This is a helper post in my December 2013 series about Linux Virtual Machine Performance Tuning. For more, please see the tag “Linux VM Performance Tuning.”
Here’s a minimal kickstart file for a virtual machine installation of RHEL 6, CentOS 6, or Oracle Linux 6. I use it in conjunction with tools like Puppet and Chef, which do the rest of the system configuration after the build. Each VM gets a single 30 GB thin-provisioned disk, and the kickstart only carves out what the base system needs, leaving the rest of the volume group unallocated until it’s needed. That does mean the storage is overcommitted, but the amount is manageable, and it’s a tradeoff I make for standardization and for easier administration and automation.
I remove a number of packages that we don’t need on a virtual machine, either because they’re irrelevant there (microcode_ctl, which updates physical CPU microcode) or because they duplicate what the hypervisor already does (sysstat). I also use Sendmail more than I use Postfix, and one of them has to be on the system because cronie requires a local MTA (which is annoying), so I make that choice at install time, too.
My kickstart splits /home, /tmp, /var, /var/log, and /var/log/audit onto separate filesystems and sets the mount options the CIS Benchmark asks for (nodev, nosuid, and noexec on /tmp; nodev on /home), which gets a good part of the way toward a CIS Benchmark configuration. Another great resource is Major Hayden’s (Racker Hacker) secure kickstarts, which already have the CIS Benchmark configured into them. The difference is that I do CIS compatibility via Puppet after build time, while he does it at build time. There are pros and cons either way; make your own informed decision!
install
# Placeholder installation key and password hash: replace both before use.
# A SHA-512 hash for rootpw can be generated on RHEL 6 with: grub-crypt --sha-512
key abcdefdeadbeef
lang en_US.UTF-8
keyboard us
rootpw --iscrypted $6$putapasswordhashofyourownhere
firewall --enabled --port=22:tcp
authconfig --enableshadow --passalgo=sha512
# SELinux is disabled in the template and enabled later through Puppet where it is wanted.
selinux --disabled
reboot
network --noipv6 --device=eth0 --bootproto=dhcp
timezone America/Chicago
bootloader --location=mbr --driveorder=sda --append="rhgb quiet"
interactive
graphical
firstboot --disable

# Disk layout: a small /boot plus one LVM physical volume that takes the rest
# of the 30 GB disk. The logical volumes below total about 6.85 GB; the rest of
# the volume group stays unallocated until a filesystem needs to grow. No swap
# is defined here. Physical extents are 64 MB (--pesize is in KB).
clearpart --all
part /boot --fstype=ext4 --size=250
part pv.6 --grow --size=1
volgroup Volume00 --pesize=65536 pv.6
# CIS-style separation: /tmp is nodev,nosuid,noexec and /home is nodev. discard
# passes freed blocks back to the thin-provisioned disk.
logvol /home --fstype=ext4 --fsoptions="defaults,relatime,nodev,discard" --name=LogVol01 --vgname=Volume00 --size=500
logvol /tmp --fstype=ext4 --fsoptions="defaults,relatime,nodev,nosuid,noexec,discard" --name=LogVol03 --vgname=Volume00 --size=250
logvol /var --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol06 --vgname=Volume00 --size=600
logvol /var/log --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol08 --vgname=Volume00 --size=250
logvol /var/log/audit --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol11 --vgname=Volume00 --size=250
logvol / --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol00 --vgname=Volume00 --size=5000

# Package selection: the two base groups, minus what a VM does not need
# (hardware tools, crash handlers, tracing, profiling), with Sendmail as the MTA
# instead of Postfix.
%packages
@Base
@Core
-abrt-libs
-abrt-tui
-abrt-cli
-abrt
-abrt-addon-python
-abrt-addon-ccpp
-abrt-addon-kerneloops
-Red_Hat_Enterprise_Linux-Release_Notes-6-en-US
-acpid
-b43-fwcutter
-blktrace
-bridge-utils
-cpuspeed
-fprintd-pam
-irqbalance
-kexec-tools
-ledmon
-microcode_ctl
-mlocate
-pcmciautils
-pinfo
-psacct
-quota
-pm-utils
-rfkill
-scl-utils
-smartmontools
-sos
-strace
-sysstat
-systemtap-runtime
-usbutils
-vconfig
-wireless-tools
-postfix
-dovecot
-spamassassin
sendmail
%end
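Because the CIS-related mount options above only matter if they actually land in the installed system, a post-build check is worth having. The following is an added example, not part of the original post or the author’s tooling: a POSIX shell script that reads an fstab/mounts-style table (mountpoint in field 2, options in field 4) and reports any CIS mount option that is missing. The sample table is constructed here to match what this kickstart’s logvol lines produce, plus the stock tmpfs entry for /dev/shm that the installer writes on its own; the list of expected options is an assumption drawn from the CIS Benchmark items this kickstart touches, with /dev/shm added because the benchmark covers it too.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the mount options
# requested in the kickstart actually apply, and surface what it leaves out.

# Constructed sample in the shape of the /etc/fstab this kickstart produces.
# The /dev/shm line is the installer's stock tmpfs entry, which the kickstart
# does not touch.
SAMPLE_FSTAB='/dev/mapper/Volume00-LogVol00 /              ext4  defaults,relatime,discard                     1 1
UUID=00000000-0000-0000-0000-000000000000 /boot ext4  defaults                                      1 2
/dev/mapper/Volume00-LogVol01 /home          ext4  defaults,relatime,nodev,discard               1 2
/dev/mapper/Volume00-LogVol03 /tmp           ext4  defaults,relatime,nodev,nosuid,noexec,discard 1 2
/dev/mapper/Volume00-LogVol06 /var           ext4  defaults,relatime,discard                     1 2
/dev/mapper/Volume00-LogVol08 /var/log       ext4  defaults,relatime,discard                     1 2
/dev/mapper/Volume00-LogVol11 /var/log/audit ext4  defaults,relatime,discard                     1 2
tmpfs                         /dev/shm       tmpfs defaults                                      0 0'

# has_opt TABLE MOUNTPOINT OPTION
# Returns 0 if MOUNTPOINT is in TABLE with OPTION in its option list, else 1.
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_mounts TABLE
# Prints one line per missing option; returns the number of misses (0 = clean).
# The expectations are the CIS items this kickstart addresses, plus /dev/shm.
check_mounts() {
    table=$1
    misses=0
    for spec in '/tmp nodev nosuid noexec' '/home nodev' '/dev/shm nodev nosuid noexec'; do
        set -- $spec
        mp=$1; shift
        for opt in "$@"; do
            if ! has_opt "$table" "$mp" "$opt"; then
                echo "MISSING: $mp lacks $opt"
                misses=$((misses + 1))
            fi
        done
    done
    return $misses
}

# Run against the sample; on a real host use: check_mounts "$(cat /proc/mounts)"
check_mounts "$SAMPLE_FSTAB" || echo "$? mount option(s) missing; fix those in Puppet (or the kickstart)"
```

Against the sample the script reports three misses, all on /dev/shm, which is exactly the gap between what this kickstart configures and what Puppet has to finish afterwards. Run it with `check_mounts "$(cat /proc/mounts)"` on a freshly built VM to confirm the options are live rather than just written to /etc/fstab. One more check worth doing before the first build: `ksvalidator ks.cfg` from the pykickstart package catches kickstart syntax errors that would otherwise only show up as an installer prompt.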
So, even though it isn’t the CIS, another good resource is the USGCB. Unfortunately, at this time, they only have a kickstart available that works with RHEL 5/CentOS 5, etc. But it is definitely a good resource: http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
That appears to be mainly for desktop use, but you are correct, it is a good starting point. I’m trying to learn more about the whole SCAP/CCE part now, that’s new to me.
SELinux disabled? Bad form!
SELinux is security masturbation. Just turn it on if you need it and quit trolling.
Gents, this is why the internet is disabling comments. I enable SELinux where I need it via Puppet, and this way I can have a single template that suits more of my needs. I generally dislike SELinux as it has a pretty low ROI when compared to other areas admins can spend time on, like actually patching or implementing automation. If you like complexity you’ll love SELinux.
Further discussion of my SELinux proclivities will be considered off topic and evidence of a holy war.
I appreciate that you don’t want to have some sort of “holy war” about SELinux on your comment section, but perhaps you can cover your reasons with more details? Perhaps in a separate post?
I notice there’s no swap in this example, is that deliberate? Is that configured at a later stage by puppet?