- enable firewall port for tftp
- enable the service.
- systemctl start tftp.socket
- systemctl enable tftp.socket
- put some important files into the tftp server location:
- cd /var/lib/tftpboot # it starts out empty.
- cp /usr/share/syslinux/{pxelinux.0,vesamenu.c32} . # now it has those two files in it.
- Create a menu for the PXE Service… (the options a client machine gets):
- mkdir /var/lib/tftpboot/pxelinux.cfg
- cd /var/lib/tftpboot/pxelinux.cfg/
- nano default
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 8)
STEP 8 – CREATE /etc/yum.repos.d/c7x32.repo for the CentOS 7 32-bit REPOSYNC CLIENTS:
note: the client machine must have nss-mdns (avahi-daemon) working so it can resolve c7pxe.local; otherwise the file needs to be edited to use the server’s IP address.
provide a copy of the file at “http://c7pxe.local/repos/client-files/c7x32.repo”, i.e. in the
folder “/var/www/html/repos/client-files/”.
subsequent kickstart scripts will fetch that file during system installation.
# File:/etc/yum.repos.d/c7x32.repo
[c7x32-base]
name=CentOS Base
baseurl=http://c7pxe.local/repos/c7x32/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
[c7x32-extras]
name=CentOS Extras
baseurl=http://c7pxe.local/repos/c7x32/extras/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
[c7x32-updates]
name=CentOS Updates
baseurl=http://c7pxe.local/repos/c7x32/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 7)
STEP 7 – CREATE /etc/yum.repos.d/c7x64.repo for the CentOS 7 64-bit REPOSYNC CLIENTS:
note: the client machine must have nss-mdns (avahi-daemon) working so it can resolve c7pxe.local; otherwise the file needs to be edited to use the server’s IP address.
provide a copy of the file at “http://c7pxe.local/repos/client-files/c7x64.repo”, i.e. in the
folder “/var/www/html/repos/client-files/”.
subsequent kickstart scripts will fetch this file during system installation.
# File:/etc/yum.repos.d/c7x64.repo
[c7x64-base]
name=CentOS Base
baseurl=http://c7pxe.local/repos/c7x64/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
[c7x64-epel]
name=CentOS EPEL
baseurl=http://c7pxe.local/repos/c7x64/epel/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
enabled=1
[c7x64-extras]
name=CentOS Extras
baseurl=http://c7pxe.local/repos/c7x64/extras/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
[c7x64-updates]
name=CentOS Updates
baseurl=http://c7pxe.local/repos/c7x64/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 6)
- "rs32-reposync-update.sh" # for getting base, updates, and extras.
- "rs64-reposync-update.sh" # for getting base, extras
And, a REPOTRACK script for getting selected packages from EPEL:
- "rt64-c7x64-update.sh"
An easy way to begin using REPOTRACK is to query existing systems for what packages are installed from a given repo. To gather my EPEL package list, I ran these two commands on all of my application servers:
- repoquery -a --installed --qf "%{ui_from_repo} %{name}" | grep '^@epel'
- repoquery -a --installed --qf "%-20{ui_from_repo} %-30{name} %-7{arch} %{epoch}:%-12{version} %-4{release}" | grep '^@epel'
Parse the results however you want, and you’ve got the basis for your repotrack script. Repotrack doesn’t behave exactly like reposync, but it DOES get dependencies for packages, so it isn’t necessary to identify everything in advance. It also works with wildcards.
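The repoquery-to-repotrack step above, as an added example that is not part of the original post: it parses the output of the second repoquery command as collected from several hosts (a constructed sample is embedded; the "### host" marker lines are assumed to be added by whatever loop gathers the output), keeps only packages installed from EPEL, records which hosts need each one, and emits a repotrack line using the options from the page’s script.

```python
"""Added example: turn repoquery output from several hosts into a repotrack command."""
import re
from collections import defaultdict

# Constructed sample (package versions are made up): output of the long-format
# repoquery command run on two application servers, with a "### <host>" marker
# line (our assumption) in front of each host's output.
SAMPLE = """\
### app1
@epel                htop                           x86_64  0:2.2.0       3.el7
@epel                fail2ban                       noarch  0:0.9.7       1.el7
@base                bash                           x86_64  0:4.2.46      31.el7
### app2
@epel                htop                           x86_64  0:2.2.0       3.el7
@epel                nss-mdns                       x86_64  0:0.14.1      1.el7
"""

# repo and name, then the optional arch / epoch:version / release columns of the
# long query format; the short "%{ui_from_repo} %{name}" format also matches.
LINE = re.compile(r"^@(?P<repo>\S+)\s+(?P<name>\S+)"
                  r"(?:\s+(?P<arch>\S+)\s+(?P<evr>\S+)\s+(?P<rel>\S+))?\s*$")


def parse_repoquery(text, repo="epel"):
    """Return {package_name: set(hosts)} for packages installed from `repo`."""
    seen, host = defaultdict(set), "unknown"
    for raw in text.splitlines():
        if raw.startswith("### "):
            host = raw[4:].strip()
            continue
        m = LINE.match(raw)
        if m and m.group("repo") == repo:
            seen[m.group("name")].add(host)
    return dict(seen)


def repotrack_cmd(names, config="/etc/yumrsc7x64.conf", repoid="epel",
                  dest="/var/www/html/repos/c7x64/epel/Packages/"):
    """One repotrack invocation with the options used in the page's script.

    Explicit, sorted package names are emitted rather than wildcards, so the
    mirror only grows by packages that are actually installed somewhere.
    """
    return "repotrack --config=%s --repoid=%s --download_path=%s --newest %s" % (
        config, repoid, dest, " ".join(sorted(names)))


if __name__ == "__main__":
    pkgs = parse_repoquery(SAMPLE)
    for name, hosts in sorted(pkgs.items()):
        print("%-12s installed on: %s" % (name, ", ".join(sorted(hosts))))
    print(repotrack_cmd(pkgs))
```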
For the “rs-c7x64-update.sh” script:
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=base --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=extras --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=updates --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/
To list the package URLs without actually downloading anything, append --urls:
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=base --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/ --urls
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=extras --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/ --urls
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=updates --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/ --urls
- reposync --config=/etc/yumrsc7x64.conf --gpgcheck --plugins --repoid=epel --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x64/ --urls
Create (or update) the repodata for the local repositories. Note the option “-g comps.xml” to update the package group information.
- createrepo /var/www/html/repos/c7x64/base/ -g comps.xml
- createrepo /var/www/html/repos/c7x64/extras/
- createrepo /var/www/html/repos/c7x64/updates/
- createrepo /var/www/html/repos/c7x64/epel/
For the “rs-c7x32-update.sh” script:
- reposync --config=/etc/yumrsc7x32.conf --gpgcheck --plugins --repoid=base --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x32/
- reposync --config=/etc/yumrsc7x32.conf --gpgcheck --plugins --repoid=extras --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x32/
- reposync --config=/etc/yumrsc7x32.conf --gpgcheck --plugins --repoid=updates --newest-only --delete --downloadcomps --download-metadata --download_path=/var/www/html/repos/c7x32/
- createrepo /var/www/html/repos/c7x32/base/ -g comps.xml
- createrepo /var/www/html/repos/c7x32/extras/
- createrepo /var/www/html/repos/c7x32/updates/
For the “rt64-c7x64-update.sh” script:
The repotrack options are very similar to reposync:
- --config=CONFIG # defaults to /etc/yum.conf
- --config=/etc/yumrsc7x64.conf
- --arch=ARCH # defaults to the “current arch” (whatever arch the system is currently running).
- --repoid=REPOID # default is all enabled repos.
- --download_path=DESTDIR # path to download packages to.
- --urls # only show download URLs, don’t download files.
- --newest # only download the newest version of each package (the counterpart of reposync’s --newest-only).
For my script, I’ve sorted commands/packages into common groups. The script is literally the following commands and comments:
# common packages:
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest etckeeper htop nss-mdns epel-release
# security packages:
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest haveged tripwire fail2ban
# only for a GUI VM:
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest imlib2 openbox openbox-libs python2-pyxdg tweak yumex
# for python pypi … note: using "python36-pip" gets "python36, python36-libs, and python36-setuptools".
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest python36-pip
# for a DNS server:
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest dhcping
# for a docker server … note: using "docker*" gets the python dependencies; no need to type them all out.
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest docker*
# some git servers want/need this … note: using "github2fedmsg" gets dependencies; no need to type them all out.
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest github2fedmsg
# for a kitchen sink PYTHON36* … using python36* gets a lot of stuff … including numpy, pyvmomi, pytests, requests, tkinter, virtualenv
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest python36*
# for more GIT* packages … includes items like gitolite, gitstats, git-extras, git-tools
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest git*
# for MYSQL* … fairly small list of items, some connectors, utilities, and some perl.
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest mysql*
# for SQLITE* … small list of items
repotrack --config=/etc/yumrsc7x64.conf --repoid=epel --download_path=/var/www/html/repos/c7x64/epel/Packages/ --newest sqlite*
# BUILD THE LOCAL REPOS:
createrepo /var/www/html/repos/c7x64/epel/
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 5)
- exclude= list, which filters out the stuff I don’t need to download:
- this is the c7pxe list I’m using as of 2019-03-22.
- NOTE: when we’re done with this setup, we’ll have at least three yum config files on this server:
- 1) the regular /etc/yum.conf the OS uses.
- 2) --config=/etc/yumrsc7x64.conf
- 3) --config=/etc/yumrsc7x32.conf
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 4)
- 4.0G /var/www/html/repos/c7x64/base/ # filter allows for GNOME desktop.
- 206M /var/www/html/repos/c7x64/extras/
- 942M /var/www/html/repos/c7x64/updates/
- 187M /var/www/html/repos/c7x64/epel/
- 3.4G /var/www/html/repos/c7x32/base/ # filter also excludes GUI desktops.
- CREATE extra YUM config files, one for each {Distro-Release-Arch} being sync’d:
- /etc/yumrsc7x64.conf # configure an exclude= line.
- /etc/yumrsc7x32.conf # configure an exclude= line.
- CREATE an extra YUM repo directory, one for each {Distro-Release-Arch} being sync’d:
- /etc/yumrsc7x64.repos.d
- /etc/yumrsc7x32.repos.d
- CREATE matching repo files under each directory:
- /etc/yumrsc7x64.repos.d/c7x64.repo # {base,extras,updates,epel}
- /etc/yumrsc7x32.repos.d/c7x32.repo # {base,extras,updates}
- EDIT each YUM config file to specify where to find its “*.repo” files:
- IN “/etc/yumrsc7x64.conf”, add the line “reposdir=/etc/yumrsc7x64.repos.d”
- IN “/etc/yumrsc7x32.conf”, add the line “reposdir=/etc/yumrsc7x32.repos.d”
- define the reposync CONFIG OPTION for each {Distro-Release-Arch} being sync’d (for the reposync script(s)):
- --config=/etc/yumrsc7x64.conf
- --config=/etc/yumrsc7x32.conf
- --arch= # can skip this option/flag for the x64 version, the default already works.
- --arch= # for the x32… I’m not sure whether it is supposed to be “i386”, “i686”, or something else.
- note: 2019-03-22, seems to be working without actually using this flag.
- The --repoid flag refers to the [repo name] section in the configured “*.repo” files.
- “REPOID” must match a section name in the targeted /etc/yum{$}.repos.d/{$}.repo file(s).
- So, if you keep the names simple there, then this flag remains much simpler.
- the options used by my repo configs and reposync/repotrack scripts:
- --repoid=base
- --repoid=extras
- --repoid=updates
- --repoid=epel
- My local repos are being stored/served in these locations (don’t put this brace syntax in the script):
- /var/www/html/repos/c7x64/{base,extras,updates,epel}
- /var/www/html/repos/c7x32/{base,extras,updates}
- note: the reposync utility will make (or use existing) subfolder(s) matching the repo name, so my reposync scripts only need:
- --download_path=/var/www/html/repos/c7x64/
- --download_path=/var/www/html/repos/c7x32/
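As an added illustration of this step (not the post’s own files), here is what the two server-side files for the 64-bit sync can look like. The upstream host is a placeholder, the cachedir and the exclude list are assumptions, and the gpgkey paths are the ones the page already uses on the clients. The gpgcheck=1 and gpgkey lines in each section are what make the --gpgcheck flag in the reposync commands effective: reposync only rejects unsigned or badly signed packages for a repo whose section has gpgcheck=1, and it verifies against keys already imported into the server’s rpm database (rpm --import of the two key files), so do that import before the first sync.

```ini
# /etc/yumrsc7x64.conf  (used only via --config=; the OS keeps its own /etc/yum.conf)
[main]
# separate cache dir (assumed path) so the mirror's "base"/"updates" metadata
# never mixes with the OS's own repos of the same name
cachedir=/var/cache/yum-reposync/c7x64
keepcache=0
logfile=/var/log/yum-reposync-c7x64.log
reposdir=/etc/yumrsc7x64.repos.d
gpgcheck=1
# constructed exclude list for illustration; the post's real list is in STEP 5
exclude=*-firmware kernel-debug* *-debuginfo

# /etc/yumrsc7x64.repos.d/c7x64.repo
# UPSTREAM-MIRROR is a placeholder for the mirror host you sync from.
[base]
name=CentOS-7 Base (upstream)
baseurl=http://UPSTREAM-MIRROR/centos/7/os/x86_64/
enabled=1
# gpgcheck=0 here would make "reposync --gpgcheck" a no-op for this repo
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-7 Extras (upstream)
baseurl=http://UPSTREAM-MIRROR/centos/7/extras/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-7 Updates (upstream)
baseurl=http://UPSTREAM-MIRROR/centos/7/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[epel]
name=EPEL 7 (upstream)
baseurl=http://UPSTREAM-MIRROR/epel/7/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
```

The section names base, extras, updates and epel are exactly the values the scripts pass as --repoid, and reposync creates subfolders with those names under --download_path.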
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 3)
- configure the 2nd disk: 20GB for “reposync” files (was using 30GB, but didn’t need it all):
- start up the vm.
- if NVME:
- fdisk -l # new disk is listed as "Disk /dev/nvme0n2: 32.2 GB, 32212254720 bytes, 62914560 sectors"
- fdisk /dev/nvme0n2 # select new "n", primary "p", partition number "1", first sector default, last sector default, write "w".
- fdisk /dev/nvme0n2 # select change type "t", linux lvm "8e", write "w".
- mkfs.xfs -f /dev/nvme0n2p1 # format the new partition; for some reason, the VMware Fusion VMs with NVMe vdisk required the extra "-f" flag for this to work.
- or, if SATA:
- fdisk -l # new disk is listed as "Disk /dev/sdb: 32.2 GB, 32212254720 bytes, 62914560 sectors"
- fdisk /dev/sdb # select new "n", primary "p", partition number "1", first sector default, last sector default, write "w".
- fdisk /dev/sdb # select change type "t", linux lvm "8e", write "w".
- mkfs.xfs /dev/sdb1
- cd /var/www/html/repos/
- mkdir -p /var/www/html/repos/{c7x64,c7x32} # or whatever list of distros to serve.
- mkdir -p /var/www/html/repos/c7x64/{base,extras,updates,epel}
- mkdir -p /var/www/html/repos/c7x32/{base,extras,updates} # there is no epel for c7x32.
- mkdir -p /var/www/html/repos/client-files/ # will serve scripts/files here, for post install uses.
- mkdir -p /var/www/html/repos/c7x64/ISOminimal
- # use: mount /dev/cdrom /var/www/html/repos/c7x64/ISOminimal
- mkdir -p /var/www/html/repos/c7x64/ISOeverything
- # use: mount /dev/cdrom /var/www/html/repos/c7x64/ISOeverything
- mkdir -p /var/www/html/repos/c7x32/ISOminimal
- # use: mount /dev/cdrom /var/www/html/repos/c7x32/ISOminimal
- mkdir -p /var/www/html/repos/c7x32/ISOeverything
- # use: mount /dev/cdrom /var/www/html/repos/c7x32/ISOeverything
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 2)
PREPARE FOR REPOSYNC AND PXE:
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (STEP 1)
This step requires an existing “minimal/baseline” VM ready to clone.
- On MacOS/Fusion:
- clone an existing baseline VM.
- verify VM config: 1 vcpu, 512MB mem, 6g NVMe disk, 1 network interface (VMNET2).
- verify VM config: disable/remove Printer, Sound, USB, Camera, Bluetooth.
- update shared folder settings, VM name, and notes.
- In VM:
- use nmtui to set/rename hostname and set static IP.
- pull scripts and config files into /home/elmer from /mnt/hgfs/c7pxe
- note: many of these scripts and config files are described in the following steps.
- yum repolist # => should be using online CentOS-7-64bit: base,updates,extras,epel
- systemctl status kdump # => check and confirm it’s disabled
- free -h # "Swap: 0B 0B 0B" # => check and confirm it’s all zeros (i.e., swap is disabled).
- hostname; ip address; uname -r
- yum update
- List all of the installed packages (RPMs) with size info, and sort the list by size:
- rpm -qa --queryformat '%10{size} - %-25{name} \t %{version}\n' | sort -n
- ./yum-clean.sh # note: my custom script for cleaning up after yum.
- ./shrink-disk.sh # note: my custom script for cleaning up and shrinking virtual disks.
- On MacOS/Fusion: shut down the newly cloned VM and ZIP a baseline backup before continuing.
Build a CentOS7 server for: pxe boot, kickstart, reposync, repotrack, nfs, https (introduction)
- CentOS 7.x Linux 64-bit, NO GUI desktop, HTTPD, PXE, Kickstart, RepoSync+RepoTrack, NFS.
- Begin by making a full clone of the existing VM c7baseline.
- two vDisks:
- 20GB for RepoSync at “/var/www/html/repos/” hdd=”c7pxe-repos.vmdk”
- 6GB for /boot and “/” hdd=”c7baseline-d1.vmdk”
- entry for “/etc/hosts”: 10.0.0.11 c7pxe.lab.domain.net c7pxe.local c7pxe
- VM is configured with a static IP using VMware Fusion VMNET2
- Only user is “elmer”. Elmer has administrative (sudo) privileges.
- SELinux=permissive
- firewalld is enabled and configured, with only SSH and nss-mdns in from local subnet.
- repo EPEL is enabled.
- KDUMP and SWAP were disabled during install.
- has these packages: ip address, nmtui, gzip, tar, top, curl, epel-release, yum-utils, deltarpm, nano, nss-mdns, htop, rng-tools, rsync.
- Avahi is running, so I can use *.local name resolution and skip more complicated DNS and/or host file configurations.
- open-vm-tools is running. I have a couple folders shared into the VM for getting scripts and outputting config backups.
- SSHD is running. I do most of my activity via a host MacOS terminal ssh connection.
- I use nano as the editor on CentOS VMs. If you prefer vi, emacs, or something else… that’s ok with me.
- The VM gets TIME from the host, via hypervisor/open-vm-tools, so it doesn’t need NTP or Chrony.
- Virtual hardware items Printer, Sound, USB, Camera, and Bluetooth have been removed from the VM config.
- The VM uses NVMe for hard disks and SATA for the cdrom. No IDE or SCSI.
- The reduced hardware profile enables removing a lot of firmware packages from these VMs.
It’s easy/fast to make a ZIP backup copy of an entire VM, so I’m moderately aggressive with removing things like dracut emergency/rescue packages, old kernels, yum caches, etc. If I break a VM, I just revert to a previous backup.
With VMs under 20GB in size, making ZIP backups via the host OS filesystem is often faster than managing VMware snapshots. Also, I like knowing that I have fully contained/atomic backups set to the side and quickly available if needed.
I have some custom scripts that clean up the VM contents and shrink the vdisk (to reduce disk usage on host system).
There are many options to further minimize and harden these VMs, but this current baseline maintains normal CentOS/Fedora/RHEL/Oracle functionality and compatibility.