Redhat – Red Hat server minimal install

Tags: hardening, installation, kickstart, redhat

In a farm of virtualized Red Hat servers, there's a need to install a minimal system for security reasons. Minimal installs have several advantages (even non-security-related ones):

  1. Less exposure to vulnerabilities (if you don't need it, don't install it)
  2. Better update process (fewer packages to update, lower probability of breaking the system)
  3. Better performance (no unneeded daemons or processes)
  4. The less software you have the easier it is to harden the system

Unfortunately, this is not easy because the "Minimal Installation" on Red Hat contains lots of unnecessary packages.

There is an added challenge as the farm is running Oracle iAS. I've been told that iAS has dependencies on a local graphical environment. So, in the end, every server in the farm has GNOME, X, etc.

I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.

How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?

Best Answer

> I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.

Making a kickstart file is not so hard: look in /root of one of your installed servers for a file called anaconda-ks.cfg. That is a kickstart file to make a new server looking like the existing one. Every RH, Fedora or CentOS server has that file.

You can edit the file in system-config-kickstart if you are unfamiliar with writing kickstart files. You do need X for that though.

> How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?

You are doing fine with a kickstart file. Kickstart does affect the way you update after installation. During installation, dependencies are calculated automatically. Packages you removed (if that is at all possible) that are needed anyway are added. You cannot install a system with broken dependencies for the system. Dependencies for Oracle are a completely different matter though.

If Oracle needs a graphical environment (and it does, I know it sucks, but it does), you have no option but to install X. However, afaik, Oracle needs X because it has a graphical installer. You do not need X afterwards. So after install, you can remove X.

In my shop we only install a very minimal set of X libraries, btw. Just enough to run xclock (and thus the installer) remotely with X forwarding. That's enough.

Oracle has more insane dependencies. There are some ancient C library compat packages the Oracle installer needs. Not because it actually needs them, but because the zip implementation they ship needs them. Why do they ship that zip implementation? Rumor has it that the very old zip implementation Oracle ships has more favorable licensing terms (as in: it's not GPL'ed), so they refuse to use a newer implementation. Just rumors though, never heard confirmation...
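
One way to review an `anaconda-ks.cfg` before reusing it for a minimal install, as an added example that is not part of the original answer: it parses the `%packages` section and lists every group or package outside an approved baseline. The sample kickstart text, the `BASELINE` set and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of /root/anaconda-ks.cfg (not from a real host).
SAMPLE_KS = """\
install
%packages --nobase
@core
@gnome-desktop
@ X Window System
xorg-x11-xauth
xorg-x11-apps   # provides xclock
cups
-sendmail
%post
echo done
"""

# Assumed baseline: core plus just enough X to run a forwarded xclock.
BASELINE = {"@core", "xorg-x11-xauth", "xorg-x11-apps"}

def parse_packages(ks_text):
    """Return (options, included, excluded) from the %packages section."""
    options, included, excluded = [], [], []
    in_section = False
    for raw in ks_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("%"):
            # %packages opens the section; %end or any other section closes it.
            in_section = line.split()[0] == "%packages"
            if in_section:
                options += line.split()[1:]
            continue
        if not in_section:
            continue
        target = excluded if line.startswith("-") else included
        # Normalise the older "@ Group Name" spelling to "@Group Name".
        target.append(re.sub(r"^@\s+", "@", line.lstrip("-")))
    return options, included, excluded

def audit(ks_text, baseline=BASELINE):
    """List included groups/packages that are outside the approved baseline."""
    _, included, _ = parse_packages(ks_text)
    return [entry for entry in included if entry not in baseline]

if __name__ == "__main__":
    for entry in audit(SAMPLE_KS):
        print("not in baseline:", entry)
```

Anything reported is a candidate for removal from the kickstart file; the installer still pulls in whatever the remaining packages depend on.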