Converting Windows 10 laptops to CentOS 7 for developers

Started by Dieselboy, August 13, 2019, 09:00:22 PM


Dieselboy

One of our management persons requested Ubuntu to replace Windows 10 for devs. Long story short I thought it was best to utilise WSL within Windows 10 to get the best of both worlds however (for some reason) there is a severe resistance against Windows entirely. We cannot use Ubuntu natively on the hardware because our anti-malware solution is not compatible with Ubuntu. Cisco AMP anti-malware supports RHEL and CentOS. RHEL for workstations would be a great option however there are high costs with licensing as well as issues with RHEL repos getting the required packages to the devs. So CentOS 7 it is.

Requirements
- easy to deploy (eg an image)
- domain join
- Anti-malware
- Compatibility with business tools / apps
- Disk encryption
- VPN for internal services
- High performance is a primary concern for the devs

Solution
Going through the requirements, we couldn't use an image due to the disk encryption and differing size HDD/SSDs. After deploying an image we would need to work to resize the partitions or add to LVM. Basically aggro. So instead I used kickstart and told it to start with a 50GB OS partition and, if there is free space after the 50GB, fill it up to maximum. So this means we have the full disk available whether it's 51GB or xTBs.

What is Kickstart? It's an installation script for RedHat and CentOS systems (I think also Fedora). If you manually install a RHEL/CentOS system, when you get to log in to the system there is a file called anaconda-ks.cfg located in /root/. This file is a kickstart script and it's a 100% match for everything you did during the installation. For example, setting the partitions, system name, network, any installations such as GUI etc. So to get started I installed a system exactly how I wanted it and then took the script and built on top of that, looking for solutions around the web as I hit hurdles.

Domain join has been a PITA previously. Minor differences in package versions with sssd, oddjob etc. resulted in differences of experience. For example, computer names in AD show up as lower case or upper case depending. And occasionally things drop off the domain and require to be re-joined. To make this process as easy as possible I used the `pbis-open` free software. Simply install the package and run the domain join command. In addition to that, one extra step I took was to enable the system to assume the default domain when using user IDs. This means users can log in the same way they do on Windows and Mac by using `userID` instead of `userID@domain.domain`, and this makes it easier and less of a re-learn.
Cisco AMP is supported but requires disabling the BIOS `secure boot` option so that the AMP software has the ability to run. Else there are kernel issues.
Business tools / apps = everything in a browser. Webex Teams, Google Docs, Gmail, diagram drawings etc. - everything has browser apps so this is covered. The only issue here is that the default browser installed is Firefox v60 which is pretty old (68 is/was the current as of a few weeks ago). So Firefox is actually removed and a script installs the current/latest Google Chrome. The issue with Firefox is their installer just unpacks the files where the user wants them and runs the browser from there. So it can't easily be upgraded.
Disk encryption - this is done at install time. The options we have are to use a standard encryption key which is specified in the kickstart, or don't specify any key and the system will prompt during the installation to set a key. TPM can be used but it requires using a different bootloader called TrustedGrub, and if the kernel is updated the system will fail to boot unless you know how to modify the grub to boot using a password then fix the issue. For this reason TPM can't be used at this time but I'll keep monitoring the progress. So a key rotation policy will be used for disk encryption.
VPN - CentOS has native support for IKE and AnyConnect SSL VPNs. I only needed to install one additional package to resolve a bug which is a missing library. Then AnyConnect can be connected by configuring VPN in the GUI.
High performance - they want to maximise performance for dev and builds. For that I did not install any software that was not required except for the XFCE GUI. I don't know how this will impact the use so I left the default GNOME GUI installed. My option was to make XFCE the default choice for users but I could not find any way to actually make that the default for new logins. You have to set it yourself on first login, then it is saved as the default for you.

Lastly, I have a bunch of other things happen during the install:
- The script imports our internal CA cert into the system so that the system trusts certs issued by it.
- Root password is set and SSH root login is turned off.
- A local admin user is set so that root is not used.
- The script scans for USB disks and blacklists them at install time so that the OS is installed on the only other disk = the internal SSD/HDD. Some laptops have an internal USB MMC disk and we also need to blacklist the USB installation drive.
- LAN adapter network is activated via DHCP.
- SUDO is configured to allow without a password.
- GRUB timeout set to 0 seconds so the system just boots without a countdown.
- SWAP is configured via /swapfile instead of a partition because a swap partition is difficult to manage over time whereas a swapfile can be changed during OS use.
- A few web shortcuts are saved in a user template so that any new user (i.e. the LDAP user) has shortcuts on their desktop when they log in.

A post-boot.sh script is downloaded and saved to /opt/.
This script installs Chrome, AMP and the pbis-open software. It then runs through the domain join process and gives prompts to add the new user to the sudo users group called `wheel`.
The script also sets the local admin user account to be a `system account` which hides it from the login screen. This means that when the system boots up, it gives a username box if there is no other user. An AD user can log in. Else, if the laptop has already been logged into via an AD user, then it will show that account at the login screen.
Finally it does a `yum update -y` and reboots, which signals the system is ready for usage.

All in all it's been a fun experience and no real issues to contend with. The script is configured so that (almost) any system can boot the script and get installed. I've not found a system which does not work, yet. The issues that came about were disk IDs/names/sizes, which is resolved as described, and the network interface name, which I removed from the kickstart; the system just loads the first NIC it finds in this case, which is great.

Kickstart script is in git: https://github.com/tonyppe/universal-centos7-kickstart

:)
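As an added example (not the post's own script or code from the linked repo), this is the shape of the `%pre` logic described above: detect USB-attached disks by walking sysfs so they can be blacklisted with `ignoredisk`, then emit a root partition of at least 50GB that grows into any remaining space. The sysfs layout, device names and the `REPLACE_ME` passphrase are constructed stand-ins; in a real kickstart the functions would be pointed at `/sys` and the output written to a file pulled in with `%include`.

```shell
#!/bin/sh
# Added example, not code from the post or the linked kickstart repo. Shows the
# %pre logic the post describes: find USB-attached disks by walking sysfs so
# they can be blacklisted with "ignoredisk", then emit an OS partition that is
# at least 50 GB and grows into any remaining space. The sysfs root is a
# parameter so the same functions run against a constructed tree below.

# Print the names of block devices whose resolved sysfs path passes through a
# USB host controller (e.g. .../usb1/1-3/...). In the real installer pass /sys.
usb_disks() {
    sysroot="$1"
    for dev in "$sysroot"/block/*; do
        [ -e "$dev" ] || continue
        case "$(readlink -f "$dev")" in
            */usb*) basename "$dev" ;;
        esac
    done
}

# Build the fragment a kickstart would pull in via "%include /tmp/part-include".
# The passphrase is a labelled placeholder, as in the post's "standard key" option.
ks_fragment() {
    drives=$(usb_disks "$1" | paste -sd, -)
    if [ -n "$drives" ]; then
        printf 'ignoredisk --drives=%s\n' "$drives"
    fi
    printf 'part /boot --fstype=xfs --size=1024\n'
    printf 'part / --fstype=xfs --size=51200 --grow --encrypted --passphrase=REPLACE_ME\n'
}

# Constructed stand-in for /sys: sda hangs off SATA (kept), sdb off USB (ignored).
make_fake_sys() {
    sata="devices/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0/block/sda"
    usb="devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/host2/target2:0:0/2:0:0:0/block/sdb"
    mkdir -p "$1/$sata" "$1/$usb" "$1/block"
    ln -sfn "../$sata" "$1/block/sda"
    ln -sfn "../$usb" "$1/block/sdb"
}

tmp=$(mktemp -d)
make_fake_sys "$tmp"
ks_fragment "$tmp"     # prints: ignoredisk --drives=sdb, then the two part lines
rm -rf "$tmp"
```

Because the installation medium is itself a USB disk, it lands on the `ignoredisk` list along with any internal USB MMC device, which is the behaviour the post relies on.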

deanwebb

So what do you do for software packages that require the root account for installation? Not a sudo, but the actual root account? :problem?:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy