installing redhat

Upload: alireza-hemmati

Post on 02-Jun-2018


  • 8/10/2019 Installing RedHat


    Install

    Make sure your system is set to boot from CD-ROM/DVD drive first

    There are also network-based and USB-based installation options. Any will work, though these two take additional work. Once you boot the install media, continue.


    At the boot screen just hit enter to install in graphical mode (default)

    You can run this check if you would like. This will check the MD5 Checksum of all of the disks. This takes a very, very, very long time. I normally choose Skip on this step. If there is a media error, you will know sooner and be able to produce new media in the time the check would take to tell you it is bad.


    Choose next from the Welcome Screen

    You will choose the language next. Here we will keep the default choice of English (English) and click next.


    You can choose your keyboard layout next. Again, here we will be accepting the default of U.S. English.

    You may see this error if you have a new drive with no partitions. We will click yes on this one for our example. You may want to choose no and back up your data first if this is not OK.


    Here you can choose how to partition your hard drive. Your choices are to remove all partitions on the selected drives and create the default layout, remove Linux partitions on the selected drives and create default layout, use free space on selected drives and create default layout and create custom layout. You can also choose to encrypt the system. Here we will choose remove all partitions on the selected drives and create the default layout.

    Two notes on encryption:

    1. If you choose to encrypt the partitions, a password will need to be entered every time the system boots up. This may be fine in some places, but if you have a system in an unmanned datacenter, it could be difficult to deal with. You can make a choice to encrypt a volume after installation if you require encryption on some of the data.

    2. On a server, disk-level encryption doesn't gain you much. If the machine is always on, the kernel always has the disks decrypted. Disk-level encryption makes more sense on a laptop.

    Once you are sure you want to proceed, choose yes.


    Next you will have the chance to set your network settings. If you want to change the device from DHCP to a static IP address, for example, click the Edit button. You can also specify your domain name here by choosing to set it manually. Finally you can modify your default gateway, primary DNS and secondary DNS. These final options are only available if you choose to create a static IP address. We are leaving this blank for this example. We will set the IP after the installation.


    The only other security related setting you may want to change is in the Edit menu. Disable the IPv6 support unless you will be using it. IPv6 is still relatively new and there have been security issues with how it is implemented in the kernel. Do not leave it on


    Next you should choose the time zone you are in. In our example, we will keep the default America/New_York Eastern Time

    Next you will need to set your root password. This should be a password that is very difficult to guess and of sufficient length. We will use a minimum of 15 characters in our example. You can also take some further precautions after the installation such as restricting root from logging in via SSH and using PAM modules to allow RSA token use.


    Next, you can choose the packages you would like installed. Here we are building a server so we are going to choose the Server option. Do not put GUIs on the server builds unless it is specifically required. This will lower the overall footprint and improve the security posture of the system. Again, if it's not installed, you don't have to worry about security holes in it. I will also choose the Customize now option so we can pick and choose which Server options we want.

    This system will be a web server. With that in mind, we have left the defaults up to the Servers section. The previous defaults include nothing selected in Desktop Environments. In Applications, the only things selected by default are Editors and Text based Internet. Nothing is selected in the Development section. The default in the Servers section is everything selected. Remove all options that you will not be using. In this example, we only leave Web Server selected.


    Under the Base System, we will remove the default selection of Dialup Networking Support and leave the rest of the defaults. We will leave Virtualization, Clustering and Cluster Storage in the default state of nothing selected.

    Here we just choose next to begin the installation.


    The installation will show you which disks you will need to install the software you selected.

    Ensure you have all of the necessary disks and click Continue. If you do not want to continue you can choose Reboot or, if you have selected something by mistake or are unsure, you can choose the Back option.

    After the installation, choose Reboot to complete the process.


    After the reboot, log in as root. Type the command


    AA

    For our options in this example we will be making sure the security level is enabled and we will set SELinux to Permissive. We prefer Bastille to SELinux due to easier configuration. We do leave it as Permissive to get the logging it provides.

    NOTE TO OTHERS: I disagree with this piece of advice. On a packaged system, admins are better served learning to use the "standard" tools. Thus, on RHEL, they should use SELinux and on SLES/Ubuntu, they should use AppArmor. Bastille may well be a good option, but it should be offered as an addition/option to this guide, not as the default. -Josh More

    Click the Customize button on the previous screen and you will see this screen. For our example, we need to manage the system so we allow SSH as an incoming connection. We also want this to be a web server in this example so we will also allow WWW (HTTP) as incoming. Make the allowances for the necessity of the system. The main thing is to only allow what is absolutely necessary.

    At a later stage, we will control access via SSH to only allow connections from secured networks. In order for HTTP to be functional, it must by default listen to the entire Internet. SSH does not need this. You must access it for admin reasons, but this is from a much smaller range of hosts. The configuration should be limited to known-good access points.

    Next we will choose Network Configuration. We are doing this now in this example because we did not set an IP address in the setup. If you did set the IP address in the setup, you can skip this step.

    Highlight the Network configuration option. Hit the tab key to move the focus to the Run Tool button and click enter. Choose the Edit Devices option.

    Hit enter on the Edit Devices menu and you should see a similar screen. You may see more interfaces if your system has more installed.

    Hit Enter on the device you want to configure. Remove the * from Use DHCP. Enter the IP address, subnet mask and default gateway of your system. After you are done, hit the tab key to put the focus on the OK button and hit enter.

    Hit the tab key to put the focus on the Save button and hit Enter.


    Put the focus on the Edit DNS configuration option and hit the Enter key.

    Enter the FQDN hostname of the system here along with the Primary DNS, Secondary DNS, Tertiary DNS if you have one and any domains you would like to add in the search order. This option is useful if you have multiple domains or subdomains in your network. After entering the information hit the tab key to put the focus on the OK button and hit the Enter key.

    After entering all of this information, hit the tab key to put the focus on the Save&Quit option and hit the Enter key.


    Put the focus on the System Services option, hit the tab key to move the focus to the Run Tool button and click Enter.

    What services you choose to turn off or on here depends on the type of system that this is. The main idea is to turn off everything you can that you don't need. You can always turn on the things you need later. This setting is to say what services will be automatically started when the system boots. Below is a list of things I generally turn off on all systems. The other thing I will be turning on in this system is the Apache web server (called HTTPD in this version).

    Services to generally turn off unless specifically needed:

    APMD

    Bluetooth

    CUPS

    IP6TABLES (unless you are using IPv6)

    ISDN

    NETFS

    NFSLOCK

    PCMCIA

    PORTMAP

    XINETD (unless you're using an inetd-wrapped service. More on this later.)

    Hit the tab key until the focus is on the Quit button and hit Enter.

    At this time you should reboot the system to ensure the changes are applied.
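
    A check to run after that reboot, as an added example that is not part of the original guide: it reads `chkconfig --list` output and reports which services from the turn-off list above are still set to start in runlevel 3 or 5. The lowercase init-script names and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the boot-time state of
# the services the guide recommends turning off.

# Assumed init-script names for the guide's list (the guide prints them in
# upper case). Drop ip6tables or xinetd from the list if you rely on them.
UNNEEDED="apmd bluetooth cups ip6tables isdn netfs nfslock pcmcia portmap xinetd"

# still_enabled: reads `chkconfig --list` output on stdin and prints, one per
# line, every listed service that is "on" in runlevel 3 or runlevel 5.
still_enabled() {
    awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) {
            # The "xinetd based services:" banner also starts with "xinetd";
            # it has no runlevel fields, so it never matches below.
            for (f = 2; f <= NF; f++)
                if ($f == "3:on" || $f == "5:on") { print $1; break }
        }'
}

# Constructed sample of `chkconfig --list` output, for offline testing.
sample_chkconfig() {
    cat <<'EOF'
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
EOF
}

# On a real host, as root:
#   chkconfig --list | still_enabled | while read -r svc; do
#       chkconfig "$svc" off
#       service "$svc" stop
#   done
```

    An empty result means none of the listed services will start at boot; httpd and sshd are deliberately not in the list because this example system needs them.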


    You may be faced with this screen after rebooting. Just hit tab until the focus is on Exit and hit the Enter key.

    Patch

    Log in as root on the console.

    Red Hat Enterprise Linux v.5 uses yum (like CentOS and Fedora). Red Hat Enterprise Linux up to and including v.4 uses up2date. Regardless of which version of Red Hat is installed, the system profile will need to be registered with the Red Hat Network before any OS updates or patches can be downloaded and installed. To register with Red Hat Network, a user account must have already been created. If you do not already have a user account, go to https://rhn.redhat.com/rhn/sales/LoginInfo.do. Setting up a Red Hat Network user account is outside the scope of this document. To register the system profile, use the rhn_register command with the no-graphics option. The screenshots demonstrating the registration are from a RHEL v.4 system. RHEL v.5 systems will look similar.

    The Red Hat Network Registration initial page will appear. Read the text before continuing. Use the up-arrow on the keyboard to move the cursor from the "Next" box to the text field, then use the down-arrow on the keyboard to scroll through the text. Once the text has been read make sure "Next" is highlighted as above. If not, use the <TAB> key to cycle through the choices until the "Next" box is highlighted. <Enter> or <F12> will take you to the next screen.

    The next (second) screen is the privacy statement, which should be read in the same fashion, then continue to the third screen. You will need your Red Hat Network user name and password for this. The cursor should be in the "Red Hat Login:" box. Enter your Red Hat Network user id and password, using the <TAB> key to move between the fields. Then <TAB> to the "next" box to continue and hit the <ENTER> or <F12> key.


    The next screen doesn't always display nicely. It shows a summary of the machine being registered. By default, the profile name is the fully-qualified system name. This can be changed to any text, but make sure there is some correlation between the profile name and the system name or function.


    Once satisfied, go on to the next screen by <TAB>ing to the "Next" box and hitting the <ENTER> or <F12> key. The next screen shows a list of the RPM packages that are installed. Red Hat needs to know what packages are installed or they will not be updated. Software in the list may be deselected by using the up-arrow or down-arrow to select a package and the <SPACE> key to deselect (or reselect) individual packages. Most times no changes are made.


    To go on, <TAB> to the "Next" box and hit <ENTER> or <F12>. The next screen is a confirmation that all information has been collected. To actually send the data, <TAB> to the "Next" box and hit <ENTER> or <F12>. Once the data is sent, the finish screen will appear; hit <ENTER> or <F12> to go back to the root prompt. Now that the system is registered, it must be patched and usually rebooted.

    For RHEL versions up to v.4, the up2date command is used, and kernel packages are not updated/installed by default. The most important options to the up2date command are --nox (no X), --list (list packages that have updates), --download (download only), --update (install the updates) and --force (to force updates to packages that are marked "skip" like the kernel packages). It's always a good idea to list the packages that will be upgraded before actually installing them. To list, at the command line prompt type

    up2date --nox --list

    which will generate the list of upgradeable packages.

    All installed packages should be updated right after an install. To update all the packages, including the kernel:


    [No screenshot until I actually patch a machine --lat]

    For RHEL version v.5, the yum command is used, and kernel packages *are* installed/updated by default. The most important yum options at this point are check-update (check for updates) and update (perform the update). As stated above it's always a good idea to list the packages that will be upgraded before the actual installation. To list, at the command line prompt type

    yum check-update

    which will generate the list of upgradeable packages.

    Once again, all installed packages should be updated immediately after an installation. To update all the packages on a RHEL v.5 system:

    [No screenshot until I actually patch a machine --lat]

    Once the machine is patched it should be rebooted to ensure all patches are properly applied.

    Note: RedHat has a different update system than CentOS. Someone with a current RHEL subscription should extend this section.

    [Leaving the rest of this on patching in until real screenshots inserted.]

    It will ask your permission to continue after it checks to see what needs to be updated. Choose y and hit the Enter key.


    In some cases you will get this warning letting you know there is a new GPG key for CentOS. Do not blindly accept keys. The CentOS Official Signing Key is OK, but other, less trusted repositories may not be. Be aware of what you are doing and the ramifications. For this example, we will choose y and hit enter in this situation.

    After the updates have installed it will say Complete! and put you back at your root prompt. You should reboot the system once again to ensure that all of the updates are applied.


    Securing With IP Tables

    The host-based firewall that is bundled with RHEL and CentOS is IPTables. IPTables runs within the kernel and controls traffic flowing into and out of the server. For this guide, we only look at blocking incoming traffic, as if an attacker gains root-level access on the server, they can disable the firewall entirely.

    TODO: put in examples for common IPTables configurations:

    Protect web server (HTTP, HTTPS, limit SSH)

    Protect email server (SMTP, POP, IMAP, limited SSH)

    Protect internal file server (Samba, limited SSH, CUPS)
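
    For the first case in the list above (web server), an added example that is not part of the original guide: a generator for an inbound-only ruleset in iptables-restore format that opens HTTP and HTTPS to everyone and SSH to a single admin network, and refuses an SSH source that would cover the whole Internet. The function names and the 192.0.2.0/24 documentation range are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): emit an iptables-restore
# ruleset for the web-server case. Only inbound traffic is filtered, as in
# the guide; OUTPUT is left open.

# valid_admin_net CIDR -> exit 0 when CIDR looks like a.b.c.d/len with a
# prefix length of 1-32. A /0 source would make SSH reachable from anywhere
# and defeat the restriction, so it is rejected.
valid_admin_net() {
    case "$1" in
        ""|*/0) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# gen_web_rules CIDR -> ruleset on stdout; non-zero exit on a bad CIDR.
gen_web_rules() {
    admin_net="$1"
    if ! valid_admin_net "$admin_net"; then
        echo "refusing SSH source '$admin_net'" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -s ${admin_net} --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed usage: 192.0.2.0/24 stands in for the secured admin network.
# Review the output, then as root:
#   gen_web_rules 192.0.2.0/24 > /etc/sysconfig/iptables
#   service iptables restart
```

    Load the rules from the console rather than over SSH the first time, so that a wrong admin network does not lock you out of the session you are using.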

    Security With SELinux

    Explanation here as to how SELinux works and how to resolve common problems.

    Securing Apache

    Pointer to the SANS document on securing web services

    Securing FTP

    Paragraph on how VSFTPD works

    Suggestion to move to ProFTPD if extended security restrictions are needed

    Securing Samba

    Overview of Samba and how to use it in different configurations

    Third Party Extras

    Fundamentally, Linux distributions are a tradeoff. You could build everything yourself and get a system tuned completely to your needs. However, that takes time and a fair amount of management. If you wish to trade some of your customization ability to simplify management, distributions offer this. In order to do this, and to provide reasonable support, the company in charge of the distro must make decisions as to what is in or out of their particular "flavor" of Linux. In general, this works fine. Sometimes, though, it doesn't.

    That's where third party repositories (repos) come in. These repos are not maintained by the company (Red Hat, in this case), but are maintained by the community. If you use one, you are undoing a portion of the tradeoff above. You are gaining customization at the cost of simple management and, sometimes, security. Simply put, Red Hat doesn't test their updates against those in the repos, so applying an update might break something... though it's unlikely. Third party repos also often do not have as deep a set of tests for new package versions and may not stay on top of security issues as well as the primary update repositories. However, in almost all cases, installing a package from a trusted repository is better than just downloading the package and installing it. If you use a repository, you can get security updates. If you just download the package, you have to track it manually. This is often forgotten and therefore results in exploitation.

    Of course, like all of security, this isn't an all-or-nothing deal. In many cases, you can get highly customizable packages with a minimal loss of security and management. For a lot of businesses, this is a no-brainer, especially if the third party repository provides software that the business needs.

    There are three commonly used repos for Red Hat Linux.

    1) CentOS Extras

    CentOS is a clone of Red Hat that is "binary complete". This means that running CentOS is almost identical to running Red Hat. You don't get the same logos or paid support, but if you don't need that, CentOS makes a lot of sense. The CentOS community has provided a few packages that they feel make running their systems easier. This repo is enabled by default, so you can install a few more packages than Red Hat offers by default. Of course, there is nothing preventing you from adding the CentOS Extras repository to a standard CentOS box.

    2) CentOS Plus

    If you wish to upgrade specific packages over what Red Hat (and therefore CentOS) provides, you can use the CentOS Plus repository. This repo is NOT enabled by default, and has a higher chance of causing problems if you try to add it to an official Red Hat system. More information is available at http://wiki.centos.org/AdditionalResources/Repositories/CentOSPlus

    3) RPMForge

    RPMForge is a collaborative repository intended to extend Red Hat or CentOS. It is recommended that you first load CentOS Extras, so you can use the yum-priorities system to make sure that this third party repo is handled properly when it comes to package dependency resolution. More information is available at http://wiki.centos.org/AdditionalResources/Repositories/RPMForge