The differences are:

• When you get to the “More Minimizing” section, yum -C grouplist will show a package called “Yum Utilities” which you probably want to leave installed.
• The Deployment_Guide-en-US file is not there so you don’t need to remove it.

That’s it.

I should also note that downloading a 3.9GB DVD ISO image in order to build a ~700MB installed OS may not be very efficient. I didn’t bother looking for a network installer but that might be the way to get this done faster.

Next, you need a way to compare this list to the list of what you have installed. Here’s a command line that I used:

yum list installed | awk 'split($1,a,".") { if (NR>2){ print a[1] } }' \\
> installed_package_names.txt ; diff installed_package_names.txt \\
minimal_package_names.txt  | grep '<' | colrm 1 2

(The awk command is there to strip out the version number and architecture from the package name.)

Now you can run that command and see a list of package names that are not in your minimal_package_names.txt list. You can switch that grep command so it looks for '>' instead of '<', and see things that you consider minimal which are not currently installed.

Then it's just a matter of "yum install foo" and "yum remove foo". I encourage you to use "yum info foo" to make removal decisions one by one, since someone at the ISP probably took the time to research them and thought you might find them useful. You should probably also remove packages in small groups or one by one, because you might be surprised at the dependencies you find. I was surprised to find that uninstalling postgresql-libs would cause httpd (Apache) to be removed as well.

But if you want to automate it, just tack | xargs yum remove on the end of that command, and it will automatically remove them all at once.

Using this as a starting point, you can change your "minimal" packages list to fit your preferences, or even as a quick and dirty alternative to using Kickstart.

The first problem (no init script) is easy to solve, but apparently nobody has done so for CentOS 5.1 and published it. So, here is my CentOS 5.1 init script for the Sphinx Search server. It is known to work with version 0.9.8-rc2.

BTW, the alternative solution to the problem of a daemon not having a System V init script is to just put some extra junk in /etc/rc.local. That is the quick and dirty solution, and is undesirable for several reasons:

1. You can’t easily stop or restart the service, because it’s not a service as far as the OS knows; it’s just some junk in a script that got run a while ago.
2. You can’t use chkconfig or its GUI cousin with the creative name, The Services Configuration Tool, to control it and tie it to specific runlevels.

(System V runlevels and init scripts are useful, even if you don’t need all of the runlevel functionality. The stop/start/restart PID stuff is useful by itself.)

After a lot of reading about it, and debating disabling it entirely, I figured out how to do some minor SELinux customization to fit my needs for a MySQL database server. Hopefully this will help folks who are in a similar situation.

Fortunately, although SELinux is sophisticated, it’s not too obtrusive as implemented in CentOS 5.1. In configuring it, Red Hat has picked an admirable position somewhere between ironclad security with a huge administrative burden, and toothless security that is easy to use because it isn’t doing anything to protect you. This is important, because if the configuration process were too odious from the point of view of a typical junior sysadmin, it’s very likely that people would get in the habit of just turning it off entirely. As it is, SELinux on RHEL 5 / CentOS 5.1 is now becoming part of the landscape of what a modern Linux looks like; based on what I’ve read on relevant forums lately, admins are taking the time to try and customize its default configuration to their needs (with some success) rather than just turning it off.

The nicely balanced default configuration that Red Hat has chosen is called the Targeted Policy, which means that if the SELinux configuration files know about a specific daemon, then it will be subject to specific rules; otherwise, the classic Unix security model applies. So if you stay with the standard configuration of those targeted daemons, SELinux is providing an additional level of security containment around them, and as long as it does what it’s supposed to, you’ll never notice it.

In my case, I’m running MySQL and OpenSSH, and have configured them to listen on nonstandard ports. SSH is not targeted, so this was trivial to do. MySQL is targeted, so it didn’t work right away.

Specifically, MySQL wouldn’t start, and in /var/log/messages I saw something like this:
kernel: audit(1206710000.178:12): avc: denied { name_bind } \
for pid=8591 comm="mysqld" src=1234 scontext=user_u:system_r:mysqld_t:s0 \
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
In plain English, “I denied process 8591’s request to bind to port 1234″. So SELinux needs to be told that MySQL should be allowed to bind to port 1234.

Here’s what I had to do: (assuming a mysqld port number of 1234, and that the iptables firewall is already adjusted for this)
sudo /usr/sbin/semanage port -a -t mysqld_port_t -p tcp 1234

This means “Change the SELinux policy for ports by adding one, of mysqld_port_t type, protocol TCP, port number 1234.”

Now you should be able to see the standard port (3306) and the new one (1234) with this:
sudo /usr/sbin/semanage port -l | grep mysql

That should output something like “mysqld_port_t tcp 1234,3306″.

(These changes are persisted in ‘/etc/selinux/targeted/modules/active/ports.local’, so they will still be active after a reboot.)

Now, MySQL starts happily and I can connect and use it as I had expected. But I didn’t have to disable SELinux, which means that this and other daemons are still running inside a security container that will help to limit the damage if their security is compromised.

Assumptions:

• this server uses an x86_64 CPU architecture, not i386 (or for an ultra-small disk footprint, consider i386 since it doesn’t need duplicate 64 and 32 bit glibc libraries)
• this is a server VPS (running in VMware or Xen) so it isn’t interested in low-level hardware management
• no need for ACPI (sleep/hibernate)
• no need for laptop CPU power reduction
• no need for SMART disk monitoring (since the VPS disk is virtualized)
• no need for MD (software RAID) since it’s a VPS; any RAID is happening at a lower level (host OS / dom0)
• no need to use LVM2 to mirror a logical volume (again because RAID is handled outside of the VPS)
• no need for bluetooth, hot-plug hardware, or PCMCIA
• this server may have more than one CPU (or may be given additional VCPUs later due to load) so multi-CPU support is desired
• this is a headless server so no GUI features are desirable
• there are no legacy services that need RPC
• NFS will not be used
• SELinux will be left in the default configuration (”Enforcing” the “Targeted” policy).

Basic Installation:

Start with the Centos 5.1 x86_64 install DVD.
Boot the DVD.
Select English language and U.S. English keyboard layout.
Choose to Install the OS (not upgrade).
Choose “Remove linux partitions on selected drives and create default layout.”
Select DHCP network configuration, or the static IP address for this server.
(I choose DHCP, and tell the DHCP server to use a specific IP for this host based on its Ethernet MAC address.)
Choose the time zone the server is in (for me this is America/Los Angeles), and enable the “System clock uses UTC” option.
Pick a complex root password (https://grc.com/passwords can generate one for you) and enter it.
When given a chance to install additional tasks, uncheck everything (no additional tasks) and choose the “Customize now” radio button.
In the next screen, go into every group and uncheck everything. (*Nothing* should be checked when you’re done. Be careful not to miss anything!)
Confirm that you want the installer to begin the installation process. (For me this process took about 6 minutes.)
Confirm that you want to reboot, and make sure that the server will boot from the hard disk instead of the installation media.
When the server boots, log in as root. (You can disconnect from the console and use SSH instead at this point if it’s more convenient.)

More Minimizing:
Run this command to tell yum to go grab the latest package info from out on the internet.
yum grouplist
Run this command to make sure you didn’t install anything other than the bare minimum:
yum -C grouplist
You shouldn’t see a section called “Installed Groups:”. If you do see it, it means you missed something you were supposed to disable in the previous section.
In that case, run this to remove it and all the packages in it:
yum -C groupremove SomeGroupName

You can also run this command to count how many packages have been installed already:
yum -C list installed | wc -l
The resulting count of packages installed should be 154.

Next, run “chkconfig --list | grep 3:on” to see what services are enabled.
Several of them can safely be disabled (provided that the assumptions at the top of this guide are true), so run this:
for i in haldaemon lvm2-monitor messagebus netfs; do chkconfig $i off; done
These are useful and should stay enabled:
ip6tables
iptables
kudzu
mcstrans
network
restorecond
sshd
syslog
If for some reason there are others that are still enabled that aren’t on that list, you’ll have to decide for yourself.

Run this command to remove a 9.7MB standalone documentation package that you almost certainly won’t be reading from the server:
yum -C remove Deployment_Guide-en-US

If you wish, run this command to update your installed packages to the latest stable version.
yum update
As of 3/27/2008 this installed a new kernel, updated 19 other packages, and required a 54MB download.
Accept the CentOS package-signing GPG key when asked.
If a kernel update is installed, it would be a good idea to reboot soon to make sure it works.
You can also remove your old kernel (use “rpm -qa | grep kern” to find old ones) to save ~75MB.
yum remove kernel-2.6.18-53.el5 NOTE! ONLY do this if you updated your kernel and have 2 installed now.

Useful Things You May Want To Install:

These packages are very useful for administering servers, deploying software and data to them, and performing backups:
yum install bzip2 lsof man man-pages mlocate quota rsync sysstat vixie-cron wget which

If your server has more than 1 CPU you may wish to install irqbalance, to distribute interrupt servicing duty across CPUs:
yum install irqbalance

This package makes the system boot slightly faster using a very simple, safe technique:
yum install readahead

If you aren’t familiar with the vim text editor, you can install nano, which is less powerful but very easy to use:
yum install nano

Have fun! Hope this helps.