For fresh install:

NOTE: on old system, get list of packages installed w/o version
numbers with
$ rpm -qa --queryformat='%{NAME}\n'|sort
After install, run same command on new system and diff to see what
optional packages need to be installed.


Install updates:
dnf -y update


If not done during installation, set fully qualified hostname in


Install extra dnf repositories, e.g., Adobe Reader. It used to be possible to install Adobe Reader using YUM/DNF, but currently there is no Adobe Reader in the 32-bit repo (no longer supported on Linux), so here is an updated installation guide to get Adobe Reader working, see
cd /tmp
rpm -Uvh --nodeps AdbeRdr9.5.5-1_i486linux_enu.rpm
wget -O /opt/Adobe/Reader9/Reader/intellinux/lib/
dnf install AdbeRdr9.5.5-1_i486linux_enu.rpm
dnf install libcanberra-gtk2.i686 adwaita-gtk2-theme.i686 PackageKit-gtk3-module.i686

Get rpmfusion repo rpms from
dnf install$(rpm -E %fedora).noarch.rpm$(rpm -E %fedora).noarch.rpm

For Google Chrome:
dnf install fedora-workstation-repositories
dnf config-manager --set-enabled google-chrome
dnf install google-chrome-stable


dnf install logwatch autofs tcsh emacs yp-tools nfs-utils aspell-en gnome-tweak-tool enscript a2ps ddd cups gcc-c++ libreoffice opencv bwa vim dialog libnsl tkinter tk-devel system-config-printer sipcalc python3-seaborn python3-lxml python3-basemap python3-scikit-image python3-scikit-learn python3-sympy python3-dask+dataframe python3-nltk valgrind python3-elpy htop iotop ncurses-devel conntrack-tools pdfmod pdfshuffler

May also need glibc.i686 (for 32-bit application compatibility)

Install icedtea-web for java plugin for browsers: dnf install icedtea-web

Install Adobe Flash (going away in 2020)
rpm -ivh
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
dnf install flash-plugin alsa-plugins-pulseaudio libcurl

Install the following emacs-related RPMs (and their dependencies): 
    emacs-auctex     (this will install texlive for dependencies)
    emacs-rinari (for Ruby on Rails)
Note if emacs opens with a small/short-window, you can compile emacs with GTK2. Here is a how-to, remember to replace your usern>
dnf install rpmdevtools
Logged in as your username do the following:
$ dnf download --source emacs
$ rpmdev-setuptree
$ rpm -ivh emacs-nn.rc1.fcnn.src.rpm (replace nn with the version you downloaded).

Edit ~/rpmbuild/SPECS/emacs.spec .  Change the %configure spec, replacing --with-x-toolkit=gtk3 and --with-xwidgets by
--with-x-toolkit=gtk2 and --without-xwidgets respectively.

$ rpmbuild -bp  ~/rpmbuild/SPECS/emacs.spec
(Probably not necessary, but it lets you  look around before compiling.)

$ rpmbuild -bc ~/rpmbuild/SPECS/emacs.spec
This takes a few minutes.

As root:
cp ~your-username/rpmbuild/BUILD/emacs-nn/build-gtk/src/emacs /usr/local/bin/emacs-gtk2 (replace nn with the corresponding versi>

You may notice these errors in the /var/log/messages log file:
** (emacs:2176): CRITICAL **: murrine_style_draw_box: assertion 'height >= -1' failed

The fix is to edit one's theme gtk-2.0/gtkrc file, most likely in /usr/share/themes/BlueMenta/gtk-2.0/gtkrc. Change the following, changing 0 to 1:
GtkRange        ::trough-under-steppers         = 1

Install Java JDK see


Install and start ypbind:

dnf install ypbind

Edit /etc/yp.conf:
domain divscimath server
domain divscimath server

Edit /etc/sysconfig/network, add a line:
# add to the end to a static port
YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"
vi /etc/sysconfig/yppasswdd
# add below to set a static port
YPPASSWDD_ARGS="--port 946"

systemctl enable ypbind.service
systemctl start ypbind.service

Start of ypbind needs to wait for network to be up and running.
Arrange for that to happen with this:

systemctl enable NetworkManager-wait-online.service

Network Services Caching Daemon
dnf install nscd
systemctl enable nscd
systemctl start nscd

systemctl restart rpcbind ypserv ypxfrd yppasswdd


Enable and start autofs:

Edit /etc/nsswitch.conf to have these:
automount:	files nis
passwd:		files nis systemd
shadow:		files nis
group:		files nis systemd
hosts:		files nis mdns4_minimal [NOTFOUND=return] dns myhostname mymachines

# systemctl enable autofs.service
# systemctl start autofs.service


Set up symlink to snapshots root:
ln -s /local/.snapshots /snapshots


Restore /etc/ssh and /root/.ssh/authorized_keys
(Find these in /snapshots.)

Make sure to set Match Address 192.168.0.*,,150.108.68.*,150.108.64.*,10.10.1.* in /etc/ssh/sshd_config, to allow root logins only from Fordham CIS IPs.

Note: if selinux is enabled, it is necessary afterward to do
# chcon -t etc_t file
on each file in /etc/ssh and on /etc/ssh itself.
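
One way to confirm, after restoring /etc/ssh, that root logins really are limited to the Match Address block (an added example, not part of the original notes). It assumes the main section sets PermitRootLogin no and the Match block sets PermitRootLogin yes; the function name and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example; not part of the original notes.
# root_login_scope FILE
#   Prints "global <value>" for PermitRootLogin in the main section
#   ("unset" if absent) and "match <criteria> => <value>" for every Match
#   block that sets it.  Returns 0 only when the main section says "no" and
#   every block that re-enables root login carries an Address criterion.
# Assumes plain "Keyword value" lines (no "Keyword=value", no Include files).
root_login_scope() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            key = tolower($1)                   # sshd keywords are case-insensitive
            if (key == "match") {               # start of a conditional block
                $1 = ""; sub(/^[ \t]+/, "")
                scope = $0; seen = 0
                next
            }
            if (key != "permitrootlogin") next
            val = tolower($2)
            if (scope == "") {                  # main section: first value wins
                if (glob == "") glob = val
            } else if (!seen) {                 # first value inside this block
                seen = 1
                out = out "match " scope " => " val "\n"
                if (val != "no" && tolower(scope) !~ /(^| )address /)
                    bad = 1
            }
        }
        END {
            print "global " (glob == "" ? "unset" : glob)
            printf "%s", out
            exit ((glob == "no" && !bad) ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample using the address patterns from the note above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
Match Address 192.168.0.*,150.108.68.*,150.108.64.*,10.10.1.*
    PermitRootLogin yes
EOF
root_login_scope "$sample"
rm -f "$sample"
```

On a live host, run it against /etc/ssh/sshd_config; sshd -T -C user=root,addr=ADDRESS prints the settings sshd itself would apply to a connection from ADDRESS.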


Set up overnight dnf updates.  For example, use crontab -e to define

# snarf dnf updates every night at 1:35 am
35 01 * * * /usr/bin/dnf -y --skip-broken upgrade
# nuke dnf cache every month
35 00 1 * * /usr/bin/dnf clean all

Choose different times for different hosts to avoid network congestion.

NB you can restore from


Enable logging.

# dnf install rsyslog
# systemctl enable rsyslog 
# systemctl start rsyslog

Disable useless audit log spam see
auditctl -e 0
auditctl -D
systemctl disable auditd

Add this as the first rule in /etc/rsyslog.conf:

#### RULES ####

# no audit
:programname, isequal, "audit" ~

edit /etc/default/grub and add "audit=0" to the end of that line
For legacy BIOS run grub2-mkconfig --output /boot/grub2/grub.cfg
For EFI run grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg


Set up cross-campus drobo backups.  See drobo-howto.txt for details.

dnf install autofs cifs-utils samba-client

Create credentials files /etc/auto.smb.drobo-rh, drobo-lc (can copy
from any host that has one).  Make sure permission is 400 or 600 root.

Copy /etc/auto.cifs from a host that has it or from snapshot.

On all hosts except dsm:
ln -s /local/dsm/sbin/drobo-backup /usr/local/sbin
On dsm
cp ~moniot/src/sysadmin/ /usr/local/sbin/drobo-backup

Configure /etc/drobo-backup.conf or restore from a snapshot.


Restore /etc/exports from snapshot.  Enable nfs server using

systemctl enable nfs-server.service

NOTE: non-existent mount points (e.g. /mnt/cdrom) are no longer
tolerated in /etc/exports.


Systems on UPS need:
dnf -y install apcupsd apcupsd-cgi apcupsd-gui

Edit /etc/apcupsd/apcupsd.conf appropriately.  Copies of same for the
different hosts are in ~moniot/doc/sysadmin.


If local account differs from nis account (fred, nissim), make local
uid in /etc/passwd match the one in nis.


Uncomment line ``#Method = nsswitch'' in /etc/idmapd.conf.  This is
needed for correct ownership of files in NFS mounted directories.

Both machines/professors are retired: For noether and poincare: use visudo to give the local users privs
they need in /etc/sudoers.

nissim noether=/usr/bin/system-config-printer

# allow fred to change login background image
fred ALL = (gdm) NOPASSWD: /usr/local/lib/gnome/dconf-set-login-background
# allow fred to change printer configuration
fred poincare=/usr/bin/system-config-printer


For postgresql servers (dsm and erdos): 
[the following is out of date: see postgresql setup instructions]
  # service postgresql initdb
    -- set up pg_hba.conf with trust auth
  # service postgresql start
  [postgres ~] $ psql -f /var/lib/pgsql/backups/pg_dumpall.sql
  Then configure it for normal operation.
  On dsm: as postgres in ~/data:
    $ co -unormal pg_hba.conf 
    The relevant lines are:
local  all    postgres                                          ident pgmap
local  all      all                                             md5
host   all      all   md5

    Also need the following in pg_ident.conf
pgmap  postgres   postgres

  On erdos: we use ident authentication, pg_hba.conf should have:
local   all         all                               ident sameuser
host    all         all          ident sameuser
host    all         all       trust
host    all         all         ::1/128               ident sameuser
  and pg_ident.conf is default.


For dsm: install mysql.

Note: mysql is not enabled on erdos.


For dsm:
 Set up NIS service
dnf install ypserv

systemctl enable yppasswdd
systemctl start yppasswdd
systemctl enable ypxfrd
systemctl start ypxfrd

Restore /var/yp/Makefile,ypservers from snapshots.
Punch some holes in firewalld for the following services:
firewall-cmd --add-service=rpc-bind --permanent 
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --add-port=944/tcp --permanent 
firewall-cmd --add-port=944/udp --permanent 
firewall-cmd --add-port=945/tcp --permanent 
firewall-cmd --add-port=945/udp --permanent 
firewall-cmd --add-port=946/udp --permanent 
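
A check that the static NIS ports set earlier (YPSERV_ARGS, YPXFRD_ARGS, YPPASSWDD_ARGS) line up with the ports opened in firewalld above. This is an added example, not part of the original notes; the function name and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example; not part of the original notes.
# nis_port_coverage OPEN_PORTS FILE...
#   OPEN_PORTS  output of `firewall-cmd --list-ports`, e.g. "944/tcp 944/udp"
#   FILE...     sysconfig files that set YPSERV_ARGS, YPXFRD_ARGS, YPPASSWDD_ARGS
#   Prints "<variable> <port> <open protocols, or closed>" for each static
#   port and returns 1 if any static port has no firewall entry at all.
# Assumes single ports in OPEN_PORTS (firewalld ranges such as 944-946/udp
# are not expanded).
nis_port_coverage() {
    open=$1; shift
    awk -v open="$open" '
        BEGIN {                                  # index the open port/proto pairs
            n = split(open, p, /[ \t]+/)
            for (i = 1; i <= n; i++) isopen[p[i]] = 1
        }
        /^[ \t]*YP[A-Z]*_ARGS=/ {
            var = $0; sub(/=.*/, "", var); gsub(/[ \t]/, "", var)
            if (!match($0, /(-p|--port)[ =]+[0-9]+/)) next   # no static port set
            port = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", port)
            protos = ""
            if ((port "/tcp") in isopen) protos = "tcp"
            if ((port "/udp") in isopen) protos = protos (protos == "" ? "" : ",") "udp"
            if (protos == "") { protos = "closed"; rc = 1 }
            print var, port, protos
        }
        END { exit rc + 0 }
    ' "$@"
}

# Constructed sample holding the three settings from these notes.
conf=$(mktemp)
cat > "$conf" <<'EOF'
YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"
YPPASSWDD_ARGS="--port 946"
EOF
nis_port_coverage "944/tcp 944/udp 945/tcp 945/udp 946/udp" "$conf"
rm -f "$conf"
```

On dsm the call would be nis_port_coverage "$(firewall-cmd --list-ports)" /etc/sysconfig/network /etc/sysconfig/yppasswdd.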

For sendmail:
firewall-cmd --permanent --add-service=smtp

On dsm, since NFS uses random UDP ports, until we can find which ones/where to configure them, you have to add the IPs of servers/workstations to the "trusted zone":
firewall-cmd --permanent --zone=trusted --add-source=
firewall-cmd --permanent --zone=trusted --add-source=
firewall-cmd --reload

To debug firewalld issues, e.g., to see what port and protocol is being requested:
firewall-cmd --set-log-denied=all
And when done debugging:
firewall-cmd --set-log-denied=off


[OUT OF DATE: we now use squirrelmail.  Instructions kept in case the
problem with suidperl gets fixed.]

For dsm, install openwebmail.  This is not on an rpm: get tarball from  Untar in /var/www.  Then edit
  cgi-bin/openwebmail/etc/openwebmail.conf to set paths appropriately.
  Specify for authentication.  Create
   N.B. openwebmail requires packages perl-Text-Iconv, perl-suidperl


For dsm, install squirrelmail and dovecot
dnf install squirrelmail
dnf install dovecot

Install VirtualBox.  First copy the repo /etc/yum.repos.d/virtualbox.repo
then do "dnf install VirtualBox-4.2" or whatever the version number is
(just "dnf install VirtualBox" does not work.)
Also needs "dnf install kernel-devel" for the vboxdrv kernel module.
For lab machines, read virtualbox-howto.pdf for how to make it
For faculty machines, read virtualbox-howto.pdf for how to make it
Install /usr/local/sbin/vboxcheckup and set up cron job to run nightly.
Restore /etc/profile.d/vbox.{csh,sh} from snapshot.


For dsm, restore /etc/hosts, passwd, group, /usr/local/adm from snapshots
N.B. can't use shadow with openwebmail
Set up httpd service.
Restore /var/www, including /var/www/cgi-bin/ and /var/www/html/js/cryptpass.js
Need to install packages mod_auth_kerb mod_auth_mysql mod_auth_pgsql 
Restore /etc/auto.master, auto.local, auto.home
Copy files from  /usr/local/sbin and /usr/local/share/dict
Copy (tar) mailman from /var/lib/mailman/
Run systemctl start mailman and systemctl enable mailman
Set RedirectMatch ^/mailman[/]*$ in /etc/httpd/conf.d/mailman.conf, systemctl restart mailman

Install greylisting, SpamAssassin/spamass-milter and clamav/clamav-milter for sendmail
Download the and files from and from into /etc/mail/spamassassin
Install the unbound DNS caching server to avoid URIBL_BLOCKED message in /var/log/maillog: dnf install unbound. 
Copy the /etc/mail/spamassassin/ file from a backup or make sure the following settings are in place:
trusted_networks 150.108.68/24 150.108.64/24
dns_available yes

A good install guide for ClamAV is
Note for ClamAV using the TCPSocket/TCPAddr option in /etc/clamd.conf appears easier to configure.
Make sure ClamdSocket in /etc/mail/clamav-milter.conf matches TCPSocket/TCPAddr in /etc/clamd.conf.
Whitelist the logwatch reports, e.g., copy from a backup /etc/mail/clamav-milter-whitelist.conf and make sure the path is correct in /etc/mail/clamav-milter.conf

On storm restore /etc/httpd/conf.d/CGIaliases.conf which allows a directory to be browsed without the tilde (~).
Restore files such as /etc/profile.d/ and any others in /etc/profile.d.

Customize /etc/skel
Install expect (for mkpasswd)
Set up sudoers to allow staff to create accounts:
## Allow members of the staff group to generate account cards
%staff dsm=/usr/local/sbin/gen-account-cards
## Allow members of the staff group to create accounts
%staff dsm=/usr/local/sbin/create-accounts

Copy all of the files & directories associated with create-accounts. Note that the files in /usr/local/bin, such as create-accounts and gen-account-cards, are wrapper scripts used to call the actual script in /usr/local/sbin, to allow sudo privileges for users in the 'staff' group.
on storm, there is a GUI to change passwords: /usr/local/mydev/bscripts/chpwd/*

Install certbot for the Let's Encrypt SSL certificate and copy the entry for cron to renew the certs.
dnf install certbot

For erdos with ext4 file system:
  in fstab, turn on quotas and ACLs:
   /home/users             ext3    exec,nosuid,rw,usrquota,acl 1 2
  then run quotacheck to set up the quota files:
 # quotacheck -c /home/users
  Add dsm's root public key to ~root/.ssh/authorized_keys so that
    edquota can be run remotely from dsm.
  Restore /etc/hangman.conf with line HANGMAN_PORT=9999

For erdos with xfs file system:
in /etc/fstab add quota option:
/dev/mapper/fedora_newerdos-home /home                   xfs  defaults,gquota    1 2  
xfs_quota -xc 'limit -g bsoft=900m bhard=990m students' /home
xfs_quota -xc 'report' /home/
Group quota on /home (/dev/mapper/fedora_newerdos-home)
Group ID         Used       Soft       Hard    Warn/Grace     
---------- -------------------------------------------------- 
root                0          0          0     00 [--------]
students            0     921600    1013760     00 [--------]
localguy           20          0          0     00 [--------]


For erdos:
  Set up web remote desktop with X2Go
dnf install x2goserver

Python 3 
1. Since Python 2 is deprecated, Python 3 should be the default.
2. Download the latest Anaconda Python installer from
3. Install it by running ./ This includes the pandas, numpy, scipy, and matplotlib libraries. Replace YYYY and MM accordingly.
4. Install the following modules/libraries, e.g., pip3 install pandas keras nibabel tensorflow tensorflow-gpu gensim imbalanced-learn mlxtend xgboost seaborn nltk graph-tools graphviz opencv-python mysql-connector-python-rf flask nilearn nibabel xlrd pymc3
5. If the device has a GPU, add tensorflow-gpu
6. Add the path to Anaconda Python 3 in a .sh file in /etc/profile.d, e.g., on storm see /etc/profile.d/

If httpd not installed:
mkdir /var/www 

(For the sake of uniformity, rsnapshot on mandelbrot is configured to
back up this directory on all hosts, and it will report an error
message if the directory does not exist.)


Remove /var/spool/mail and symlink to /local/mail
   Make sure automount is enabled and working right.  (Note autofs is
   not installed by default.  It may get disabled in upgrade.)

Configure sendmail as follows.
1. dnf install sendmail sendmail-cf procmail
2. Edit /etc/mail/
Add the following real time black lists:
FEATURE(`dnsbl', `', `', `"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server " in "')dnl
FEATURE(`enhdnsbl', `', `"Spam blocked see:"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `', `"550 Rejected: IP found in mailspike RBL"')dnl 
FEATURE(`enhdnsbl', `', `"550 Rejected: IP found in RBL"')dnl

For ClamAV:
INPUT_MAIL_FILTER(`clamav-milter', `S=inet:6666@, F=, T=S:4m;R:4m')dnl

For SpamAssassin:
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

    Comment out (by prefixing with dnl)
    i.e. by changing it to read
      dnl FEATURE(always_add_domain)dnl

    Comment out
      DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl

    Comment out

    Comment out

       dnl MASQUERADE_AS(`')dnl

       dnl FEATURE(masquerade_envelope)dnl
    after which, insert the following:
dnl #
dnl # Added by agw (29 Aug 2013) so that recipient addresses are masqueraded
dnl #
FEATURE(`allmasquerade') dnl

3. In /etc/mail directory, do "make".

4. systemctl (re)start sendmail


Arrange for root's mail to be sent to an unprivileged account for

1. Add to /etc/aliases:

# Person who should get root's mail
root:		unclroot

2. Run newaliases


[Optional] in /etc/gdm/custom.conf under [greeter]:


For mandelbrot after fresh install, set up matlab license manager.
Mandelbrot acts as license manager for the lab machines in LL612.
The setup is a network installation.

Check the licensing manager start up script on reboot in /etc/systemd/system/lmgrd.service

systemctl enable yppasswdd
systemctl start yppasswdd
systemctl enable ypxfrd
systemctl start yppasswdd


On non-dsm hosts, set MAIL=/root/mail for root user.  Put the
following into /etc/profile.d/

# Mail spool is nfs mounted; don't want local root logins to hang
# if nfs server is down.  For some reason setting MAILCHECK=-1
# doesn't suppress initial mailcheck, so set MAIL to a local location. -rkm
      if [ `id -u` = "0" ]; then
          export MAIL=/root/mail
      fi


Configure printers:
systemctl enable cups
systemctl start cups
-For HP desktop printers install these 2 packages: dnf install hplip hplip-gui
-make sure to add the printer in Make and Model field if uses system-config-printer, "raw data" will not interpret Unix carriage returns
-see, change ErrorPolicy retry-job in /etc/cups/printers.conf and set JobRetryInterval 3 JobRetryLimit 3 in /etc/cups/cupsd.conf

ps610-c     # HP color laser in 610 hallway had to use Fordham IP not CIS
ps612       # printer in back corner
ps813 ps813-s     # HP laserjet in 813 in front of Eliane, only in emergency
# ps812     # HP laserjet in 601, USB as there’s no free Ethernet port
# ps824-c # HP color laser in 824 Mary Hamilton's only print if emergency

To add Canon Uniflow printers/copiers to Fedora, see for tips.
For the 3550i on the 6th floor, download the Linux driver from Canon's Australia web site, as the USA web site (as of late 2019) did not have updated Linux drivers:
Run tar -xvf (as of 2019 the filename was linux-UFRII-drv-v500-uken-06.tar.gz), cd into the directory and run the script, and say yes to all prompts.
Run the following command remembering to change the username to your Fordham Access ID login name, i.e., the left side of
/usr/sbin/lpadmin -p FordhamSecurePrint -E -v lpd:// -D "FordhamSecurePrint"
Run system-config-printer and in the Make and Model field click Change, and find and select "Canon iR-ADV C3530 C3525/3530 III UFR II [en]". This might change if/when the copier is replaced.

==========

Create symlinks /usr/local.dsm et al, e.g.
/usr/local.dsm -> /local/dsm/

==========

Install iptables-setup from ~moniot/src/sysadmin/scripts/ into /usr/local/sbin.

==========

For upgrade or install:

Turn off selinux: edit /etc/selinux/config:
SELINUX=disabled
For immediate effect use
setenforce 0

==========

Set up symlinks to custom texlive:
ln -s /usr/local.dsm/tex /usr/local/tex
ln -s /usr/local/tex/${RELEASE}/bin/${ARCH}-linux/* /usr/local/bin
where RELEASE is the latest version and ARCH is i386 or x86_64.

For dsm:
ln -s /usr/local.dsm/texlive/2007 /usr/local.dsm/tex

==========

If latex2html is installed, fix /usr/share/latex2html/, removing -Ppdf flag from this line, so it looks like this:
$DVIPSOPT = ' -E';

==========

To disable the user list from appearing in the GDM login screen create a file named /etc/dconf/profile/gdm and add the following lines:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults

gdm is the name of a dconf database.
Create a gdm keyfile for machine-wide settings in /etc/dconf/db/gdm.d/00-login-screen with the following lines:
[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true

Update the system databases by running:
dconf update

========

Install Weka
dnf install weka
-Create a desktop shortcut in /usr/share/local/applications, along with an icon.
A sample weka.desktop file looks like this, just match the paths to Weka and the Icon:
cat /usr/share/applications/weka.desktop
[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=Weka
Comment=Weka Application
Exec=java -jar /usr/local/bin/weka-3-8-2/weka.jar
Icon=/usr/local/bin/weka-3-8-2/weka.ico
Terminal=false

==========

For any computers with access from outside Fordham's network install fail2ban:
dnf install fail2ban
copy the /etc/fail2ban/jail.local file from a working computer
systemctl enable fail2ban
systemctl start fail2ban

Install the script from
sudo wget
sudo chmod 755
sudo nano
Look for _keyservice= and add 9f0f68f96dad4815715b22bd260eaa90bc3be9af
Type the following to run the script:
sudo ./
(ignore the syntax error/invalid number of lines)
The script populates the /etc/hosts.deny
Copy the script to /usr/local/bin and add it to cron to run nightly

Install a script called sync-blocklist from that blocks IPs reported to the well-known reporting service. It runs via /etc/cron.daily

===========

Install mongodb Community Edition, check for latest version:
cat << EOL > /etc/yum.repos.d/mongodb-org-3.4.repo
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=
gpgcheck=1
enabled=1
gpgkey=
EOL

dnf install -y mongodb-org
systemctl enable mongod.service
systemctl start mongod.service
systemctl status mongod.service

As of March 2018 there are errors on startup such as
Failed to start High-performance, schema-free document-oriented database.
Try the following commands:
mkdir -p /var/run/mongodb/ ; chown -R mongod:mongod /var/run/mongodb/
Also check permissions in /var/lib/mongo, owner & group should be mongod:mongod.
You may need to delete a lock file if someone had installed another version or via a tar package:
sudo rm /tmp/mongodb-*.sock

==========

To remove Qualys entries from root's history command add this to ~/.bashrc:
export HISTIGNORE=*QUALYS*:*ORIG_PATH*:echo\ *TEST*

To increase the history command's saved number of commands add this to ~/.bashrc:
HISTSIZE=2000
HISTFILESIZE=3000

===========

To get Dell EMC OpenManage Server Administrator (OMSA) working on Fedora see
Dell does NOT officially support Fedora.
-Download the os-dependent RPMS from, as of this writing, it's Red Hat 8
-Several dependencies may be missing, install the following: openwsman-server libxml2 syscfg net-snmp
-Search for the current RPM of libwsman1 changing xx to the respective version of Fedora
-If SELinux is disabled skip srvadmin-selinux*
-Confirm these symbolic links are in place, noting the versions will be different:
lrwxrwxrwx 1 root root 13 Dec 24 2019 /opt/dell/srvadmin/lib64/ ->
lrwxrwxrwx 1 root root 21 Dec 24 2019 /opt/dell/srvadmin/lib64/ ->
-rw-r--r-- 1 root root 2521032 Dec 24 2019 /opt/dell/srvadmin/lib64/
-Start OMSA with /opt/dell/srvadmin/sbin/ start
As long as systemctl status shows running on these 3:
dsm_sa_eventmgrd.service
dsm_sa_snmpd.service
dsm_om_connsvc.service
systemctl status instsvcdrv.service will show failed with:
instsvcdrv.service: Control process exited, code=exited, status=155/n/a
-Wait a few minutes and open a browser on the server and visit