Rocky Linux

Intro

Like many SysAdmins, I was ready to start investing time and energy into testing CentOS 8 when Red Hat took it under their wing and decided to turn it into a half-way house sitting between bleeding-edge Fedora and their Enterprise Linux release. And like many SysAdmins, I was left in a quandary of what to replace my ageing CentOS 7 systems with. Thankfully the creators of CentOS came to the rescue in the form of Rocky Linux.

At the end of December 2022, I decided to use the holiday time to experiment with building Rocky Linux on my laptop and testing what works and what does not. This is a write-up of my experience, and I hope it helps others.

My usage case: I want to use the whizzy 3D effects of Compiz with the window decorations of Emerald; the Amateur Radio tools available in Fedora; with the stability of Enterprise Linux. The latter part is important, as I run VirtualBox to virtualise Microsoft Windows, plus copies of Fedora and various versions of CentOS and Rocky Linux. The bleeding-edge kernels in Fedora (and others) tend to break the VirtualBox kernel module build-process, so it cannot be used in production. I need it to "just work" all day, every day!


Install

I maintain an in-house mirror on my primary server (currently CentOS 7) of the CentOS 7 and Rocky distributions as it makes it easier, and quicker, to install via PXE/UEFI boot.

I had to dig around the web to find the latest changes to kickstart, then run through various test installs before everything worked. The first installation was to my older Lenovo ThinkPad T440s, and that features a standard 2.5" S-ATA Flash drive, so the installation paths had to be set to /dev/sda. It also features a fingerprint scanner, so I enrol a finger to provide a snappy way of logging in. For extra protection, the whole root partition is encrypted, and it can be unlocked with a USB key.

I have an in-house OpenLDAP daemon running to provide network authentication and NFS mount-point information used by the automount daemon. As this laptop is used elsewhere, I have to create a local account. I use the same UID and GID for the account as I do in LDAP to keep things simple.

Much of the kickstart script below is suited to my internal network. You are welcome to copy it, but please remember to set the url to suit your set-up. As you can see in the %post section, I delete the default repo files and replace them with amended versions to suit my network, and replace the bashrc with my own custom tweaks.

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Keyboard layouts
keyboard 'gb'
# Root password
rootpw --plaintext ******
user --name=gary --groups=wheel,cdrom,dialout,lock --password=****** --uid=1001 --gid=1001
# System language
lang en_GB
# Firewall configuration
firewall --enabled
# System authorization information
auth --useshadow --passalgo=sha512 --enablefingerprint --enableldapauth --ldapserver=ldaps://mail.gaztronics.net --ldapbasedn=dc=gaztronics,dc=net
# Use network installation
url --url="ftp://mirror.gaztronics.net/rocky/8/BaseOS/x86_64/os/"
repo --name=BaseOS --baseurl=ftp://mirror.gaztronics.net/rocky/8/BaseOS/$basearch/os/ --cost=200
repo --name=AppStream --baseurl=ftp://mirror.gaztronics.net/rocky/8/AppStream/$basearch/os/ --cost=200
repo --name=PowerTools --baseurl=ftp://mirror.gaztronics.net/rocky/8/PowerTools/$basearch/os/ --cost=200
repo --name=extras --baseurl=ftp://mirror.gaztronics.net/rocky/8/extras/$basearch/os --cost=200
repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
repo --name=rpmfusion-free-release --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
# Use graphical install
graphical
# SELinux configuration
selinux --disabled

# Network information
network --bootproto=dhcp --device=eth0 --onboot=on
network --bootproto=dhcp --device=wlan0
network --hostname=T440s
# Reboot after installation
reboot
# System timezone
timezone Europe/London --ntpservers=ntp.gaztronics.net
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot/efi --asprimary --fstype="vfat" --ondisk=sda --label EFI --size=512
part /boot --asprimary --fstype="ext4" --ondisk=sda --size=1024
part swap --asprimary --fstype="swap" --ondisk=sda --recommended
part / --asprimary --fstype="ext4" --grow --ondisk=sda --size=1 --encrypted --passphrase=******

%post
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
nmcli device modify eth0 ipv6.method "disabled"
nmcli device modify wlan0 ipv6.method "disabled"
cd /etc
rm -f bashrc
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/bashrc
cd /etc/sssd
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/sssd.conf
chmod 600 sssd.conf
cd /etc/yum.repos.d
rm -f Rocky-*
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/yum.repos.d/Rocky-*
cd /root
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/.dir_colors
plymouth-set-default-theme solar
%end

%packages
-biosdevname
-cockpit*
-libvirt*
-gdm
-hexchat
-mcelog
@base-x
@fonts
@graphical-admin-tools
@graphics
@hardware-monitoring
@internet-applications
@internet-browser
@java-platform
@multimedia
@office-suite
@print-client
gpm
make
rsync
rdesktop
net-tools
nfs-utils
autofs
brasero
thunderbird
kernel-devel
kernel-headers
automake
NetworkManager-bluetooth
NetworkManager-openvpn-gnome
NetworkManager-wifi
epel-release
gnome-disk-utility
kernel-modules
kernel-modules-extra
lightdm
lightdm-gobject
lightdm-gtk
lightdm-gtk-greeter-settings
lightdm-qt5
lightdm-settings
lm_sensors
eom
marco
mate-applets
mate-backgrounds
mate-calc
mate-control-center
mate-desktop
mate-dictionary
mate-disk-usage-analyzer
mate-disk-image-mounter
mate-icon-theme
mate-media
mate-menus
mate-menus-preferences-category-menu
mate-notification-daemon
mate-panel
mate-polkit
mate-power-manager
mate-screensaver
mate-screenshot
mate-search-tool
mate-sensors-applet
mate-session-manager
mate-settings-daemon
mate-system-log
mate-system-monitor
mate-terminal
mate-themes
mate-user-admin
mate-user-guide
mate-utils
caja
caja-extensions-common
caja-image-converter
caja-open-terminal
caja-schemas
caja-sendto
caja-actions
caja-beesu
p7zip
p7zip-plugins
pavucontrol
pluma
pluma-data
pluma-plugins
pluma-plugins-data
nano
network-manager-applet
nm-connection-editor
alacarte
cups-pdf
filezilla
gparted
ntfs-3g
ntfs-3g-system-compression
ntfsprogs
pwgen
redshift
redshift-gtk
screen
iperf3
youtube-dl
exfatprogs
bind-utils
arp-scan
gimp
nmap
wireshark
rpmfusion-free-release
vlc
htop
keepass
gnome-bluetooth
usbutils
wsjtx
audacity
audacity-manual
openvpn
unrar
vdpauinfo
atril
atril-caja
atril-thumbnailer
mozo
fprintd
fprintd-pam
plymouth-theme-solar
mlocate
sssd-ldap
flatpak
rng-tools
gnome-terminal
firewall-config
firewall-applet
fuse-afp
fuse-encfs
fuse-exfat
fuse-sshfs
fuse-zip
fuse-dislocker
yum-utils
dos2unix
gnome-control-center
mtr
traceroute
whois
stellarium
tar
cheese
hwloc-gui
redhat-lsb
telnet
tree
openssh-ldap
engrampa
java-17-openjdk
dconf-editor
ipcalc
gvfs-mtp
gvfs-fuse
xdg-desktop-portal-gtk
%end

Why LightDM?

I prefer LightDM over GDM as it is more visually appealing with a background image, you do not have to enter your username, and I am not using Gnome!

For the laptop, I have a docking station and a dual-screen set-up, and LightDM allows you to run a script on start-up and/or login to tweak things to your needs. The custom script below allows me to disable the laptop screen and set the two external displays as side-by-side.

#!/bin/sh

/usr/bin/xrandr --current | grep "DP2-1 connected "
if [ $? -eq 0 ]; then
    echo "DisplayPort found"
    sleep 1s
    /usr/bin/xrandr --output eDP1 --off
    /usr/bin/xrandr --output DP2-1 --auto --primary
    /usr/bin/xrandr --output DP2-2 --auto --right-of DP2-1
fi

exit 0

There are two copies of this script. One in /root/scripts and one in /home/gary/scripts and both are called docked-lightdm. Both scripts are referenced in /etc/lightdm/lightdm.conf for start-up and logout/in. The one in /home/gary/scripts is also run manually whenever I re-dock the laptop. I have not found a way to do that automatically!

There are two sections in /etc/lightdm/lightdm.conf that I modified to ensure the docking script runs again if I log-out and log-in again whilst docked.

[Seat:*]
display-setup-script = /root/scripts/docked-lightdm

[Seat:gary]
display-setup-script = /home/gary/scripts/docked-lightdm

Pending: To do this properly and create a file in /etc/lightdm/lightdm.conf.d

The above naming convention (eDP1 DP2-1) only comes about when using the i915 GPU code for X windows. So I have a custom X11 config that lives in /etc/X11/xorg.conf.d/ called 20-intel.conf and it contains the following:

Section "Device"
Identifier "Intel Graphics"
Driver "intel"
Option "TearFree" "true"
Option "TripleBuffer" "true"
Option "DRI" "3"
Option "AccelMethod" "sna"
EndSection

X windows defaults to Framebuffer mode if you do not force it to load the i915 drivers. FB mode suffers from screen-tear with video playback, and offers a different naming convention to the outputs.


Desktop

After proving the laptop worked, it was time to migrate the desktop. In the past couple of years I had added extra Virtual Machines, and these were now spread across an M.2 AHCI device and a standard 2.5" S-ATA flash drive. It was time to upgrade to a 1 TiB M.2 drive. This new drive was NVMe, and so that required a change in the kickstart config.

As with the laptop, the desktop also features a local account with matching UID and GID used on the LDAP server. This is just in case the LDAP system is broken: I can still log in. You have to declare --ondisk=nvme0n1 instead of /dev/sda when using M.2 NVMe storage.

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Keyboard layouts
keyboard 'gb'
# Root password
rootpw --plaintext ******
user --name=gary --groups=wheel,cdrom,dialout,lock --password=****** --uid=1001 --gid=1001
# System language
lang en_GB
# Firewall configuration
firewall --disabled
# System authorization information
auth --useshadow --passalgo=sha512 --enableldapauth --ldapserver=ldaps://mail.gaztronics.net --ldapbasedn=dc=gaztronics,dc=net
# Use network installation
url --url="ftp://mirror.gaztronics.net/rocky/8/BaseOS/x86_64/os/"
repo --name=BaseOS --baseurl=ftp://mirror.gaztronics.net/rocky/8/BaseOS/$basearch/os/ --cost=200
repo --name=AppStream --baseurl=ftp://mirror.gaztronics.net/rocky/8/AppStream/$basearch/os/ --cost=200
repo --name=PowerTools --baseurl=ftp://mirror.gaztronics.net/rocky/8/PowerTools/$basearch/os/ --cost=200
repo --name=extras --baseurl=ftp://mirror.gaztronics.net/rocky/8/extras/$basearch/os --cost=200
repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
repo --name=rpmfusion-free-release --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
# Use graphical install
graphical
# SELinux configuration
selinux --disabled

# Network information
network --bootproto=dhcp --device=eth0 --onboot=on
network --hostname=tron
# Reboot after installation
reboot
# System timezone
timezone Europe/London --ntpservers=ntp.gaztronics.net
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot/efi --asprimary --fstype="vfat" --ondisk=nvme0n1 --label EFI --size=512
part /boot --asprimary --fstype="ext4" --ondisk=nvme0n1 --size=1048
part swap --asprimary --fstype="swap" --ondisk=nvme0n1 --recommended
part / --asprimary --fstype="ext4" --grow --ondisk=nvme0n1 --size=1 --encrypted --passphrase=******

%post
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
nmcli device modify eth0 ipv6.method "disabled"
cd /etc
rm -f bashrc
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/bashrc
cd /etc/sssd
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/sssd.conf
chmod 600 sssd.conf
cd /etc/yum.repos.d
rm -f Rocky-*
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/yum.repos.d/Rocky-*
cd /root
wget ftp://mirror.gaztronics.net/kickstart/rocky/8/.dir_colors
plymouth-set-default-theme solar
%end

%packages
-biosdevname
-cockpit*
-libvirt*
-gdm
-hexchat
-mcelog
@base-x
@fonts
@graphical-admin-tools
@graphics
@hardware-monitoring
@internet-applications
@internet-browser
@java-platform
@multimedia
@office-suite
@print-client
gpm
make
rsync
rdesktop
net-tools
nfs-utils
autofs
brasero
thunderbird
kernel-devel
kernel-headers
automake
NetworkManager-bluetooth
NetworkManager-openvpn-gnome
NetworkManager-wifi
epel-release
gnome-disk-utility
kernel-modules
kernel-modules-extra
lightdm
lightdm-gobject
lightdm-gtk
lightdm-gtk-greeter-settings
lightdm-qt5
lightdm-settings
lm_sensors
eom
marco
mate-applets
mate-backgrounds
mate-calc
mate-control-center
mate-desktop
mate-dictionary
mate-disk-usage-analyzer
mate-disk-image-mounter
mate-icon-theme
mate-media
mate-menus
mate-menus-preferences-category-menu
mate-notification-daemon
mate-panel
mate-polkit
mate-power-manager
mate-screensaver
mate-screenshot
mate-search-tool
mate-sensors-applet
mate-session-manager
mate-settings-daemon
mate-system-log
mate-system-monitor
mate-terminal
mate-themes
mate-user-admin
mate-user-guide
mate-utils
caja
caja-extensions-common
caja-image-converter
caja-open-terminal
caja-schemas
caja-sendto
caja-actions
caja-beesu
p7zip
p7zip-plugins
pavucontrol
pluma
pluma-data
pluma-plugins
pluma-plugins-data
nano
network-manager-applet
nm-connection-editor
alacarte
cups-pdf
filezilla
gparted
ntfs-3g
ntfs-3g-system-compression
ntfsprogs
pwgen
redshift
redshift-gtk
screen
iperf3
youtube-dl
exfatprogs
bind-utils
arp-scan
gimp
nmap
wireshark
rpmfusion-free-release
vlc
htop
keepass
gnome-bluetooth
usbutils
wsjtx
audacity
audacity-manual
openvpn
unrar
vdpauinfo
atril
atril-caja
atril-thumbnailer
mozo
plymouth-theme-solar
mlocate
sssd-ldap
flatpak
rng-tools
gnome-terminal
fuse-afp
fuse-encfs
fuse-exfat
fuse-sshfs
fuse-zip
fuse-dislocker
yum-utils
dos2unix
gnome-control-center
mtr
traceroute
whois
stellarium
tar
cheese
hwloc-gui
redhat-lsb
telnet
tree
openssh-ldap
engrampa
java-17-openjdk
dconf-editor
ipcalc
gvfs-mtp
gvfs-fuse
xdg-desktop-portal-gtk
%end
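
Both kickstart files above keep the passwords and the LUKS passphrase in the file itself, fetch packages and %post files over ftp://, and switch SELinux off; the desktop one also disables the firewall. The shell check below is an added example, not part of the original write-up: it lists those settings by line number so they can be reviewed before the file is placed on a mirror. The names ks_audit and ks_sample, the finding codes and the sample input (placeholder host mirror.example.net) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list kickstart settings that weaken the installed system.
# ks_audit, ks_sample and the finding codes are illustrative names.

# ks_audit [FILE]: print "line:CODE:reason" per finding; exit 1 if any found.
ks_audit() {
    awk '
    function report(code, why) { printf "%d:%s:%s\n", NR, code, why; n++ }
    /^[ \t]*(#|$)/          { next }              # comments and blank lines
    /^%end/                 { section = ""; next }
    /^%(pre|post|packages)/ { section = $1; next }
    section == "%packages"  { next }
    section == "" {                               # kickstart command section
        if ($1 == "rootpw" && $0 !~ /--(iscrypted|lock)/)
            report("PLAIN_ROOTPW", "root password is not a crypt hash")
        if ($1 == "user" && /--password=/ && $0 !~ /--iscrypted/)
            report("PLAIN_USERPW", "user password is not a crypt hash")
        if (($1 == "part" || $1 == "logvol") && /--passphrase=/)
            report("LUKS_PASSPHRASE", "disk passphrase stored in the file")
        if ($1 == "selinux" && /--disabled/)
            report("SELINUX_OFF", "SELinux disabled")
        if ($1 == "firewall" && /--disabled/)
            report("FIREWALL_OFF", "firewall disabled")
        if (($1 == "url" || $1 == "repo") && /(ftp|http):\/\//)
            report("CLEARTEXT_REPO", "package source has no TLS")
        next
    }
    # %pre and %post run as root, so unauthenticated downloads matter here
    /(wget|curl)[ \t].*(ftp|http):\/\// {
        report("CLEARTEXT_FETCH", "root script downloads without TLS")
    }
    END { exit (n > 0) }
    ' "${1:--}"
}

# Constructed sample modelled on the settings above; hosts are placeholders.
ks_sample() {
    cat <<'EOF'
# Root password
rootpw --plaintext CHANGEME
user --name=demo --password=CHANGEME --uid=1001 --gid=1001
firewall --enabled
url --url="ftp://mirror.example.net/rocky/8/BaseOS/x86_64/os/"
repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
selinux --disabled
part / --fstype="ext4" --grow --ondisk=sda --size=1 --encrypted --passphrase=CHANGEME

%post
cd /etc/sssd
wget ftp://mirror.example.net/kickstart/rocky/8/sssd.conf
chmod 600 sssd.conf
%end

%packages
wget
%end
EOF
}

ks_sample | ks_audit || echo "kickstart has findings to review"
```

Run against a real file with ks_audit /path/to/ks.cfg; the exit status makes it usable as a pre-publish check on the mirror.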

Lenovo ThinkPad P14s

Late January 2023, I decided to purchase a refurbished Lenovo ThinkPad P14s with an octo-core AMD Ryzen 5850U CPU and a 512 GiB NVMe flash-drive. Sadly this model does not feature a fingerprint reader. As I was purchasing second-hand to save money, I had to opt for what was available, and the 8-core CPU and RAM was more important. I added 32 GiB of RAM to take it to 48 GiB ... because, why not? Whilst the older T440s can still run Linux with ease, trying to virtualise the bloat-ware that is Windows 10 was causing it to struggle. The T440s used to run Windows 7 perfectly well as a virtual machine as Win7 did not require so much CPU and RAM resource.

As with the desktop, I had to modify the kickstart script to suit an NVMe storage device.

# Disk partitioning information
part /boot/efi --asprimary --fstype="vfat" --ondisk=nvme0n1 --label EFI --size=512
part /boot --asprimary --fstype="ext4" --ondisk=nvme0n1 --size=1048
part swap --asprimary --fstype="swap" --ondisk=nvme0n1 --recommended
part / --asprimary --fstype="ext4" --grow --ondisk=nvme0n1 --size=1 --encrypted --passphrase=******

This laptop also required the installation of the AMDGPU software in order to ensure maximum power from the on-board GPU. Sadly, even with the custom GPU software installed, at the time of writing, compiz does not play well and crashes out. This problem existed on the T440s and its Intel GPU.

The P14s uses a 40AJ00135 docking station, and along with the amdgpu software, comes a new naming convention for the DisplayPort outputs. This required a tweak to the docking scripts:

#!/bin/sh

/usr/bin/xrandr --current | grep "DisplayPort-3 connected "
if [ $? -eq 0 ]; then
    echo "DisplayPort found"
    sleep 1s
    /usr/bin/xrandr --output eDP --off
    /usr/bin/xrandr --output DisplayPort-3 --auto --primary
    /usr/bin/xrandr --output DisplayPort-4 --auto --right-of DisplayPort-3
fi

exit 0

As with the T440s, there are two scripts at root and user level. I still need to clean-up the lightdm.conf configuration; and an auto-detect method would be cool!
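
One way to get the auto-detect mentioned above, as an added example that is not part of the original write-up: let xrandr report which outputs are connected and build the same three commands from that, so one script covers both the intel names (eDP1, DP2-1) and the amdgpu names (eDP, DisplayPort-3). The names dock_layout and dock_sample and the sample xrandr output are constructed; the internal panel is assumed to be the output whose name starts with eDP or LVDS.

```shell
#!/bin/sh
# Added example: derive the docked layout from xrandr output instead of
# hard-coding the output names. dock_layout and dock_sample are illustrative.

# dock_layout: read `xrandr --current` text on stdin, print the xrandr
# commands for "panel off, externals side by side"; exit 1 if undocked.
dock_layout() {
    awk '
    $2 == "connected" {
        if ($1 ~ /^(eDP|LVDS)/) internal = $1     # built-in laptop panel
        else ext[++n] = $1                        # externals, in xrandr order
    }
    END {
        if (n == 0) exit 1                        # nothing external: do nothing
        if (internal != "")
            printf "xrandr --output %s --off\n", internal
        printf "xrandr --output %s --auto --primary\n", ext[1]
        for (i = 2; i <= n; i++)
            printf "xrandr --output %s --auto --right-of %s\n", ext[i], ext[i-1]
    }'
}

# Constructed sample of `xrandr --current` output using the amdgpu names.
dock_sample() {
    cat <<'EOF'
Screen 0: minimum 320 x 200, current 3840 x 1080, maximum 16384 x 16384
eDP connected (normal left inverted right x axis y axis)
HDMI-A-0 disconnected (normal left inverted right x axis y axis)
DisplayPort-3 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 527mm x 296mm
   1920x1080     60.00*+
DisplayPort-4 connected 1920x1080+1920+0 (normal left inverted right x axis y axis) 527mm x 296mm
   1920x1080     60.00*+
EOF
}

# Show the commands that would be run for the sample above.
dock_sample | dock_layout
```

On the laptop itself, `xrandr --current | dock_layout | sh` applies the layout; with nothing external connected the function prints nothing and returns 1.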


Results

What works?

As you can see from the kickstart scripts, I prefer to use the MATE desktop. MATE is working well, as is the majority of the software available from the various repositories. My thanks to the volunteer teams behind Rocky Linux, EPEL, ELrepo, and RPMfusion. Your efforts allow an Enterprise Grade Linux designed for servers to be usable as a desktop environment. With Fedora being too unstable for day-to-day production use, I would be forced to look at the likes of Ubuntu LTS.


What is broken?

Despite the instruction in the kickstart script, NetworkManager still needs to be told to disable IPv6. If you do not do this, NetworkManager unhelpfully complains and fills-up the messages log. Like a lot of the world, I still have no need for IPv6!!

The upstream version of hplip and hplip-gui are too old to support my 2-year-old printer, so I had to rebuild the versions from Fedora 33 sources. This is where Red Hat falls down on the desktop-support front. Printer drivers need to be kept up-to-date!

It seemed to require a lot of effort to purge nomodeset from being added to the kernel boot parameters so I could enjoy the Plymouth Solar boot screen.


What is missing?

Bluetooth GUI control from the Blueberry package is no longer available. That is quite annoying when you have Bluetooth devices, as control via the command line is not always convenient. I have tried rebuilding the package from Fedora 33 sources, but it does not build, so I am stuck. I am not comfortable trying to install and build it from source. I prefer to use a package to ensure it can be updated and/or cleanly removed.

dnfdragora would be handy. I have tried and failed to rebuild it from Fedora 33 sources, so I am relying on the old method of a cron.daily script sending me an email when new packages are available. The replacement for yum-cron is not always ideal.

The rather handy Gnote.

GUI printer control. You have to use the CUPS web-interface on localhost:631, and that is not the most user-friendly method of sorting your printers!

PulseEffects. Yes I do require an equalizer function so I can enjoy music and videos properly!

I like the 3D effects of Compiz and the window decorations of Emerald. These packages are not available, so I rebuilt them from Fedora 33 and placed them in my own repository. Compiz largely works on my desktop with the nVidia card and kmod-nvidia from ELrepo. It regularly crashes on my P14s laptop with the AMDGPU software; and it does not play nice on the older T440s and the Intel GPU. Compiz and VLC rarely play nice when you want to switch VLC to full-screen.

A number of the amateur radio tools are not available unless the nice people of EPEL rebuild them. I have managed to rebuild a number of them: dxcc, flrig, gpredict, gqrx, ibp, klog, qsstv, rtlsdr-scanner, trustedqsl, xastir, and xlog.

The rather handy mail-notification utility has been helpfully informing me of new email in my various inboxes for years. Sadly, it appears to be abandon-ware and requires libgnome-devel to build. libgnome-devel has been deprecated by Red Hat, so there is no way for a humble SysAdmin to rebuild the Fedora package and have this great little util working in the background. I also suspect, with the push to OAuth 2.0, that people would find they could not check their IMAP accounts without updates to this software; although that is not a problem for those of us that run our own mail-server!


Flatpak

The flatpak system has sort of come to the rescue, although the downside of using this method is the space it takes up in /var/lib/flatpak. At the time of writing, 13 GiB is taken up with:

The other downside with Flatpak is the need to remember to run flatpak update from time to time. There is no automatic system to inform you of updates.

Update 19th February 2023: Install xdg-desktop-portal-gtk if you want to print from Flatpak applications.

PulseEffects autostart

There is a trick to ensure the Flatpak version of PulseEffects starts-up on login. In the ~/.config/autostart directory, create an entry called pulseeffects-service.desktop and add the following:

[Desktop Entry]
Name=PulseEffects
Comment=PulseEffects Service
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=pulseeffects com.github.wwmm.pulseeffects --gapplication-service
Icon=pulseeffects
StartupNotify=false
Terminal=false
Type=Application
X-MATE-Autostart-Delay=30

Your results may vary with PulseEffects. I have experienced some bizarre noises before I was able to tame it. I like the Rock profile in VLC, so I copied the levels into PulseEffects to make my own custom equalizer.


Page updated: 28th February 2023