Six weeks after the announcement of RHEL 7.4, it is now time for the release of CentOS 7.4, also called CentOS 7 (1708).
The release doesn’t only concern x86_64 architecture but also aarch64, armhfp, ppc64 and ppc64le (see download directory here).
The Release Notes list the following major changes:
- SSH1 support has been removed from the SSH server (see details here). Along with this move, all cryptographic protocols and algorithms which are considered insecure have been deprecated (see details here).
- OpenSSL now supports DTLS (TLS via UDP) and ALPN.
- NVMe Over Fabric is now supported in the NVM-Express kernel driver.
- There have been various changes/enhancements to the cryptographic abilities of various packages. For example, sendmail now supports ECDHE, OpenSSH now uses SHA2 for public key signatures, … among others.
- Various packages have been rebased. Some of those are openLDAP, samba, clufter, ipmitool, tcpdump, shim, GNOME, NetworkManager, Kernel-GRE-module, openssh, openSSL, libreswan, chrony, rsyslog, sudo and libvirt.
Some issues have already been reported:
- The http-parser and http-parser-devel packages have been removed from the EPEL repository and added to the CentOS/RHEL main repository causing potential problems (see details here).
- The NFS mount behavior has changed: NFS vers=4.1 is now tried by default. Also, rather than trying 4.0 after failing on 4.1, RHEL/CentOS 7.4 falls back to NFS 3. To get the previous behavior, force vers=4.0 (see details here).
- There is an issue with using iptables and ip6tables where the iptables service fails to start and affects systems where firewalld is disabled and BOTH iptables AND ip6tables are enabled (see details here).
- VirtualBox (currently at 5.1.26) is not fully compatible with CentOS 7 (1708). The fix is in the beta release (see details here).
- Samba may fail with “symbol krb5_get_init_creds_opt_set_pac_request, not defined”. This is because of a missing dependency for a newer version of krb5-libs. The issue is resolved by installing krb5-libs-1.15.1-8.el7 (see details here).
- Samba share with sssd authentication is broken. This is being worked on upstream. A workaround is to downgrade the Samba packages to an earlier version (sssd-1.15.2-50.el7_4.3.1 should solve the problem; see details here).
- At least 1024 MB RAM is required to install and use CentOS 7 (1708). When using the Live ISOs for install, 1024 MB RAM produces very slow results and even some install failures. At least 1344 MB RAM is recommended for LiveGNOME or LiveKDE installs.
- VMware Workstation/VMware ESXi allow you to install two different virtual SCSI adapters: BusLogic and LsiLogic. However, the default kernel from CentOS 7 does not include the corresponding driver for either of them, resulting in an unbootable system if you install on a SCSI disk using the defaults for CentOS Linux. If you select ‘Red Hat Enterprise Linux’ as OS, the paravirtualized SCSI adapter is used, which works.
- Commonly used utilities such as ifconfig/netstat have been marked as deprecated for some considerable time and the ‘net-tools’ package is no longer part of the @core group so will not be installed by default. Use nmcli c up ifname <interfacename> to get your network up and running and use yum to install the package if you really need it. Kickstart users can pull in the net-tools package as part of the install.
The CentOS 7 (1708) distribution can be downloaded here as usual.
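For the NFS change listed in the known issues above, one way to find mounts that would silently follow the new negotiation is to look for fstab entries with no pinned version. This is an added example, not part of the release notes; the hosts and paths in the sample are constructed, and `vers=`/`nfsvers=` are the standard nfs(5) mount options.

```shell
#!/bin/sh
# Added example: list NFS mounts in fstab that do not pin a protocol version.

# Constructed fstab content (hypothetical hosts and paths).
SAMPLE_FSTAB='# /etc/fstab
/dev/mapper/centos-root /      xfs  defaults                 0 0
nas1:/export/home  /home       nfs  rw,hard                  0 0
nas1:/export/data  /data       nfs  rw,vers=4.0              0 0
nas2:/backup       /backup     nfs4 rw,nfsvers=4.1           0 0
nas2:/scratch      /scratch    nfs4 defaults                 0 0'

# Reads fstab-format lines on stdin; prints the mount point of every nfs/nfs4
# entry whose options carry neither vers= nor nfsvers=.
unpinned_nfs_mounts() {
    awk '$1 !~ /^#/ && NF >= 4 && ($3 == "nfs" || $3 == "nfs4") {
             pinned = 0
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^(nfs)?vers=/) pinned = 1
             if (!pinned) print $2
         }'
}

# "live" audits the real /etc/fstab; the default run uses the constructed sample.
if [ "$1" = "live" ]; then
    unpinned_nfs_mounts < /etc/fstab
else
    printf '%s\n' "$SAMPLE_FSTAB" | unpinned_nfs_mounts
fi
```

Mounts reported here are the ones to review and, where the previous behavior is wanted, to pin with vers=4.0.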
To harden a server or simply reduce its security footprint, it is very useful to get a list of the main processes running. However, getting a concise overview like this is not an obvious task.
A command like ps -edf returns too much information to be really helpful.
I recently came across the pstree command and found it quite useful.
First, install the psmisc package available in the base repository:
# yum install -y psmisc
Then, execute the pstree command:
As the test was performed on a virtual machine, I could quickly see that the smartd daemon (part of the smartmontools package) was running. This daemon monitors disk health: this is completely useless in a virtual environment where all disks are already managed by the host or a dedicated storage subsystem.
# systemctl disable --now smartd
# yum remove -y smartmontools
I hope you find this tool as useful as I found it.
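A complementary view to pstree, as an added example that is not from the original post: it collapses the process list to one line per user/command pair and, on a virtual machine, points out daemons worth questioning. The sample input and the `VM_REVIEW_LIST` variable are constructed for the example; smartd is the only entry because it is the case described above.

```shell
#!/bin/sh
# Added example: condensed process view for a hardening review.

# Constructed sample in the format of `ps -eo user=,comm=` (not real output).
SAMPLE='root systemd
root sshd
root sshd
root smartd
postfix qmgr
chrony chronyd
root crond'

# Daemons to question on a virtual machine. smartd is the case from the text;
# anything else added here is your own site policy.
VM_REVIEW_LIST='smartd'

# Reads "USER COMMAND" lines on stdin; prints "COUNT USER COMMAND" per distinct pair.
summarize_procs() {
    awk 'NF >= 2 {
             user = $1
             sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # keep the full command name
             n[user " " $0]++
         }
         END { for (k in n) print n[k], k }' | sort -k3 -k2,2
}

# Reads summarize_procs output on stdin; prints commands found in VM_REVIEW_LIST.
review_candidates() {
    awk -v list="$VM_REVIEW_LIST" '
        BEGIN { split(list, a, " "); for (i in a) want[a[i]] = 1 }
        ($3 in want) && !seen[$3]++ { print $3 }'
}

if [ "$1" = "live" ]; then
    # Userspace processes only: deselect kthreadd (PID 2) and its children.
    procs=$(ps --ppid 2 -p 2 --deselect -o user=,comm=)
else
    procs=$SAMPLE
fi

summary=$(printf '%s\n' "$procs" | summarize_procs)
printf '%s\n' "$summary"

# Raise VM-specific candidates only when virtualized (the sample run assumes a VM).
if [ "$1" != "live" ] || systemd-detect-virt --quiet 2>/dev/null; then
    printf '%s\n' "$summary" | review_candidates | sed 's/^/review on a VM: /'
fi
```

Run it with the argument live on a real host; without arguments it only processes the constructed sample.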
Today, Red Hat announced the official release of RHEL 7.4.
To know more about this new version you can read a summary of the RHEL 7.4 changes or the RHEL 7.4 Release Notes.
Several points can be highlighted:
- docker overlay graph driver with SELinux in enforcing mode is now supported,
- OpenSSL update (1.0.2k) brings support for ALPN & native HTTP/2,
- System Security Services Daemon (SSSD) in a container is now fully supported,
- Identity Management (IdM) server container is available as a Technology Preview feature,
- OpenLDAP & Btrfs are deprecated and will be removed in future RHEL major versions.
Many technical articles were published in the last two months:
- OpenShift / Kubernetes:
- Standard Operating Environment: Part 1 / Part 2 / Part 3,
- What’s new in MACsec: setting up MACsec using wpa_supplicant and NetworkManager,
- How To Setup A Redis Server Cluster on Red Hat,
- The need for speed and the kernel datapath – recent improvements in UDP packets processing,
- Short Retry vs Long Retry in Apache Camel,
- Scaling Sync,
- Bastion Hosts and Custom SSH Configurations,
- Easily secure your Spring Boot applications with Keycloak,
- Secure your webserver with improved Certbot,
- How-to setup a 3scale AMP on-premise all-in-one install,
- Installing eBPF tools, bcc and ply on CentOS 7.
Note: Two objectives have recently been removed from the RHCSA exam:
- Install RHEL using Kickstart,
- Configure a physical machine to host virtual guests.
This means that you don’t need to learn KVM or Kickstart anymore to pass the RHCSA exam; using VirtualBox is enough.
Until one or two years ago, there was almost no online training for the RHCSA & RHCE 7 certifications.
You had to take Red Hat classes or study by yourself through books.
Now, companies like EdX, Udemy and LinuxAcademy, to name some of the best known, have started to create good content.
You can now find most of them in the dedicated RHEL 7 online training page.
If you like containers, at some point you will deploy them into production. And you will need a dedicated server to host them.
Atomic Host is the Red Hat solution for this.
It is a lightweight version of RHEL/CentOS 7 (there is also a Fedora version) where:
- only the /etc and /var directories are writable,
- the whole OS can be upgraded or rolled back atomically (hence the name) through the rpm-ostree mechanism,
- there is no yum command nor man pages.
Take the time to discover this new animal through the Atomic Host tutorial.
I don’t know if you have already heard about CPU governor.
With global warming, IT culture should integrate the various mechanisms available for reducing computer power consumption.
In a perfect world, servers should adjust their clock frequency during idle periods to achieve significant power savings. They should even stop through some scalability mechanisms if possible.
If you think a better understanding of technology can help our earth, have a look at the CPU governor tutorial.