Kickstart & Mirrors

Been doing a lot with Kickstart recently, as I’ve had to build some airgapped VM’s in a hurry and have gone off Ansible again. Been templating the more complex bits using j2cli and YAML, so its a bit like Ansible without the SSH - and its ready at first boot rather than afterwards. I’ve uploaded my RHEL/Alma/Rocky/CentOS 8.4 CIS-hardened kickstart to github

Oddly enough I’ve found that the SLES install being so slow in esxi appears to be SUSE (or AutoYAST?) -specific, as a RHEL 7/8 install from kickstart is almost as fast as QEMU-KVM, despite SUSE being a third the speed under esxi.

I’ve also been playing with firewalld which I’ve decided is a total pile of excrement. Not only does it not expose the full functionality of iptables/nftables, but most of the documented kickstart commands don’t actually do anything, they just silently pass (as confirmed by the anaconda logs!) which is mostly down to kickstart using firewall-offline-cmd and NetworkManager (Mangler) walking all over the settings or just plain ignoring them. You can’t even fix it using nmcli, you have to run firewall-cmd at first boot, or modify the /etc/sysconfig/network-scripts/ifcfg-* files which you shouldn’t really do on RHEL8.

I’ve also been playing with AlmaLinux 8.4, migrated all of my CentOS8 boxes to it and tested my hardening scripts with it etc. It seems to be more security-focused and has less of a shady corporate structure to RockyLinux who seem to be throwing FUD around.

I figured out how to use a RedHat developer subscribed machine to mirror their yum repo’s - you can use reposync in a similar manner to SUSE’s smt-mirror. They have a weird policy of you having to run the OS you’re mirroring, so you can’t mirror RHEL7 on RHEL8. Well, you can. You just have to have RHEL7 and RHEL8 machines subscribed, then you can copy the certificates from 7 to 8.

Register the RHEL7 box:

subscription-manager register --org=123456 --activationkey=blah

cp /etc/pki/entitlement/666666666.pem /var/tmp/clientcert7.pem
cp /etc/pki/entitlement/666666666-key.pem /var/tmp/clientkey7.pem
cp /etc/rhsm/ca/redhat-uep.pem /var/tmp/cacert7.pem
cp /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /var/tmp/gpgkey7.gpg

SCP those files to the RHEL8 box, then on RHEL8 create these disabled yum repo’s as /etc/yum.repos.d/rhel7.repo:

[rhel-7-server-rpms]
metadata_expire = 86400
enabled_metadata = 0
sslclientcert = /var/tmp/clientcert7.pem
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/7.9/x86_64/os
ui_repoid_vars = releasever basearch
sslverify = 1
name = Red Hat Enterprise Linux 7 Server (RPMs)
sslclientkey = /var/tmp/clientkey7.pem
gpgkey = file:///var/tmp/gpgkey7.gpg
enabled = 0
sslcacert = /var/tmp/cacert7.pem
gpgcheck = 1

[rhel-7-server-extras-rpms]
metadata_expire = 86400
enabled_metadata = 0
sslclientcert = /var/tmp/clientcert7.pem
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/extras/os
ui_repoid_vars = basearch
sslverify = 1
name = Red Hat Enterprise Linux 7 Server - Extras (RPMs)
sslclientkey = /var/tmp/clientkey7.pem
gpgkey = file:///var/tmp/gpgkey7.gpg
enabled = 0
sslcacert = /var/tmp/cacert7.pem
gpgcheck = 1

Then use reposync to mirror both the RHEL 7 and 8 repo’s from the RHEL8 box:

reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-8-for-x86_64-baseos-rpms
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-8-for-x86_64-appstream-rpms

reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-7-server-rpms
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-7-server-extras-rpms

On the clients, disable subscription-manager:

sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/subscription-manager.conf
rm /etc/yum.repos.d/redhat.repo

Create /etc/yum.repos.d/rhel7.repo pointing to a webserver on the RHEL8 box (I’ll leave setting up apache2 to the reader):

[rhel-7-server-rpms]
name = Red Hat Enterprise Linux 7.9 Server (RPMs)
enabled = 0
baseurl=http://192.168.1.2/rhel-7-server-rpms
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[rhel-7-server-extras-rpms]
name = Red Hat Enterprise Linux 7 Server - Extras (RPMs)
enabled = 1
baseurl=http://192.168.1.2/rhel-7-server-extras-rpms
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Or similarly for RHEL8 clients, /etc/yum.repos.d/rhel8.repo:

[BaseOS]
name=Red Hat Enterprise Linux 8 BaseOS
enabled=1
gpgcheck=1
baseurl=http://192.168.1.2/rhel-8-for-x86_64-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[AppStream]
name=Red Hat Enterprise Linux 8 AppStream
enabled=1
gpgcheck=1
baseurl=http://192.168.1.2/rhel-8-for-x86_64-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

I even did the same for the DockerCE repo’s:

curl https://download.docker.com/linux/centos/gpg -o /var/tmp/docker.gpg

cat << "EOF" > /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable7]
name=Docker CE Stable - centos7
baseurl=https://download.docker.com/linux/centos/7/x86_64/stable
enabled=0
gpgcheck=1
gpgkey=file:///var/tmp/docker.gpg

[docker-ce-stable8]
name=Docker CE Stable - centos8
baseurl=https://download.docker.com/linux/centos/8/x86_64/stable
enabled=0
gpgcheck=1
gpgkey=file:///var/tmp/docker.gpg
EOF

reposync --delete -n -p /var/www/html/ --download-metadata --repo=docker-ce-stable7
reposync --delete -n -p /var/www/html/ --download-metadata --repo=docker-ce-stable8

As of writing, the repo sizes (only keeping the latest packages) are:

104M	docker-ce-stable7
104M	docker-ce-stable8
286M	rhel-7-server-extras-rpms
8.7G	rhel-8-for-x86_64-appstream-rpms
2.1G	rhel-8-for-x86_64-baseos-rpms

After about 3 months my FTTP install is nearing completion, duct move and external work was completed in the last two days, just need the internal work now (drill hole through wall, connect ONT to fibre and SmartHub2).