netsapiensis

rocky-foundation

# Install this skill

```bash
npx skills add netsapiensis/claude-code-skills --skill "rocky-foundation"
```

Install specific skill from multi-skill repository

# Description

Shared conventions, OS detection, and safety model for Rocky Linux 8/9 system administration. This skill is automatically referenced by all other rocky-* skills. Use when performing any sysadmin task on Rocky Linux, detecting OS version, or understanding the command safety tier system.

# SKILL.md


---
name: rocky-foundation
description: Shared conventions, OS detection, and safety model for Rocky Linux 8/9 system administration. This skill is automatically referenced by all other rocky-* skills. Use when performing any sysadmin task on Rocky Linux, detecting OS version, or understanding the command safety tier system.
---


# Rocky Linux Foundation

Shared conventions, OS detection, and safety execution model for all Rocky Linux 8/9 sysadmin skills.

## OS Detection

Every rocky-* skill should detect the OS version before running version-specific commands:

```bash
# Standard detection snippet (sourced in a subshell so the caller's environment stays clean)
ROCKY_VERSION=$(source /etc/os-release && echo "${VERSION_ID%%.*}")  # [READ-ONLY]
```

Use $ROCKY_VERSION to branch on version-specific behavior:

```bash
if [[ "$ROCKY_VERSION" == "9" ]]; then
    # Rocky 9 path
elif [[ "$ROCKY_VERSION" == "8" ]]; then
    # Rocky 8 path
else
    echo "Unsupported Rocky Linux version: $ROCKY_VERSION" >&2
    exit 1
fi
```

### Validate We're on Rocky Linux

```bash
# Confirm we're actually on Rocky Linux  # [READ-ONLY]
if ! grep -qi 'rocky' /etc/os-release; then
    echo "WARNING: This does not appear to be Rocky Linux" >&2
fi
```
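A stricter detection helper, added here as an example and not part of the skill itself: it parses only the `ID=` and `VERSION_ID=` fields with `sed` (so the file is read, never executed) and matches `ID` exactly instead of grepping for "rocky" anywhere in the file. The `write_sample_os_release` helper and the path argument exist only so the function can be exercised offline.

```bash
# Strict Rocky detection (added helper, not part of the skill). Reads only the
# ID= and VERSION_ID= fields with sed instead of sourcing the file, so a
# corrupted or crafted os-release is parsed, never executed, and matches ID
# exactly rather than grepping 'rocky' anywhere in the file.
# Prints the major version on stdout. Exit status: 0 ok, 1 not Rocky or
# unreadable, 2 Rocky but not a supported major (8 or 9).
rocky_major() {
    file="${1:-/etc/os-release}"            # path override is for testing only
    [ -r "$file" ] || return 1
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    vid=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    [ "$id" = "rocky" ] || return 1
    major="${vid%%.*}"                      # "9.3" -> "9", "9" -> "9"
    case "$major" in
        8|9) printf '%s\n' "$major" ;;
        *)   return 2 ;;
    esac
}

# Write a constructed os-release sample (not copied from any host) to $1.
write_sample_os_release() {
    printf '%s\n' 'NAME="Rocky Linux"' 'VERSION="9.3 (Blue Onyx)"' \
        'ID="rocky"' 'ID_LIKE="rhel centos fedora"' 'VERSION_ID="9.3"' > "$1"
}

# Typical use in a skill (replaces the ROCKY_VERSION snippet above):
#   ROCKY_VERSION=$(rocky_major) || { echo "Unsupported or non-Rocky host" >&2; exit 1; }
```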

## Version Differences Master Table

| Component | Rocky 8 | Rocky 9 |
|---|---|---|
| Kernel | 4.18.x | 5.14.x |
| systemd | 239 | 252 |
| dnf | 4.x | 5.x |
| Python | 3.6 (platform-python) | 3.9 (system) |
| OpenSSL | 1.1.1 | 3.0.x |
| Firewall backend | iptables (default) | nftables (default) |
| Network config | ifcfg files | key-file format (NM) |
| SELinux policy | targeted (same) | targeted (same) |
| Crypto policies | DEFAULT, FUTURE, FIPS | DEFAULT, FUTURE, FIPS, NEXT |
| SSH config | Single sshd_config | Drop-in /etc/ssh/sshd_config.d/*.conf |
| GCC | 8.x | 11.x |
| glibc | 2.28 | 2.34 |
| PHP module streams | 7.2, 7.3, 7.4, 8.0 | 8.1, 8.2 |
| MariaDB streams | 10.3, 10.5 | 10.5, 10.11 |
| Nginx streams | 1.14, 1.16, 1.18, 1.20 | 1.22, 1.24 |
| authselect | Available | Mandatory (no manual PAM editing) |
| nftables CLI | Available but not default | Default firewall backend |
| Podman | 4.x | 4.x+ (rootless improved) |

## Safety Execution Model

All commands across every rocky-* skill are classified into three tiers.

### Tier 1 -- Read-Only

Behavior: Execute directly, no confirmation needed.

Commands that only inspect system state and make no changes.

```bash
# Examples of Tier 1 commands  # [READ-ONLY]
systemctl status sshd
journalctl -u nginx --since "1 hour ago"
sestatus
getenforce
ip addr show
firewall-cmd --list-all
lvs
df -h
borg list /path/to/repo
cat /etc/os-release
rpm -qa | grep opensearch
ss -tlnp
free -h
uptime
```

### Tier 2 -- Reversible Changes

Behavior: Show the command, explain what it does, confirm before executing. Show the rollback command.

Changes that can be undone or have limited blast radius.

```bash
# Examples of Tier 2 commands  # [CONFIRM]
systemctl restart nginx          # Rollback: systemctl restart nginx (idempotent)
dnf install -y httpd             # Rollback: dnf remove httpd
firewall-cmd --add-service=https --permanent  # Rollback: firewall-cmd --remove-service=https --permanent
setsebool -P httpd_can_network_connect on     # Rollback: setsebool -P httpd_can_network_connect off
useradd deploy                   # Rollback: userdel deploy
nmcli con mod eth0 ipv4.dns "8.8.8.8"        # Rollback: nmcli con mod eth0 ipv4.dns ""
```

Confirmation template:

```text
About to run (Tier 2 -- Reversible):
  $ <command>

This will: <human-readable explanation>
Rollback:  <rollback command>

Proceed? [y/N]
```

### Tier 3 -- Destructive / Irreversible

Behavior: Extra warning with impact description, explicit confirmation required. Consider dry-run first if available.

Changes that destroy data, are hard to reverse, or affect production availability.

```bash
# Examples of Tier 3 commands  # [DESTRUCTIVE]
mkfs.xfs /dev/sdb1              # Formats the partition -- data loss
lvremove /dev/vg0/old_lv        # Removes logical volume -- data loss
borg prune --keep-daily=7       # Removes backup archives -- data loss
userdel -r olduser              # Removes user AND home directory
dd if=/dev/zero of=/dev/sda     # Wipes entire disk
mysql -e "DROP DATABASE app;"   # Drops database -- data loss
shred -vfz -n 3 /dev/sdb        # Securely wipes device
```

Confirmation template:

```text
⚠ DESTRUCTIVE OPERATION (Tier 3) ⚠
  $ <command>

This will: <human-readable explanation>
Impact:    <what data/service is affected>
Recovery:  <recovery options, if any>

Type 'yes' to confirm, or 'dry-run' if available:
```

Dry-run first pattern (when available):

```bash
# ALWAYS dry-run first for destructive commands that support it
borg prune --dry-run --keep-daily=7 /backup/repo  # [READ-ONLY]
# Review output, then:
borg prune --keep-daily=7 /backup/repo             # [DESTRUCTIVE]
```
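The tier model above as executable policy, added here as an example and not part of the skill: `classify_tier` maps a command string to a tier using the examples on this page (the mapping itself is an assumption and each rocky-* skill would extend it), and `tier_gate` applies the matching behaviour. Unknown tools fail safe to Tier 2 rather than running unconfirmed.

```bash
# Tier classifier for the safety model above (added helper, not part of the
# skill). The tool-to-tier mapping is an assumption built from this page's own
# example lists; each rocky-* skill would extend the case arms for its tools.
# Unknown tools fail safe to Tier 2 (confirm), never to Tier 1 (run directly).
# Prints 1, 2 or 3 on stdout.
classify_tier() {
    cmd="$1"
    tool="${cmd%% *}"                                  # first word
    rest="${cmd#* }"; [ "$rest" = "$cmd" ] && rest=""
    sub="${rest%% *}"                                  # second word, if any
    case "$tool" in
        mkfs.*|lvremove|shred|dd|wipefs) echo 3 ;;
        userdel)                                       # plain userdel is reversible; -r is not
            case "$cmd" in *" -r"*|*--remove*) echo 3 ;; *) echo 2 ;; esac ;;
        borg)
            case "$cmd" in *--dry-run*) echo 1 ;;      # dry run inspects, changes nothing
                *) case "$sub" in prune|delete) echo 3 ;; list|info|check) echo 1 ;; *) echo 2 ;; esac ;;
            esac ;;
        mysql)
            case "$cmd" in *"DROP "*|*"TRUNCATE "*|*"DELETE "*) echo 3 ;; *) echo 2 ;; esac ;;
        systemctl)
            case "$sub" in status|show|cat|is-*|list-*) echo 1 ;; *) echo 2 ;; esac ;;
        dnf)
            case "$sub" in list|info|search|repoquery|check-update) echo 1 ;; *) echo 2 ;; esac ;;
        firewall-cmd)
            case "$cmd" in *--list*|*--get*|*--query*|*--state*) echo 1 ;; *) echo 2 ;; esac ;;
        ip)                                            # ip addr add / ip link set modify state
            case "$cmd" in *" show"*|*" list"*) echo 1 ;; *) echo 2 ;; esac ;;
        rpm)                                           # rpm -q* queries; -e/-i/-U modify
            case "$sub" in -q*) echo 1 ;; *) echo 2 ;; esac ;;
        sestatus|getenforce|lvs|df|cat|ss|free|uptime|journalctl|tail) echo 1 ;;
        *) echo 2 ;;
    esac
}

# Gate a command through the tier policy: Tier 1 runs directly, Tier 2 and 3
# print the page's confirmation prompt and require the typed answer.
tier_gate() {
    tier=$(classify_tier "$1")
    case "$tier" in
        1) sh -c "$1" ;;
        2) printf "About to run (Tier 2 -- Reversible):\n  \$ %s\nProceed? [y/N] " "$1"
           read -r a; [ "$a" = "y" ] && sh -c "$1" ;;
        3) printf "⚠ DESTRUCTIVE OPERATION (Tier 3) ⚠\n  \$ %s\nType 'yes' to confirm: " "$1"
           read -r a; [ "$a" = "yes" ] && sh -c "$1" ;;
    esac
}
```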

## Common Conventions

### Package Installation Pattern

```bash
# Rocky 8: may need to enable module stream first
dnf module enable php:8.0 -y    # [CONFIRM]
dnf install php -y              # [CONFIRM]

# Rocky 9: module streams work differently
dnf install php -y              # [CONFIRM]
```

### Service Management Pattern

```bash
# Always check config before restarting
nginx -t && systemctl reload nginx     # [CONFIRM]
apachectl -t && systemctl reload httpd # [CONFIRM]
sshd -t && systemctl reload sshd       # [CONFIRM]
```

### Configuration Backup Pattern

Before editing any system config file:

```bash
# CORRECT: Always back up before editing
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)  # [CONFIRM]

# WRONG: Editing config without backup
vim /etc/ssh/sshd_config  # No backup means no easy rollback
```
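The service-management and configuration-backup patterns combined into one helper, added here as an example and not the skill's own code: timestamped backup, edit, the daemon's own syntax check (`sshd -t`, `nginx -t`, ...), then reload on success or restore of the backup on failure. The function name and the `sed` edit in the usage comment are assumptions.

```bash
# Safe-edit helper (added example, not the skill's own code) chaining the two
# patterns above: timestamped backup, edit, syntax check, reload or rollback.
# Arguments: config path, edit command, check command, optional reload command.
# The three command strings run via sh -c; they come from the operator, never
# from untrusted input. Returns 0 on success, 1 after a rollback or failed reload.
safe_config_edit() {
    cfg="$1"; edit_cmd="$2"; check_cmd="$3"; reload_cmd="${4:-:}"
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    [ -e "$bak" ] && bak="$bak.$$"                  # two edits within one second
    cp -p "$cfg" "$bak" || return 1                  # -p keeps mode/owner  [CONFIRM]
    if sh -c "$edit_cmd" && sh -c "$check_cmd"; then
        sh -c "$reload_cmd" || return 1              # e.g. systemctl reload sshd
        printf 'applied %s; backup kept at %s\n' "$cfg" "$bak"
        return 0
    fi
    cp -p "$bak" "$cfg"                              # check failed: roll back
    printf 'check failed; restored %s from %s\n' "$cfg" "$bak" >&2
    return 1
}

# Example call for sshd (the edit is an assumed hardening change; the check is
# the page's sshd -t):
#   safe_config_edit /etc/ssh/sshd_config \
#       "sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config" \
#       'sshd -t' 'systemctl reload sshd'            # [CONFIRM]
```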

### Log Investigation Pattern

```bash
# systemd journal (preferred on Rocky 8/9)
journalctl -u <service> --since "1 hour ago" --no-pager  # [READ-ONLY]
journalctl -p err --since today --no-pager                # [READ-ONLY]

# Traditional logs
tail -100 /var/log/messages   # [READ-ONLY]
tail -100 /var/log/secure     # [READ-ONLY]
```

### EPEL Repository

Many tools (fail2ban, borgbackup, htop, etc.) require EPEL:

```bash
# Rocky 8
dnf install epel-release -y    # [CONFIRM]

# Rocky 9
dnf install epel-release -y    # [CONFIRM]
# Some packages also need CRB (CodeReady Builder)
dnf config-manager --set-enabled crb  # [CONFIRM]
```

## Skill Cross-Reference Index

| Topic | Skill | Key Sections |
|---|---|---|
| dnf/yum, module streams | rocky-core-system | Package Management |
| systemd services, timers | rocky-core-system | Service Management |
| Users, groups, sudo | rocky-core-system | User Administration |
| Cron, scheduled tasks | rocky-core-system | Scheduling |
| firewalld, zones, rules | rocky-networking | Firewall Management |
| nmcli, bonding, VLANs | rocky-networking | Network Configuration |
| Static routes, DNS | rocky-networking | Routing & DNS |
| LVM, PV/VG/LV | rocky-storage | LVM Management |
| XFS, ext4, formatting | rocky-storage | Filesystems |
| fstab, mounts | rocky-storage | Mount Management |
| SELinux contexts | rocky-selinux | File Contexts |
| SELinux booleans | rocky-selinux | Booleans |
| SELinux troubleshooting | rocky-selinux | Troubleshooting |
| CIS benchmarks, OpenSCAP | rocky-security-hardening | Compliance Scanning |
| SSH hardening | rocky-security-hardening | SSH Configuration |
| fail2ban | rocky-security-hardening | Intrusion Prevention |
| auditd | rocky-security-hardening | Audit Framework |
| PAM, authselect | rocky-security-hardening | Authentication |
| Crypto policies | rocky-security-hardening | Cryptographic Policies |
| Nginx, Apache | rocky-webstack | Web Servers |
| PHP-FPM | rocky-webstack | PHP Configuration |
| MariaDB | rocky-webstack | Database |
| SSL/TLS, certbot | rocky-webstack | TLS Certificates |
| Reverse proxy | rocky-webstack | Proxy Patterns |
| OpenSearch install | rocky-opensearch | Installation |
| OpenSearch cluster | rocky-opensearch | Cluster Configuration |
| OpenSearch security | rocky-opensearch | Security Plugin |
| OpenSearch tuning | rocky-opensearch | Performance |
| OTel collector | rocky-opentelemetry | Installation |
| OTel pipelines | rocky-opentelemetry | Pipeline Configuration |
| OTel receivers/exporters | rocky-opentelemetry | Components |
| Borg backup/restore | rocky-borg-backup | Backup & Restore |
| Borg prune | rocky-borg-backup | Retention & Pruning |
| Borg scheduling | rocky-borg-backup | Automation |
| KVM, virsh, virt-manager | rocky-virtualization | VM Lifecycle |
| VM networking | rocky-virtualization | Virtual Networks |
| VM storage, snapshots | rocky-virtualization | Storage & Snapshots |
| GPU/PCI passthrough | rocky-virtualization | Passthrough |
| Live migration | rocky-virtualization | Migration |
| Cloud-init provisioning | rocky-virtualization | Cloud-Init |

- rocky-core-system -- Package management, services, users, scheduling
- rocky-networking -- Firewall, network configuration
- rocky-storage -- LVM, filesystems, mounts
- rocky-selinux -- SELinux policy management
- rocky-security-hardening -- CIS, SSH, fail2ban, audit, PAM
- rocky-webstack -- Web servers, PHP, MariaDB, TLS
- rocky-opensearch -- OpenSearch 3.4 cluster administration
- rocky-opentelemetry -- OpenTelemetry collector and pipelines
- rocky-borg-backup -- Borg backup, restore, and scheduling
- rocky-virtualization -- KVM/QEMU, libvirt, virt-manager, VM lifecycle

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.
