F36 VM configuration (2022-07-30 - 08-16)

vm-config.adoc

Virtual Box Fedora 36 virutal machine setup

VBox settings

Base memory: 16384 MB
Chip PIIX3
[x] Enable IO APIC
[ ] Enable EFI
[x] Hardware clock UTC

2 processors, exec cap 100%
Extended features both on [x]

Video mem  128M (max)
Monitors: 3
Scale 100% min
Graphics VMSVGA
[ ] 3d acceleration

175G dynamic disk, VDI

shared folders in c:\work (WORK) and c:\users\nboldt (nboldt)

Anaconda installer

See https://fedoraproject.org/wiki/Disk_Encryption_User_Guide#Add_a_new_passphrase_to_an_existing_device

• add/remove phrases with

	cryptsetup luksAddKey <device>
	cryptsetup luksRemoveKey <device>

where <device> can be seen in /etc/crypttab - eg., UUID=b5399822-d511-4a8a-a021-c70e0d755f00

Panel config

Panel:

• panel prefs: 24px thick

• 4 launchers:

  • screenshooter, terminal, thunar,

  • others: beyond compare, pidgin, firefox, chrome, vscode, sublime-text

• configure launchers with extra options:

  • terminal: xfce4-terminal --maximize

  • chrome: /usr/bin/google-chrome-stable --auth-server-whitelist="*.openshift.com, *.redhat.com" --ignore-certificate-errors %U

Clock panel:

• line1: %a %m-%d %l:%M:%S

• line2: %a %Y-%m-%d %l:%M:%S / W%V

Software installation

RPM updates ("download the internet") !

dnf update -y

# chrome
dnf install -y --best --allowerasing fedora-workstation-repositories && \
dnf config-manager --set-enabled google-chrome

# sublime
rpm -v --import https://download.sublimetext.com/sublimehq-rpm-pub.gpg && \
dnf config-manager --add-repo https://download.sublimetext.com/rpm/stable/x86_64/sublime-text.repo

# codium
rpmkeys --import https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg && \
printf "[gitlab.com_paulcarroty_vscodium_repo]\nname=download.vscodium.com\nbaseurl=https://download.vscodium.com/rpms/\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg\nmetadata_expire=1h" | sudo tee -a /etc/yum.repos.d/vscodium.repo

# rpmfusion repos
dnf install -y \
  https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
  https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

# beyond compare
bcversion=4.4.3.26655
cd /tmp; wget https://www.scootersoftware.com/bcompare-${bcversion}.x86_64.rpm; \
  rpm --import https://www.scootersoftware.com/RPM-GPG-KEY-scootersoftware; \
  dnf -y install bcompare-${bcversion}.x86_64.rpm; rm -f bcompare-*.rpm

# install all the things!
dnf install -y --best --allowerasing \
  kernel kernel-headers kernel-devel \
  codium google-chrome-stable sublime-text vlc \
  vim vim-common vim-enhanced \
  podman skopeo nodejs npm httpd-tools bcrypt gimp ImageMagick \
  arandr curl python jq python-virtualenvwrapper python3-pip \
  git git-crypt hub sshfs openssl ccrypt \
  plexus-utils maven java-11-openjdk-devel java-17-openjdk-devel \
  krb5-auth-dialog krb5-libs kstart sssd-krb5-common sssd krb5-workstation vpnc

Install pip, yq

pip install --upgrade pip
pip install PyXB jira pygithub diff-highlight yq jsonschema

VBox extensions

install VBox extensions; reboot, then mount VBox CD, and run:

./VBoxLinuxAdditions.run
/sbin/rcvboxadd quicksetup all

Home dir configuration

Backup home dir and /etc/ content from old VM:

BACKUPDIR=/WORKD/BACKUPS/20220730
HOMEDIR=/home/nboldt
mkdir -p ${BACKUPDIR}/${HOMEDIR}/
scpr \
	${HOMEDIR}/.alias \
	${HOMEDIR}/.bashrc ${HOMEDIR}/.bash_profile \
	${HOMEDIR}/bin \
	${HOMEDIR}/config.json \
	${HOMEDIR}/cookiejar.txt \
	${HOMEDIR}/.docker \
	${HOMEDIR}/Documents \
	${HOMEDIR}/.gitconfig \
	${HOMEDIR}/PWDs \
	${HOMEDIR}/.purple \
	${HOMEDIR}/RedHat \
	${HOMEDIR}/.screenlayout \
	${HOMEDIR}/.ssh \
		${BACKUPDIR}/${HOMEDIR}/ --exclude=".purple/logs"

mkdir -p ${BACKUPDIR}/etc/
scpr \
	${HOMEDIR}/.config/hub \
	${HOMEDIR}/.config/bcompare \
		${BACKUPDIR}/${HOMEDIR}/.config/

scpr \
	/etc/vpnc \
	/etc/yum.repos.d \
		${BACKUPDIR}/etc/

Copy config files to new VM:

sudo su
BACKUPDIR=/WORKD/BACKUPS/20220730
HOMEDIR=/home/nboldt
cd ${BACKUPDIR}/${HOMEDIR}/
source .alias
mv ${HOMEDIR}/.bashrc{,_PREV}
mv ${HOMEDIR}/.bash_profile{,_PREV}

scpr \
	./* .alias* .bash* .config .docker .gitconfig \
	.purple .screenlayout .ssh \
		/home/nboldt/
chown nboldt:nboldt -R /home/nboldt

Note	.gitconfig file is also stored at https://gist.github.com/nickboldt/67ad86895d1b10164ea0fdbcdadefd02#file-gitconfig

Fix up perms in ~/.ssh and ~

pushd ~/.ssh
chmod 700 . *
chmod 644 *.pub
chmod 770 known_hosts
chmod 755 ~
popd

Use same aliases and bashrc for root user

sudo su
HOMEDIR=/home/nboldt
cd /root/
mv /root/.bashrc{,_PREV}
mv /root/.bash_profile{,_PREV}
ln -s ${HOMEDIR}/.bashrc
ln -s ${HOMEDIR}/.bash_profile
ln -s ${HOMEDIR}/.alias

Unpack sublime text config files

# unzip ~/bin/dot-config-sublime-text-3.zip -d ~/.config/

Note

Skipped.

Disable selinux in /etc/selinux/config

vim /etc/selinux/config

Set Chrome as default browser in terminal when opening links

gio mime x-scheme-handler/http google-chrome.desktop
gio mime x-scheme-handler/https google-chrome.desktop
# check current settings
gio mime x-scheme-handler/http | grep Default
gio mime x-scheme-handler/https | grep Default

RH and VPN setup

Add yum repos

Copy files carefully from ~/bin/etc/yum.repos.d/ and ${BACKUPDIR}/${HOMEDIR}/etc/yum.repos.d/ to /etc/yum.repos.d/

Install vpn stuff (see ~/RedHat/2017/vpn/*.rpm)

Open http://hdn.corp.redhat.com/rhel7-csb-stage/repoview/redhat-internal-cert-install.html and http://hdn.corp.redhat.com/rhel7-csb-stage/RPMS/noarch/?C=M;O=D on a machine that’s already on the VPN (your old VM).

Download these files (see D:\WORK\BACKUPS\20220730\RPMs):

• redhat-internal-cert-install-0.1-25.el7.noarch.rpm

• redhat-internal-NetworkManager-openvpn-profiles-0.1-55.el7.noarch.rpm

• redhat-internal-NetworkManager-openvpn-profiles-non-gnome-0.1-55.el7.noarch.rpm

• redhat-internal-openvpn-profiles-0.1-55.el7.noarch.rpm

• slack-4.14.0-0.1.fc21.x86_64.rpm

Install them:

dnf install -y *.rpm

# run VPN (from shortcut in ~/bin/)
V

RHEL Subscription

# subscription-manager register --auto-attach --username "$SUBSCRIPTION_USERNAME" --password "$SUBSCRIPTION_PASSWORD"

Note

Skipped.

Set up rhpkg & fedpkg

1. install rpms

   dnf install -y rhpkg brewkoji-stage brewkoji dnf-utils mock patch koji \
       python3-koji-containerbuild-cli \
       openldap-clients python3-rpkg python3-kobo python3-bugzilla \
       gcc openssl-devel bzip2-devel sqlite-devel
   
   # previously, used to install these too (for F31):
   # javapackages-local fedora-packager fedpkg libffi-devel

2. install certs: see https://docs.engineering.redhat.com/display/KB/Troubleshooting+Tips#TroubleshootingTips-SSLerrortroubleshooting and https://mojo.redhat.com/docs/DOC-999615#jive_content_id_Certificates

3. fix for using pip installed python - https://projects.engineering.redhat.com/browse/RCM-18993

   echo ""  >> ~/.bashrc
   echo "fix for using pip installed python - https://projects.engineering.redhat.com/browse/RCM-18993" >> ~/.bashrc
   echo "export REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" >> ~/.bashrc

   Note

   Skipped.

Kerberos

1. Set up kerberos/kinit (needed for rhpkg and many RCM systems accessed via chrome): google-chrome https://source.redhat.com/groups/public/identity-access-management/identity__access_management_wiki/how_to_renew_a_kerberos_tgt

2. See also https://spaces.redhat.com/pages/viewpage.action?pageId=177385684#ETFAQ:HowdoIsetupmykerberos?-QuickTip(solvesmostissues)

3. set up keytab file for kinit: google-chrome https://source.redhat.com/groups/public/certification-initiatives/infrastructureinitiatives/infrastructure_initiatives_wiki/creating_keytab_file_for_kerberos_login

4. Set up IPA kerberos configuration and login to brew.registry.redhat.io

   Note	A copy of /etc/krb.conf can be found in ~/bin/

   1. https://docs.engineering.redhat.com/display/CFC/Test

   2. https://source.redhat.com/groups/public/identity-access-management/identity__access_management_wiki/how_to_kerberos_realm_referrals

   3. https://source.redhat.com/groups/public/teamnado/wiki/brew_registry#obtaining-registry-tokens

Dev environment

git pre-commit hooks from prodsec

1. Install git hook from https://gitlab.corp.redhat.com/infosec-public/developer-workbench/tools/-/tree/main/rh-pre-commit

Eclipse.org

1. Install git hook via https://til.hashrocket.com/posts/c89a35a66c-global-git-hooks

   mkdir -p ~/.git-templates/hooks
   git config --global init.templatedir '~/.git-templates'
   # use this hook to add Change-Id to all commits, so we can edit gerrits (push changes) instead of having to submit new ones
   scp -p -P 29418 [email protected]:hooks/commit-msg ~/.git-templates/hooks/

   Note	Skipped, not working

openshift

1. Get oc and kubectl, symlink from a PATH-visible folder like ~/bin

sudo su # as root
cd /opt
OC_VERSION=4.10.24
curl -sSLo- https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux-${OC_VERSION}.tar.gz | tar xvz oc kubectl
exit

# as user
cd ~/bin/
rm -f oc kubectl
ln -s /opt/oc
ln -s /opt/kubectl

GPG key gen

# gpg key generation - rsa/dsa, 4096, 5yr
# see https://mojo.redhat.com/docs/DOC-1146306
# then https://mojo.redhat.com/docs/DOC-1166450#jive_content_id_Configuring_a_freshly_installed_system
# then https://source.redhat.com/groups/public/identity-access-management/identity__access_management_wiki/how_to_install_idm_client

sudo yum localinstall -y https://hdn.corp.redhat.com/rhel8-csb/RPMS/noarch/rhit-idm-configs-1.0.0-20.noarch.rpm

echo "keyserver hkp://keys.openpgp.org" > ~/.gnupg/gpg.conf
# then send your key with:
gpg --list-keys # get your key id
gpg --send-key F00BAFCAFEBABE00
gpg --search-keys F00BAFCAFEBABE00
gpg --keyserver hkp://keys.openpgp.org --search-keys nboldt
# now ldap setup
gpg --fingerprint F00BAFCAFEBABE00 # get fingerprint
echo "dn: uid=nboldt,ou=users,dc=redhat,dc=com
changetype: modify
add: rhatGPGFingerprint
rhatGPGFingerprint: FING ERPR INT GOES HERE" > ~/bin/keytabs/ldap.fingerprint.txt

# should the -h flag be -R now?
ldapmodify -Q -h ldapmaster.corp.redhat.com -f ~/bin/keytabs/ldap.fingerprint.txt

# verify that new fingerprint is shown
[email protected]
gpg --fingerprint "$email"
ldapsearch -Q -LLL "mail=$email" mail rhatGPGFingerprint

Note	Publishing new fingerprint didn’t work; -h flag not accepted (-R worked but the new fingerprint did not replace the old one)

---

See also:

• https://gist.github.com/nickboldt/bd594794dcce9fb9a4bff5a56cde0953 F36

• https://gist.github.com/nickboldt/52d7031fab62bfab7ed15195ddfc9e7f F31

install OPM

cd /tmp
OPM_VER="" # empty string to install latest, or a version like -4.10.26 for a specific one
curl -sSLo- https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.10/opm-linux${OPM_VER}.tar.gz | tar xz
./opm completion bash | sudo tee /etc/bash_completion.d/opm; ls -la /etc/bash_completion.d/opm
rm -fr ~/bin/opm
if [[ "${OPM_VER}" ]]; then
	mv -f /tmp/opm ~/bin/opm${OPM_VER}
	ln -s ~/bin/opm${OPM_VER} ~/bin/opm
else
	mv -f /tmp/opm ~/bin/opm
fi