Been doing a lot with Kickstart recently, as I've had to build some airgapped VMs in a hurry and have gone off Ansible again. Been templating the more complex bits using j2cli and YAML, so it's a bit like Ansible without the SSH, and it's ready at first boot rather than afterwards. I've uploaded my RHEL/Alma/Rocky/CentOS 8.4 CIS-hardened kickstart to github.
Oddly enough I’ve found that the SLES install being so slow in esxi appears to be SUSE (or AutoYAST?) -specific, as a RHEL 7/8 install from kickstart is almost as fast as QEMU-KVM, despite SUSE being a third the speed under esxi.
I've also been playing with firewalld, which I've decided is a total pile of excrement. Not only does it not expose the full functionality of iptables/nftables, but most of the documented kickstart commands don't actually do anything; they just silently pass (as confirmed by the anaconda logs!), which is mostly down to kickstart using firewall-offline-cmd and NetworkManager (Mangler) walking all over the settings or just plain ignoring them. You can't even fix it using nmcli; you have to run firewall-cmd at first boot, or modify the /etc/sysconfig/network-scripts/ifcfg-* files, which you shouldn't really do on RHEL8.
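As an added example (my own, not from the post or from the kickstart on github), here is one way to do the "run firewall-cmd at first boot" workaround from a kickstart %post: a function that drops a one-shot systemd unit into the installed system, which applies the policy with the online firewall-cmd and then disables itself. The target-root argument, the unit and script names, and the SSH-only public-zone policy are all my assumptions, chosen so the function can also be exercised against a scratch directory.

```shell
#!/bin/sh
# Install a one-shot first-boot unit that applies the firewalld policy with
# firewall-cmd, because the kickstart "firewall" command / firewall-offline-cmd
# settings get overridden as described above. Run from %post with no argument
# (target root "/"); pass a directory to write the files somewhere else.

write_firstboot_firewall() {
  root=${1:-}
  mkdir -p "$root/usr/local/sbin" "$root/etc/systemd/system/multi-user.target.wants"
  cat > "$root/usr/local/sbin/firstboot-firewall.sh" <<'EOF'
#!/bin/sh
# Assumed policy: public zone with only SSH allowed; the cockpit and
# dhcpv6-client services that RHEL 8 ships in that zone are removed.
set -e
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --remove-service=cockpit || true
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client || true
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --reload
# Apply once only; later changes go through firewall-cmd --permanent as usual.
systemctl disable firstboot-firewall.service
EOF
  chmod 0755 "$root/usr/local/sbin/firstboot-firewall.sh"
  cat > "$root/etc/systemd/system/firstboot-firewall.service" <<'EOF'
[Unit]
Description=Apply firewalld policy on first boot
After=firewalld.service network-online.target
Wants=firewalld.service network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firstboot-firewall.sh

[Install]
WantedBy=multi-user.target
EOF
  # Same effect as "systemctl enable" without needing systemd running in %post.
  ln -sf ../firstboot-firewall.service \
    "$root/etc/systemd/system/multi-user.target.wants/firstboot-firewall.service"
}
```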
I've also been playing with AlmaLinux 8.4, migrated all of my CentOS8 boxes to it and tested my hardening scripts with it etc. It seems to be more security-focused and has less of a shady corporate structure than RockyLinux, who seem to be throwing FUD around.
I figured out how to use a RedHat developer subscribed machine to mirror their yum repos: you can use reposync in a similar manner to SUSE's smt-mirror. They have a weird policy of you having to run the OS you're mirroring, so you can't mirror RHEL7 on RHEL8. Well, you can. You just have to have RHEL7 and RHEL8 machines subscribed, then you can copy the certificates from 7 to 8.
Register the RHEL7 box:
subscription-manager register --org=123456 --activationkey=blah
cp /etc/pki/entitlement/666666666.pem /var/tmp/clientcert7.pem
cp /etc/pki/entitlement/666666666-key.pem /var/tmp/clientkey7.pem
cp /etc/rhsm/ca/redhat-uep.pem /var/tmp/cacert7.pem
cp /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /var/tmp/gpgkey7.gpg
SCP those files to the RHEL8 box, then on RHEL8 create these disabled yum repos as follows:
[rhel-7-server-rpms]
metadata_expire = 86400
enabled_metadata = 0
sslclientcert = /var/tmp/clientcert7.pem
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/7.9/x86_64/os
ui_repoid_vars = releasever basearch
sslverify = 1
name = Red Hat Enterprise Linux 7 Server (RPMs)
sslclientkey = /var/tmp/clientkey7.pem
gpgkey = file:///var/tmp/gpgkey7.gpg
enabled = 0
sslcacert = /var/tmp/cacert7.pem
gpgcheck = 1

[rhel-7-server-extras-rpms]
metadata_expire = 86400
enabled_metadata = 0
sslclientcert = /var/tmp/clientcert7.pem
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/extras/os
ui_repoid_vars = basearch
sslverify = 1
name = Red Hat Enterprise Linux 7 Server - Extras (RPMs)
sslclientkey = /var/tmp/clientkey7.pem
gpgkey = file:///var/tmp/gpgkey7.gpg
enabled = 0
sslcacert = /var/tmp/cacert7.pem
gpgcheck = 1
Then reposync to mirror both the RHEL 7 and 8 repos from the RHEL8 box:
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-8-for-x86_64-baseos-rpms
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-8-for-x86_64-appstream-rpms
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-7-server-rpms
reposync --delete -n -p /var/www/html/ --download-metadata --repo=rhel-7-server-extras-rpms
On the clients, disable subscription-manager:
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/subscription-manager.conf
rm /etc/yum.repos.d/redhat.repo
Then create /etc/yum.repos.d/rhel7.repo pointing to a webserver on the RHEL8 box (I'll leave setting up apache2 to the reader):
[rhel-7-server-rpms]
name = Red Hat Enterprise Linux 7.9 Server (RPMs)
enabled = 0
baseurl=http://192.168.1.2/rhel-7-server-rpms
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[rhel-7-server-extras-rpms]
name = Red Hat Enterprise Linux 7 Server - Extras (RPMs)
enabled = 1
baseurl=http://192.168.1.2/rhel-7-server-extras-rpms
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Or similarly for RHEL8 clients:
[BaseOS]
name=Red Hat Enterprise Linux 8 BaseOS
enabled=1
gpgcheck=1
baseurl=http://192.168.1.2/rhel-8-for-x86_64-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[AppStream]
name=Red Hat Enterprise Linux 8 AppStream
enabled=1
gpgcheck=1
baseurl=http://192.168.1.2/rhel-8-for-x86_64-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
I even did the same for the DockerCE repos:
curl https://download.docker.com/linux/centos/gpg -o /var/tmp/docker.gpg
cat << "EOF" > /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable7]
name=Docker CE Stable - centos7
baseurl=https://download.docker.com/linux/centos/7/x86_64/stable
enabled=0
gpgcheck=1
gpgkey=file:///var/tmp/docker.gpg

[docker-ce-stable8]
name=Docker CE Stable - centos8
baseurl=https://download.docker.com/linux/centos/8/x86_64/stable
enabled=0
gpgcheck=1
gpgkey=file:///var/tmp/docker.gpg
EOF
reposync --delete -n -p /var/www/html/ --download-metadata --repo=docker-ce-stable7
reposync --delete -n -p /var/www/html/ --download-metadata --repo=docker-ce-stable8
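As an added example (my own helper, not from the post), a small POSIX sh script that builds the client .repo file for a mirror laid out the way reposync -p /var/www/html/ does above (one directory per repo id under the webserver root), and lints any .repo file so that every section keeps gpgcheck=1 and never sets sslverify=0, since an unsigned-package or unverified-TLS repo is the one thing you don't want to copy-paste into a fleet of airgapped boxes. The mirror IP and GPG key path are the post's own; the function names are mine.

```shell
#!/bin/sh
# gen_repo_file HOST GPGKEY REPOID... : print a client .repo file where each
# section is named after the repo id and points at http://HOST/REPOID, i.e.
# the directory reposync -p /var/www/html/ --repo=REPOID creates.
gen_repo_file() {
  host=$1; key=$2; shift 2
  for id in "$@"; do
    printf '[%s]\nname=%s (mirror on %s)\nenabled=1\ngpgcheck=1\nbaseurl=http://%s/%s\ngpgkey=file://%s\n\n' \
      "$id" "$id" "$host" "$host" "$id" "$key"
  done
}

# lint_repo_file FILE : print the id of every section that lacks gpgcheck=1
# or sets sslverify=0; exit 1 if any were found, 0 otherwise.
lint_repo_file() {
  awk '
    function flush() {
      if (sect != "" && (gpg != "1" || ssl == "0")) { print sect; bad = 1 }
    }
    BEGIN { bad = 0 }
    /^[[:space:]]*\[/ {                     # new [section]
      flush()
      sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
      gpg = ""; ssl = ""; next
    }
    sect != "" && index($0, "=") > 0 {     # key = value, whitespace ignored
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      if (key == "gpgcheck") gpg = val
      if (key == "sslverify") ssl = val
    }
    END { flush(); exit bad }
  ' "$1"
}

# Constructed demo: client file for the two RHEL 8 repos mirrored above.
gen_repo_file 192.168.1.2 /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release \
  rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms > /tmp/rhel8-mirror.repo
lint_repo_file /tmp/rhel8-mirror.repo && echo "rhel8-mirror.repo: every section enforces gpgcheck=1"
```

Running the linter over /etc/yum.repos.d/*.repo on the clients is a cheap post-install check that the sed/rm dance above didn't leave a weakened section behind.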
As of writing, the repo sizes (only keeping the latest packages) are:
104M docker-ce-stable7
104M docker-ce-stable8
286M rhel-7-server-extras-rpms
8.7G rhel-8-for-x86_64-appstream-rpms
2.1G rhel-8-for-x86_64-baseos-rpms
After about 3 months my FTTP install is nearing completion: the duct move and external work were completed in the last two days, so I just need the internal work now (drill a hole through the wall, connect the ONT to the fibre and the SmartHub2).