# Reinstalling Fedora
Installing Fedora 32, 7/17/2020
- Install Fedora Workstation via live USB
- Encrypt Storage
- Add a temporary user when required. This will be deleted later.
- Root account is disabled by default. Re-enable via `sudo passwd` to set root password
- Get VPN working
- [KB article](https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0005424&sys_kb_id=f4a8c6c713572640daa77b304244b084) has links to the RPMs to install manually
- Used `redhat-internal-cert` and `redhat-internal-NetworkManager-openvpn-profiles`
- This was sufficient to connect to VPN w/ username/token
- Once connected, go back and add the rhel8-csb repo so we get updates in the future
- [Get Kerberos working](https://mojo.redhat.com/docs/DOC-1017803-configure-fedora-with-red-hat-ldapkerberos-and-vpn)
- IT is in the process of converting to some kind of identity management system, but I couldn't get it to work, and it appears to be known broken at this time.
- You should be on the VPN so your machine can contact the Kerberos servers
- Install required packages:
```bash
dnf install sssd krb5-workstation
dnf remove gnome-initial-setup
```
- Create `/etc/sssd/sssd.conf`, making sure to update `simple_allow_users`:
```
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = redhat.com
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/redhat.com]
id_provider = ldap
ldap_search_base = dc=redhat,dc=com
auth_provider = krb5
krb5_realm = REDHAT.COM
krb5_store_password_if_offline = true
#-- Only allow me to log in
access_provider = simple
simple_allow_users = jstrunk
ldap_user_ssh_public_key = ipaSshPubKey
cache_credentials = true
# Don't use the homedir path in LDAP
override_homedir = /home/%u
lookup_family_order = ipv4_only
```
- Create `/etc/krb5.conf` (this is from 2017; the F32 install got modified by the IPA installer, but it works :unamused:):
```
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = REDHAT.COM
[realms]
REDHAT.COM = {
}
[domain_realm]
redhat.com = REDHAT.COM
.redhat.com = REDHAT.COM
```
- Finish up
```bash
chmod 600 /etc/sssd/sssd.conf
authselect select sssd with-mkhomedir --force
systemctl start sssd
systemctl enable oddjobd
systemctl start oddjobd
```
- Try logging in:
```bash
systemctl start sshd
ssh jstrunk@localhost
```
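As an added check (not part of the original notes), a small shell function that verifies the `sssd.conf` written above still carries the settings that restrict logins: the file must be mode 0600, `access_provider = simple` must be set, and the named user must appear in `simple_allow_users`. The function name and the sample config used to exercise it are my own.

```bash
#!/bin/bash
# check_sssd_conf FILE USER
# Returns 0 when FILE is mode 0600, uses access_provider = simple, and lists
# USER in simple_allow_users; prints each failing check and returns 1 otherwise.
# sssd itself refuses to start when sssd.conf is group- or world-readable.
check_sssd_conf() {
    local conf="$1" user="$2" ok=0 mode allowed
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"; return 1
    fi
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "bad mode $mode on $conf (want 600)"; ok=1
    fi
    # accept both "key = value" and "key=value" spellings
    if ! grep -Eq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*simple[[:space:]]*$' "$conf"; then
        echo "access_provider is not 'simple'"; ok=1
    fi
    allowed=$(sed -n 's/^[[:space:]]*simple_allow_users[[:space:]]*=[[:space:]]*//p' "$conf")
    # simple_allow_users is a comma-separated list; match USER as a whole item
    if ! printf '%s\n' "$allowed" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$user"; then
        echo "user '$user' not in simple_allow_users (found: '$allowed')"; ok=1
    fi
    return $ok
}

# Usage: ./check.sh /etc/sssd/sssd.conf jstrunk   (defaults USER to the caller)
[ -n "${1:-}" ] && check_sssd_conf "$1" "${2:-$(whoami)}"
```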
- Add yourself to sudoers:
```bash
echo "jstrunk ALL = NOPASSWD: ALL" >> /etc/sudoers
```
- Install software
- Chrome
- Set up Chrome to authenticate w/ Kerberos by creating `/etc/opt/chrome/policies/managed/redhat-corp.json`:
```json
{
"AuthServerWhitelist": "*.redhat.com"
}
```
- [SpiderOak](https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0000941&sys_kb_id=c4d78ae31b315090aa0f960abc4bcb3e)
- VS Code
- Add the yum repo
```bash
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
cat - <<EOF | sudo tee /etc/yum.repos.d/vscode.repo
[code]
name=Visual Studio Code
baseurl=https://packages.microsoft.com/yumrepos/vscode
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc
EOF
```
- Increase inotify watches. Create `/etc/sysctl.d/50-vscode.conf` with the following:
```bash
cat - <<EOF | sudo tee /etc/sysctl.d/50-vscode.conf
fs.inotify.max_user_watches=524288
EOF
```
- Docker
- Switch back to cgroups v1:
```bash
sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
```
- Configure firewall:
**Don't do the docker0 line, [it breaks vagrant (libvirt)](https://bugzilla.redhat.com/show_bug.cgi?id=1829090)**
```bash
# Skip this one; see the note above
# sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-masquerade
```
- Install & enable:
```bash
sudo dnf install moby-engine docker-compose
sudo systemctl enable docker
```
- Make it so you can run docker as a normal user (membership in the `docker` group is equivalent to root on the host):
```bash
sudo groupadd docker
sudo usermod -aG docker $(whoami)
```
- kubectl
```bash
cat - <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
sudo dnf install kubectl
```
- vagrant
rhel8-csb ships its own vagrant package in addition to the one in the Fedora repos. Append `exclude=vagrant` to the end of the `rhel8-csb.repo` file to ensure we get the official Fedora one.
```bash
sudo dnf install vagrant vagrant-sshfs
sudo usermod -aG libvirt $(whoami)
```
- Don't suspend on lid close
- Set `HandleLidSwitch=ignore` in `/etc/systemd/logind.conf`, then restart logind:
```bash
systemctl restart systemd-logind.service
```
- Get Yubikey working for ssh & gpg2
- Works OOTB for the 2FA code for RHT and for web site 2FA (U2F)
- Install `ykpers` and `yubikey-manager`
- The latter pulls in `pcscd`, which allows accessing the key as a smartcard for gpg2 & ssh