flarcreate in RHEL


Is there anything like flarcreate in RHEL?

In Solaris, you can secure a server, create a flash archive and use the archive to jumpstart other servers.

Is there any such thing in RHEL that can be implemented using kickstart?

Thanks

Arrey

Responses

The Solaris flarcreate command is pretty much cpio inside a wrapper-utility.

Given that you're transferring equivalent amounts of data - whether doing one, giant flar (cpio) file or using a whole bunch of cpio files (RPMs) - and then running a customizer, at the end, doing a flar-style JumpStart isn't appreciably faster than a well-constructed KickStart profile.

My reason for asking is this: recently I have had to install a couple of physical servers and secure them. Again, in Solaris, I could install one server, secure it and create a flash archive, then use that archive to install the rest of the servers using jumpstart. This way, I don't have to do security on each server after installation.

Is there any method in RHEL similar to the method used by Solaris?

And how can you implement security using kickstart? Is it possible? If yes, can anyone point me to the right documentation?

Thanks

Arrey

You can use the %post section of the KickStart config: you can either script out all the stuff directly in the %post section or you can put the script on a network-reachable resource then have the %post section download and run that hardening-script.

Thanks Tom. Good idea. But for some of us who are not good scripters, we will be left securing one server after another. It would have been nice if RHEL had something similar to what Solaris does. Thanks a lot for staying with me on this.

Arrey

You're probably overthinking it. Scripting doesn't have to be hard: it can be as simple as manually executing your hardening commands and then dumping your history-buffer into a file. Once you've got that core, you can fiddle with and tweak it to work more generally. Even better, you can use your "build-time" procedure as a life-cycle security tool (i.e., periodically run it against systems throughout their lifetimes to ensure they're still adequately secured). Remember: keeping systems secure is best done as more than just a one-time activity.

As a side-note: one of the RedHat guys maintains a set of STIG scripts on GitHub (if I remember correctly). If you grab those, much of your hardening might already be pre-done for you. There are similar hardening-projects that will show up in Google searches. +)
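The two replies above suggest running a hardening script from the Kickstart `%post` section and then re-running the same procedure periodically. The script below is an added example of that pattern, not code from any poster or from Red Hat: each step is idempotent, so the script can fix settings at build time and report drift later. The three settings, the `ROOT`, `MODE` and `RUN` variables and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (constructed): one hardening script for build time and later.
# Build: run it from the Kickstart %post section. Life cycle: re-run it, e.g.
# from cron, with MODE=check to report drift without changing anything.
ROOT="${ROOT:-}"        # path prefix, lets you aim it at a scratch directory
MODE="${MODE:-apply}"   # apply = fix drift, check = report only
DRIFT=0

# ensure_setting FILE KEY VALUE
# Leaves exactly one uncommented "KEY VALUE" line in FILE; safe to repeat.
ensure_setting() {
    file="$ROOT$1"; key="$2"; value="$3"
    active=$(grep -Ec "^[[:space:]]*${key}[[:space:]]" "$file" 2>/dev/null) || true
    # Compliant: a single active line, carrying the wanted value.
    if [ "${active:-0}" -eq 1 ] &&
       grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*\$" "$file"
    then
        return 0
    fi
    DRIFT=$((DRIFT + 1))
    echo "drift: $file: $key should be '$value'" >&2
    if [ "$MODE" = "check" ]; then return 0; fi
    mkdir -p "$(dirname "$file")" && touch "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop every active occurrence of KEY, then append the wanted line.
    grep -Ev "^[[:space:]]*${key}[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"    # rewrite in place: keeps mode, owner and label
    rm -f "$tmp"
}

harden() {
    DRIFT=0
    # Sample settings, for illustration only; substitute your own baseline.
    ensure_setting /etc/ssh/sshd_config PermitRootLogin no
    ensure_setting /etc/ssh/sshd_config PermitEmptyPasswords no
    ensure_setting /etc/login.defs PASS_MAX_DAYS 90
    # In check mode a non-zero exit status means drift was found.
    [ "$MODE" = "apply" ] || [ "$DRIFT" -eq 0 ]
}

# Run only when executed directly with RUN=1, so sourcing it has no effect.
if [ "${RUN:-0}" = "1" ]; then harden; fi
```

Saved under a hypothetical name such as `harden.sh`, it would be called as `RUN=1 sh harden.sh` in `%post` and as `RUN=1 MODE=check sh harden.sh` from cron. Appending is only correct for an `sshd_config` without `Match` blocks; with them, the line has to be placed above the first `Match`.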

Ghost4Linux would be the closest to this.

PlateSpin could be used too, but has the disadvantage that it has to be run online. So you need to stop all services and restart after the clone.

If you need/want a corporate-supported solution, I would recommend Acronis. It seems as though their solutions consistently have provided the most flexibility and functionality (without having to be a scripting/programming genius ;-)

GhostZilla is a free one that comes to mind, but I have not personally used it.

I agree that functionality similar to FLAR would be nice as you could image a box and push that image out and make a few tweaks, especially for disconnected environments.

Thanks James for the suggestion. RHEL is good. I just wonder why they are lacking in this area. It will make sense for them to implement this.

I'm an old Solaris guy converted to RHEL (never looked back). I ran a very critical Jumpstart server for many years to build, rebuild, and update my Sun Sparc baseline workstations and servers. It saved TONS of time, without question, but it did take time up front to learn, set up, and tweak just the way I wanted it - quite a lot of time.

This setup included good flar image files and a healthy post-install configuration setup (including a one-time use init script for any final tweaks). But once that work was completed and everything was set up, there was very little to worry about and little work to do after that.

Though I don't Kickstart much these days (we're a VMware snob shop with clones), I would definitely take the time to do the Kickstart setup. I'm trying to encourage one of my co-workers to do more Kickstarts on one project because it's not VMware-ready. I think you'll find that it'll be, if not "better", a "comparable/acceptable difference".

My 2 cents of course. LOL

Good luck!

"I miss ZFS". :-(

Not part of RHEL, but... There is the ZFS on Linux project (if you're running an EL6 or EL7 derivative, you can get ZOL via the EPEL repositories: http://zfsonlinux.org/epel.html).

That said, if you ZFS but want something more Linux-native, BTRFS is like ZFS+.

True that, Chris. I miss boot environments as well. RHEL is good, but Solaris has some cool stuff.

Gawd: how far has the UNIX world fallen that Solaris is the one with "cool stuff". Solaris was always the "we'll sorta hang back and let the other commercial UNIX vendors cut themselves on the bleeding-edge of things". It's why conservative shops bought Solaris over other, higher-performance commercial UNIXes.

At this point in the game, there's not much in Solaris for which Linux (as a whole) lacks equivalency. With the EL7 release, even RedHat's got a high degree of the Solaris-y functionality built in or reproducible (without the horror-show that is Solaris 11's adoption of a registry-like configuration management system). Plus, no having to deal with Oracle. :p

Hey Arrey - I came across this today
http://www.storix.com/supported-systems/linux/redhat

Seemed promising ;-)