Operating System Configuration

This is the design for the configuration of all RedHat-workalike operating systems within the Nerdhole environment. We will define standards here for file system path names, password policies, users, and the like.

Our workhorse operating system will be CentOS Stream 9. We will support other operating systems on the network as well, such as Rocky Linux or Ubuntu Linux, and older releases such as CentOS Stream 8, but the default is CentOS Stream 9.

We will distinguish between the following classes of machine:

  • Minimal installs - Bare bones command line only hosts.
  • Servers - Dedicated servers that the users are not expected to log in on.
  • Workstations - Machines intended for the users to do their daily work. A workstation can also do server duties, such as being a VM Host.
  • Laptops - Portable workstations that do not have a permanent connection to the home network.
  • Virtual machines - Hosts that run as a sub-process on a server.

Common to all RedHat-like operating systems

These policies apply to all our RedHat-derived operating systems:

Security

We will keep SELinux enabled as professional environments do this and it is better to get used to it than to run into surprises later.

Root logins over SSH will be enabled for the duration of the server install, but will be disabled as soon as possible. We will endeavour to use Ansible's "become" privilege escalation, so that members of the wheel group can run Ansible playbooks without being asked for additional passwords.

By default, we don't configure any additional authentication methods like NIS or LDAP in our basic OS install. There is one user named builder (System Builder), who can log in on the host's graphical console and via SSH using a well-known password. We will remove that user once the server is using the main authentication server.

We will make SSH as transparent as possible. Once a user has authenticated to SSH and their key is loaded into the agent, they can move from one machine to the next without additional passwords.
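Because root logins over SSH stay on until a host is under Ansible control, the step that switches them off has to respect the CentOS Stream 9 sshd_config layout: the stock file begins with an Include of /etc/ssh/sshd_config.d/*.conf, sshd keeps the first value it reads for each keyword, and the installer can leave a drop-in in that directory when root over SSH was allowed. Appending "PermitRootLogin no" to the end of sshd_config then changes nothing. The script below is an added example written for this page, not part of the Nerdhole tooling or of OpenSSH. It resolves the value sshd would use the way sshd does and then writes a drop-in that sorts first. The sample tree it builds (a relative Include so it can live in a temporary directory, a constructed 01-permitrootlogin.conf standing in for the installer's file, a Match block for builder) is constructed for the demonstration, and the drop-in name 00-nerdhole-hardening.conf is an assumption.

```sh
#!/bin/sh
# Added example for this page (not Nerdhole tooling, not part of OpenSSH):
# work out which PermitRootLogin value sshd will actually use, then turn
# root logins off in a way that survives the installer's own drop-in file.
# The sample tree built by build_sample_tree is constructed for the demo.

# sshd_effective BASEDIR FILE KEY
#   Prints the value sshd would use for KEY, following sshd's rules: the
#   first value read wins, "Include" lines are expanded in place (globs are
#   allowed, relative paths resolve against BASEDIR, which is /etc/ssh on a
#   real host), and a "Match" line ends the search for the global value
#   ("Match all" is not special-cased here). Returns 1 when KEY is never
#   set unconditionally.
sshd_effective() {
    base="$1"; file="$2"; key="$3"
    lckey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        # sshd accepts "Key=value" as well as "Key value": normalise, then split
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*/\1 /')
        set -f; set -- $line; set +f           # -f: no globbing while splitting
        [ $# -gt 0 ] || continue               # blank line
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$kw" in
            '#'*) continue ;;                  # comment
            match) return 1 ;;                 # conditional section: stop here
            include)
                [ $# -gt 1 ] || continue
                shift
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="$base/$pat" ;; esac
                    for inc in $pat; do        # unquoted on purpose: sorted glob
                        [ -f "$inc" ] || continue
                        if v=$(sshd_effective "$base" "$inc" "$key"); then
                            printf '%s\n' "$v"; return 0
                        fi
                    done
                done ;;
            "$lckey") shift; printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# sshd_disable_root_login BASEDIR
#   Writes a drop-in whose name sorts before anything the installer left in
#   sshd_config.d, so sshd reads it first and its value wins.
sshd_disable_root_login() {
    d="$1/sshd_config.d"
    mkdir -p "$d"
    printf 'PermitRootLogin no\n' > "$d/00-nerdhole-hardening.conf"
    chmod 600 "$d/00-nerdhole-hardening.conf"
}

# build_sample_tree DIR
#   Constructed sample: the shape of a fresh install's /etc/ssh, with an
#   installer-style drop-in allowing root and a later, ineffective "no".
build_sample_tree() {
    mkdir -p "$1/sshd_config.d"
    printf 'PermitRootLogin yes\n' > "$1/sshd_config.d/01-permitrootlogin.conf"
    cat > "$1/sshd_config" <<'EOF'
# constructed sample, mirrors the stock layout (relative Include for the demo)
Include sshd_config.d/*.conf
#PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
Match User builder
    PasswordAuthentication yes
EOF
}

# Stand-alone demo on a throwaway tree
if [ -z "${SSHD_DEMO_SKIP:-}" ]; then
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    printf 'before: PermitRootLogin %s\n' "$(sshd_effective "$demo" "$demo/sshd_config" PermitRootLogin)"
    sshd_disable_root_login "$demo"
    printf 'after:  PermitRootLogin %s\n' "$(sshd_effective "$demo" "$demo/sshd_config" PermitRootLogin)"
    rm -rf "$demo"
fi
```

On a real host, sshd -T prints the effective configuration and is the authoritative check; the resolver above exists so the same question can be asked of a config tree that is not installed anywhere, for instance a copy fetched back by Ansible. After writing the drop-in, run sshd -t to confirm the files parse and then restart sshd.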

Repositories

We will use the following repositories for CentOS Stream 9:

Repo ID              Repo name
appstream            CentOS Stream 9 - AppStream
baseos               CentOS Stream 9 - BaseOS
epel                 Extra Packages for Enterprise Linux 9 - x86_64
epel-cisco-openh264  Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64
epel-next            Extra Packages for Enterprise Linux 9 - Next - x86_64
extras-common        CentOS Stream 9 - Extras packages

Some applications such as Skype may require additional repositories, but those will be added as and when necessary.

Ansible configuration

Ansible lives in the EPEL repository, which is not enabled by default. We will put a script named "environment_bootstrap" on every server we install; it takes the server from its minimal install to the point where it can support other hosts. We run it manually, and only on the main server. Since Ansible is agentless, once the main server is running we can do everything else from it.

More details on this in the Ansible section.

Minimal installs

Minimal installs contain just enough of the operating system to be addressable with Ansible. No GUI, no services apart from SSH. A minimal install is meant as a starting point for building more elaborate hosts. There will be automated procedures for turning a minimal install into a laboratory host with central authentication, remote file systems and other quality-of-life features.

Hardware

We can use almost any x86_64 machine as a minimal install, including virtual machines running on a VM host. The minimum requirements are:

  • A 4-core CPU
  • A minimum of 4GB of RAM
  • One disk (preferably SSD) for the OS
  • Zero or more disks to use for data.
  • One or more Ethernet interfaces
  • USB for keyboard and mouse
  • HDMI output for console
  • UEFI firmware that lets us disable Secure Boot (Microsoft Tax)

Most of our workstations tend to be bigger though.

Base OS

The OS does not get more base than this. It is installed using a kickstart file named along the lines of base-centos-stream-9.ks, which does the following:

  1. Specifies a text-mode install
  2. Sets the locale and keyboard layout for the UK
  3. Agrees to the CentOS EULA so that nothing has to be accepted when the server reboots
  4. Sets the network to use DHCP for its IP parameters
  5. Specifies http://bis.nerdhole.me.uk/ as the installation source.
  6. Wipes the OS installation disk and assigns all of it to the rootvg volume group.
  7. Creates file systems on the disk holding rootvg:
    • /boot/efi - 600MB EFI system partition
    • /boot - 1024MB XFS partition for kernel boot images
    • 8GB swap logical volume initially. We can add swap space as needed.
    • 70GB root logical volume for the operating system.
    • Note: There are no separate /home or /var file systems.
  8. Selects the following packages to be installed:
    • Group: minimal-environment (Todo: Work these out per distro)
    • De-installs cockpit
  9. Configures the OS disk; on Sypha this is the 120GB M.2 SSD
    • Uses only /dev/disk/by-path/pci-0000:00:17.0-ata-5
    • Clears all partitions
    • Puts the boot loader in the Master Boot Record (MBR)
    • Puts 600MB into /boot/efi
    • Puts 1024MB into /boot
    • Assigns the rest of the available space to a partition named pv.1
    • Creates a volume group called "rootvg" on pv.1
    • Puts 8GB into a swap logical volume on rootvg
    • Assigns the rest of the available storage to a root logical volume in rootvg.
  10. Configures logins
    • Sets the root password to a well-known value but does not allow direct root logins.
    • Configures a user named builder with permission to use sudo and a well-known password.
  11. Finally: Reboots into the new operating system.

This will get you a truly minimal installation that you can log in to as root, and that you can use as a starting point for other types of machine.

Servers

A server is a machine that is usually run without a keyboard and display. It provides a specific set of functions to the network such as DNS, NFS, authentication and the like. It can run any of the supported operating systems.

Hardware

We can use almost any x86_64 machine as a server. The minimum requirements are:

  • A 4-core CPU
  • A minimum of 8GB of RAM
  • One disk (preferably SSD) for the OS
  • Zero or more disks to use for data.
  • One or more Ethernet interfaces
  • USB for keyboard and mouse
  • HDMI output for console
  • UEFI firmware that lets us disable Secure Boot (Microsoft Tax)

We do have more powerful machines in the Nerdhole.

Base OS

We tend to leave the defaults alone on our OS installs and only modify them when necessary. We do remove the web-based configuration service named Cockpit, because we use Ansible to carry out all configuration tasks. Also, we name the OS volume group "rootvg" in homage to AIX. Putting the hostname into the root VG name is only useful if you have several operating systems on the machine with different hostnames, which we don't do.

The base OS is installed using a kickstart file called centos-stream-9-server-gui.ks. This kickstart file uses the installation resources on Paya to install the base OS, and does the following:

  1. Specifies a text-mode install
  2. Sets the locale and keyboard layout for the UK
  3. Agrees to the CentOS EULA so that nothing has to be accepted when the server reboots
  4. Sets the network to use DHCP for its IP parameters
  5. Specifies http://www.nerdhole.me.uk/cd-iso/CentOS-Stream-9-latest-x86_64-dvd1/ as the installation source
  6. Selects the following packages to be installed:
    • Group: graphical-server-environment
    • De-installs gnome-initial-setup
    • De-installs cockpit
  7. Configures the OS disk; on Sypha this is the 120GB M.2 SSD
    • Uses only /dev/disk/by-path/pci-0000:00:17.0-ata-5
    • Clears all partitions
    • Puts the boot loader in the Master Boot Record (MBR)
    • Puts 600MB into /boot/efi
    • Puts 1024MB into /boot
    • Creates a 120GB physical volume on pv.755
    • Creates a volume group called "rootvg" on pv.755
    • Puts 8GB into a swap logical volume on rootvg
    • Puts 70GB into the / logical volume on rootvg
    • Leaves the rest for future expansion.
  8. Configures logins
    • Sets the root password to a well-known value and allows root to log in over SSH (don't panic, we will change this in a later stage).
    • Creates a local admin user builder who can use the GUI.
  9. In post-install:
    • Puts the boot install server's root SSH key into /root/.ssh/authorized_keys for Ansible access.
    • Sets the default target to graphical.target.
  10. Finally: Reboots into the new operating system.

This gives us a server that we can access using SSH and run Ansible playbooks on for further configuration. This is an empty server that provides no functions to the net beyond SSH logins.
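The two kickstart procedures above (base-centos-stream-9.ks for a minimal install and centos-stream-9-server-gui.ks for a server) differ only in the package environment, in whether root may log in over SSH, and in the post-install steps. The block below is an added example for this page, not one of the Nerdhole kickstart files: a constructed kickstart in the server form that follows the steps listed, plus a shell function that checks a kickstart for the security-relevant points of this design (SELinux enforcing, hashed rather than plaintext passwords, builder in wheel, cockpit removed) before the file is published on the install server. The password hashes, the SSH public key and the %post log path are placeholders; the disk path and installation URL are the ones given on this page.

```sh
#!/bin/sh
# Added example for this page (not one of the Nerdhole kickstart files):
# a constructed server-style kickstart following the steps in the design,
# and a lint function for the security-relevant directives. Hashes and the
# SSH key are placeholders; the minimal variant would drop --allow-ssh and
# the sshkey line and use @^minimal-environment instead.
SAMPLE_KS='text
lang en_GB.UTF-8
keyboard --vckeymap=gb --xlayouts=gb
eula --agreed
network --bootproto=dhcp --device=link --activate
url --url="http://www.nerdhole.me.uk/cd-iso/CentOS-Stream-9-latest-x86_64-dvd1/"
selinux --enforcing
firewall --enabled --service=ssh
ignoredisk --only-use=/dev/disk/by-path/pci-0000:00:17.0-ata-5
clearpart --all --initlabel --drives=/dev/disk/by-path/pci-0000:00:17.0-ata-5
zerombr
bootloader --location=mbr
part /boot/efi --fstype=efi --size=600
part /boot --fstype=xfs --size=1024
part pv.1 --fstype=lvmpv --size=1 --grow
volgroup rootvg pv.1
logvol swap --fstype=swap --vgname=rootvg --name=swap --size=8192
logvol / --fstype=xfs --vgname=rootvg --name=root --size=71680
rootpw --iscrypted --allow-ssh $6$PLACEHOLDER$NOTAREALHASH
user --name=builder --groups=wheel --iscrypted --password=$6$PLACEHOLDER$NOTAREALHASH
sshkey --username=root "ssh-ed25519 AAAAC3PLACEHOLDERKEY install-server"
%packages
@^graphical-server-environment
-gnome-initial-setup
-cockpit
%end
%post --log=/root/ks-post.log
systemctl set-default graphical.target
%end
reboot'

ks_fail() { echo "FAIL: $1"; ks_findings=$((ks_findings + 1)); }

# ks_lint FILE
#   Checks the policy points of this design. Prints one FAIL line per
#   finding and returns non-zero if there were any. Syntax is ksvalidator's job.
ks_lint() {
    ks="$1"; ks_findings=0
    [ -r "$ks" ] || { echo "FAIL: cannot read $ks"; return 2; }

    grep -q '^selinux --enforcing' "$ks" || ks_fail "selinux is not --enforcing"
    grep -q '^firewall --disabled' "$ks" && ks_fail "firewall is --disabled"

    # root password: a hash or a locked account; a plaintext password ends up
    # in every copy of the kickstart and in /root/anaconda-ks.cfg on the host
    grep -q '^rootpw .*--plaintext' "$ks" && ks_fail "rootpw is --plaintext"
    grep -Eq '^rootpw .*(--iscrypted|--lock)' "$ks" || ks_fail "rootpw is neither --iscrypted nor --lock"

    # the builder account: hashed password, member of wheel for sudo/become
    u=$(grep '^user .*--name=builder' "$ks" || true)
    case "$u" in
        '') ks_fail "no builder user defined" ;;
        *--iscrypted*|*--lock*) ;;
        *) ks_fail "builder password is not --iscrypted" ;;
    esac
    case "$u" in ''|*--groups=*wheel*) ;; *) ks_fail "builder is not in wheel" ;; esac

    # cockpit is removed in favour of Ansible; the packages section must say so
    grep -q '^-cockpit$' "$ks" || ks_fail "%packages does not remove cockpit"

    # informational: root over SSH is an install-time allowance only
    grep -q '^rootpw .*--allow-ssh' "$ks" && echo "NOTE: rootpw --allow-ssh set; disable root SSH login post-install"

    [ "$ks_findings" -eq 0 ]
}

# Stand-alone run: lint the constructed sample
if [ -z "${KS_DEMO_SKIP:-}" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_KS" > "$f"
    ks_lint "$f" && echo "OK: no findings in sample kickstart"
    rm -f "$f"
fi
```

ksvalidator from pykickstart (for example ksvalidator -v RHEL9 file.ks) checks kickstart syntax; the lint above only checks the policy points, so run both before copying a kickstart to the install server.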

Workstations

A workstation is a machine designed for people to do their work on. Workstations are meant to be permanent fixtures in the network, and rely on network resources for users' home directories, login information, data stores, printing and so on. We will always try to install the latest and greatest OS on a workstation.

Workstations are also designed to be used as servers, simply by assigning server roles to them. The most common example is to use a workstation as a Virtual Machine host using KVM.

Hardware

We can use almost any x86_64 machine as a workstation. The minimum requirements are:

  • A 4-core CPU
  • A minimum of 4GB of RAM
  • One disk (preferably SSD) for the OS
  • Zero or more disks to use for data.
  • One or more Ethernet interfaces
  • USB for keyboard and mouse
  • HDMI output for console
  • UEFI firmware that lets us disable Secure Boot (Microsoft Tax)

Most of our workstations tend to be bigger though.

Base OS

The base OS installation for a workstation is very similar to the one for a server. Beyond the Gnome GUI, we do not even install the usual workstation packages at this stage; that happens later using Ansible.