Rocky Linux
Intro
Like many SysAdmins, I was ready to start investing time and energy into testing CentOS 8 when Red Hat took it under their wing and decided to turn it into a half-way house sitting between bleeding-edge Fedora and their Enterprise Linux release. And like many SysAdmins, I was left in a quandary of what to replace my ageing CentOS 7 systems with. Thankfully the creators of CentOS came to the rescue in the form of Rocky Linux.
At the end of December 2022, I decided to use the holiday time to experiment with building Rocky Linux on my laptop and testing what works and what does not. This is a write-up of my experience, and I hope it helps others.
My use case: I want the whizzy 3D effects of Compiz with the window decorations of Emerald, and the Amateur Radio tools available in Fedora, with the stability of Enterprise Linux. The latter part is important, as I run VirtualBox to virtualise Microsoft Windows, plus copies of Fedora and various versions of CentOS and Rocky Linux. The bleeding-edge kernels in Fedora (and others) tend to break the VirtualBox kernel module build-process, so it cannot be used in production. I need it to "just work" all day, every day!
Install
I maintain an in-house mirror on my primary server (currently CentOS 7) of the CentOS 7 and Rocky distributions as it makes it easier, and quicker, to install via PXE/UEFI boot.
I had to dig around the web to find the latest changes to kickstart, then run through various test installs before everything worked. The first installation was to my older Lenovo ThinkPad T440s, which features a standard 2.5" S-ATA Flash drive, so the installation paths had to be set to /dev/sda. It also features a fingerprint scanner, so I enrol a finger to provide a snappy way of logging in. For extra protection, the whole root partition is encrypted, and it can be unlocked with a USB key.
I have an in-house OpenLDAP daemon running to provide network authentication and NFS mount-point information used by the automount daemon. As this laptop is used elsewhere, I have to create a local account. I use the same UID and GID for the account as I do in LDAP to keep things simple.
Much of the kickstart script below is suited to my internal network. You are welcome to copy it, but please remember to set the url to suit your set-up. As you can see in the %post section, I delete the default repo files and replace them with amended versions to suit my network, and replace the bashrc with my own custom tweaks.
    #platform=x86, AMD64, or Intel EM64T
    #version=DEVEL
    # Keyboard layouts
    keyboard 'gb'
    # Root password
    rootpw --plaintext ******
    user --name=gary --groups=wheel,cdrom,dialout,lock --password=****** --uid=1001 --gid=1001
    # System language
    lang en_GB
    # Firewall configuration
    firewall --enabled
    # System authorization information
    auth --useshadow --passalgo=sha512 --enablefingerprint --enableldapauth --ldapserver=ldaps://mail.gaztronics.net --ldapbasedn=dc=gaztronics,dc=net
    # Use network installation
    url --url="ftp://mirror.gaztronics.net/rocky/8/BaseOS/x86_64/os/"
    repo --name=BaseOS --baseurl=ftp://mirror.gaztronics.net/rocky/8/BaseOS/$basearch/os/ --cost=200
    repo --name=AppStream --baseurl=ftp://mirror.gaztronics.net/rocky/8/AppStream/$basearch/os/ --cost=200
    repo --name=PowerTools --baseurl=ftp://mirror.gaztronics.net/rocky/8/PowerTools/$basearch/os/ --cost=200
    repo --name=extras --baseurl=ftp://mirror.gaztronics.net/rocky/8/extras/$basearch/os --cost=200
    repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
    repo --name=rpmfusion-free-release --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
    # Use graphical install
    graphical
    # SELinux configuration
    selinux --disabled
    # Network information
    network --bootproto=dhcp --device=eth0 --onboot=on
    network --bootproto=dhcp --device=wlan0
    network --hostname=T440s
    # Reboot after installation
    reboot
    # System timezone
    timezone Europe/London --ntpservers=ntp.gaztronics.net
    # System bootloader configuration
    bootloader --location=mbr
    # Clear the Master Boot Record
    zerombr
    # Partition clearing information
    clearpart --all --initlabel
    # Disk partitioning information
    part /boot/efi --asprimary --fstype="vfat" --ondisk=sda --label EFI --size=512
    part /boot --asprimary --fstype="ext4" --ondisk=sda --size=1024
    part swap --asprimary --fstype="swap" --ondisk=sda --recommended
    part / --asprimary --fstype="ext4" --grow --ondisk=sda --size=1 --encrypted --passphrase=******

    %post
    echo "NOZEROCONF=yes" >> /etc/sysconfig/network
    echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
    echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
    nmcli device modify eth0 ipv6.method "disabled"
    nmcli device modify wlan0 ipv6.method "disabled"
    cd /etc
    rm -f bashrc
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/bashrc
    cd /etc/sssd
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/sssd.conf
    chmod 600 sssd.conf
    cd /etc/yum.repos.d
    rm -f Rocky-*
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/yum.repos.d/Rocky-*
    cd /root
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/.dir_colors
    plymouth-set-default-theme solar
    %end

    %packages
    -biosdevname
    -cockpit*
    -libvirt*
    -gdm
    -hexchat
    -mcelog
    @base-x
    @fonts
    @graphical-admin-tools
    @graphics
    @hardware-monitoring
    @internet-applications
    @internet-browser
    @java-platform
    @multimedia
    @office-suite
    @print-client
    gpm
    make
    rsync
    rdesktop
    net-tools
    nfs-utils
    autofs
    brasero
    thunderbird
    kernel-devel
    kernel-headers
    automake
    NetworkManager-bluetooth
    NetworkManager-openvpn-gnome
    NetworkManager-wifi
    epel-release
    gnome-disk-utility
    kernel-modules
    kernel-modules-extra
    lightdm
    lightdm-gobject
    lightdm-gtk
    lightdm-gtk-greeter-settings
    lightdm-qt5
    lightdm-settings
    lm_sensors
    eom
    marco
    mate-applets
    mate-backgrounds
    mate-calc
    mate-control-center
    mate-desktop
    mate-dictionary
    mate-disk-usage-analyzer
    mate-disk-image-mounter
    mate-icon-theme
    mate-media
    mate-menus
    mate-menus-preferences-category-menu
    mate-notification-daemon
    mate-panel
    mate-polkit
    mate-power-manager
    mate-screensaver
    mate-screenshot
    mate-search-tool
    mate-sensors-applet
    mate-session-manager
    mate-settings-daemon
    mate-system-log
    mate-system-monitor
    mate-terminal
    mate-themes
    mate-user-admin
    mate-user-guide
    mate-utils
    caja
    caja-extensions-common
    caja-image-converter
    caja-open-terminal
    caja-schemas
    caja-sendto
    caja-actions
    caja-beesu
    p7zip
    p7zip-plugins
    pavucontrol
    pluma
    pluma-data
    pluma-plugins
    pluma-plugins-data
    nano
    network-manager-applet
    nm-connection-editor
    alacarte
    cups-pdf
    filezilla
    gparted
    ntfs-3g
    ntfs-3g-system-compression
    ntfsprogs
    pwgen
    redshift
    redshift-gtk
    screen
    iperf3
    youtube-dl
    exfatprogs
    bind-utils
    arp-scan
    gimp
    nmap
    wireshark
    rpmfusion-free-release
    vlc
    htop
    keepass
    gnome-bluetooth
    usbutils
    wsjtx
    audacity
    audacity-manual
    openvpn
    unrar
    vdpauinfo
    atril
    atril-caja
    atril-thumbnailer
    mozo
    fprintd
    fprintd-pam
    plymouth-theme-solar
    mlocate
    sssd-ldap
    flatpak
    rng-tools
    gnome-terminal
    firewall-config
    firewall-applet
    fuse-afp
    fuse-encfs
    fuse-exfat
    fuse-sshfs
    fuse-zip
    fuse-dislocker
    yum-utils
    dos2unix
    gnome-control-center
    mtr
    traceroute
    whois
    stellarium
    tar
    cheese
    hwloc-gui
    redhat-lsb
    telnet
    tree
    openssh-ldap
    engrampa
    java-17-openjdk
    dconf-editor
    ipcalc
    gvfs-mtp
    gvfs-fuse
    xdg-desktop-portal-gtk
    %end
Why LightDM?
I prefer LightDM over GDM as it is more visually appealing with a background image, you do not have to enter your username, and I am not using Gnome!
For the laptop, I have a docking station and a dual-screen set-up, and LightDM allows you to run a script on start-up and/or login to tweak things to your needs. The custom script below allows me to disable the laptop screen and set the two external displays as side-by-side.
    #!/bin/sh
    /usr/bin/xrandr --current | grep "DP2-1 connected "
    if [ $? -eq 0 ]; then
        echo "DisplayPort found"
        sleep 1s
        /usr/bin/xrandr --output eDP1 --off
        /usr/bin/xrandr --output DP2-1 --auto --primary
        /usr/bin/xrandr --output DP2-2 --auto --right-of DP2-1
    fi
    exit 0
There are two copies of this script. One in /root/scripts and one in /home/gary/scripts and both are called docked-lightdm. Both scripts are referenced in /etc/lightdm/lightdm.conf for start-up and logout/in. The one in /home/gary/scripts is also run manually whenever I re-dock the laptop. I have not found a way to do that automatically!
There are two sections in /etc/lightdm/lightdm.conf that I modified to ensure the docking script runs again if I log-out and log-in again whilst docked.
    [Seat:*]
    display-setup-script = /root/scripts/docked-lightdm

    [Seat:gary]
    display-setup-script = /home/gary/scripts/docked-lightdm

Pending: do this properly by creating a file in /etc/lightdm/lightdm.conf.d
The above naming convention (eDP1 DP2-1) only comes about when using the i915 GPU code for X windows. So I have a custom X11 config that lives in /etc/X11/xorg.conf.d/ called 20-intel.conf and it contains the following:
    Section "Device"
        Identifier "Intel Graphics"
        Driver "intel"
        Option "TearFree" "true"
        Option "TripleBuffer" "true"
        Option "DRI" "3"
        Option "AccelMethod" "sna"
    EndSection
X windows defaults to Framebuffer mode if you do not force it to load the i915 drivers. FB mode suffers from screen-tear with video playback, and offers a different naming convention to the outputs.
Desktop
After proving the laptop worked, it was time to migrate the desktop. In the past couple of years I had added extra Virtual Machines, and these were now spread across an M.2 AHCI device and a standard 2.5" S-ATA flash drive. It was time to upgrade to a 1 TiB M.2 drive. This new drive was NVMe, and so that required a change in the kickstart config.
As with the laptop, the desktop also features a local account with matching UID and GID used on the LDAP server. This is just in case the LDAP system is broken, so I can still log in. You have to declare --ondisk=nvme0n1 instead of /dev/sda when using M.2 NVMe storage.
    #platform=x86, AMD64, or Intel EM64T
    #version=DEVEL
    # Keyboard layouts
    keyboard 'gb'
    # Root password
    rootpw --plaintext ******
    user --name=gary --groups=wheel,cdrom,dialout,lock --password=****** --uid=1001 --gid=1001
    # System language
    lang en_GB
    # Firewall configuration
    firewall --disabled
    # System authorization information
    auth --useshadow --passalgo=sha512 --enableldapauth --ldapserver=ldaps://mail.gaztronics.net --ldapbasedn=dc=gaztronics,dc=net
    # Use network installation
    url --url="ftp://mirror.gaztronics.net/rocky/8/BaseOS/x86_64/os/"
    repo --name=BaseOS --baseurl=ftp://mirror.gaztronics.net/rocky/8/BaseOS/$basearch/os/ --cost=200
    repo --name=AppStream --baseurl=ftp://mirror.gaztronics.net/rocky/8/AppStream/$basearch/os/ --cost=200
    repo --name=PowerTools --baseurl=ftp://mirror.gaztronics.net/rocky/8/PowerTools/$basearch/os/ --cost=200
    repo --name=extras --baseurl=ftp://mirror.gaztronics.net/rocky/8/extras/$basearch/os --cost=200
    repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
    repo --name=rpmfusion-free-release --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
    # Use graphical install
    graphical
    # SELinux configuration
    selinux --disabled
    # Network information
    network --bootproto=dhcp --device=eth0 --onboot=on
    network --hostname=tron
    # Reboot after installation
    reboot
    # System timezone
    timezone Europe/London --ntpservers=ntp.gaztronics.net
    # System bootloader configuration
    bootloader --location=mbr
    # Clear the Master Boot Record
    zerombr
    # Partition clearing information
    clearpart --all --initlabel
    # Disk partitioning information
    part /boot/efi --asprimary --fstype="vfat" --ondisk=nvme0n1 --label EFI --size=512
    part /boot --asprimary --fstype="ext4" --ondisk=nvme0n1 --size=1048
    part swap --asprimary --fstype="swap" --ondisk=nvme0n1 --recommended
    part / --asprimary --fstype="ext4" --grow --ondisk=nvme0n1 --size=1 --encrypted --passphrase=******

    %post
    echo "NOZEROCONF=yes" >> /etc/sysconfig/network
    echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
    echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
    nmcli device modify eth0 ipv6.method "disabled"
    cd /etc
    rm -f bashrc
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/bashrc
    cd /etc/sssd
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/sssd.conf
    chmod 600 sssd.conf
    cd /etc/yum.repos.d
    rm -f Rocky-*
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/yum.repos.d/Rocky-*
    cd /root
    wget ftp://mirror.gaztronics.net/kickstart/rocky/8/.dir_colors
    plymouth-set-default-theme solar
    %end

    %packages
    -biosdevname
    -cockpit*
    -libvirt*
    -gdm
    -hexchat
    -mcelog
    @base-x
    @fonts
    @graphical-admin-tools
    @graphics
    @hardware-monitoring
    @internet-applications
    @internet-browser
    @java-platform
    @multimedia
    @office-suite
    @print-client
    gpm
    make
    rsync
    rdesktop
    net-tools
    nfs-utils
    autofs
    brasero
    thunderbird
    kernel-devel
    kernel-headers
    automake
    NetworkManager-bluetooth
    NetworkManager-openvpn-gnome
    NetworkManager-wifi
    epel-release
    gnome-disk-utility
    kernel-modules
    kernel-modules-extra
    lightdm
    lightdm-gobject
    lightdm-gtk
    lightdm-gtk-greeter-settings
    lightdm-qt5
    lightdm-settings
    lm_sensors
    eom
    marco
    mate-applets
    mate-backgrounds
    mate-calc
    mate-control-center
    mate-desktop
    mate-dictionary
    mate-disk-usage-analyzer
    mate-disk-image-mounter
    mate-icon-theme
    mate-media
    mate-menus
    mate-menus-preferences-category-menu
    mate-notification-daemon
    mate-panel
    mate-polkit
    mate-power-manager
    mate-screensaver
    mate-screenshot
    mate-search-tool
    mate-sensors-applet
    mate-session-manager
    mate-settings-daemon
    mate-system-log
    mate-system-monitor
    mate-terminal
    mate-themes
    mate-user-admin
    mate-user-guide
    mate-utils
    caja
    caja-extensions-common
    caja-image-converter
    caja-open-terminal
    caja-schemas
    caja-sendto
    caja-actions
    caja-beesu
    p7zip
    p7zip-plugins
    pavucontrol
    pluma
    pluma-data
    pluma-plugins
    pluma-plugins-data
    nano
    network-manager-applet
    nm-connection-editor
    alacarte
    cups-pdf
    filezilla
    gparted
    ntfs-3g
    ntfs-3g-system-compression
    ntfsprogs
    pwgen
    redshift
    redshift-gtk
    screen
    iperf3
    youtube-dl
    exfatprogs
    bind-utils
    arp-scan
    gimp
    nmap
    wireshark
    rpmfusion-free-release
    vlc
    htop
    keepass
    gnome-bluetooth
    usbutils
    wsjtx
    audacity
    audacity-manual
    openvpn
    unrar
    vdpauinfo
    atril
    atril-caja
    atril-thumbnailer
    mozo
    plymouth-theme-solar
    mlocate
    sssd-ldap
    flatpak
    rng-tools
    gnome-terminal
    fuse-afp
    fuse-encfs
    fuse-exfat
    fuse-sshfs
    fuse-zip
    fuse-dislocker
    yum-utils
    dos2unix
    gnome-control-center
    mtr
    traceroute
    whois
    stellarium
    tar
    cheese
    hwloc-gui
    redhat-lsb
    telnet
    tree
    openssh-ldap
    engrampa
    java-17-openjdk
    dconf-editor
    ipcalc
    gvfs-mtp
    gvfs-fuse
    xdg-desktop-portal-gtk
    %end
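Both kickstart files sit on a mirror and carry credentials, a disk passphrase and several FTP/HTTP fetches, so they are worth reviewing before they are published. The script below is an added example, not one of the author's scripts: it audits a kickstart file for plaintext passwords, inline LUKS passphrases, disabled SELinux or firewall, and cleartext transports. The rule names, the sample file and the host mirror.example.net are constructed for illustration.

```python
import re
import shlex

# Constructed sample: same directives as the kickstart files above, with a
# placeholder mirror host and placeholder secrets.
SAMPLE_KS = """\
rootpw --plaintext CHANGEME
user --name=gary --groups=wheel --password=CHANGEME --uid=1001 --gid=1001
firewall --disabled
selinux --disabled
url --url="ftp://mirror.example.net/rocky/8/BaseOS/x86_64/os/"
repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/$basearch/
part / --fstype="ext4" --grow --ondisk=nvme0n1 --size=1 --encrypted --passphrase=CHANGEME
%post
cd /etc/sssd
wget ftp://mirror.example.net/kickstart/rocky/8/sssd.conf
%end
%packages
nmap
%end
"""

# ftp:// and http:// give no integrity or confidentiality; https:// is not matched.
CLEARTEXT_URL = re.compile(r"\b(?:ftp|http)://[^\s\"']+")
DISK_COMMANDS = ("part", "partition", "autopart", "logvol", "raid")


def audit_kickstart(text):
    """Return a list of (line_number, rule, detail) findings."""
    findings = []
    section = None  # None while in the command section, else e.g. "%post"
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            section = None if line == "%end" else line.split()[0]
            continue
        if section == "%packages":
            continue
        for url in CLEARTEXT_URL.findall(line):
            findings.append((num, "cleartext-transport", url))
        if section is not None:
            continue  # inside %pre/%post only the URL rule applies
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a plain split
            words = line.split()
        cmd = words[0]
        flags = {w.split("=", 1)[0] for w in words[1:] if w.startswith("--")}
        hashed = "--iscrypted" in flags or "--lock" in flags
        if cmd == "rootpw" and not hashed:
            findings.append((num, "plaintext-password", cmd))
        elif cmd == "user" and "--password" in flags and not hashed:
            findings.append((num, "plaintext-password", cmd))
        elif cmd in DISK_COMMANDS and "--passphrase" in flags:
            findings.append((num, "inline-luks-passphrase", cmd))
        elif cmd in ("selinux", "firewall") and "--disabled" in flags:
            findings.append((num, cmd + "-disabled", line))
    return findings


if __name__ == "__main__":
    for num, rule, detail in audit_kickstart(SAMPLE_KS):
        print(f"line {num}: {rule}: {detail}")
```

A hash for `rootpw --iscrypted` or `user --iscrypted` can be generated with `openssl passwd -6`, which keeps the cleartext password out of the file on the mirror.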
Lenovo ThinkPad P14s
Late January 2023, I decided to purchase a refurbished Lenovo ThinkPad P14s with an octo-core AMD Ryzen 5850U CPU and a 512 GiB NVMe flash-drive. Sadly this model does not feature a fingerprint reader. As I was purchasing second-hand to save money, I had to opt for what was available, and the 8-core CPU and RAM was more important. I added 32 GiB of RAM to take it to 48 GiB ... because, why not? Whilst the older T440s can still run Linux with ease, trying to virtualise the bloat-ware that is Windows 10 was causing it to struggle. The T440s used to run Windows 7 perfectly well as a virtual machine as Win7 did not require so much CPU and RAM resource.
As with the desktop, I had to modify the kickstart script to suit an NVMe storage device.

    # Disk partitioning information
    part /boot/efi --asprimary --fstype="vfat" --ondisk=nvme0n1 --label EFI --size=512
    part /boot --asprimary --fstype="ext4" --ondisk=nvme0n1 --size=1048
    part swap --asprimary --fstype="swap" --ondisk=nvme0n1 --recommended
    part / --asprimary --fstype="ext4" --grow --ondisk=nvme0n1 --size=1 --encrypted --passphrase=******
This laptop also required the installation of the AMDGPU software in order to ensure maximum power from the on-board GPU. Sadly, even with the custom GPU software installed, at the time of writing, compiz does not play well and crashes out. This problem existed on the T440s and its Intel GPU.
The P14s uses a 40AJ00135 docking station, and along with the amdgpu software, comes a new naming convention for the DisplayPort outputs. This required a tweak to the docking scripts:
    #!/bin/sh
    /usr/bin/xrandr --current | grep "DisplayPort-3 connected "
    if [ $? -eq 0 ]; then
        echo "DisplayPort found"
        sleep 1s
        /usr/bin/xrandr --output eDP --off
        /usr/bin/xrandr --output DisplayPort-3 --auto --primary
        /usr/bin/xrandr --output DisplayPort-4 --auto --right-of DisplayPort-3
    fi
    exit 0
As with the T440s, there are two scripts at root and user level. I still need to clean-up the lightdm.conf configuration; and an auto-detect method would be cool!
Results
What works?
As you can see from the kickstart scripts, I prefer to use the MATE desktop. MATE is working well, as is the majority of the software available from the various repositories. My thanks to the volunteer teams behind Rocky Linux, EPEL, ELrepo, and RPMfusion. Your efforts allow an Enterprise Grade Linux designed for servers to be usable as a desktop environment. Otherwise, with Fedora being too unstable for day-to-day production use, I would be forced to look at the likes of Ubuntu LTS.
What is broken?
Despite the instruction in the kickstart script, NetworkManager still needs to be told to disable IPv6. If you do not do this, NetworkManager unhelpfully complains and fills-up the messages log. Like a lot of the world, I still have no need for IPv6!!
The upstream versions of hplip and hplip-gui are too old to support my 2-year-old printer, so I had to rebuild the versions from Fedora 33 sources. This is where Red Hat falls down on the desktop-support front. Printer drivers need to be kept up-to-date!
It seemed to require a lot of effort to purge nomodeset from being added to the kernel boot parameters so I could enjoy the Plymouth Solar boot screen.
What is missing?
Bluetooth GUI control from the Blueberry package is no longer available. That is quite annoying when you have Bluetooth devices, as control via the command line is not always convenient. I have tried rebuilding the package from Fedora 33 sources, but it does not build, so I am stuck. I am not comfortable trying to install and build it from source. I prefer to use a package to ensure it can be updated and/or cleanly removed.
dnfdragora would be handy. I have tried and failed to rebuild it from Fedora 33 sources, so I am relying on the old method of a cron.daily script sending me an email when new packages are available. The replacement for yum-cron is not always ideal.
The rather handy Gnote.
GUI printer control. You have to use the CUPS web-interface on localhost:631, and that is not the most user-friendly method of sorting your printers!
PulseEffects. Yes I do require an equalizer function so I can enjoy music and videos properly!
I like the 3D effects of Compiz and the window decorations of Emerald. These packages are not available, so I rebuilt them from Fedora 33 and placed them in my own repository. Compiz largely works on my desktop with the nVidia card and kmod-nvidia from ELrepo. It regularly crashes on my P14s laptop with the AMDGPU software; and it does not play nice on the older T440s and the Intel GPU. Compiz and VLC rarely play nice when you want to switch VLC to full-screen.
A number of the amateur radio tools are not available unless the nice people of EPEL rebuild them. I have managed to rebuild a number of them: dxcc, flrig, gpredict, gqrx, ibp, klog, qsstv, rtlsdr-scanner, trustedqsl, xastir, and xlog.
The rather handy mail-notification utility has been helpfully informing me of new email in my various inboxes for years. Sadly, it appears to be abandon-ware and requires libgnome-devel to build. libgnome-devel has been deprecated by Red Hat, so there is no way for a humble SysAdmin to rebuild the Fedora package and have this great little util working in the background. I also suspect, with the push to OAuth 2.0, that people would find they could not check their IMAP accounts without updates to this software; although that is not a problem for those of us that run our own mail-server!
Flatpak
The flatpak system has sort of come to the rescue, although the downside of using this method is the space it takes up in /var/lib/flatpak. At the time of writing, 13 GiB is taken up with:
The other downside with Flatpak is the need to remember to run flatpak update from time to time. There is no automatic system to inform you of updates.
Update 19th February 2023: Install xdg-desktop-portal-gtk if you want to print from Flatpak applications.
PulseEffects autostart
There is a trick to ensure the Flatpak version of PulseEffects starts-up on login. In the ~/.config/autostart directory, create an entry called pulseeffects-service.desktop and add the following:
    [Desktop Entry]
    Name=PulseEffects
    Comment=PulseEffects Service
    Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=pulseeffects com.github.wwmm.pulseeffects --gapplication-service
    Icon=pulseeffects
    StartupNotify=false
    Terminal=false
    Type=Application
    X-MATE-Autostart-Delay=30

Your results may vary with PulseEffects. I have experienced some bizarre noises before I was able to tame it. I like the Rock profile in VLC, so I copied the levels into PulseEffects to make my own custom equalizer.
Page updated: 28th February 2023