Centos5
From Rivalug Wiki
Centos 5.5 Desktop on x86_64
[edit] References
[edit] Release Notes
Known Issues, including some during upgrades from 5.2 to 5.3
- http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.3/#head-198f803bc13b52348780db429ae42e0daf82282b
[edit] Updating
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.4
yum clean all
yum update glibc\*
yum update yum\* rpm\* python\*
yum clean all
yum update
shutdown -r now
[edit] Hardening
- http://wiki.centos.org/HowTos/OS_Protection
- http://www.techotopia.com/index.php/Security%2B_Essentials
- http://www.bofh-hunter.com/2009/07/09/hardening-centos/
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
- http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html/Security_Guide/index.html
[edit] Improved password hashes
authconfig --passalgo=sha512 --update
[edit] Logging
Replace syslog with rsyslog to allow for remote encrypted logging.
Adjust /etc/logrotate.conf so that log files are kept longer and use the date as the extension ( enable "dateext" in /etc/logrotate.conf ).
[edit] ntp
[edit] rsyslog
yum install rsyslog
service syslog stop
service rsyslog start
chkconfig rsyslog on
chkconfig --level 12345 syslog off
/etc/rsyslog.conf
Note: The rsyslog.conf as presented below may no longer be necessary due to recent changes in the rsyslog package.
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log dropped packets from iptables
kern.warning /var/log/iptables.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;!warning /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
[edit] system logging
yum install sysstat
[edit] process accounting
yum install psacct
http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html
[edit] yum-security
Shows package updates that are security related ( and not bug fixes or )
yum install yum-security
[edit] umask
Summary: The default directory permissions are 777 and the default file permissions are 666 unless a umask is specified. The umask alters these via octal subtraction: default permissions - umask = resulting permissions. These changes make it so that system users ( like root ) have default files of 600 and default directories 700, non system users have default files of 660 and default directories of 770.
For services, edit /etc/rc.d/init.d/functions and change
umask 022
to
umask 027
Reference: CIS 8.13
edit
/etc/profile /etc/csh.login
append to <file>
umask 077
chmod 444 <file>
edit
/etc/bashrc /etc/csh.cshrc
change in <file> umask 022 to 077 and umask 002 to 007
chmod 444 <file>
edit
/root/.bash_profile /root/.bashrc /root/.cshrc /root/.tcshrc
append to <file> umask 077
SL notes that this may result in a warning message during the upgrade of some packages.
References: CIS 8.10, SL 2.4.5
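An added example, not part of the original wiki page: a POSIX shell check that the files edited in this section carry a umask at least as strict as the one asked for. The function names are assumptions made for illustration; the first function shows that the umask is applied as a bit mask (mode AND NOT umask), which is why 666 with umask 077 gives 600.

```sh
#!/bin/sh
# Added example (not from the wiki page). Function names are illustrative.

# effective_mode BASE UMASK: mode a new object gets, e.g. 666 077 -> 600.
# The umask clears bits: result = BASE AND NOT UMASK.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# umask_at_least FOUND REQUIRED: true when FOUND clears every bit REQUIRED clears.
umask_at_least() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# audit_umask REQUIRED FILE...: report active "umask NNN" lines weaker than
# REQUIRED. Returns 1 if any weak setting was found, 0 otherwise.
audit_umask() {
    required=$1
    shift
    weak=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # The pattern is anchored, so commented-out umask lines are skipped.
        for m in $(sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-7][0-7]*\).*/\1/p' "$f"); do
            if ! umask_at_least "$m" "$required"; then
                echo "WEAK $f: umask $m (want at least $required)"
                weak=1
            fi
        done
    done
    return $weak
}

# Values from this section: services use 027.
effective_mode 666 027    # files created by services
effective_mode 777 027    # directories created by services

# On a real system (paths from this section):
#   audit_umask 077 /etc/profile /etc/csh.login /root/.bash_profile /root/.bashrc
#   audit_umask 007 /etc/bashrc /etc/csh.cshrc
```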
[edit] ICMP timestamp requests
[edit] tcpwrappers
hosts.deny
% EXPANSIONS
The following expansions are available within shell commands:
%a (%A) The client (server) host address.
%c Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.
%d The daemon process name (argv[0] value).
%h (%H) The client (server) host name or address, if the host name is unavailable.
%n (%N) The client (server) host name (or "unknown" or "paranoid").
%p The daemon process id.
%s Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.
%u The client user name (or "unknown").
%% Expands to a single '%' character.
Characters in % expansions that may confuse the shell are replaced by underscores.
sshd: ALL: spawn (echo "Attempt from %h %a to %d at `date` by %u" | tee -a /var/log/sshd.log)
ALL:ALL: spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied"\
 | /bin/mail -s "%c denied to %s" root ) &
[edit] ssh
sshd_config
Protocol 2
PermitRootLogin no
Banner /etc/issue.net
ssh_config
Protocol 2
HashKnownHosts yes
- http://wiki.centos.org/HowTos/Network/SecuringSSH
- http://www.vitalvector.com/blog/2009/02/ssh-tip-hash-known-hosts.html
[edit] iptables
These files increase the protection above the default iptables files. They also include various options for common holes and enable logging of dropped packets.
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
## persistent blacklist
## packets dropped here are not logged
# common network broadcasts which can be ignored
-A RH-Firewall-1-INPUT -p udp -m udp -s <non-authoritative ntp> --dport 123 -j DROP
# windows file sharing
-A RH-Firewall-1-INPUT -p udp -m udp -s <windoze machine> --dport 137:138 -j DROP
# ipv4 dhcp server
-A RH-Firewall-1-INPUT -p udp -m udp -d 255.255.255.255 --dport 67 -j DROP
#
# Microsoft Office OS X antipiracy broadcasts
#-A RH-Firewall-1-INPUT -p udp -m udp -d 255.255.255.255 --dport 2222 -j DROP
#-A RH-Firewall-1-INPUT -p udp -m udp -d 255.255.255.255 --dport 2223 -j DROP
# dropbox lansync
-A RH-Firewall-1-INPUT -p udp -m udp --sport 17500 --dport 17500 -j DROP
# loopback - never block
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# trusted interface
#-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
# vpn access
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# zero-networking configuration
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# cups
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# disable ICMP timestamp requests and responses
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-request -j DROP
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-reply -j DROP
# accept all other pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#web
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#ntp
-A RH-Firewall-1-INPUT -m udp -p udp -s <authoritative_ntp_server> --sport 123 -d 0/0 --dport 123 -j ACCEPT
#-A RH-Firewall-1-INPUT -m udp -p udp -s <authoritative_ntp_server> --sport 123 -d 224.0.1.1/32 --dport 123 -j ACCEPT
# nfs v4
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -s <NFS_SERVER> -j ACCEPT
# log all dropped packets
-A RH-Firewall-1-INPUT -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv4 LOG " --log-level 4
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[edit] ip6tables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
## ipv6 dhcp broadcast (needs fixing)
##-A RH-Firewall-1-INPUT -p udp -m udp -d ff02:0000:0000:0000:0000:0000:0001:0002 --dport 547 -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 547 -d ff02::1:2 -j DROP
## ipv6 LLMNR - Link Local Multicast Name Resolution - a Microsoft thing
-A RH-Firewall-1-INPUT -p udp --dport 5355 -d ff02::1:3 -j DROP
# ipv6 mDNS broadcasts
# http://forums.fedoraforum.org/archive/index.php/t-148198.html
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
##-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
##-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
##-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
##-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
##-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
##-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
##-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv6 LOG " --log-level info
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
[edit] handling firewall logging
- Enable logging in iptables and ip6tables (see above)
edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables
- Send logging to different log file
edit /etc/rsyslog.conf or /etc/syslog.conf
# Log dropped packets from iptables
kern.warning /var/log/iptables.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;!warning /var/log/messages
touch /var/log/iptables.log
chmod 600 /var/log/iptables.log
service rsyslog restart
- Enable log rotation on new file
create /etc/logrotate.d/iptables
/var/log/iptables.log {
missingok
notifempty
create 0600 root root
}
- Logwatch
- Ossec
- Psad
References:
- http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
- http://www.linuxtopia.org/Linux_Firewall_iptables/x4238.html
- http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
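An added example, not part of the original wiki page: a POSIX shell triage of the lines written by the LOG rules above, keyed on the " IPv4 LOG " and " IPv6 LOG " prefixes. The function names are assumptions and the sample log lines are constructed and abbreviated; because the LOG rules are rate limited (5/m, burst 20), every count is a lower bound.

```sh
#!/bin/sh
# Added example (not from the wiki page). Function names are illustrative.

# summarize_drops: stdin = syslog lines; stdout = "count src proto dport",
# busiest first. dport stays "-" for protocols without ports (e.g. ICMP).
summarize_drops() {
    awk '
    / IPv[46] LOG / {
        src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# scan_suspects MIN: sources logged against at least MIN distinct destination
# ports, printed as "src distinct_ports". A crude port-scan indicator.
scan_suspects() {
    awk -v min="$1" '
    / IPv[46] LOG / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src]++
        }
    }
    END { for (s in ports) if (ports[s] >= min + 0) print s, ports[s] }' |
    LC_ALL=C sort
}

# Constructed, abbreviated sample lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Feb  1 09:12:26 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Feb  1 09:12:29 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Feb  1 09:12:35 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Feb  1 09:13:01 host1 sshd[2210]: Accepted publickey for admin from 198.51.100.9 port 50022 ssh2
Feb  1 09:14:10 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=51515 DPT=21 SYN URGP=0
Feb  1 09:14:10 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=51515 DPT=25 SYN URGP=0
Feb  1 09:14:11 host1 kernel:  IPv4 LOG IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=51515 DPT=3306 SYN URGP=0
Feb  1 09:15:42 host1 kernel:  IPv6 LOG IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 PROTO=UDP SPT=40100 DPT=161 LEN=40
EOF
}

sample_log | summarize_drops
sample_log | scan_suspects 3
```

The IPv6 rule logs at level info, which the kern.warning selector does not match, so feed the functions whichever file receives those lines as well as /var/log/iptables.log.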
[edit] grub password
[edit] integrity checking with aide
originally from: http://www.bofh-hunter.com/2008/04/10/centos-5-and-aide/
now only available in the wayback machine: http://web.archive.org/web/20080607135647/http://www.bofh-hunter.com/2008/04/10/centos-5-and-aide/
Procedure:
Create database:
/usr/sbin/aide --init
Check database:
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
/usr/sbin/aide --check
AIDE, version 0.13.1
### All files match AIDE database. Looks okay!
Check via cron:
0 8 * * * /usr/sbin/aide --check | /bin/mail -s "Daily Aide Data" address@host.com
enable automatic checking with logrotate
create /etc/logrotate.d/aide-check
/var/lib/aide/aide.db.gz {
# rotate files weekly
weekly
# keep 12 weeks
rotate 12
# compress log files after next-to-last
compress
delaycompress
# use date as a suffix of the rotated file
dateext
postrotate
/usr/sbin/aide --init
cp -fpd /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
endscript
}
Errors when using aide and selinux disabled: http://bugs.centos.org/view.php?id=1973
Workaround: http://www.mail-archive.com/aide@cs.tut.fi/msg01333.html
[edit] 3rd Party Repositories
yum install yum-priorities yum-security yum-downloadonly yum-utils yum-fastestmirror
Repositories listed in order of reliability:
[edit] continuous release
yum install centos-release-cr
[edit] epel
Install Key:
rpm --import http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
Verify repository package: you should get "(sha1) dsa sha1 md5 gpg OK"
wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -K ./epel-release-5-4.noarch.rpm
Install Repository:
rpm -Uvh ./epel-release-5-4.noarch.rpm
[edit] adobe
- http://get.adobe.com/flashplayer/
- proprietary linux flash plugin and linux acrobat
- download adobe-release-i386-1.0-1.noarch.rpm
rpm -Uvh adobe-release-i386-1.0-1.noarch.rpm
Jump to the Flash section to learn to install Adobe Flash plugin: http://wiki.rivalug.org/index.php/Centos5#Flash
[edit] rpmforge
- http://rpmforge.net/
- http://apt.sw.be/redhat/el5/en/
- http://wiki.centos.org/AdditionalResources/Repositories/RPMForge#head-5aabf02717d5b6b12d47edbc5811404998926a1b
Installing repository:
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
rpm -K ./rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
rpm -Uvh ./rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
[edit] rpmfusion
Install epel and enable epel-testing at this time. Most packages are still in rpmfusion testing repository
rpm --import
rpm -ivh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm
rpm -ivh http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm
[edit] El Repo
[edit] IUS
The IUS Community Project is aimed at providing up to date and regularly maintained RPM packages for the latest upstream versions of PHP, Python, MySQL and other common software specifically for Redhat Enterprise Linux. IUS can be thought of as, “A better way to upgrade RHEL” when you really need to.
The IUS Community Project is a brain child of the RPM Development Team at Rackspace Hosting. Since 2006, we have provided and maintain packages for the latest versions of PHP/MySQL and other common software on Red Hat Enterprise Linux, because a lot of our customers strongly demand it. Internally we maintain a number of package sets for an audience of thousands of production servers. Until now, these packages have only been available internally to Rackspace customers. After a while we started thinking, “Why not make this available publicly for everyone to benefit?”.
[edit] Atomicorp
originally Atomic Rocket Turtle
- aimed at servers, primarily for web hosting
[edit] atrpms
/etc/yum.repos.d/atrpms.repo
[atrpms-stable]
name=RedHat Enterprise $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
        http://www.mirrorservice.org/sites/download.atrpms.net/el$releasever-$basearch/atrpms/stable/
        http://mirrors.ircam.fr/pub/atrpms/el$releasever-$basearch/atrpms/stable/
        http://ftp-stud.fht-esslingen.de/atrpms/dl.atrpms.net/el$releasever-$basearch/atrpms/stable/
        http://fedora.univ-nantes.fr/dl.atrpms.net/el$releasever-$basearch/atrpms/stable/
        http://wftp.tu-chemnitz.de/pub/linux/ATrpms/el$releasever-$basearch/atrpms/stable/
failovermethod=priority
enabled=1
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
protect=0
[edit] karan
appears to have no major packages for rhel5 at this time
cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
wget http://centos.karan.org/kbsingh-CentOS-Misc.repo
add "protect=0" to these repositories
rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
Also read: http://www.karan.org/blog/
[edit] jpackage
[edit] future
RPMrepo: http://rpmrepo.org/ - merger of rpmforge and atrpms
RPMfusion: http://rpmfusion.org/ - merger of livna, freshrpms, and dribble
- http://mirror.liberty.edu/pub/rpmfusion/free/el/updates/testing/5/x86_64/repoview/
- http://mirror.liberty.edu/pub/rpmfusion/nonfree/el/updates/testing/5/x86_64/repoview
[edit] other
jason litka
[edit] Sensors & Controls
[edit] lm_sensors
Installation
yum install lm_sensors
Configuration
/usr/sbin/sensors-detect
/etc/sensors.conf
/etc/sysconfig/lm_sensors
/etc/modprobe.conf
Problems & Upgrade
- http://www.centos.org/modules/newbb/viewtopic.php?topic_id=15892
- http://atrpms.net/dist/el5/lm_sensors/
- http://www.nodeofcrash.com/?p=71
[edit] hddtemp
Installation
yum install hddtemp
Configuration /etc/sysconfig/hddtemp
HDDTEMP_OPTIONS="-l 127.0.0.1 --syslog=900 /dev/sda /dev/sdb /dev/sdc"
This logs the drive temperatures for 3 drives every 15 minutes ( i.e. 900 seconds ).
[edit] cpuspeed
http://www.carlthompson.net/Software/CPUSpeed
Requires a laptop cpu that is capable of scaling.
A CPU capable of scaling its frequency and / or voltage. Many modern mobile CPUs found in laptop computers can do this, including the Mobile AMD Athlon 64, Mobile AMD Athlon XP-M, the Intel Pentium 4M, the Intel Centrino, Mobile AMD Sempron, Mobile AMD Turion 64 and the Transmeta Crusoe. (Note that some laptop computers may actually have desktop CPUs which are not capable of scaling. These CPUs cannot be used and should be avoided when purchasing a new laptop computer.)
[edit] smartd
[edit] apcupsd
- non APC systems, use nut
http://www.networkupstools.org/
- Communication with APC battery backup system. Allow controlled shutdown in the event of power failure.
http://www.apcupsd.org/manual/manual.html#testing-apcupsd
- Email notification
http://www.asylumnation.com/asylum/_r/showthread/threadid_44315/index.html
[edit] Hints to making a minimal install
[edit] Package Tricks
[edit] showing package architecture
RPM multiarch support on 64-bit platforms (x86_64, ppc64)
RPM supports parallel installation of multiple architectures of the same package.
A default package listing such as rpm -qa might appear to include duplicate packages,
since the architecture is not displayed. Instead, use the repoquery command,
part of the yum-utils package, which displays architecture by default.
To install yum-utils, run the following command:
su -c 'yum install yum-utils'
To list all packages with their architecture using rpm, run the following command:
rpm -qa --queryformat "%{name}-%{version}-%{release}.%{arch}\n"
You can add this to /etc/rpm/macros (for a system wide setting)
or ~/.rpmmacros (for a per-user setting).
It changes the default query to list the architecture:
%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}
[edit] generating package lists, comparisons
To have server2 packages match server1 packages
rpm -qa --queryformat='%{NAME}.%{arch}\n' | sort > server1.txt
rpm -qa --queryformat='%{NAME}.%{arch}\n' | sort > server2.txt
diff server1.txt server2.txt > diff.txt
cat diff.txt | grep '<' | sed s/'<'// > install-list.txt
<manually edit install-list as needed>
yum install $(cat install-list.txt)
possibly:
cat diff.txt | grep '>' | sed s/'>'// > remove-list.txt
<manually edit remove-list to make sure it doesn't remove any necessary packages, like the kernel>
yum remove $(cat remove-list.txt)
[edit] filesystems
[edit] ntfs
http://wiki.centos.org/TipsAndTricks/NTFS
enable rpmforge
[edit] ext4
ext4 filesystem was included in Centos 5.4 as a technology preview. In Centos 5.6 it was fully supported by including the e4fsprogs package.
mount -t ext4 -o ro /dev/sda1 /mnt/disk
[edit] sshfs
enable epel
yum install fuse-sshfs
[edit] selinux
[edit] creating policy example: psad
- audit2allow
- http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
- http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
- http://danwalsh.livejournal.com/
- https://bugzilla.redhat.com/show_bug.cgi?id=476673
After installing psad, I discovered that part of its process was blocked by selinux; the following was how it was allowed:
# grep psad audit.log
type=AVC msg=audit(1233479546.386:28603): avc: denied { read write } for pid=1796 comm="syslogd" name="psadfifo" dev=dm-3 ino=327729 scontext=system_u:system_r:syslogd_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=fifo_file
type=AVC msg=audit(1234634214.100:42384): avc: denied { write } for pid=24391 comm="iptables" path="/var/log/psad/psad.iptout" dev=dm-3 ino=426019 scontext=user_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
# audit2allow -a avc: denied { read write } for pid=1796 comm="syslogd" name="psadfifo" dev=dm-3 ino=327729 scontext=system_u:system_r:syslogd_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=fifo_file
#============= ifconfig_t ==============
allow ifconfig_t initrc_tmp_t:file append;
#============= iptables_t ==============
allow iptables_t var_log_t:file write;
#============= named_t ==============
allow named_t named_zone_t:dir write;
#============= ndc_t ==============
allow ndc_t crond_t:fifo_file read;
#============= syslogd_t ==============
allow syslogd_t var_lib_t:fifo_file { read write };
# audit2allow -a avc: denied { write } for pid=24391 comm="iptables" path="/var/log/psad/psad.iptout" dev=dm-3 ino=426019 scontext=user_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
#============= ifconfig_t ==============
allow ifconfig_t initrc_tmp_t:file append;
#============= iptables_t ==============
allow iptables_t var_log_t:file write;
#============= named_t ==============
allow named_t named_zone_t:dir write;
#============= ndc_t ==============
allow ndc_t crond_t:fifo_file read;
#============= syslogd_t ==============
allow syslogd_t var_lib_t:fifo_file { read write };
- http://trac.cipherdyne.org/trac/psad/browser/psad/trunk/selinux/psad.te?rev=2249
- http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/sec-sel-use-audit2allow.html
checkmodule -M -m -o psad.mod psad.te
semodule_package -o psad.pp -m psad.mod
semodule -i psad.pp
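An added example, not part of the original wiki page and not the audit2allow implementation: a POSIX shell sketch of how the AVC fields above map onto allow rules, and of why filtering the log for psad first keeps unrelated domains (ifconfig_t, named_t, ndc_t in the output above) out of the resulting module. The function names are assumptions; the first two sample lines are the ones shown above and the third is constructed.

```sh
#!/bin/sh
# Added example (not from the wiki page). Function names are illustrative.

# avc_to_allow: stdin = audit.log lines; stdout = one allow rule per
# (source type, target type, class), with permissions merged and sorted.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # keep text after "{"
        sub(/ *[}].*$/, "", perms)      # keep text before "}"
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # the SELinux type is the third colon-separated context field
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "") next
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) print s, t, c, p[j]
    }' | LC_ALL=C sort -u | awk '
    function flush() {
        if (key != "")
            print "allow " key " " (n > 1 ? "{ " list " }" : list) ";"
    }
    {
        k = $1 " " $2 ":" $3
        if (k != key) { flush(); key = k; list = $4; n = 1 }
        else          { list = list " " $4; n++ }
    }
    END { flush() }'
}

# Lines 1-2 are the denials shown above; line 3 is constructed to stand in
# for an unrelated denial that "audit2allow -a" would also pick up.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1233479546.386:28603): avc: denied { read write } for pid=1796 comm="syslogd" name="psadfifo" dev=dm-3 ino=327729 scontext=system_u:system_r:syslogd_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=fifo_file
type=AVC msg=audit(1234634214.100:42384): avc: denied { write } for pid=24391 comm="iptables" path="/var/log/psad/psad.iptout" dev=dm-3 ino=426019 scontext=user_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1234634300.200:42400): avc: denied { write } for pid=2101 comm="named" name="named" dev=dm-3 ino=100 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
EOF
}

# Whole log: three rules, one of them unrelated to psad.
sample_audit | avc_to_allow
# Filtered first, as with "grep psad audit.log": only the two psad rules remain.
sample_audit | grep psad | avc_to_allow
```

Reviewing the generated rules before running checkmodule matters because each one widens what a whole domain may do, not just what psad needs.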
[edit] Multimedia
[edit] Flash
(this section has conflicting information and needs to be edited)
Install 32bit stable flash player from adobe linux repository
http://get.adobe.com/flashplayer/
Select "RPM for Linux"
Download and install RPM, then:
yum install flash-plugin nspluginwrapper
Install 64bit experimental flash player from adobe labs
Verify by going to: http://www.adobe.com/software/flash/about/
rpm -ivh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
- 32 bit flash player on 64 bit Centos.
Note: in addition to the 4.5 Mb for the flash plugin, 44 Mb of 32 bit libraries and dependencies are needed.
yum install flash-plugin nspluginwrapper alsa-utils.i386 \
    sox.i386 vorbis-tools.i386 curl.i386 alsa-utils.x86_64 \
    sox.x86_64 vorbis-tools.x86_64 curl.x86_64
Warning: sometimes Adobe Reader for linux shows up as a dependency, it is not. Try "yum clean all" and try again.
Other References:
[edit] Java
Oracle Java download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html
(this section has conflicting information and needs to be edited)
Open source Java is contained within the centos repository. If not installed follow the directions here:
While openjdk will handle most java programming and java applications, there are situations that require authentic Sun Java. There are several methods to install Sun ( and IBM ) Java under Centos and they are covered here:
However, I've had success with a method similar to the one described here: http://fedorasolved.org/browser-solutions/java-i386
I don't remove openjdk. There is a way to keep both and have individual users choose which one they'd like to use.
1. install compat libraries, run ldconfig
2. download Linux x86-64 Java JDK from Sun in bin, not rpm format. This should be around 80 Mb.
3. execute the bin file to unpack its contents, as root, move the resulting directory to /usr/local/, then create symlinks for jdk and jre
sh ./jdk-6u21-linux-x64.bin
mv jdk1.6.0_21 /usr/local/
cd /usr/local
ln -s ./jdk1.6.0_21 ./jdk
ln -s ./jdk/jre ./jre
4. create /etc/profile.d/java.sh
cat <<EOF>> /etc/profile.d/java.sh
export JAVA_HOME=/usr/local/jre
export PATH=\$JAVA_HOME/bin:\$PATH
EOF
source /etc/profile.d/java.sh
5. Use alternatives command to set up multiple java installs Read:
/usr/sbin/alternatives --install /usr/bin/java java /usr/local/jre/bin/java 2
/usr/sbin/alternatives --config java
/usr/sbin/alternatives --display java
sed -i 's/XINERAMA/FAKEEXTN/g' /usr/local/jre/lib/i386/xawt/libmawt.so
6. Java browser plugin
Java plugin for web browsers is not available from the centos repository, you'll need to install Sun Java.
http://wiki.centos.org/TipsAndTricks/PluginsFor64BitFirefox
ln -s /usr/local/jre/lib/amd64/libnpjp2.so /usr/lib64/mozilla/plugins/
[edit] mplayer
mplayer plugin
mplayer mplayerplug-in mplayer-skins
Get codecs
http://www.mplayerhq.hu/MPlayer/releases/codecs/
http://www.mplayerhq.hu/MPlayer/releases/codecs/all-20110131.tar.bz2
Download: http://www.mplayerhq.hu/MPlayer/releases/codecs/all-20071007.tar.bz2
mkdir -p /usr/local/lib/codecs
tar -jxvf all-20071007.tar.bz2 --strip-components 1 -C /usr/local/lib/codecs/
cd /usr/lib/codecs
find ../../local/lib/codecs/ -exec ln -s {} \;
[edit] vlc
videolan client
For CentOS it is only available from rpmforge, and only as VLC 0.9, due to the CentOS Qt version.
vlc
[edit] skype
http://forum.skype.com/index.php?showforum=18
[edit] codecs
gstreamer codecs dvd player
[edit] Codeweavers
http://www.codeweavers.com/products/cxlinux/
Provides a Windows compatibility layer (WINE) to allow certain Windows applications to run under Linux.
[edit] Konqueror
Sometimes it's handy to have another web browser installed other than firefox. Konqueror, the web browser developed for KDE, will be installed when the kdebase package is installed. If you don't have KDE installed, expect many dependencies.
[edit] Video Drivers
With nVidia and ATI proprietary drivers on Centos, I've found the most reliable method to install is to download and use their respective install scripts from their manufacturers. I've now found the ATI drivers to be just as reliable as the nVidia ones.
[edit] Proprietary nVidia Drivers
- http://www.nvidia.com/object/unix.html
- http://www.mjmwired.net/resources/mjm-fedora-nvidia.html - for fedora but includes important information about cards and driver selection
- http://elrepo.org/tiki/kmod-nvidia
[edit] Proprietary ATI Drivers
AMD/ATI proprietary linux drivers in the past were problematic, but if using them on recent AMD/ATI cards they are now stable.
- http://support.amd.com/us/gpudownload/Pages/index.aspx
- http://ati.amd.com/products/catalyst/linux.html
- http://www.fedorafaq.org/#radeon - for fedora but has some useful information
- http://www.centos.org/modules/newbb/viewtopic.php?topic_id=18281&forum=39 - creating rpm from ati installer plus other interesting stuff
- http://www.centos.org/modules/newbb/viewtopic.php?post_id=77567&topic_id=20234
