Minimal Kickstart File for Red Hat Enterprise Linux 6, CentOS 6, Oracle Linux 6 Virtual Machines

by Bob Plankers on December 4, 2013 · 9 comments

in Best Practices,Cloud,System Administration,Virtualization

This is a helper post in my December 2013 series about Linux Virtual Machine Performance Tuning. For more, please see the tag “Linux VM Performance Tuning.”

Here’s a minimal kickstart file for a virtual machine installation of RHEL 6, CentOS 6, or Oracle Linux 6. I use this in conjunction with tools like Puppet and Chef to do the rest of my system configuration. I provision a 30 GB thin-provisioned disk to each VM and leave most of it unallocated until it is needed. This does lead to disk overcommitment, but it’s manageable, and it’s a tradeoff I accept for more standardization and easier administration & automation.

I remove a number of packages that we don’t necessarily need on a virtual machine, either because they’re irrelevant (microcode_ctl) or they duplicate what the hypervisor does already (sysstat). I also use Sendmail more than I use Postfix, and one of them needs to be on the system (which is annoying), so I make that choice at install time, too.

My kickstart carves out separate filesystems to help with CIS Benchmark configurations. Another great resource is Major Hayden’s (Racker Hacker) secure kickstarts, which already have the CIS Benchmark settings built into them. The difference is that I do CIS compliance via Puppet after build time, while he does it at build time. There are pros and cons either way; make your own informed decision!

install
key abcdefdeadbeef
lang en_US.UTF-8
keyboard us
rootpw --iscrypted $6$putapasswordhashofyourownhere
firewall --enabled --port=22:tcp
authconfig --enableshadow --passalgo=sha512
selinux --disabled
reboot
network --noipv6 --device=eth0 --bootproto=dhcp
timezone America/Chicago
bootloader --location=mbr --driveorder=sda --append="rhgb quiet"
interactive
graphical
firstboot --disable

clearpart --all

part /boot --fstype=ext4 --size=250
part pv.6 --grow --size=1
volgroup Volume00 --pesize=65536 pv.6
logvol /home --fstype=ext4 --fsoptions="defaults,relatime,nodev,discard" --name=LogVol01 --vgname=Volume00 --size=500
logvol /tmp --fstype=ext4 --fsoptions="defaults,relatime,nodev,nosuid,noexec,discard" --name=LogVol03 --vgname=Volume00 --size=250
logvol /var --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol06 --vgname=Volume00 --size=600
logvol /var/log --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol08 --vgname=Volume00 --size=250
logvol /var/log/audit --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol11 --vgname=Volume00 --size=250
logvol / --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol00 --vgname=Volume00 --size=5000

%packages
@Base
@Core
-abrt-libs
-abrt-tui
-abrt-cli
-abrt
-abrt-addon-python
-abrt-addon-ccpp
-abrt-addon-kerneloops
-Red_Hat_Enterprise_Linux-Release_Notes-6-en-US
-acpid
-b43-fwcutter
-blktrace
-bridge-utils
-cpuspeed
-fprintd-pam
-irqbalance
-kexec-tools
-ledmon
-microcode_ctl
-mlocate
-pcmciautils
-pinfo
-psacct
-quota
-pm-utils
-rfkill
-scl-utils
-smartmontools
-sos
-strace
-sysstat
-systemtap-runtime
-usbutils
-vconfig
-wireless-tools
-postfix
-dovecot
-spamassassin
sendmail
%end
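Because the post defers CIS compliance to Puppet, it is worth having a quick check that a kickstart template still carries the partition layout and mount options the later hardening depends on. The following linter is an added example and not part of the post or the author’s tooling: it parses the command section of a kickstart, collects each mount point’s --fsoptions, and compares them against an assumed policy (the REQUIRED_MOUNTS table is a constructed approximation of the filesystem-separation recommendations the post refers to, not the benchmark text itself). It also reports selinux --disabled, a missing firewall line, and the absence of any swap definition. The embedded SAMPLE_KS is the post’s own partitioning and security lines, trimmed to what the linter inspects.

```python
"""Lint a RHEL/CentOS 6 kickstart for the filesystem layout, mount options and
install-time security settings that later CIS-style hardening relies on.

Added example, not the post's own code.  The policy table is an assumption;
adjust it to the benchmark you actually follow.
"""
import shlex

# Constructed sample: the post's partitioning and security lines, trimmed.
SAMPLE_KS = """\
install
firewall --enabled --port=22:tcp
selinux --disabled
clearpart --all
part /boot --fstype=ext4 --size=250
part pv.6 --grow --size=1
volgroup Volume00 --pesize=65536 pv.6
logvol /home --fstype=ext4 --fsoptions="defaults,relatime,nodev,discard" --name=LogVol01 --vgname=Volume00 --size=500
logvol /tmp --fstype=ext4 --fsoptions="defaults,relatime,nodev,nosuid,noexec,discard" --name=LogVol03 --vgname=Volume00 --size=250
logvol /var --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol06 --vgname=Volume00 --size=600
logvol /var/log --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol08 --vgname=Volume00 --size=250
logvol /var/log/audit --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol11 --vgname=Volume00 --size=250
logvol / --fstype=ext4 --fsoptions="defaults,relatime,discard" --name=LogVol00 --vgname=Volume00 --size=5000
"""

# Assumed policy: mount point -> options that must appear in --fsoptions.
# An empty set means "must be its own filesystem", with no option requirement.
REQUIRED_MOUNTS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev"},
    "/var": set(),
    "/var/log": set(),
    "/var/log/audit": set(),
}


def parse_kickstart(text):
    """Return (commands, mounts).

    commands maps a command name to its argument list (last occurrence wins;
    only used here for single-shot commands such as selinux and firewall).
    mounts maps a mount point (or "swap") to the set of --fsoptions values.
    Parsing stops at the first %-section (%packages, %pre, %post).
    """
    commands, mounts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            break  # end of the command section
        argv = shlex.split(line)  # strips the quotes around --fsoptions="..."
        name, args = argv[0], argv[1:]
        commands[name] = args
        if name in ("part", "partition", "logvol") and args:
            target = args[0]
            opts = set()
            for arg in args[1:]:
                if arg.startswith("--fsoptions="):
                    opts = set(arg.split("=", 1)[1].split(","))
            # pv.N / raid.N members are not mount points; keep "/..." and swap.
            if target.startswith("/") or target == "swap":
                mounts[target] = opts
    return commands, mounts


def lint(text):
    """Return a sorted list of findings; an empty list means the kickstart
    satisfies the assumed policy."""
    commands, mounts = parse_kickstart(text)
    findings = []
    for mount_point, needed in REQUIRED_MOUNTS.items():
        if mount_point not in mounts:
            findings.append(f"{mount_point}: not a separate filesystem")
            continue
        missing = needed - mounts[mount_point]
        if missing:
            findings.append(
                f"{mount_point}: missing mount options {','.join(sorted(missing))}"
            )
    if "selinux" in commands and "--disabled" in commands["selinux"]:
        findings.append("selinux: disabled at install time")
    if "firewall" not in commands or "--disabled" in commands["firewall"]:
        findings.append("firewall: not enabled")
    if "swap" not in mounts:
        findings.append("swap: no swap partition or logical volume defined")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_KS) or ["clean"]:
        print(finding)
```

Run against the post’s layout the linter reports exactly two things: SELinux is disabled at install time, and no swap is defined. Both are deliberate in the post (SELinux is handled by Puppet later), which is the point of a check like this: it makes the template’s intentional deviations explicit instead of leaving them to be rediscovered after the VM is built.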


Mike December 4, 2013 at 11:32 AM

So, even though it isn’t the CIS, another good resource is the USGCB. Unfortunately, at this time, they only have a kickstart available that works with RHEL 5/CentOS 5, etc. But it is definitely a good resource: http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

Bob Plankers December 4, 2013 at 5:30 PM

That appears to be mainly for desktop use, but you are correct, it is a good starting point. I’m trying to learn more about the whole SCAP/CCE part now, that’s new to me.

Quine December 4, 2013 at 7:53 PM

SELinux disabled? Bad form!

Your Mother December 4, 2013 at 9:01 PM

SELinux is security masturbation. Just turn it on if you need it and quit trolling.

Bob Plankers December 5, 2013 at 12:16 AM

Gents, this is why the internet is disabling comments. I enable SELinux where I need it via Puppet, and this way I can have a single template that suits more of my needs. I generally dislike SELinux as it has a pretty low ROI when compared to other areas admins can spend time, like actually patching or implementing automation. If you like complexity you’ll love SELinux.

Further discussion of my SELinux proclivities will be considered off topic and evidence of a holy war.

Quine December 5, 2013 at 6:10 PM

I appreciate that you don’t want to have some sort of “holy war” about SELinux on your comment section, but perhaps you can cover your reasons with more details? Perhaps in a separate post?

David Mackintosh December 21, 2013 at 8:31 PM

I notice there’s no swap in this example. Is that deliberate? Is that configured at a later stage by Puppet?
