internet services daemon (formerly known as tcp_wrappers). Edit these files to disable (disable = yes) or enable (disable = no) these services. Restart the xinetd daemon for changes to take effect.
    # /sbin/service xinetd restart
    Access to the services is further controlled by the /etc/hosts.allow and etc/hosts.allow files as described below.
  3. /etc/hosts.allow and /etc/hosts.deny
    These files control what IP addresses are allowed to access various services on the Linux machine. It is best to allow access for various services to some IP numbers, and then to deny all other access. An example of an /etc/hosts.allow entry that permits access to all services from a limited IP address range is
    ALL: {network_address}/{subnet_mask}
    An example of an /etc/hosts.allow entry that permits access to ssh from anywhere is
    sshd: ALL
    Other services controlled by these access files include
    in.telnetd
    in.ftpd
    sendmail
    ipop3d
    If access is permitted to specific services as above, then it is recommended that the /etc/hosts.deny file consist of
    ALL: ALL
    The efect of these entries is immediate, and the xinetd daemon does not need to be restarted after making changes.
    Note that if one properly configures the iptables firewall, then these access control files are redundant and no changes are needed from the default configuration (empty, which permits access to all services by anyone).
Install and setup computational chemistry software
1. Setup scratch directory
  # cd /scratch
  # rm -r lost+found
  # chmod 777 /scratch
  # chmod +t /scratch
2. Install computational chemistry engines
  - Pre-compiled binaries save the time and trouble of downloading and compiling program source code. Instructions and pre-compiled binaries are available for the Linux operating system
    - Gamess
    - Gaussian
    - Mopac 7 or Mopac 2007
    - Molpro
    - NWChem
  - Compiling the source code allows software to be installed on a wider array of hardware and oparting systems
    - Gamess
    - Molpro
    - NWChem
    - Q-Chem
    - Tinker
3. Install WebMO
  WebMO installation instructions