Hi everyone,

I recently transitioned to the Linux (RHEL/CentOS) environment roughly 9-ish months ago and have learned so much since then but still consider myself a total newbie. This is my first Linux Administration role and I've never seen other infrastructures compared to what I've been dealing with. Our host/user base is also roughly about 20ish and I'd like to be prepared when that grows in the future.

Currently I feel as if the current infrastructure, that I inherited, isn't setup properly and I'd like everyone's opinion on my thoughts about improving it.

Here is how we have things setup:

RHEL Server (NFS Share): This host has been setup with the CentOS/RHEL kickstarts for NFS deployment and also Open Source Puppet for applying the necessary post imaging configurations.

RHEL Workstation (Sync? Local Repo): This host was setup with downloading RHEL/CentOS packages weekly and have our workstation hosts pointed to it for updates by using reposync. Unfortunately, there isn't a RHEL Server VM spun up setup like this host (yet) and all of our RHEL Servers are being pointed directly to RHN. Our local site requires the hosts to point to a local repo so that it can be managed. The reason why I have yet to stand up another RHEL Server VM for reposync is explained below.

My thought was to purchase Red Hat Satellite Server and utilize the Puppet Enterprise
(https://access.redhat.com/articles/s...pet-enterprise) integration so this way we can just get rid of the jury-rigged repo VM. Our RHEL machines also aren't subscribed since they're just pulling updates from the local repo.

Where you must use RHEL (for whatever reasons, client contract, compliance etc, etc) you first need to fix Licensing and then using Satellite + Puppet does make sense. For those machines that haven't such requirements transitioning to CentOS + Spacewalk (OSS Satellite) may be an option. And not that it's ready right now I believe but also look ahead at what Red Hat has on offer for the future (CloudForms + Foreman vs Katello).

Thank you for your response. Just as you said, for reasons (DoD), we only have RHSS and PE approved or else I would setup CentOS + Spacewalk. Good to know about the CloudForms + Foreman vs Katello, I'll play with those at home to get my feet wet.

I'm curious about your DoD site. Since I work DoD too, and we don't allow any of our DoD RHEL Servers to go out to RH Network directly. We have a Red Hat Satellite, disconnected, where we do all of the patching from. So I'm wondering why it is setup this way?

Also for NFS, it is against the STIGs to run this, so I shut all of that down and use scp to move files right now.

That's interesting, from what I gathered, no regular workstations are allowed to connect directly to RHN just as you said unless it's through a local repo or RHSS. We just went though the new accreditation process with DISA and I don't recall seeing anything saying this wasn't allowed. Could you clarify as to which portion you meant as being setup "this way"?

The STIGs don't specifically say to not use NFS (unless I missed a STIG ID), they say that if you are using it, you need certain options in place such as "nosuid" and "nodev" (list goes on).