@nickboldt
Last active December 18, 2024 12:26
Fedora 40 VM Config (2024)

Virtual Box Fedora 40 virtual machine setup - setup of VM on the host

VBox configuration

General
* bi-directional clipboard
* [ ] disk encryption: unchanged/off

System
* 36864 MB
[x] IO APIC
[x] hardware clock
* 4 CPUs
execution cap 100%
[x] PAE/NX
[x] vt-x/amd-v

Acceleration:
* default
* [x] hardware virt

Display
* video 128M
* monitor count 2
* disable 3d accel

Storage:
* AHCI/SATA vdi disk; dynamically allocated storage to 200G
* IDE controlled VBoxGuestAdditions.iso

Network ( see https://gist.github.com/nickboldt/ef98b41f4746e1e7b2f2475a0d78cf79 ):
  Attached to: Bridged Adapter
  Name: Intel Wifi
  Promiscuous Mode: Allow VMs
  [x] Cable Connected

USB
* USB 2

Shared Folders
* c:\work => /WORK
* c:\users\nboldt => /c-users-nboldt

------

## process governor setup

* get UUIDs:

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe list vms
"F40" {19cf7dde-46dd-4e17-a07a-4d15b68a3035}

* configure shortcut to:

"C:\Program Files\procgov\procgov64.exe" -r  --maxjobmem 40960M -- "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" --comment "F40" --startvm "{19cf7dde-46dd-4e17-a07a-4d15b68a3035}"

Virtual Box Fedora 40 virtual machine setup - config of the guest in the guest

Initial RPM updates

dnf update -y

# chrome
dnf install -y --best --allowerasing fedora-workstation-repositories && \
dnf config-manager --set-enabled google-chrome

# sublime
rpm -v --import https://download.sublimetext.com/sublimehq-rpm-pub.gpg && \
dnf config-manager --add-repo https://download.sublimetext.com/rpm/stable/x86_64/sublime-text.repo

# codium
rpmkeys --import https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg && \
printf "[gitlab.com_paulcarroty_vscodium_repo]\nname=download.vscodium.com\nbaseurl=https://download.vscodium.com/rpms/\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg\nmetadata_expire=1h" | sudo tee -a /etc/yum.repos.d/vscodium.repo

# rpmfusion repos
dnf install -y \
  https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
  https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

# beyond compare v4 https://www.scootersoftware.com/download/v4
bcversion=4.4.7.28397
cd /tmp; wget https://www.scootersoftware.com/bcompare-${bcversion}.x86_64.rpm; \
  rpm --import https://www.scootersoftware.com/RPM-GPG-KEY-scootersoftware; \
  dnf -y install bcompare-${bcversion}.x86_64.rpm; rm -f bcompare-*.rpm

# install all the things!
dnf install -y --best --allowerasing \
  kernel kernel-headers kernel-devel \
  codium google-chrome-stable sublime-text vlc \
  vim vim-common vim-enhanced \
  podman skopeo nodejs npm httpd-tools bcrypt gimp ImageMagick \
  arandr curl python jq python-virtualenvwrapper python3-pip \
  git git-crypt hub sshfs openssl \
  plexus-utils maven java-11-openjdk-devel java-17-openjdk-devel \
  krb5-auth-dialog krb5-libs kstart sssd-krb5-common sssd krb5-workstation vpnc

VBox extensions

install VBox extensions to Windows Host; start up VM, mount VBox CD, and run:

dnf update -y
./VBoxLinuxAdditions.run
# /sbin/rcvboxadd quicksetup all
/sbin/rcvboxadd setup
reboot

Install Chrome

Go to https://www.google.com/chrome/?platform=linux (if not already installed above)

Install, log in, configure, etc.

Panel config

Panel:

  • panel prefs: 24px thick

  • screenshooter

  • 5 launchers:

    • terminal, chrome, codium, sublime

    • others: firefox, chrome, thunar, beyond compare, vscode, sublime-text

  • configure launchers with extra options:

    • terminal: xfce4-terminal --maximize

    • chrome: /usr/bin/google-chrome-stable --auth-server-whitelist="*.openshift.com, *.redhat.com" --ignore-certificate-errors %U

Clock panel:

  • tooltip: %a %Y-%m-%d %l:%M:%S / W%V

  • date: %a %m-%d

  • time: %l:%M

More software installation

Install gh cli

sudo dnf install 'dnf-command(config-manager)'
sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
sudo dnf install gh --repo gh-cli

Install pip, yq

pip install --upgrade pip
pip install jira pygithub diff-highlight yq jsonschema

Home dir configuration

Back up home dir and /etc/ content from old VM:

cd /home/nboldt
# -prune stops find from descending into directories it is about to delete
find . -name node_modules -type d -prune -exec rm -fr {} +

# this file will be overwritten by rhit-idm-configs but it's nice to have a backup here
cp -f /etc/krb5.conf /home/nboldt/bin/krb5.conf

BACKUPDIR=/WORK/BACKUPS/20240825
HOMEDIR=/home/nboldt
mkdir -p ${BACKUPDIR}/${HOMEDIR}/
scpr \
	${HOMEDIR}/.alias \
	${HOMEDIR}/.bashrc ${HOMEDIR}/.bash_profile \
	${HOMEDIR}/bin \
	${HOMEDIR}/cookiejar.txt \
	${HOMEDIR}/.docker \
	${HOMEDIR}/Documents \
	${HOMEDIR}/.gitconfig \
	${HOMEDIR}/PWDs \
	${HOMEDIR}/RedHat \
	${HOMEDIR}/.screenlayout \
	${HOMEDIR}/.ssh \
		${BACKUPDIR}/${HOMEDIR}/ --exclude="Che-RHOSDS"

mkdir -p ${BACKUPDIR}/etc/
scpr \
	${HOMEDIR}/.config/hub \
	${HOMEDIR}/.config/bcompare \
		${BACKUPDIR}/${HOMEDIR}/.config/

scpr \
	/etc/krb5.conf \
	/etc/krb5.conf.d \
	/etc/vpnc \
	/etc/yum.repos.d \
		${BACKUPDIR}/etc/

Copy config files to new VM:

sudo su
BACKUPDIR=/WORK/BACKUPS/20240825
HOMEDIR=/home/nboldt
cd ${BACKUPDIR}/${HOMEDIR}/
source .alias
mv ${HOMEDIR}/.bashrc{,_PREV}
mv ${HOMEDIR}/.bash_profile{,_PREV}

scpr \
	./* .alias* .bash* .config .docker .gitconfig .screenlayout .ssh \
		/home/nboldt/
chown nboldt:nboldt -R /home/nboldt

Fix up perms in ~/.ssh and ~

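pushd ~/.ssh
chmod 700 .            # directory: owner only
chmod 600 *            # private keys, config, authorized_keys: owner read/write, not executable
chmod 644 *.pub        # public keys may be world-readable
chmod 644 known_hosts  # not secret, but must not be group-writable
chmod 755 ~
popd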
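
A check for the result of the permission fix-up above, as an added example that is not part of the original gist. `audit_ssh_perms` and `too_open` are hypothetical helper names, GNU `stat` is assumed, and the demo directory is constructed with empty placeholder files rather than real keys.

```shell
#!/usr/bin/env bash
# Added example, not from the gist. Prints one line per entry whose mode grants
# more than the expected bits; returns 0 when clean, 1 when anything is too open.

# too_open MODE ALLOWED -> true if MODE has any bit set outside ALLOWED (octal)
too_open() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

audit_ssh_perms() {
    local dir="${1:-$HOME/.ssh}" bad=0 f mode want
    mode=$(stat -c '%a' "$dir") || return 2
    if too_open "$mode" 700; then
        echo "$dir: mode $mode, want 700"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub|known_hosts|config|authorized_keys) want=644 ;;  # public data, owner-write only
            *) want=600 ;;                                         # treat everything else as a private key
        esac
        mode=$(stat -c '%a' "$f")
        if too_open "$mode" "$want"; then
            echo "$f: mode $mode, want $want or stricter"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on a constructed directory with empty placeholder files (no real keys).
demo=$(mktemp -d)
touch "$demo/id_ed25519" "$demo/id_ed25519.pub" "$demo/known_hosts"
chmod 700 "$demo" "$demo/id_ed25519"      # key left executable
chmod 644 "$demo/id_ed25519.pub"
chmod 770 "$demo/known_hosts"             # group-writable
audit_ssh_perms "$demo" || true
rm -rf "$demo"
```
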

Use same aliases and bashrc for root user

sudo su
HOMEDIR=/home/nboldt
cd /root/
mv /root/.bashrc{,_PREV}
mv /root/.bash_profile{,_PREV}
ln -s ${HOMEDIR}/.bashrc
ln -s ${HOMEDIR}/.bash_profile
ln -s ${HOMEDIR}/.alias
ln -s ${HOMEDIR}/bin

Disable selinux in /etc/selinux/config

vim /etc/selinux/config

# make Chrome the default handler for http and https links
gio mime x-scheme-handler/http google-chrome.desktop
gio mime x-scheme-handler/https google-chrome.desktop
# check current settings
gio mime x-scheme-handler/http | grep Default
gio mime x-scheme-handler/https | grep Default

RH and VPN setup

Install vpn stuff (see ~/RedHat/2017/vpn/*.rpm)

Download these files (see C:\WORK\BACKUPS\home\nboldt\RedHat\VPN\):

  • redhat-internal-NetworkManager-openvpn-profiles-0.1-51.el7.csb.noarch.rpm

  • redhat-internal-NetworkManager-openvpn-profiles-non-gnome-0.1-51.el7.csb.noarch.rpm

  • redhat-internal-openvpn-profiles-0.1-51.el7.csb.noarch.rpm

  • redhat-internal-cert-install-0.1-31.el7.noarch.rpm

  • redhat-internal-csb-browser-extensions-chrome-0.1-3.el7.noarch.rpm

  • redhat-internal-csb-browser-extensions-firefox-0.1-3.el7.noarch.rpm

  • redhat-internal-firefox-config-0.1-60.el7.x86_64.rpm

Install them:

dnf install -y *.rpm

# run VPN (from shortcut in ~/bin/)
V

Add yum repos

Copy files carefully from ~/bin/etc/yum.repos.d/ and ${BACKUPDIR}/${HOMEDIR}/etc/yum.repos.d/ to /etc/yum.repos.d/

  • rh-rcmtools.repo contains the rpms in the next step

Set up rhpkg & fedpkg

  1. install rpms

    dnf install -y rhpkg brewkoji-stage brewkoji dnf-utils mock patch koji \
        python3-koji-containerbuild-cli \
        openldap-clients python3-rpkg python3-kobo python3-bugzilla \
        gcc openssl-devel bzip2-devel sqlite-devel

    # Kerberos

  1. Set up kerberos/kinit (needed for rhpkg and many RCM systems accessed via chrome): google-chrome https://source.redhat.com/groups/public/identity-access-management/identity__access_management_wiki/how_to_renew_a_kerberos_tgt

  2. See also https://spaces.redhat.com/pages/viewpage.action?pageId=177385684#ETFAQ:HowdoIsetupmykerberos?-QuickTip(solvesmostissues)

  3. set up keytab file for kinit: google-chrome https://source.redhat.com/groups/public/certification-initiatives/infrastructureinitiatives/infrastructure_initiatives_wiki/creating_keytab_file_for_kerberos_login

  4. Set up IPA kerberos configuration and login to brew.registry.redhat.io

    Note
    A copy of /etc/krb5.conf can be found in ~/bin/

Need this:

sudo su
mkdir -p /etc/opt/chrome/policies/managed/
echo '{ "AuthServerAllowlist": "*.redhat.com","DisableAuthNegotiateCnameLookup" : true }' > /etc/opt/chrome/policies/managed/redhat-corp.json

# get the correct krb5.conf files
cp /WORK/BACKUPS/etc//krb5.conf.d/* /etc/krb5.conf.d/

# test that it works: log in to the VPN and initialize a Kerberos session
K
V
google-chrome https://errata.devel.redhat.com/

Dev environment

git pre-commit hooks from prodsec

cd /tmp
curl -sSLO https://gitlab.corp.redhat.com/infosec-public/developer-workbench/tools/-/raw/main/rh-pre-commit/quickstart.sh
chmod +x quickstart.sh

# now install for 1 or more projects
/tmp/quickstart.sh -r ~/RHDH/DH/
...
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

openshift

  1. Get oc and kubectl, symlink from a PATH-visible folder like ~/bin

sudo su # as root
cd /opt
OC_VERSION=4.16.8
# fetch from the versioned directory so the file name matches OC_VERSION
curl -sSLo- https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}/openshift-client-linux-${OC_VERSION}.tar.gz | tar xvz oc kubectl

# still root and still in /opt, so kubelogin lands where the symlinks below expect it
curl -sSLO https://github.com/int128/kubelogin/releases/download/v1.29.0/kubelogin_linux_amd64.zip
unzip kubelogin_linux_amd64.zip kubelogin
rm -f kubelogin_linux_amd64.zip
exit

# as the regular user: symlink the binaries into ~/bin, which is on PATH
rm -f /home/nboldt/bin/kubelogin /home/nboldt/bin/kubectl-oidc_login
ln -s /opt/kubelogin /home/nboldt/bin/kubelogin
ln -s /opt/kubelogin /home/nboldt/bin/kubectl-oidc_login

rm -f /home/nboldt/bin/oc /home/nboldt/bin/kubectl
ln -s /opt/oc /home/nboldt/bin/oc
ln -s /opt/kubectl /home/nboldt/bin/kubectl
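
The oc tarball above is piped straight from curl into tar, so nothing checks what was downloaded before it is unpacked as root. As an added example (not from the gist), the helper below verifies a saved download against a checksum list first. `verify_against_sums` is a hypothetical name, the `sha256sum.txt` beside the tarball on the mirror is an assumption, and the demo uses a constructed stand-in file.

```shell
#!/usr/bin/env bash
# Added example, not from the gist. Checks FILE against the entry for its
# basename in a "HASH  NAME" list; returns 0 on match, 1 on mismatch,
# 2 when the file is not listed at all.

verify_against_sums() {
    local file="$1" sums="$2" name expected actual
    name=${file##*/}
    # exact match on the name field ("*name" is coreutils' binary-mode marker)
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: sha256 mismatch" >&2
        return 1
    fi
    echo "$name: OK"
}

# Intended use for the oc download (network steps, shown as comments;
# the sha256sum.txt location is an assumption):
#   base=https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}
#   curl -sSLO "$base/openshift-client-linux-${OC_VERSION}.tar.gz"
#   curl -sSLO "$base/sha256sum.txt"
#   verify_against_sums "openshift-client-linux-${OC_VERSION}.tar.gz" sha256sum.txt \
#     && tar xvzf "openshift-client-linux-${OC_VERSION}.tar.gz" oc kubectl

# Demo on constructed data (no network): a stand-in tarball and a matching list.
work=$(mktemp -d)
printf 'constructed payload\n' > "$work/openshift-client-linux-X.Y.Z.tar.gz"
( cd "$work" && sha256sum openshift-client-linux-X.Y.Z.tar.gz > sha256sum.txt )
verify_against_sums "$work/openshift-client-linux-X.Y.Z.tar.gz" "$work/sha256sum.txt"
printf 'tampered' >> "$work/openshift-client-linux-X.Y.Z.tar.gz"
verify_against_sums "$work/openshift-client-linux-X.Y.Z.tar.gz" "$work/sha256sum.txt" \
    || echo "refusing to unpack"
rm -rf "$work"
```
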

install OPM

cd /tmp
OPM_VER="" # empty string to install latest, or a version like -4.10.26 for a specific one
curl -sSLo- https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.10/opm-linux${OPM_VER}.tar.gz | tar xz
./opm completion bash | sudo tee /etc/bash_completion.d/opm; ls -la /etc/bash_completion.d/opm
rm -fr ~/bin/opm
if [[ "${OPM_VER}" ]]; then
	mv -f /tmp/opm ~/bin/opm${OPM_VER}
	ln -s ~/bin/opm${OPM_VER} ~/bin/opm
else
	mv -f /tmp/opm ~/bin/opm
fi

GPG key gen

# gpg key generation - rsa/dsa, 4096, 5yr
# see https://mojo.redhat.com/docs/DOC-1146306
# then https://mojo.redhat.com/docs/DOC-1166450#jive_content_id_Configuring_a_freshly_installed_system
# then https://source.redhat.com/groups/public/identity-access-management/identity__access_management_wiki/how_to_install_idm_client

sudo yum localinstall -y https://hdn.corp.redhat.com/rhel8-csb/RPMS/noarch/rhit-idm-configs-1.0.0-20.noarch.rpm

echo "keyserver hkp://keys.openpgp.org" > ~/.gnupg/gpg.conf

# create a new key
MY_EMAIL=nboldt@redhat.com
gpg --gen-key

# then send your key with:
gpg --list-keys # get your key id
MY_KEY_ID=F00BAFCAFEBABE00

gpg --send-key $MY_KEY_ID

# confirm it worked
gpg --search-keys $MY_KEY_ID
gpg --keyserver hkp://keys.openpgp.org --search-keys $MY_EMAIL

# now ldap setup
gpg --fingerprint $MY_KEY_ID # get fingerprint
MY_FINGER_PRINTS="FING ERPR INT GOES HERE"

echo "dn: uid=nboldt,ou=users,dc=redhat,dc=com
changetype: modify
add: rhatGPGFingerprint
rhatGPGFingerprint: $MY_FINGER_PRINTS" > ~/bin/keytabs/ldap.fingerprint.txt

#### from this point down, something's not working

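# should the -h flag be -R now?
# (OpenLDAP 2.6 removed -h; the server is given as a URI with -H, and -R sets the SASL realm, not the host)
ldapmodify -Q -h ldapmaster.corp.redhat.com -f ~/bin/keytabs/ldap.fingerprint.txt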

# verify that new fingerprint is shown
gpg --fingerprint "$MY_EMAIL"
ldapsearch -Q -LLL "mail=$MY_EMAIL" mail rhatGPGFingerprint
Note
Publishing new fingerprint didn’t work; -h flag not accepted (-R worked but the new fingerprint did not replace the old one)

See also:

set new hostname

sudo hostnamectl set-hostname t490s-f40

Copy project work from backup home dir into new home dir

sudo su
scpr /WORK/BACKUPS/home/nboldt/RHDH/* ./RHDH/ --exclude=node_modules --exclude=site-packages
chown -R nboldt:nboldt /home/nboldt/RHDH

Steps from previous config guide not used in 2024

Anaconda installer

  • add/remove passphrases with

	cryptsetup luksAddKey <device>
	cryptsetup luksRemoveKey <device>

where <device> can be seen in /etc/crypttab, e.g. UUID=b5399822-d511-4a8a-a021-c70e0d755f00

Unpack sublime text config files

# unzip ~/bin/dot-config-sublime-text-3.zip -d ~/.config/

Install ssl certs

  1. install certs: see https://docs.engineering.redhat.com/display/KB/Troubleshooting+Tips#TroubleshootingTips-SSLerrortroubleshooting and https://mojo.redhat.com/docs/DOC-999615#jive_content_id_Certificates

  2. fix for using pip installed python - https://projects.engineering.redhat.com/browse/RCM-18993

    echo ""  >> ~/.bashrc
    echo "# fix for using pip installed python - https://projects.engineering.redhat.com/browse/RCM-18993" >> ~/.bashrc
    echo "export REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" >> ~/.bashrc