In a farm of virtualized Red Hat servers, there's the need to install a minimal system for security reasons. Minimal installs have several advantages (even no security related):
- Less exposure to vulnerabilities (if you don't need it, don't install it)
- Better update process (less packages to update, less probability of breaking the system)
- Better performance (no unneeded daemons or processes)
- The less software you have the easier it is to harden the system
Unfortunately, this is not easy because the "Minimal Installation" on Red Hat contains lots of unnecessary packages.
There is an added challenge as the farm is running Oracle iAS. I've been told that iAS has dependencies with local graphical environment. So finally every server in the farm has gnome, X, etc.
I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.
How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?
Making a kickstart file is not so hard: look in /root of one of your installed servers for a file called anaconda-ks.cfg. That is a kickstart file to make a new server looking like the existing one. Every RH, Fedora or CentOS server has that file.
You can edit the file in system-config-kickstart if you are unfamiliar with writing kickstart files. You do need X for that though.
You are doing fine with a kickstart file. Kickstart do affect the way you update after installation. During installation, dependencies are calculated automatically. Packages you removed (if that is at all possible) that are needed anyway are added. You cannot install a system with broken dependencies for the system. Dependencies for Oracle is a complete different matter though.
If Oracle needs a graphical environment (and it does, I know it sucks, but it does), you have no option but to install X. However, afaik, Oracle needs X because it has a graphical installer. You do not need X afterwards. So after install, you can remove X.
In my shop we only install a very minimal set of X libraries, btw. Just enough to run xclock (and thus the installer) remotely with X forwarding. That's enough.
Oracle has more insane dependencies. There are some ancient C library compat packages the Oracle installer needs. Not because it actually needs them, but because the zip implementation they ship needs them. Why do they ship that zip implementation? Rumor has it, that the very old zip implementation Oracle ships has more favorable licensing terms (as in: it's not GPL'ed), so they refuse to use a newer implementation. Just rumors though, never heard confirmation...
KIckstart is fine. If you want to make sure certain packages are NOT installed you can list them in the list of packages/groups to install, preceeded by a minus ('-') sign.
e.g.
%packages
@base
core-utils
-httpd
to make sure apache does not get installed
Then in the %post section you can run commands such as
chkconfig
to switch off services you don't want - and do anything else you want to do to tighten up your install.Your problem in fact is not RedHat but more the Oracle dependency.
As said by a previous poster, Oracle dependencies are crazy and mainly link to the crappy installer, not the product itself.
You need to separate your problem in two :
The second part is the most difficult, you will need to spend some time to determine from the oracle pre-req what is really needed and what is just a stupid dependency.
But when its done, you can automate your installation, and have a minimum maintenance on all the systems.
You can install once, make a backup and use it on other systems. To get a minimal system to use in the first place, you can either:
I'd say the latter is easier to accomplish. It may take a while to do this, but it doesn't matter much since you'll be doing it only one time.
If the farm has homogenous virtual "hardware", all the better. If not, all you generally need to care for is making full use of disk space. Just make the "master" copy conform to the least denominator in terms of size and see below.
The last part is relatively easy to achieve in some conditions. If there's a biggest partition at the end of the (virtual) disk, you delete it in 'fdisk' and recreate it to fill the disk up. Then you run resize2fs and you're done. Another idea might be to use LVM, which allows for easier volume enlargement with 'lvextend'. (In LVM is quite effortless to script/automate this.)
I'm answering another old one because I spent a while on this yesterday. I wanted Red Hat to install with the absolute minimal number of packages for a special purpose server.
It seems that in the latest versions, even if you don't specify a single package in the
%packages
section the group@base
is installed by default.This installs far more packages and service than I care to maintain on some systems.
Then I found
%packages --nobase
in the CentOS Kickstart/Anaconda Wiki. This truly is the most minimal install for Red Hat based distributions. You will find many commands that you are used to and dependent on missing. But, if you want a minimal starting point this is it.