8

In a farm of virtualized Red Hat servers, there's the need to install a minimal system for security reasons. Minimal installs have several advantages (even no security related):

  1. Less exposure to vulnerabilities (if you don't need it, don't install it)
  2. Better update process (less packages to update, less probability of breaking the system)
  3. Better performance (no unneeded daemons or processes)
  4. The less software you have the easier it is to harden the system

Unfortunately, this is not easy because the "Minimal Installation" on Red Hat contains lots of unnecessary packages.

There is an added challenge as the farm is running Oracle iAS. I've been told that iAS has dependencies with local graphical environment. So finally every server in the farm has gnome, X, etc.

I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.

How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?

BenMorel
  • 4,215
  • 10
  • 53
  • 81
chmeee
  • 7,270
  • 3
  • 29
  • 43
  • 1
    At first, this question has really stricken me as outright weird. I mean, X on a _minimal_server_installation_? But then, I understand, that this is Red Hat world and what a different world it is! We almost exclusively run Debian systems and a minimal Debian installation _is_ truly minimal - you get only enough stuff to run sshd and that's all (ever seen a process tree, where you could count the processes using the fingers of one hand?). – shylent Jun 20 '09 at 12:38
  • 2
    The Red Hat minimal installation does not have X. He has X because of Oracle, not because of Red Hat. – wzzrd Jun 20 '09 at 13:42

5 Answers5

9

I've been searching the web and one solution seems to be making a kickstart script that will intall only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.

Making a kickstart file is not so hard: look in /root of one of your installed servers for a file called anaconda-ks.cfg. That is a kickstart file to make a new server looking like the existing one. Every RH, Fedora or CentOS server has that file.

You can edit the file in system-config-kickstart if you are unfamiliar with writing kickstart files. You do need X for that though.

How do you install minimal Red Hat servers? Is it Ok to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?

You are doing fine with a kickstart file. Kickstart do affect the way you update after installation. During installation, dependencies are calculated automatically. Packages you removed (if that is at all possible) that are needed anyway are added. You cannot install a system with broken dependencies for the system. Dependencies for Oracle is a complete different matter though.

If Oracle needs a graphical environment (and it does, I know it sucks, but it does), you have no option but to install X. However, afaik, Oracle needs X because it has a graphical installer. You do not need X afterwards. So after install, you can remove X.

In my shop we only install a very minimal set of X libraries, btw. Just enough to run xclock (and thus the installer) remotely with X forwarding. That's enough.

Oracle has more insane dependencies. There are some ancient C library compat packages the Oracle installer needs. Not because it actually needs them, but because the zip implementation they ship needs them. Why do they ship that zip implementation? Rumor has it, that the very old zip implementation Oracle ships has more favorable licensing terms (as in: it's not GPL'ed), so they refuse to use a newer implementation. Just rumors though, never heard confirmation...

wzzrd
  • 10,269
  • 2
  • 32
  • 47
  • 1
    Oracle's installer does not need X if you perform a silent installation: http://www.oracle-base.com/articles/misc/OuiSilentInstallations.php – pokstad Feb 07 '11 at 21:23
  • I am facing the same situation now as well and found that on RHEL5.8 the minimal packages to run xclock with X forwarding are `xorg-x11-apps` and `xorg-x11-xauth`. This pulls in several dependencies but this shouldhopefully suffice for a remote graphical install. – Bram Jun 04 '12 at 11:46
7

KIckstart is fine. If you want to make sure certain packages are NOT installed you can list them in the list of packages/groups to install, preceeded by a minus ('-') sign.

e.g.

%packages
@base
core-utils
-httpd

to make sure apache does not get installed

Then in the %post section you can run commands such as chkconfig to switch off services you don't want - and do anything else you want to do to tighten up your install.

Jason Tan
  • 2,742
  • 2
  • 17
  • 24
3

Your problem in fact is not RedHat but more the Oracle dependency.

As said by a previous poster, Oracle dependencies are crazy and mainly link to the crappy installer, not the product itself.

You need to separate your problem in two :

  • Create a minimal RedHat installation with a kickstart file who will run on your hardware and generate the filesystem according to Oracle IAS pre-req.
  • Create a script/package who will install the needed packages for the Oracle installer, install Oracle with a response file, then uninstall the non-needed packages.

The second part is the most difficult, you will need to spend some time to determine from the oracle pre-req what is really needed and what is just a stupid dependency.

But when its done, you can automate your installation, and have a minimum maintenance on all the systems.

Fleole
  • 187
  • 1
  • 8
2

You can install once, make a backup and use it on other systems. To get a minimal system to use in the first place, you can either:

  • do a normal "minimal" installation, then remove the packages you don't need; or
  • ask the installer to let you choose individual packages.

I'd say the latter is easier to accomplish. It may take a while to do this, but it doesn't matter much since you'll be doing it only one time.

If the farm has homogenous virtual "hardware", all the better. If not, all you generally need to care for is making full use of disk space. Just make the "master" copy conform to the least denominator in terms of size and see below.

The last part is relatively easy to achieve in some conditions. If there's a biggest partition at the end of the (virtual) disk, you delete it in 'fdisk' and recreate it to fill the disk up. Then you run resize2fs and you're done. Another idea might be to use LVM, which allows for easier volume enlargement with 'lvextend'. (In LVM is quite effortless to script/automate this.)

Eduard - Gabriel Munteanu
  • 206
  • 1
  • 2
1

I'm answering another old one because I spent a while on this yesterday. I wanted Red Hat to install with the absolute minimal number of packages for a special purpose server.

It seems that in the latest versions, even if you don't specify a single package in the %packages section the group @base is installed by default.

This installs far more packages and service than I care to maintain on some systems.

Then I found %packages --nobase in the CentOS Kickstart/Anaconda Wiki. This truly is the most minimal install for Red Hat based distributions. You will find many commands that you are used to and dependent on missing. But, if you want a minimal starting point this is it.

Aaron Copley
  • 12,345
  • 5
  • 46
  • 67