RHEL 9 Workstation

Project Summary

Deploy a production-grade RHEL 9 workstation as a KVM virtual machine on local infrastructure. Unlike disposable lab VMs, this is a persistent daily-driver: development, documentation, containers, and infrastructure management. Every interaction is RHCSA training — SELinux enforcing, firewalld rules, LVM management, Podman containers, and systemd services in a real environment.

RHEL 9 with the free Developer Subscription provides the actual Red Hat tooling (subscription-manager, Red Hat repos, Insights) that binary-compatible clones (Rocky, Alma) cannot replicate.

Deployment Status

Phase	Description	Status	Notes
0: Red Hat Registration	Developer subscription, ISO download, subscription-manager concepts	❌ Not started	developers.redhat.com/register
1: KVM VM Creation	virt-install, resource allocation, network bridge, storage pool	❌ Not started	—
2: RHEL 9 Installation	Installer walkthrough, partitioning (LVM), base packages	❌ Not started	Manual install (not kickstart) — learn the installer
3: Post-Install Baseline	subscription-manager, repos, dnf update, hostname, timezone, chrony	❌ Not started	—
4: Desktop Environment	GNOME, Wayland, fonts, themes, display config	❌ Not started	GNOME is RHEL’s default and what the exam environment uses
5: Networking	Static IP, VLAN bridge, nmcli, firewalld zones and rules	❌ Not started	nmcli + firewall-cmd (not ip/ufw — RHEL way)
6: Storage & LVM	VG/LV layout, additional disks, XFS, fstab, swap, Stratis	❌ Not started	LVM is core to RHCSA
7: Users & Security	SELinux enforcing, sudo, SSH hardening, audit	❌ Not started	SELinux is the #1 RHCSA failure topic
8: Development Stack	Python, Go, Node, Rust, Neovim, Claude Code	❌ Not started	—
9: Secrets & Identity	gopass, age, GPG, SSH keys, Vault SSH cert	❌ Not started	—
10: Dotfiles & Stow	dots-quantum RHEL adaptation, stow packages	❌ Not started	RHEL paths differ from Arch
11: Containers	Podman (not Docker), rootless, systemd integration, pods	❌ Not started	Podman is RHCSA — Docker is not on the exam
12: Maintenance	dnf-automatic, Borg backup, cert renewal, systemd timers	❌ Not started	—

Phase

Description

Status

Notes

0: Red Hat Registration

Developer subscription, ISO download, subscription-manager concepts

❌ Not started

developers.redhat.com/register

1: KVM VM Creation

virt-install, resource allocation, network bridge, storage pool

❌ Not started

—

2: RHEL 9 Installation

Installer walkthrough, partitioning (LVM), base packages

❌ Not started

Manual install (not kickstart) — learn the installer

3: Post-Install Baseline

subscription-manager, repos, dnf update, hostname, timezone, chrony

❌ Not started

—

4: Desktop Environment

GNOME, Wayland, fonts, themes, display config

❌ Not started

GNOME is RHEL’s default and what the exam environment uses

5: Networking

Static IP, VLAN bridge, nmcli, firewalld zones and rules

❌ Not started

nmcli + firewall-cmd (not ip/ufw — RHEL way)

6: Storage & LVM

VG/LV layout, additional disks, XFS, fstab, swap, Stratis

❌ Not started

LVM is core to RHCSA

7: Users & Security

SELinux enforcing, sudo, SSH hardening, audit

❌ Not started

SELinux is the #1 RHCSA failure topic

8: Development Stack

Python, Go, Node, Rust, Neovim, Claude Code

❌ Not started

—

9: Secrets & Identity

gopass, age, GPG, SSH keys, Vault SSH cert

❌ Not started

—

10: Dotfiles & Stow

dots-quantum RHEL adaptation, stow packages

❌ Not started

RHEL paths differ from Arch

11: Containers

Podman (not Docker), rootless, systemd integration, pods

❌ Not started

Podman is RHCSA — Docker is not on the exam

12: Maintenance

dnf-automatic, Borg backup, cert renewal, systemd timers

❌ Not started

—

Assessment

Why RHEL 9 (Not Rocky/Alma/CentOS Stream)

Factor RHEL Advantage

Factor	RHEL Advantage
`subscription-manager`	On the RHCSA exam. Does not exist on clones.
Red Hat repos (BaseOS, AppStream)	Authenticated repos with Red Hat signing keys. Clones mirror content but not the tooling.
Red Hat Insights	System health, compliance, vulnerability scanning. RHEL-only.
Exam environment	RHCSA is taken on RHEL. Muscle memory on the actual OS matters.
Support knowledge base	access.redhat.com — solutions, errata, security advisories.
Production reality	Enterprise shops run RHEL, not Rocky. Daily use on RHEL = production readiness.

subscription-manager

On the RHCSA exam. Does not exist on clones.

Red Hat repos (BaseOS, AppStream)

Authenticated repos with Red Hat signing keys. Clones mirror content but not the tooling.

Red Hat Insights

System health, compliance, vulnerability scanning. RHEL-only.

Exam environment

RHCSA is taken on RHEL. Muscle memory on the actual OS matters.

Support knowledge base

access.redhat.com — solutions, errata, security advisories.

Production reality

Enterprise shops run RHEL, not Rocky. Daily use on RHEL = production readiness.

Infrastructure Requirements

Resource	Allocation
vCPUs	4 (minimum 2)
RAM	8 GB (minimum 4 GB)
Root disk	40 GB (LVM — will practice extend/resize)
Additional disks	2x 10 GB (LVM/Stratis labs)
Network	Bridged to lab VLAN (real IP, not NAT)
Display	SPICE/VNC for GNOME desktop
GPU	Software rendering (no passthrough needed for workstation use)

Resource

Allocation

vCPUs

4 (minimum 2)

RAM

8 GB (minimum 4 GB)

Root disk

40 GB (LVM — will practice extend/resize)

Additional disks

2x 10 GB (LVM/Stratis labs)

Network

Bridged to lab VLAN (real IP, not NAT)

Display

SPICE/VNC for GNOME desktop

GPU

Software rendering (no passthrough needed for workstation use)

Key Differences: Arch → RHEL

Area Arch Linux RHEL 9

Area	Arch Linux	RHEL 9
Package manager	`pacman` / `yay`	`dnf` / `rpm`
Init system	systemd (same)	systemd (same)
Firewall	`ufw` / `iptables`	`firewalld` (`firewall-cmd`)
MAC framework	AppArmor	SELinux (enforcing by default)
Default shell	zsh (user choice)	bash
Desktop	Hyprland (Wayland)	GNOME (Wayland)
Storage	btrfs	LVM + XFS
Container runtime	Docker	Podman (rootless, daemonless)
Network config	NetworkManager / nmcli	NetworkManager / nmcli (same)
Boot loader	systemd-boot	GRUB2
Kernel	Rolling (latest)	Fixed (5.14.x with backports)
Release model	Rolling	Point release (9.x every ~6 months)

Package manager

pacman / yay

dnf / rpm

Init system

systemd (same)

Firewall

ufw / iptables

firewalld (firewall-cmd)

MAC framework

AppArmor

SELinux (enforcing by default)

Default shell

zsh (user choice)

bash

Desktop

Hyprland (Wayland)

GNOME (Wayland)

Storage

btrfs

LVM + XFS

Container runtime

Docker

Podman (rootless, daemonless)

Network config

NetworkManager / nmcli

NetworkManager / nmcli (same)

Boot loader

systemd-boot

GRUB2

Kernel

Rolling (latest)

Fixed (5.14.x with backports)

Release model

Rolling

Point release (9.x every ~6 months)

Risk Areas

SELinux — Arch uses AppArmor. SELinux is a completely different paradigm (contexts, booleans, policies). Enforcing mode from day one — learn by fixing denials.
LVM muscle memory — Arch uses btrfs. LVM create/extend/reduce under time pressure is an RHCSA requirement.
firewalld — UFW is simpler. firewall-cmd zones, services, and rich rules need practice.
dnf module streams — AppStream modules are RHEL-specific (e.g., dnf module enable python39).
GRUB2 — Arch uses systemd-boot. GRUB2 configuration and recovery is on the exam.

Project Metadata

Field	Value
PRJ ID	PRJ-2026-04-rhel9-workstation
Author	Evan Rosado
Created	2026-04-05
Updated	2026-04-05
Status	Draft — Phase 0 in progress
Category	Workstation Deployment
Priority	P1
Platform	KVM virtual machine (local infrastructure)
Target OS	Red Hat Enterprise Linux 9 (Workstation)
Subscription	Red Hat Developer Subscription (free, 16 systems)
Purpose	Production-grade RHEL 9 daily-driver workstation — real workloads, SELinux enforcing, firewalld, LVM, Podman. Natural RHCSA preparation through daily use.
Related	RHCSA Study Curriculum

Field

Value

PRJ ID

PRJ-2026-04-rhel9-workstation

Author

Evan Rosado

Created

2026-04-05

Updated

2026-04-05

Status

Draft — Phase 0 in progress