How to Kickstart Fedora with LUKS Encrypted Partitions

When I did a fresh Kickstart install of Fedora 21 (F21) via PXE on my main laptop, I bumped into an issue where the Kickstart installation would fail because Anaconda would not properly set up the LUKS encrypted partition. Here are the steps to make it work.

1) the Kickstart file

The idea is to create the required partitions in the %pre section of the Kickstart file and then let Anaconda use those partitions in the main section of the Kickstart file. This means that you cannot use clearpart in the main section, as that would wipe all partitions. During execution of the %pre section, the partitioning instructions are generated and then pulled into the main section of the Kickstart file via an %include.

Note that this is a minimalist example and requires more work in environments with different hardware configurations.

The example below assumes 3 partitions: one boot “/boot” partition, one root “/” partition and one user “/home/patrick” partition. Adding a GPT biosboot partition and/or swap partition should be easy.

The %pre section in the Kickstart file:

The main section of the Kickstart file:

In this section (usually at the top of the Kickstart file) the partitions are defined.
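
The %pre-plus-%include mechanism described above, as an added sketch that is not the original post's code: a shell function for the %pre script that writes the `part` lines for the three partitions to a file the main section can `%include`. The function name, `/tmp/part-include`, the `sda1`..`sda3` device names, ext4, and the choice to encrypt `/` and `/home/patrick` are assumptions.

```shell
# Body of a Kickstart %pre script (plain sh). Added example with assumed names:
# emit_part_include, /tmp/part-include, sda1..sda3 and ext4 are illustrative.
# The partitions themselves must already have been created earlier in %pre.

# Usage: emit_part_include OUTFILE BOOT_PART ROOT_PART HOME_PART [PASSFILE]
emit_part_include() {
    out=$1 boot=$2 root=$3 home=$4 passfile=${5:-}

    # Accept only plain device names such as "sda2"; anything else could
    # smuggle extra options into the generated Kickstart lines.
    for p in "$boot" "$root" "$home"; do
        case $p in
            ''|*[!A-Za-z0-9_-]*) echo "bad partition name: '$p'" >&2; return 1 ;;
        esac
    done

    # Without --passphrase (and with no system-wide default) the installer
    # stops and prompts on the console, so no secret sits in a served file.
    luks="--encrypted"
    if [ -n "$passfile" ]; then
        # Unattended install: use the first line of a local file instead.
        pass=
        [ -r "$passfile" ] && { IFS= read -r pass < "$passfile" || :; }
        case $pass in
            ''|*[!A-Za-z0-9._@%+=:,/-]*)
                echo "passphrase missing or would need quoting" >&2; return 1 ;;
        esac
        luks="$luks --passphrase=$pass"
    fi

    (
        umask 077            # the file may hold the passphrase: owner-only
        rm -f -- "$out"
        {
            echo "part /boot --fstype=ext4 --onpart=$boot"
            echo "part / --fstype=ext4 --onpart=$root $luks"
            echo "part /home/patrick --fstype=ext4 --onpart=$home $luks"
        } > "$out"
    )
}

# In %pre:             emit_part_include /tmp/part-include sda1 sda2 sda3
# In the main section: %include /tmp/part-include   (and no clearpart)
```

A Kickstart file fetched over PXE/HTTP is readable by anyone who can reach the server, which is why the passphrase is either left out or read from a separate file instead of being written into the Kickstart itself.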

And that’s all that’s required to get your F21 install with a LUKS encrypted partition successfully kickstarted.

How to disable delta RPMs on Fedora 20

If you maintain a local mirror of Fedora or have fast WAN access to a Fedora mirror near you then it is quite inefficient to let yum download the delta RPMs and then take ages to rebuild them. It’s much faster to just download the full update RPMs instead. Here’s how you disable delta RPMs:

Open /etc/yum.conf and in the [main] section add deltarpm=0:

Note that this is a global setting. So none of your repositories will use delta RPMs anymore.

How to disable delta RPMs for individual repositories

If you want to disable delta RPMs for individual repositories then here’s a neat trick. In /etc/yum.repos.d/your.repo add the following setting:

From man yum.conf:

deltarpm_percentage When the relative size of delta vs pkg is larger than this, delta is not used. Default value is 75 (Deltas must be at least 25% smaller than the pkg). Use `0' to turn off delta rpm processing. Local repositories (with file://baseurl) have delta rpms turned off by default.

How to set up OpenVPN on Fedora 19

Here is a quick howto for setting up OpenVPN on Fedora 19. For the sake of simplicity all steps are performed as root.

Install openvpn and easy-rsa:

Create the keys/ dir:

Create empty openvpn log files:

If you already have keys then copy them to /etc/openvpn/keys. If not then you will need to generate them. Read /usr/share/doc/easy-rsa-2.2.0/doc/README-2.0 for instructions on how to do that.

Also generate the dh and ta keys:

Create a configuration called my-vpn.conf which uses TLS. It’s ok to call the config file something else but make sure to replace my-vpn in further steps below with the name you have chosen for your config file:

IMPORTANT: change the following settings above for your situation:
– server 10.0.1.0 255.255.255.0
– push "dhcp-option DOMAIN example.org"
– push "dhcp-option SEARCH example.org"

Make sure ipp.txt exists:

Set proper ownership of the openvpn directory, config files and keys:

Reset the SELinux labels:

Now set up systemd so openvpn starts at boot. For background information see this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=744244

Start the openvpn my-vpn service:

And check if it started ok:

Which should say something like this:

Next copy your client1.key, client1.crt, ca.crt and ta.key to ~/.cert/ on the client box that will access the OpenVPN server. If your client is also a recent Fedora box and you use NetworkManager then you can create a small config file with the proper settings to access your OpenVPN server and import it in NetworkManager.

The client config VPN for NetworkManager looks like this:

IMPORTANT: replace the entries between <...> with your settings:
– remote <your-openvpn-server> 1194
– ca /home/<you>/.cert/ca.crt
– cert /home/<you>/.cert/client1.crt
– key /home/<you>/.cert/client1.key

Now import this file into NetworkManager by going to:

On your OpenVPN server make sure that port 1194 (or whatever port you chose) is open in the firewall.
Finally on your client box click on the NetworkManager icon in the top menu bar and select my-vpn. Enjoy your new secure VPN connection. Comments and enhancements always welcome.