
fedora install tutorial on a xen vps minimal installation

in my eyes i got a good and cheap vps from ispone-business.de, the xl package there. if everything turns out ok with that company i am adding 512 MB RAM for 60 Euro once, to have one gig of RAM. i chose fedora 9 for the os. so here is what i did, first logged in as root:

    adduser username
    passwd username
    echo 'username ALL=(ALL) ALL' >> /etc/sudoers # allows the user to use sudo
    su username
    echo 'export PATH=$PATH:/sbin' >> ~/.bashrc # adds /sbin to my path
    echo -e 'syntax on\nset number' > ~/.vimrc # enables syntax highlighting and line numbers in vim

log out of the system again; the next step is an easier login with

asymmetric (public) key authentication

from the local machine:

    ssh-keygen -t rsa
    ssh username@remote-host mkdir -p .ssh
    cat ~/.ssh/id_rsa.pub | ssh username@remote-host 'cat >> .ssh/authorized_keys2'

i had to change permissions on the remote machine for the .ssh dir like this:

    chmod 700 ~/.ssh && chmod 640 ~/.ssh/authorized_keys2

the last thing i did was to change the port of ssh to something other than 22. Edit the

    /etc/ssh/sshd_config

and uncomment the Port line near the top of the file, setting it to the new port number. next change the

    /etc/sysconfig/iptables

content to ACCEPT the same port (the line with --dport 22). afterwards restart both with

    sudo service iptables condrestart && sudo service sshd restart
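an added example, not from the original post, that does the two edits above together and checks the result before anything gets restarted: moving sshd to a new port without the matching iptables rule locks you out of the vps, so the function refuses to report success until the firewall file really ACCEPTs the new port. the file paths and the port are parameters; the config lines in the demo are constructed stand-ins for /etc/ssh/sshd_config and /etc/sysconfig/iptables, and 1122 is just the example port used with rsync further down.

```shell
#!/bin/sh
# Added example, not from the original post: move sshd to a new port and
# update the iptables rule in the same step, checking the firewall file
# before anything gets restarted. File paths are parameters so it can be
# tried on copies (as demo_set_ssh_port does) before touching /etc.
#
# usage: set_ssh_port SSHD_CONFIG IPTABLES_FILE NEW_PORT
set_ssh_port() {
    cfg=$1 fw=$2 port=$3

    # refuse anything that is not a tcp port number
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 2
    fi

    # sshd_config: the first Port line, commented or not, becomes "Port NEW";
    # if there is none (port 22 implied) one is appended
    awk -v p="$port" '
        !done && /^[# \t]*Port[ \t]+[0-9]+/ { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"

    # iptables: rewrite the tcp rule for --dport 22 to the new port
    awk -v p="$port" '
        /-p tcp/ && /--dport 22([^0-9]|$)/ { sub(/--dport 22/, "--dport " p) }
        { print }
    ' "$fw" > "$fw.new" && mv "$fw.new" "$fw"

    # lock-out guard: only report success if the firewall now ACCEPTs the new port
    if ! grep -Eq -- "--dport $port([^0-9]|$).*-j ACCEPT" "$fw"; then
        echo "iptables does not ACCEPT tcp/$port, fix it before restarting sshd" >&2
        return 1
    fi
    grep -q "^Port ${port}\$" "$cfg"
}

# constructed stand-ins for /etc/ssh/sshd_config and /etc/sysconfig/iptables
demo_set_ssh_port() {
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' 'Protocol 2' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' \
        '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' > "$d/iptables"
    set_ssh_port "$d/sshd_config" "$d/iptables" 1122 && echo "sshd_config and iptables now use port 1122"
    grep -E -h 'Port|dport' "$d/sshd_config" "$d/iptables"
    rm -rf "$d"
}
demo_set_ssh_port
```

run it on copies first, then as root on the real files, and only then the two restart commands from above; if it returns anything but 0 the firewall rule is not in place and sshd should stay on the old port.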

install X and Gnome for vnc:

    sudo yum groupinstall "X Window System" "GNOME Desktop Environment" && sudo yum install vnc-server

IMPORTANT: disable NetworkManager on runlevel 3:

    sudo chkconfig --level 3 NetworkManager off

otherwise NetworkManager shuts down the network interface while restarting, because the vps uses a fixed network configuration. read this for more information. optionally restart the vps for testing.

start and stop the vncserver once so it creates the ~/.vnc dir with the xstartup file:

    vncserver && vncserver -kill :1

the :1 stands for display number one, the port for this display is 5901. the :1 and the last digit of 5901 change together.

i wanted gnome to be my desktop layout. If you want that too edit the

    ~/.vnc/xstartup

file and replace

    twm &

by

    exec gnome-session &

edit

    /etc/sysconfig/vncservers

and uncomment the last two lines, in my case the file ends with:

    VNCSERVERS="1:nilsen31 2:robert31 3:partyplan"
    VNCSERVERARGS[1]="-geometry 1280x700 -nolisten tcp -nohttpd -localhost"
    VNCSERVERARGS[2]="-geometry 1280x800 -nolisten tcp -nohttpd -localhost"

this enables some security settings: it prevents http connections and only allows tunnelled connections.

change the username and display number for your needs and set the geometry settings accordingly:

    VNCSERVERS="1:someuser1 2:someuser2 3:someuser3"
    VNCSERVERARGS[1]="-geometry 1280x700 -nolisten tcp -nohttpd -localhost"
    VNCSERVERARGS[2]="-geometry 1280x800 -nolisten tcp -nohttpd -localhost"
    ...

the array index x of VNCSERVERARGS[x] stands for the display number, so change it accordingly.

turn the vncserver on at boot with:

    sudo chkconfig vncserver on
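an added example, not from the original post: a small audit of /etc/sysconfig/vncservers that reports every display listed in VNCSERVERS whose VNCSERVERARGS line lacks -localhost, -nolisten tcp or -nohttpd, or that has no args line at all (the init script then starts it with the defaults, which do not include -localhost, so that display is not limited to the tunnel). run over the file as shown above it reports display :3 (partyplan) for exactly that reason. the demo input is a constructed copy of that file.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/sysconfig/vncservers
# and report every configured display that does not carry the hardening
# flags used above. A display listed in VNCSERVERS without a VNCSERVERARGS
# line is started with the defaults, i.e. without -localhost.
#
# usage: vnc_audit /etc/sysconfig/vncservers   (exit 0 = all displays hardened)
vnc_audit() {
    awk '
        # active VNCSERVERS line: remember display number -> user
        /^VNCSERVERS=/ {
            s = $0; sub(/^VNCSERVERS="?/, "", s); sub(/"[ \t]*$/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) { split(f[i], pair, ":"); user[pair[1]] = pair[2] }
        }
        # active VNCSERVERARGS[n] line: keep the whole line for the flag checks
        /^VNCSERVERARGS\[[0-9]+\]=/ {
            m = $0; sub(/^VNCSERVERARGS\[/, "", m); sub(/\].*$/, "", m)
            args[m] = $0
        }
        END {
            bad = 0
            for (d in user) {
                tag = "display :" d " (" user[d] ")"
                if (!(d in args)) { print tag ": no VNCSERVERARGS entry, runs with defaults"; bad++; continue }
                if (args[d] !~ /-localhost/)    { print tag ": missing -localhost"; bad++ }
                if (args[d] !~ /-nolisten tcp/) { print tag ": missing -nolisten tcp"; bad++ }
                if (args[d] !~ /-nohttpd/)      { print tag ": missing -nohttpd"; bad++ }
            }
            exit (bad > 0)
        }
    ' "$1"
}

# constructed copy of the file from above; display 3 has no args line
demo_vnc_audit() {
    f=$(mktemp)
    printf '%s\n' \
        '# VNCSERVERS="2:myusername"' \
        'VNCSERVERS="1:nilsen31 2:robert31 3:partyplan"' \
        'VNCSERVERARGS[1]="-geometry 1280x700 -nolisten tcp -nohttpd -localhost"' \
        'VNCSERVERARGS[2]="-geometry 1280x800 -nolisten tcp -nohttpd -localhost"' > "$f"
    vnc_audit "$f" || echo "fix the findings above before chkconfig vncserver on"
    rm -f "$f"
}
demo_vnc_audit
```

the exit status is non-zero as soon as one display is not hardened, so the check can sit in front of the chkconfig line in a setup script.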

i recommend a secure connection to your remote display. this is done by tunnelling the vnc connection through ssh.

here is the quote from the ssh man page for the -L option: “Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.” doing this looks like this:

    ssh -L 5901:localhost:5901 user@remote-host

the number before localhost is the local port, the number after it the port on the remote side. the best vnc viewer for osx is, and i tried like five of them, “chicken of the vnc”. be sure to open the port 5901 in the iptables config file. connect to localhost on display 1 in the program. on my local machine i made a file called remote.sh which lets me connect quickly to the remote machine by executing it.

    echo '#!/bin/bash' > remote.sh && echo 'ssh -L 5901:localhost:5901 user@remote-host -p port-number' >> remote.sh && chmod 700 remote.sh

now i just have to type ~/rem, tab (for autocompletion) and return to get in.

install java & Co

install c/c++ first:

    sudo yum install compat-gcc-34 compat-gcc-34-c++ libstdc++.so.5

go to the /tmp dir and wget the jdk .bin installer from http://java.sun.com/javase/downloads/index.jsp

    cd /tmp
    chmod u+x downloadedFile.bin #so it can be executed
    ./downloadedFile.bin #execute the file
    echo -e 'export JAVA_HOME=/usr/local/java/jdk\nexport PATH=$PATH:$JAVA_HOME/bin' >> ~/.bashrc #set JAVA_HOME and add it to your PATH
    bash #get a new instance of the shell
    java -version #check if it works.

install maven2

wget the maven2 archive from here

    tar xjvf apache-maven-2.0.9-bin.tar.bz2 #extract the archive

move the extracted folder to /usr/local/java/maven2

    echo -e 'export MAVEN_HOME=/usr/local/java/maven2/\nexport PATH=$PATH:$MAVEN_HOME/bin' >> ~/.bashrc
    bash #get a new instance of the bash
    mvn -version #check if it works.

apache & mysql

    sudo yum install mysql mysql-server mysql-devel phpMyAdmin
    sudo chgrp -R mysql /var/lib/mysql  && sudo chmod -R 770 /var/lib/mysql
    sudo service mysqld start && sudo chkconfig mysqld on
    mysqladmin -u root password changeme #set the root password
    sudo service httpd start && sudo chkconfig httpd on
    chkconfig --list | grep "mysqld\|httpd" #just testing

add the ports 80 and 443 to /etc/sysconfig/iptables

    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

and reload the rules:

    sudo service iptables condrestart

edit /etc/httpd/conf.d/phpMyAdmin.conf so it is only reachable from 127.0.0.1 and over https:

    RewriteEngine on
    RewriteCond   %{SERVER_PORT}  !^443$
    RewriteRule ^/phpMyAdmin(.*)$ https://%{HTTP_HOST}/phpMyAdmin$1 [L,R]
    
    Alias /phpMyAdmin /usr/share/phpMyAdmin
    <Directory /usr/share/phpMyAdmin/>
           order deny,allow
           deny from all
           allow from 127.0.0.1
    </Directory>
    # This directory does not require access over HTTP - taken from the original
    # phpMyAdmin upstream tarball
    <Directory /usr/share/phpMyAdmin/libraries>
           Order Deny,Allow
           Deny from All
           Allow from None
    </Directory>

for later backups put the password for mysqldump in ~/.my.cnf, the content should look like this:

    [mysqldump]
    password = cleartextpwd

afterwards restrict the permissions to 700:

    chmod 700 ~/.my.cnf

configure sendmail for authentication on an external smtp server

add the following line to /etc/mail/access

    Authinfo:smtp.server.com "U:username" "P:password"

then run

    makemap hash /etc/mail/access.db < /etc/mail/access

version control with subversion and trac

    sudo yum install subversion trac mod_dav_svn mod_ssl mod_python
    mkdir /var/svn && cd /var/svn
    svnadmin create repository

edit the new file /etc/httpd/conf.d/subversion.conf and put this content in it:

    <Location /repos>
           DAV svn
           SVNParentPath /var/svn
           # Limit write permission to list of valid users.
           AuthType Basic
           AuthName "Subversion Authorization Realm"
           AuthzSVNAccessFile /var/svn/svn.acl
           AuthUserFile /var/svn/.htpasswd
           Require valid-user
           #only SSL
           SSLRequireSSL
    </Location>

generate the htpasswd file now:

    htpasswd -cb /var/svn/.htpasswd username password && chmod 700 /var/svn/.htpasswd

add the svn.acl file so you have access to every repository:

    echo -e '[/]\nusername =  rw' > /var/svn/svn.acl && chmod 700 /var/svn/svn.acl

i added a view only user to the .htpasswd and acl as well:

    htpasswd -b /var/svn/.htpasswd view only #without -c (create flag)
    echo -e '[repository:/]\nview =  r' >> /var/svn/svn.acl # >> = append to file
    chown -R apache.apache /var/svn
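an added example, not from the original post: ~/.my.cnf, /var/svn/.htpasswd and /var/svn/svn.acl above all hold credentials or access rules in clear text and are protected only by their permissions, so here is a check that such a file has no group or world bits at all, together with the chmod that fixes it. it parses the mode column of ls -ld so it runs unchanged on the fedora box and on osx; the two files in the demo are constructed temp files standing in for ~/.my.cnf and /var/svn/.htpasswd.

```shell
#!/bin/sh
# Added example, not from the original post: check that files holding
# credentials (~/.my.cnf, /var/svn/.htpasswd, /var/svn/svn.acl above) carry
# no group or world permission bits. Uses ls(1) output so it works the same
# on the fedora box and on osx.
#
# usage: check_private FILE   (0 = owner-only, 1 = too open, 2 = missing)
check_private() {
    f=$1
    [ -e "$f" ] || { echo "$f: does not exist" >&2; return 2; }
    # characters 5-10 of the ls mode string are the group and other bits
    bits=$(ls -ld "$f" | cut -c5-10)
    case $bits in
        ------) return 0 ;;
        *) echo "$f: accessible beyond the owner ($bits), run: chmod 600 $f" >&2; return 1 ;;
    esac
}

# usage: audit_private FILE...   (exit status = number of files that failed)
audit_private() {
    failed=0
    for f in "$@"; do
        check_private "$f" || failed=$((failed + 1))
    done
    return $failed
}

# constructed demo: two temp files standing in for ~/.my.cnf and .htpasswd
demo_audit_private() {
    a=$(mktemp); b=$(mktemp)
    chmod 600 "$a"; chmod 644 "$b"
    audit_private "$a" "$b" && echo "all credential files are owner-only" || echo "$? file(s) need fixing"
    rm -f "$a" "$b"
}
demo_audit_private
```

a 700 on a plain file (as used for .my.cnf above) passes the check as well, since only the group and other bits matter here; the execute bit on a config file just has no effect.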

trac:

    trac-admin /var/trac/repository initenv

edit /etc/httpd/conf.d/trac.conf like this:

    <Location /trac>
        SetHandler mod_python
        PythonInterpreter main_interpreter
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /var/trac
        PythonOption TracUriRoot /trac
    </Location>
    <LocationMatch "/trac/[^/]+/login">
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /var/svn/.htpasswd
        SSLRequireSSL
        Require valid-user
    </LocationMatch>

backup & security

get the latest packages

    yum install yum-updatesd
    service yum-updatesd start
    chkconfig yum-updatesd on

encrypted sql dumps by cron

on the local machine (osx) download gnupg2 and install it. then go to the command line and type:

    gpg2 --gen-key

transfer the public key to the remote machine:

    cat ~/.gnupg/pubring.gpg | ssh username@remote-host 'cat >> ~/uidpubring.gpg'

on the remote machine:

    yum install gnupg2
    gpg2 --import ~/uidpubring.gpg
    gpg2 --edit-key uid #uid is the username on your local machine.

in the dialog type “trust” and select “(5) ultimate”.
now you can encrypt files like this:

    gpg2 -r uid --encrypt confidental.zip

decrypt it with this command:

    gpg2 --decrypt confidental.zip.gpg > crypto.zip # this only works where the secret key (secring.gpg) is, i.e. on the local machine

now the script for mysql:

    #!/bin/bash
    # dump the database, compress it, encrypt it for the local gpg key and
    # remove the plaintext dump; abort on the first failing step so a broken
    # dump or a failed encryption never ends in deleting the only copy
    set -e -o pipefail
    umask 077 # dumps are created readable by the owner only

    DATE=`date -d yesterday +%Y%m%d%H%M%S`
    BAKPATH='/home/username/Documents/Backup/local/sql/'
    # write to a hidden INPROGRESS file first, so a half written dump is never mistaken for a finished one
    nice -n 19 mysqldump -u dbUser -a -e --add-drop-table databasename | nice -n 19 gzip -c -9 > ${BAKPATH}.datenbank_sqldump-${DATE}.gz_INPROGRESS
    mv -f ${BAKPATH}.datenbank_sqldump-${DATE}.gz_INPROGRESS ${BAKPATH}datenbank_sqldump-${DATE}.gz
    gpg2 -r uid --encrypt ${BAKPATH}datenbank_sqldump-${DATE}.gz
    rm -f ${BAKPATH}datenbank_sqldump-${DATE}.gz # the plaintext dump goes, only the .gpg file stays

notice that i didn’t have to provide a password because of the ~/.my.cnf. i also added this to my cronjobs:

enter the preferred command at

    crontab -e

before the command put the time to execute, check the crontab man page for the syntax.
the secring.gpg is very important: only with it and the passphrase can you decrypt the backup.
if it gets lost from your keyring you can reimport your saved copy like this:

    gpg2 --import Desktop/secring.gpg

the whole machine with rsync

the next command backs up the whole root partition. notice the -p1122 for the changed ssh port.

    rsync --verbose --rsh='ssh -p1122' --exclude "/sys" --exclude "/dev" \
        --exclude "/proc" --recursive --progress --times --perms --links \
        username@remote-host:/ /Volumes/DOS/bak/remote-host/

to restore the backup just flip the remote and local directories, for example here i restore the complete www directory from my external hdd to the remote machine:

    rsync --verbose --rsh='ssh -p1122' --recursive --progress --times \
        --perms --links /Volumes/DOS/bak/remote-host/var/www username@remote-host:/var/

i also added this to my cronjobs, again via

    crontab -e

with the time to execute in front of the command.

references

  • ssh rsa authentication: http://linuxproblem.org/art_9.html
  • vnc: http://tokyoahead.com/main/multifaq/index.php/65 and http://ulyssesonline.com/2006/02/26/vncserver-on-fedora-core-4/
  • echo: http://www.unix.com/shell-programming-scripting/56666-new-line-echo.html#post302271726
  • java: http://www.mjmwired.net/resources/mjm-fedora-f9.html#java
  • maven: http://beans.seartipy.com/2008/10/05/installing-sun-java-se-6-maven-2-and-tomcat-55-on-fedora-
  • htpasswd: http://linux.die.net/man/1/htpasswd
  • sql: http://www.vbulletin-germany.com/forum/showthread.php?t=17548
