• Kickstart
• Register the machine with certificate based method (subscription-manager)
• Install Puppet which will take care of the remainder of the configuration.

The really short version

This all goes into your anaconda kickstart file. Replace USERNAME and PASSWORD or use activation key (haven’t tested):

# register
echo "registering with redhat using certificate method"
subscription-manager register --username=USERNAME --password=PASSWORD --autosubscribe

# update all the base packages from the updates repository, also important since
# yum-config-manager doesn't function until you do something with yum!
echo "updating machine"
yum -t -y -e 0 update

# add optional red hat repository needed for puppet
echo "adding optional repository"
yum-config-manager --enable rhel-6-server-optional-rpms

# install epel if we can
echo "configuring epel repository"
rpm -Uvh http://download.fedora.redhat.com/pub/epel/beta/6/x86_64/epel-release-6-5.noarch.rpm

# install puppet
echo "installing puppet"
yum -t -y -e 0 install puppet

The LONG version

Why certificate based?

I haven’t confirmed yet, but hoping that the new content delivery framework “cdn.redhat.com” is a lot faster here in Iceland (currently ~200-300KBps).

On with the butter! (Icelandic saying)

The old way used to be:

rhnreg-ks --username <username> --password <password>

New way, autosubscribe tries to enable to correct subscription automatically:

subscription-manager register --username=<username> --password=<password> --autosubscribe

OK Great, now I’m subscribed, on to installing puppet

First we need the epel repository to get puppet

The EPEL repository contains lots of extra package for rhel including puppet.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/beta/6/x86_64/epel-release-6-5.noarch.rpm

On to the tricky stuff

puppet is in the epel repo, check. But it requires libselinux-ruby which is in the rhel-6-server-optional-rpms repository so installing puppet without enabling it will blow up because of dependency problems.

Enabling rhel-6-server-optional-rpms

Old version (pre 6.1) used rhn-channel, we use the new tools. Now here is what cost me quite some time. When you run “subscription-manager register” I think that the /etc/yum.repos.d/redhat.repo is not created. Not untill you run some yum commands, so that’s why I update here but I suspect any (install/update) command will do:

yum -y -e 0 update
yum-config-manager --enable rhel-6-server-optional-rpms

Finally, ready to rock and roll!

yum -y -e 0 install puppet

You should have a puppet ready on RHEL 6.1<

Decided to attach a picture of the damage that problems like these do to my hairstyle!

type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm=”ethtool” path=”/dev/hpilo/d0ccb5″ dev=tmpfs ino=6784 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm=”ethtool” path=”socket:[22602]” dev=sockfs ino=22602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket

I don’t know what this is but I DON’T want to allow it and I don’t want to see this in the audit log anymore

First off 3 terms:

• SElinux – Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. (wikipedia)
• ProLiant Support Packs (PSP) represent operating system (OS) specific bundles of ProLiant optimized drivers, utilities, and management agents.
• RHEL (Red Hat Enterprise Linux) – CentOS (Community ENTerprise Operating System, RHEL Clone)

So basicly what I did to get rid of these messages is that I wrote a new module called pspignore to ignore, without allowing them. Here’s what I did:

Make a local directory for my modules

mkdir -p /etc/selinux/local

cd /etc/selinux/local

Download my custom module which include “dontaudit” for these conditions.

wget http://tommi.org/static/ignorepsp.te

Build the module and install it

checkmodule -M -m -o ignorepsp.mod ignorepsp.te

semodule_package -o ignorepsp.pp -m ignorepsp.mod

semodule -i ignorepsp.pp

That should be it. The main thing can be found at the bottom of ignorepsp.te:

dontaudit ifconfig_t device_t:chr_file { read write };
dontaudit ifconfig_t initrc_t:netlink_route_socket { read write };

Hope this is helpfull.

Install packages:

oracle-instantclient11.1-basic-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-devel-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1.x86_64.rpm

Put the relevant libraries into the textrel_shlib_t context:

semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64 /lib/libnnz11.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplus.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libociei.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplusic.so
restorecon -R -v /usr/lib/oracle/11.1/client64/lib/

Put the libraries into the path of the dynamic library loader

echo "export ORACLE_HOME=/usr/lib/oracle/11.1/client64" > /etc/profile.d/oracle.sh

Set the path to the tnsnames.ora, I like /etc/tnsnames.ora

echo “export TNS_ADMIN=/etc/tnsnames.ora” >> /etc/profile.d/oracle.sh

Of course you have to have a valid tnsnames.ora file available.

Logout and login to update your environment and voila, you should be able to run sqlplus, install perl-DBD-Oracle or php-oci8, python, whatever your flavor is..

Ohh, and merry christmas!