How To Install Centos


CentOS Minimal Install for Production: Reducing Attack Surface and Waste

Server admins routinely inherit bloated Linux installations — full of graphical desktops, unused utilities, and surprise listening services. That scenario violates core principles of hardening and operational efficiency for any mission-critical fleet. A minimal CentOS deployment, by contrast, ensures only fundamentals are present: predictable, fast, and easier to maintain.


Minimal Install: Why Bother?

  • Tighter security boundaries. Fewer binaries, less code — substantially shrinking the exploit surface.
  • Deterministic performance. No rogue background daemons eating IO or memory.
  • Predictable update cycles. With fewer dependencies, yum update impacts are easier to audit.

Note: A “minimal install” is rarely production-ready as-is. It’s a reliable, clean base — think hardened API appliance, not desktop workstation.


Prerequisites at a Glance

| Resource | Requirement |
|---|---|
| Hardware/Virt | x86_64 system, at least 1 vCPU, 1GB RAM |
| ISO Image | CentOS 7 Minimal (CentOS-7-x86_64-Minimal-2009.iso or equivalent) |
| Media | USB, virtual CD, or PXE setup |
| Networking | Wired or hypervisor-bridged (DHCP/static) |
| Basic Skill | Intermediate shell, precise CLI navigation |

Obvious but missed: Always verify checksum (sha256sum) on the ISO before installation to avoid deploying compromised images.
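
A fail-closed version of that check, as an added example (not from the original post): `verify_iso` is a hypothetical helper, and the demo files are constructed stand-ins for a real ISO and its published checksum list.

```bash
#!/usr/bin/env bash
# Added example: fail-closed check of an ISO against a published checksum list.
# Verify the list's own signature first (e.g. gpg --verify on the signed copy);
# that step needs the distribution key and is not performed here.

# verify_iso ISO CHECKSUM_LIST
#   0 = hash matches, 1 = mismatch, 2 = unreadable input, 3 = no unique entry
verify_iso() {
    local iso="$1" sums="$2" name expected actual
    [ -r "$iso" ] && [ -r "$sums" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename -- "$iso")

    # Lines look like "<64 hex>  name" or "<64 hex> *name". Compare the file
    # name exactly (no substring match) and require exactly one entry for it.
    # PGP armor lines in a clearsigned list are skipped by the hex test.
    expected=$(awk -v n="$name" '
        length($1) == 64 && $1 !~ /[^0-9a-fA-F]/ {
            f = $2; sub(/^\*/, "", f)
            if (f == n) { c++; h = tolower($1) }
        }
        END { if (c == 1) print h }' "$sums")
    if [ -z "$expected" ]; then
        echo "no unique checksum entry for $name" >&2; return 3
    fi

    actual=$(sha256sum -- "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH: $name" >&2; return 1
    fi
    echo "OK: $name"
}

# Constructed demo: a stand-in "ISO" and a checksum list built on the spot.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an ISO\n' > "$demo_dir/sample.iso"
( cd "$demo_dir" && sha256sum sample.iso > sha256sum.txt )
verify_iso "$demo_dir/sample.iso" "$demo_dir/sha256sum.txt"
printf 'tampered\n' >> "$demo_dir/sample.iso"
verify_iso "$demo_dir/sample.iso" "$demo_dir/sha256sum.txt" || echo "rejected (rc=$?)"
rm -rf "$demo_dir"
```

A missing or duplicated entry is treated as a failure rather than a pass, so a checksum list for the wrong release cannot silently approve the image.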


1. Boot and Launch Installer

Power up, ensure media/ISO is first in the boot order. On KVM, attach the ISO and reset the guest. Catch the “Install CentOS 7” boot entry. If using older hardware, sometimes “Troubleshooting > Install with basic graphics” works when GPU firmware is sketchy.


2. Language and Keyboard

English (US)? Fine. But on some BMCs (e.g., SuperMicro KVM/IPMI), non-US layouts break Ctrl/Alt mapping. If automation is planned — keep default locale to minimize edge cases.


3. Partitioning: Disk Layout Strategy

Automatic partitioning is adequate for temporary VMs. On production hardware, always control layout.

Recommended baseline (manual partitioning):

| Mount Point | Size (GB) | FSType | Critical? | Notes |
|---|---|---|---|---|
| /boot | 1 | ext4 | YES | Isolate to avoid bootloader/OS/UEFI conflicts |
| / | 20–30 | xfs | YES | XFS scales better for log-heavy workloads |
| swap | 1–2 × RAM | swap | Context | Swap rarely needed on modern servers w/ SSD |
| /var | 5–10 | xfs | App | Separate if running logs/databases |

Skip /home and other splits unless dictated by policy or workload. If using LVM, document VG/LV names — this helps when automating provisioning at scale.


4. Software Selection: The Trap

Most failed minimalizations occur here. Select only:

  • Base Environment: Minimal Install
  • Add-Ons: None. Uncheck everything else.

GUI stack? No. Editors, dev tools, hypervisors? Add those post-install if actually needed. The goal is a ~300-package system. If in doubt, press Tab in the list for description popups.


5. Network and Hostname

Network devices default to “off” on fresh installs. Click Configure and activate primary NIC (often eth0 or ens*). Assign static IPs for servers intended for persistent workloads — DHCP addresses can change with hypervisor/physical NIC resets. Use qualified hostnames (node1.prod.example.com) to avoid reverse-DNS lookup hitches in later SSH/scp jobs.

Attention: If IPv6 is not needed, disable it now to avoid unwanted traffic routes.


6. Credentials: Root and User Creation

Set a robust root password, 14+ chars, mix of upper/lower/symbols. Add a non-root user (e.g., deploy) with wheel/sudo access:

  • Create user, check “Make this user administrator”
  • Or manually configure /etc/sudoers.d/deploy

Some teams auto-provision keys here, but for airgapped/secure facilities, importing via Ansible later is safer.


7. Proceed with Installation

Click Begin Installation. This takes less than 5 minutes on SSD-backed storage, and you’ll see minimal console output. No GPG errors or dependency warnings are expected — if you see any, the ISO may be corrupt.


8. Post-Install Configuration

System will reboot. Login prompt should be text-only — no graphical target enabled. Confirm minimal footprint:

# How many RPMs?
rpm -qa | wc -l
# Example output:
# 298

Anything above 350? You likely included add-ons, or used the wrong ISO.

Networking sanity check:

ip a        # Ensure your NIC is UP with correct IP
systemctl status network NetworkManager

NFS server or graphical.target running? That shouldn’t happen.


Tightening the Ship: Post-Install Hardening

  • Firewall:

    sudo systemctl enable --now firewalld
    sudo firewall-cmd --state
    

    Note: firewalld is “dumbed-down”, but preferable for quick, low-maintenance needs. For heavy segmentation, consider iptables or nftables directly.

  • Strip Services:
    List enabled units:

    sudo systemctl list-unit-files --state=enabled
    

    Turn off anything not strictly required (e.g., postfix, cups).

    sudo systemctl disable postfix.service
    
  • Install missing essentials:
    No editors? No SSH? Install only what’s actually needed:

    sudo yum install nano openssh-server -y
    sudo systemctl enable --now sshd
    

    Question: Why not pre-select during install? Because review and auditability matter — see what really lands on-disk.

  • Update immediately:

    sudo yum update --security -y
    

    Gotcha: On mirror lag, your kernel might not be latest — double-check, especially if planning to deploy hardened modules or SELinux policies.
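
The footprint checks from step 8 and the service pruning above, combined into one repeatable audit. This is an added example, not the author's script; the `ALLOWED` baseline, the function names and the sample unit list are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare a fresh install against a minimal baseline.
# ALLOWED is an assumed baseline for this sketch, not an official list.
ALLOWED="auditd.service crond.service firewalld.service getty@.service \
NetworkManager.service rsyslog.service sshd.service tuned.service"

# Constructed sample of `systemctl list-unit-files --state=enabled` output.
SAMPLE_UNITS='UNIT FILE                 STATE
auditd.service            enabled
crond.service             enabled
cups.service              enabled
firewalld.service         enabled
postfix.service           enabled
sshd.service              enabled

6 unit files listed.'

# unexpected_units: reads the unit list on stdin and prints every enabled
# unit that is not in $ALLOWED. Header and footer lines fail the $2 test.
unexpected_units() {
    awk -v allow="$ALLOWED" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "enabled" && !($1 in ok) { print $1 }'
}

# audit PKG_COUNT DEFAULT_TARGET   (unit list on stdin)
# Returns 1 if anything is flagged. 350 is the package threshold from step 8.
audit() {
    local rc=0 extra
    if [ "$1" -gt 350 ]; then echo "FLAG packages: $1 installed (> 350)"; rc=1; fi
    if [ "$2" = "graphical.target" ]; then echo "FLAG default target: $2"; rc=1; fi
    extra=$(unexpected_units)
    if [ -n "$extra" ]; then
        echo "FLAG enabled units not in baseline:"
        printf '  %s\n' $extra   # unit names contain no whitespace
        rc=1
    fi
    return $rc
}

# On a live host:
#   systemctl list-unit-files --state=enabled |
#       audit "$(rpm -qa | wc -l)" "$(systemctl get-default)"
# Demo on the constructed sample (flags cups.service and postfix.service):
printf '%s\n' "$SAMPLE_UNITS" | audit 298 multi-user.target || echo "review findings above"
```

Run it after every image rebuild and keep `ALLOWED` in version control, so a change to the enabled set shows up as a reviewable diff.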


Atypical Hints and Side Notes

  • If provisioning via PXE/Kickstart, set #version=RHEL7 at the top of kickstart files for cleaner parser output.
  • UEFI boot: some minimal images skip placing files in /boot/efi by default, leading to failed boots on some boards — check your firmware type before install.
  • For containers/Kubernetes: swap must be disabled or set minuscule (/etc/fstab), or kubelet will complain.

Summary Table: Minimal Install Checklist

| Step | Completed? (Y/N) |
|---|---|
| Validated ISO checksum | |
| Set static IP/hostname | |
| Custom partitioning | |
| Minimal install selection | |
| Firewall enabled | |
| Unneeded services pruned | |
| System updated | |

A minimal CentOS install is rarely the last step — but always the most important one. By stripping down from the outset, you create predictable systems, outperforming generic builds both on stability and security. But keep trade-offs in mind: minimal also means additional setup for real workloads, and sometimes inconvenient “missing” tools (no curl, no scp, etc.) if you don’t plan ahead.

If you encounter boot failures, networking quirks, or installer bugs, check /var/log/anaconda/anaconda.log — it's where the real clues live.

Deploy lean. Expand only as dictated by need. Typical results: faster rollouts, better patch discipline, easier monitoring.


Questions about quirky hardware or integrating with configuration management? Real answers come from real-world fieldwork, not spec sheets.