Top Rocky Linux 10 Post-Installation Tips and Tricks

A fresh Rocky Linux 10 install gives you a lean base image and not much else. Before the server earns its keep, there are a handful of one-time tweaks that make everything after easier: a safer login path, a usable shell, a firewall that actually runs, and a few kernel knobs that keep the box responsive under load. This guide walks through the checklist we apply to every Rocky 10 server at build time.

Original content from computingforgeeks.com - post 69

The commands below were tested on a fresh Rocky Linux 10.1 (Red Quartz) cloud image running kernel 6.12.0-124.8.1.el10_1.x86_64. Everything works on AlmaLinux 10 and RHEL 10 as well since all three share the same package set. Nothing here disables SELinux or tears down the firewall, because those are bad habits that bite you later.

Verified working: April 2026 on Rocky Linux 10.1, kernel 6.12.0-124.8.1, SELinux enforcing, DNF 4.20.0

1. Set a meaningful hostname

Cloud images ship with generic or auto-generated hostnames. Give the server something you’ll actually recognize in your SSH prompt and monitoring dashboards.

sudo hostnamectl hostname rocky10-web01.example.lan

Confirm the change with hostnamectl:

hostnamectl

You should see the new name reflected, along with the machine ID and kernel:

 Static hostname: rocky10-web01.example.lan
       Icon name: computer-vm
         Chassis: vm
  Virtualization: kvm
Operating System: Rocky Linux 10.1 (Red Quartz)
     CPE OS Name: cpe:/o:rocky:rocky:10::baseos
   OS Support End: Thu 2035-05-31
          Kernel: Linux 6.12.0-124.8.1.el10_1.x86_64
    Architecture: x86-64

For the hostname to appear in a new login shell, either reconnect or run exec bash.

2. Configure the timezone and locale

A correct timezone is the difference between logs you can correlate and logs that look like they came from three different servers in three different universes. List available zones and pick yours:

timedatectl list-timezones | grep -i africa
sudo timedatectl set-timezone Africa/Nairobi

Verify the clock, timezone, and NTP sync in one view:

timedatectl

Expected output on a healthy system:

               Local time: Sat 2026-04-11 03:04:18 EAT
           Universal time: Sat 2026-04-11 00:04:18 UTC
                 RTC time: Sat 2026-04-11 00:04:18
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Rocky 10 uses chronyd for time sync by default and it’s already running on a fresh install. If the system clock is ever drifting, check what server you’re bound to:

chronyc tracking
chronyc sources -v

The locale matters if you’re running tools that complain about LC_ALL. Check and set it:

localectl
sudo localectl set-locale LANG=en_US.UTF-8

3. Update everything (and keep the kernel current)

First thing on every new server: pull the latest packages. Rocky 10 uses DNF 4.20 and this single command handles both package updates and kernel upgrades:

sudo dnf -y upgrade --refresh

If a new kernel is installed, reboot once so the new version is the running one:

sudo dnf needs-restarting -r || sudo reboot

DNF keeps the last 3 kernels by default (installonly_limit=3 in /etc/dnf/dnf.conf), which is a good balance between having a known-good rollback and not wasting /boot.

4. Enable the CRB and EPEL 10 repositories

Two extra repos cover 90% of the packages you’ll actually want on a working server. CodeReady Builder (CRB) carries build dependencies EPEL needs, and EPEL itself carries tools like htop, tmux, fail2ban, and hundreds more.

sudo /usr/bin/crb enable
sudo dnf -y install epel-release

The CRB enable step prints a short confirmation:

Enabling CRB repo
CRB repo is enabled and named: crb

Confirm both repos are active:

dnf repolist

You should see crb and epel listed alongside the base repos:

repo id              repo name
appstream            Rocky Linux 10 - AppStream
baseos               Rocky Linux 10 - BaseOS
crb                  Rocky Linux 10 - CRB
epel                 Extra Packages for Enterprise Linux 10 - x86_64
extras               Rocky Linux 10 - Extras

5. Create a dedicated administrator account

Cloud images typically ship with a single rocky user tied to cloud-init metadata. For a production host, create a proper admin account in the wheel group and use that for day-to-day work.

sudo useradd -m -G wheel -s /bin/bash opsadmin
sudo passwd opsadmin

Verify the user lands in the wheel group, which is already granted sudo via /etc/sudoers:

id opsadmin

The group list should include wheel, confirming the account inherited sudo rights from the default Rocky 10 sudoers config:

uid=1001(opsadmin) gid=1001(opsadmin) groups=1001(opsadmin),10(wheel)

Copy your SSH public key over so you can log in without a password:

ssh-copy-id opsadmin@your-server-ip

6. Harden the SSH daemon

The default sshd config on Rocky 10 is reasonable, but a couple of tweaks cut down automated brute-force noise. Rather than editing the main /etc/ssh/sshd_config, drop overrides into /etc/ssh/sshd_config.d/. They take precedence and survive package updates cleanly.

sudo vi /etc/ssh/sshd_config.d/10-hardening.conf

Paste in these lines:

PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no

Always test the config before reloading. A typo here can lock you out.

sudo sshd -t && sudo systemctl reload sshd

Keep your current SSH session open and test a second connection from another terminal before disconnecting. If the new session works, you’re safe to close the first one. For changing the SSH port itself (which requires an extra semanage step because of SELinux), see our guide on changing the SSH port on Rocky Linux 10 with SELinux.
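
sshd -t only validates syntax. It does not show which value won for each keyword, and sshd keeps the first value it reads, so a drop-in that sorts before 10-hardening.conf can shadow it. The check below is an added example, not part of the original article: it compares sshd -T output (the effective configuration) against the six values above, using constructed sample output so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the original article): check that the values in
# 10-hardening.conf are the ones sshd actually uses.

# Expected effective settings; `sshd -T` prints keywords in lowercase.
EXPECTED='permitrootlogin no
passwordauthentication no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no'

# audit_sshd: reads `sshd -T` output on stdin, prints one line per setting
# that differs from EXPECTED, and returns 1 if any differ.
audit_sshd() {
    effective=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want=%s got=%s\n' "$key" "$want" "${got:-unset}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: effective config where every override applied.
SAMPLE_OK="port 22
$EXPECTED"

# Constructed sample: another drop-in that is read before 10-hardening.conf
# set PasswordAuthentication yes, so the hardened value never took effect.
SAMPLE_SHADOWED='port 22
permitrootlogin no
passwordauthentication yes
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no'

printf '%s\n' "$SAMPLE_OK" | audit_sshd && echo "OK: hardening in effect"
printf '%s\n' "$SAMPLE_SHADOWED" | audit_sshd || echo "FAIL: review sshd_config.d ordering"
```

On a live host, feed it the real configuration with sudo sshd -T | audit_sshd after the reload.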

7. Install and configure firewalld

This one surprises people: Rocky Linux 10 minimal and cloud images do not ship with firewalld installed. Check with rpm -q firewalld and install it if it’s missing:

sudo dnf -y install firewalld
sudo systemctl enable --now firewalld

The install pulls in nftables 1.1.1-9 and python3-firewall 2.4.0, which is the backend the firewall-cmd tool talks to. Once it’s running, inspect the default public zone:

sudo firewall-cmd --list-all

The default public zone already allows SSH and the Cockpit socket:

public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no

Adding services is a two-step pattern: update the permanent config, then reload.

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

For a deep dive including rich rules, zones, and direct rule syntax, see our dedicated firewalld on Rocky Linux 10 guide.
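
The default zone above already admits cockpit and dhcpv6-client, which a given server role may not need. The following added example (not from the original article) parses firewall-cmd --list-all output and reports every allowed service or port that is absent from a role allowlist; the sample zone text, the 8080/tcp port and the allowlist are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): flag services and ports
# that a zone allows but the server's role does not need.

# unexpected_exposure ALLOWLIST: reads `firewall-cmd --list-all` output on
# stdin and prints each allowed service or port that is missing from the
# space-separated ALLOWLIST. Returns 1 if anything unexpected is open.
unexpected_exposure() {
    allow=" $1 "
    # Only the "services:" and "ports:" rows list what the zone lets in;
    # "source-ports:" and "forward-ports:" have a different first field.
    open=$(awk '$1 == "services:" || $1 == "ports:" {
                    for (i = 2; i <= NF; i++) print $i }')
    rc=0
    for item in $open; do
        case "$allow" in
            *" $item "*) ;;
            *) printf 'UNEXPECTED %s\n' "$item"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the public zone shown above after adding http and
# https, plus a hypothetical leftover test port (8080/tcp).
SAMPLE_ZONE='public (default, active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no'

# Hypothetical allowlist for a web server role.
WEB_ALLOW='ssh http https'

printf '%s\n' "$SAMPLE_ZONE" | unexpected_exposure "$WEB_ALLOW" ||
    echo "Zone allows more than the role needs"
```

On a live host, pipe sudo firewall-cmd --list-all into the function; anything it reports can be dropped with firewall-cmd --permanent --remove-service=NAME followed by a reload.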

8. Keep SELinux enforcing (do not disable it)

Every older CentOS guide will tell you to set SELINUX=disabled. Ignore that advice. SELinux on Rocky 10 is mature, the default targeted policy understands the common services, and the tooling to fix the rare mislabel is well documented. Confirm it’s still in enforcing mode after updates:

sestatus

The output should show SELinux enabled, targeted policy, and enforcing mode:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing

When a service misbehaves because of SELinux, the fix is almost always a one-liner with setsebool, semanage, or restorecon. Our SELinux troubleshooting guide for Rocky 10 covers the common patterns. Install the policy utilities and man pages so you can use them:

sudo dnf -y install policycoreutils-python-utils setools-console selinux-policy-doc

9. Install the essential command-line toolkit

The default Rocky 10 minimal footprint is around 470 packages. A few more make the server much more pleasant to work on. This set covers editing, multiplexing, monitoring, networking, and archive handling.

sudo dnf -y install vim-enhanced nano tmux htop tar wget curl-minimal \
  bash-completion bind-utils net-tools mtr traceroute lsof strace \
  iotop-c ncdu jq rsync unzip zip

A few of these are worth calling out. htop and iotop-c come from EPEL, so step 4 needed to run first. curl-minimal is already present (Rocky 10 replaced the full curl with a minimal build by default) so the install is a no-op for it. bash-completion activates on next login and makes systemctl and firewall-cmd much easier to drive.

10. Add a swap file and tune virtual memory

Cloud images routinely ship with zero swap. You don’t want swap to replace RAM, but a small swap file is a safety net that prevents the OOM killer from taking out PostgreSQL at 3am. Create a 2 GB file:

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

Verify it’s active:

swapon --show
free -h

Confirm the swap file shows up and free memory reflects the new swap device:

NAME      TYPE SIZE USED PRIO
/swapfile file   2G   0B   -2
               total        used        free      shared  buff/cache   available
Mem:           1.7Gi       451Mi       570Mi       4.5Mi       901Mi       1.3Gi
Swap:          2.0Gi          0B       2.0Gi

Persist the swap file across reboots by adding it to /etc/fstab:

echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

The default vm.swappiness=60 is tuned for desktops. On a server you generally want the kernel to prefer reclaiming page cache before touching swap. Drop in a sysctl override:

sudo tee /etc/sysctl.d/99-vm-tune.conf <<'EOF'
vm.swappiness=10
vm.vfs_cache_pressure=50
EOF
sudo sysctl --system

11. Install and enable tuned

Rocky 10 minimal does not install tuned by default. It’s the daemon that applies profile-based sysctl and scheduler tweaks, and it knows how to auto-detect a KVM guest or a baremetal box.

sudo dnf -y install tuned
sudo systemctl enable --now tuned

Ask tuned to pick the right profile for this machine:

sudo tuned-adm recommend
sudo tuned-adm profile virtual-guest
tuned-adm active

tuned picks the right profile for a KVM guest automatically:

Current active profile: virtual-guest

On a baremetal database box you’d pick throughput-performance or latency-performance. On a laptop or workstation, balanced or powersave.

12. Enable persistent journald logs

By default Rocky 10 journald uses Storage=auto, which writes to /var/log/journal only if that directory already exists. On a fresh install it does not, so journal data lives under /run/log/journal and evaporates on reboot. On a server you want journal logs to survive restarts so you can investigate incidents that happened before the last boot.

sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald

Verify journald is now writing to disk:

journalctl --disk-usage

A fresh system reports a small amount of archived journal data:

Archived and active journals take up 16M in the file system.

Cap the size so a runaway logger can’t fill the disk. Edit /etc/systemd/journald.conf (or drop a file in /etc/systemd/journald.conf.d/) and set these values under the [Journal] section:

SystemMaxUse=500M
SystemMaxFileSize=50M
MaxRetentionSec=1month

13. Turn on automatic security updates

dnf-automatic can just download updates, apply them with notification, or install security updates on a schedule. For a server you can’t manually patch every week, the security-only mode is a good middle ground.

sudo dnf -y install dnf-automatic

Open the config file and switch it to apply security updates:

sudo vi /etc/dnf/automatic.conf

Set these values in the [commands] section:

upgrade_type = security
apply_updates = yes

Then enable the systemd timer that runs the updates daily:

sudo systemctl enable --now dnf-automatic.timer
systemctl list-timers dnf-automatic.timer --no-pager

The timer is armed to fire daily, typically around 6am local time:

NEXT                            LEFT LAST PASSED UNIT                ACTIVATES
Sat 2026-04-11 06:08:35 EAT 2h 59min -         - dnf-automatic.timer dnf-automatic.service

14. Install Cockpit for a web-based admin console

Rocky 10 cloud images come with most Cockpit components pre-installed (cockpit-ws, cockpit-bridge, cockpit-system) and the socket is active on port 9090. The meta-package simply pulls in the rest and a few optional modules:

sudo dnf -y install cockpit cockpit-storaged cockpit-networkmanager cockpit-podman
sudo systemctl enable --now cockpit.socket
sudo firewall-cmd --permanent --add-service=cockpit
sudo firewall-cmd --reload

Open https://your-server-ip:9090 in a browser and sign in with the admin account you created in step 5. For a complete walkthrough of the Cockpit UI including server management, KVM, and logs, see our guide on managing Rocky Linux using Cockpit.

15. Clean up and take a snapshot

After the dust settles, reclaim space and prune orphaned packages:

sudo dnf -y autoremove
sudo dnf -y clean all

If this box is a VM, now is a great time to take a snapshot or power off and clone it. You’ve just built a baseline image you can reuse for every future Rocky 10 server without repeating these steps.

Final checklist

Run one last pass to confirm everything stuck:

hostnamectl --static
timedatectl | grep -E 'Time zone|synchronized'
sestatus | grep 'Current mode'
systemctl is-active firewalld chronyd sshd dnf-automatic.timer tuned cockpit.socket
free -h | grep Swap
dnf repolist | grep -E 'crb|epel'

Every line should come back clean: the hostname you set, a synchronized clock, SELinux enforcing, all five services active, swap showing 2G, and both the CRB and EPEL repos enabled. From here the server is ready for whatever role it’s going to play. Good candidates for the next step: installing PostgreSQL 17, PHP 8.4, or Docker CE on Rocky Linux 10.
