← Back to DevBytes

Fedora Server Setup: From Installation to Production

Understanding Fedora Server

What Is Fedora Server?

Fedora Server is a community-driven, freely available Linux operating system built specifically for server workloads. It provides a minimal, flexible foundation designed to run services, containers, and virtual machines without the overhead of a graphical desktop environment. Fedora Server ships with the latest stable open-source technologies, including the newest Linux kernels, systemd, SELinux, firewalld, and Podman.

Unlike Fedora Workstation, which targets desktop users, Fedora Server focuses on headless operation, remote management via Cockpit, and streamlined service deployment. The distribution uses the standard dnf package manager and RPM packages from the Fedora repositories, with fast access to upstream innovations through a six-month release cycle.

Why Choose Fedora Server for Production?

Fedora Server is an excellent choice for production environments that demand modern tooling, strong security defaults, and container-native capabilities. Key advantages include:

Preparing for Installation

🚀 Deploy your AI agent in 10 minutes

Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.

Try it free →

Downloading the ISO

Begin by downloading the official Fedora Server installation image. Choose the standard ISO for interactive installation or the netinstall ISO for minimal, network-based deployment.

# Download the latest stable Server ISO (example for Fedora 39)
curl -O https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/x86_64/iso/Fedora-Server-dvd-x86_64-39-1.5.iso

Verify the integrity of the downloaded image using the checksum file and signed signature available on the same mirror.

# Verify SHA256 checksum
sha256sum -c Fedora-Server-39-1.5-x86_64-CHECKSUM

Installation Methods

You can deploy Fedora Server in several ways:

Step-by-Step Installation

Booting and Initial Setup

Burn the ISO to a USB drive or mount it as a virtual DVD in your hypervisor. Boot the system and select Install Fedora Server from the menu. The installer will load and present a text-based wizard.

Choose your language and keyboard layout, then proceed to the Installation Summary screen. Here you configure timezone, network, storage, and root password before the actual installation begins.

Partitioning and Storage

Select the destination disk and choose between automatic partitioning or custom layout. For production servers, a custom layout is recommended to separate system, data, and log partitions.

# Example manual partitioning using LVM
/boot     - 1 GB ext4
/         - 20 GB xfs on LVM
/var      - 10 GB xfs on LVM (separate for logs and databases)
/home     - remaining space xfs on LVM

Ensure you leave enough space for swap or configure a swap file later. After partitioning, confirm the changes and proceed.

Network Configuration

In the network section, enable the desired interface and configure a static IP if necessary. For headless servers, set the hostname now, as it will be used by Cockpit and service discovery.

# Example static IP configuration during installation
Interface: eth0
IPv4 Address: 192.168.1.100/24
Gateway: 192.168.1.1
DNS: 8.8.8.8, 8.8.4.4
Hostname: srv-prod-01.example.com

User and Root Password

Set a strong root password and create an administrative user account. Check the box Make this user administrator to grant sudo privileges without needing the root password for daily operations.

Post-Installation Essentials

System Update and Package Management

After the first boot, apply all available updates immediately. Fedora’s package manager dnf handles RPMs with dependency resolution and supports delta updates to minimize download size.

# Update all packages and reboot if kernel was updated
sudo dnf update -y
sudo systemctl reboot

Install essential tools for server management:

sudo dnf install -y vim htop curl wget git tmux screen rsync policycoreutils-python-utils

Enabling Cockpit Web Console

Cockpit provides a real-time, browser-based management interface for the server. It is pre-installed on Fedora Server but the socket needs to be enabled.

# Enable and start the Cockpit service
sudo systemctl enable --now cockpit.socket

# If the server has a firewall, open port 9090
sudo firewall-cmd --add-service=cockpit --permanent
sudo firewall-cmd --reload

Now access Cockpit at https://your-server-ip:9090. Log in with your administrative user credentials. From here you can manage storage, networking, containers, virtual machines, and terminal sessions.

Firewall Configuration with firewalld

Fedora Server uses firewalld as its default firewall, with a zone-based model. The public zone is active by default and blocks incoming traffic except for SSH and Cockpit (if enabled).

# Check active zones and services
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-services

# Open HTTP and HTTPS services
sudo firewall-cmd --add-service=http --add-service=https --permanent
sudo firewall-cmd --reload

# Open a custom port (e.g., 8080 for a Node.js app)
sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

SELinux Management

SELinux is in enforcing mode by default. It confines services and reduces the impact of exploits. Use semanage and restorecon to adjust policies when needed, but never disable SELinux on a production server.

# Check SELinux status
getenforce

# Temporarily switch to permissive for troubleshooting (will revert on reboot)
sudo setenforce 0
# Re-enable enforcing
sudo setenforce 1

# List SELinux context of a directory
ls -Z /var/www

# Allow Apache to serve content from a custom directory
sudo semanage fcontext -a -t httpd_sys_content_t "/custom/web(/.*)?"
sudo restorecon -R /custom/web

SSH Hardening

Secure the SSH daemon before exposing the server to the internet. Edit /etc/ssh/sshd_config with these minimal changes:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes

# Restrict allowed users
AllowUsers admin alice bob

After editing, reload the SSH service:

sudo systemctl reload sshd

Setting Up Core Services

Web Server (Apache/Nginx)

Install and configure a web server. The example uses Nginx, which is available in the Fedora repositories.

# Install Nginx
sudo dnf install nginx -y

# Enable and start the service
sudo systemctl enable --now nginx

# Open HTTP/HTTPS in the firewall
sudo firewall-cmd --add-service=http --add-service=https --permanent
sudo firewall-cmd --reload

# Place your site content
sudo mkdir -p /var/www/example.com
echo "<h1>Hello from Fedora Server</h1>" | sudo tee /var/www/example.com/index.html
sudo chown -R nginx:nginx /var/www/example.com

# Configure a server block
sudo vim /etc/nginx/conf.d/example.com.conf

Example minimal server block:

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

Test configuration and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx

Database (PostgreSQL/MariaDB)

Fedora Server offers multiple database choices. PostgreSQL is the default relational database for many modern applications.

# Install PostgreSQL
sudo dnf install postgresql-server -y

# Initialize the database cluster
sudo postgresql-setup --initdb

# Enable and start the service
sudo systemctl enable --now postgresql

# Secure the default database with a password for the postgres role
sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'StrongPasswordHere';"

# Create a new database and user
sudo -u postgres createuser myappuser
sudo -u postgres createdb myappdb
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE myappdb TO myappuser;"

If using MariaDB:

sudo dnf install mariadb-server -y
sudo systemctl enable --now mariadb
sudo mysql_secure_installation

Containerization with Podman

Podman is the native container engine in Fedora Server. It runs without a daemon, supports rootless containers, and generates systemd unit files for production management.

# Run a containerized application (Nginx) in detached mode
podman run -d --name webapp -p 8080:80 docker.io/nginx

# Generate a systemd service file to keep the container running across reboots
podman generate systemd --name webapp > ~/.config/systemd/user/container-webapp.service

# Enable and start the user-level systemd service
systemctl --user enable --now container-webapp.service

# For system-wide rootful containers, use:
sudo podman run -d --name sysweb -p 80:80 docker.io/nginx
sudo podman generate systemd --name sysweb > /etc/systemd/system/container-sysweb.service
sudo systemctl enable --now container-sysweb.service

Automatic Updates and Cron Jobs

Fedora provides dnf-automatic to schedule unattended package updates. This is useful for applying security patches automatically.

# Install and enable automatic updates
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

# Configure /etc/dnf/automatic.conf to apply updates silently
sudo sed -i 's/^apply_updates = .*/apply_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/^download_updates = .*/download_updates = yes/' /etc/dnf/automatic.conf

For custom scheduled tasks, use systemd timers or cron:

# Example cron job for daily log cleanup
echo "0 2 * * * /usr/bin/journalctl --vacuum-time=7d" | sudo tee /etc/cron.d/log-cleanup

Production Hardening and Best Practices

Minimal Package Set

Install only what you need. After setup, remove unnecessary packages to reduce the attack surface and minimize update overhead.

# List installed packages and remove unwanted ones
sudo dnf list installed
sudo dnf remove --noautoremove packages-you-don't-need

Consider using the Fedora Server minimal install option or the netinstall ISO to start with a very lean base.

SELinux Enforcing Mode

Always keep SELinux in enforcing mode. If a service fails due to SELinux, use audit2allow and semanage to create custom policies rather than disabling it.

# Analyze SELinux denials
sudo sealert -a /var/log/audit/audit.log

# Generate a local policy module to allow legitimate behavior
sudo grep "type=AVC" /var/log/audit/audit.log | audit2allow -M mylocalpolicy
sudo semodule -i mylocalpolicy.pp

Audit and Monitoring

Set up system auditing with auditd and remote logging. Monitor server health using Cockpit’s metrics or external tools like Prometheus and Grafana.

# Ensure auditd is running
sudo systemctl enable --now auditd

# Configure audit rules for critical files
echo "-w /etc/passwd -p wa -k identity_changes" | sudo tee /etc/audit/rules.d/identity.rules
sudo service auditd restart

Backup Strategies

Implement regular backups using tools like rsync, tar, or dedicated backup software. Encrypt and store backups offsite.

# Simple daily backup of /var/www and /etc
sudo rsync -avz /var/www /backup/www-$(date +%Y%m%d)
sudo rsync -avz /etc /backup/etc-$(date +%Y%m%d)

For databases, use built-in dump tools:

# PostgreSQL backup
sudo -u postgres pg_dump myappdb > /backup/myappdb.sql

Kernel and Security Updates

Fedora delivers kernel updates frequently. Enable dnf-automatic for security patches and reboot after kernel updates. Use tuned to optimize kernel parameters for server workloads.

# Install and enable tuned with a server profile
sudo dnf install tuned -y
sudo systemctl enable --now tuned
sudo tuned-adm profile throughput-performance

Conclusion

Setting up Fedora Server from installation to a production-ready state is a straightforward process that rewards you with a secure, modern, and container-friendly platform. By following the steps outlined—minimal installation, immediate updates, firewall and SELinux enforcement, Cockpit management, service deployment, and regular backups—you create a robust environment suited for web servers, databases, containerized applications, and more. Fedora’s commitment to upstream innovation keeps your stack current, while its strong security posture protects your workloads. Whether you’re deploying a single node or a fleet of servers, these practices form the foundation of a reliable and maintainable production system.

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles