If you like containers, at some point you will deploy them into production. And you will need a dedicated server to host them.
Atomic Host is the RedHat solution for this.
It is a lightweight version of RHEL/CentOS 7 (there is also a Fedora version) where :
- only the /etc and /var directories are writable,
- all the OS can be upgraded or rolled back atomically (hence the name) through the rpm-ostree mechanism,
- there is no yum command nor man pages.
Take the time to discover this new animal through the Atomic Host tutorial.
I don’t know if you have already heard about CPU governor.
With the global warming, IT culture should integrate the various mechanisms available for reducing computer consumption.
In a perfect world, during the idle periods servers should adjust their clock frequency to get significant power saving. They should even stop through some scalability mechanisms if possible.
If you think a better understanding of technology can help our earth, have a look at the CPU governor tutorial.
At the Red Hat annual summit the main planned features of RHEL 7.4 were disclosed.
You can find them in a dedicated page.
In addition, as of today, the RHEL 7.4 Beta has been released. Release notes are available here.
Also, new interesting Red Hat summit presentations were published this week:
Similarly, new Red Hat summit videos were released:
Of particular interest for exam candidates two labs were published:
Finally, several technical articles were recently posted:
- Ten layers of container security,
- Deploying CloudForms at Scale,
- Devops with OpenShift,
- AWS and Red Hat – Digging a Little Deeper,
- Kubernetes deep dive: API Server – part 1,
- Auto Scaling,
- Best Cloud Tools for Infrastructure Automation,
- Breaking up the Container Monolith,
- CPU Utilization is Wrong,
- Truly Seemless Reloads with HAProxy – No more Hacks!
- Kubernetes: The smart person’s guide,
- It takes more than a Circuit Breaker to create a resilient application,
- Quick reference for the Foreman installation under CentOS 7,
- NetworkManager changes and improvements,
- Basic Best Practices for Securing LDAP and Active Directory with Red Hat,
- What’s new in Red Hat OpenStack Platform 11?,
- Fighting Service Latency in Microservices with Kubernetes,
- Accelerate EDB Postgres Advanced Server with HPE Persistent Memory on HPE ProLiant servers,
- WannaCry Ransomware: Who It Affected and Why It Matters.
Happy reading, watching, and labbing!
The annual Red Hat summit 2017 happened last week.
The first videos are available on the Red Hat summit channel on Youtube.
Some presentations have already been published about:
- the Red Hat security roadmap,
- the Red Hat Ceph storage roadmap,
- the Red Hat CloudForms roadmap,
- the Red Hat Cloud Suite roadmap,
- the Red Hat Virtualization and KVM roadmaps,
- the Red Hat JBOSS BPM roadmap,
- Lessons learned with microservices,
- Developing real time intelligent applications with in-memory data management,
- The new OS model coming with Kubernetes and Docker,
- Hyper-Converged Infrastructure in OpenStack,
- Heterogeneous Memory Management,
- OpenShift for Operations,
- Reactive programming with Vert.x,
- Monitoring Java application performance using Thermostat,
- High availability for Red Hat Virtualization Manager,
- Demystifying systemd,
- JBoss AMQ 7,
- Utilizing persistent memory to improve database performance,
- Identity Management and Compliance in OpenShift,
- Choosing the right storage for your OpenStack cloud,
- DevSecOps the open source way,
- Node.js for building modern applications,
- Flexible, software-defined networking infrastructure,
- Common sense approaches to cloud security,
- Tuning Red Hat products for databases,
- Performance analysis and tuning of Red Hat Enterprise Linux,
- Building a fast and scalable architecture for SKY TV Video Encoding with Openshift Container Platform and Red Hat Gluster Storage,
- Security Enhanced Linux for mere Mortals,
- Red Hat Satellite Power User Tips and Tricks,
- HA Clustering with Red Hat Enterprise Linux 7.
Besides presentations you can also practice through:
More videos will progressively be released but be patient: last year it took Red Hat 3 months to publish most of the Red Hat Summit 2016 videos due to a problem with one of its subcontractors!
Until recently I didn’t know what was exactly the Cockpit project.
I thought it was a new complicated panel for administrators looking for a GUI.
Difficult to install, to maintain, to understand …
In fact, it is just the contrary: easy to use with a zero memory and process footprint!
Take the time to discover the Cockpit project through the Cockpit tutorial, you won’t be disappointed.
NetworkManager big update
From RHEL 7.2 to RHEL 7.3, NetworkManager moved from v1.0.6 to v1.4.0: a lot of things have changed.
Color is everywhere!
NetworkManager now uses colors to match the status of a device or a connection and sorts the output for better clarity.
Invoking nmcli without argument displays all the network interfaces with an ifconfig style.
Also, connection add syntax is now consistent with connection modify.
When asking for completion, NetworkManager doesn’t propose inappropriate argument anymore: here the connection called Hotspot can’t be chosen because already inactive.
# nmcli con down [tab]
apath id path virbr0 vlan40
help Internet uuid vlan30
You need a bridge over VLAN? Software devices (bond, bridge, vlan, team, …) can now be stacked arbitrarily. The nmcli interface for creating master-slave relationships has been significantly improved by the use of ‘master’ argument to all link types.
IPv6 security improvements
IPv6 connection properties have been added like:
- ipv6.addr-gen-mode: the stable privacy addressing is a tracking prevention mechanism implementing the RFC7217 (more details here); when enabled the property takes stable-privacy as value and eui64 when disabled,
- ipv6.ip6-privacy: the privacy extension is a way to randomize MAC address as defined by the RFC4941 (more details here and here); when enabled the property takes 1 and 0 otherwise.
- Better security: several options have been added concerning the exposed MAC address of a Wi-Fi device during the scanning phase and after (see details here).
The 802-11-wireless.cloned-mac-address property can now receive the following values:
- A MAC address: this was already supported before 1.4.0 and allows to spoof a specific MAC address.
- permanent: use the permanent MAC address of the device. Before 1.4.0, the permanent MAC address was used if the cloned-mac-address property was left empty, thus it was the default. In 1.4.0, it is still the default.
- preserve: don’t change the MAC address of the device upon activation.
- random: generate a randomized value upon each connect.
- stable: generate a stable, hashed MAC address.
- Better Wi-Fi scanning: with recent versions of wpa_supplicant, NetworkManager scanning behavior has been improved (see details here).
- Wi-Fi power saving: Wi-Fi power saving can now be enabled globally or on a per-connection basis.
- Support for more devices: NetworkManager can now manage tun, tap, macvlan, vxlan and IP tunnel devices.
- More flexible VPN support: Many previous VPN restrictions have been removed. You can now import and export the VPN connection settings of most types of VPNs in the VPN’s native format using the nmcli connection export and nmcli connection import commands.
- Compatibility with namespace-based containers: NetworkManager now runs fine in LXC and Docker.
- Hostname management: hostname is now managed via systemd-hostnamed.
- DHCP: timeout for DHCP requests can now be modified using the ipv4.dhcp-timeout property.
- IPv4: support for detecting duplicate IPv4 addresses, with a timeout configurable through the ipv4.dad-timeout connection property, is now available.
- Rollback: API for using configuration snapshots that automatically roll back after a timeout has been added. A remote network configuration tools like Cockpit can use this new feature to avoid situations where a mistake in the configuration makes the remote host unreachable.
- DNS client: A new dns-priority property of ipv4 and ipv6 settings can be used to tweak the order of servers in resolv.conf. This will make things easier for users who often use multiple active connections.
- Bandwidth monitoring: RX/TX counters of transferred bytes per interface are now exposed on D-Bus. With this, client applications can monitor the bandwidth.
There are still other improvements but they are too many to be all listed here!
You can also read this Red Hat Article about setting up MACsec using wpa_supplicant and NetworkManager.
Support for OpenVSwitch bridge, bond and VLAN has been added to NetworkManager but is still not integrated in the RHEL 7.4 release.
In addition, you can read some elements of History of NetworkManager in RHEL/CentOS.
Since RHEL 6, CGroups have been a work in progress. So, in RHEL 7 features evolved through new Systemd commands like systemd-cgls, systemd-cgtop, and mainly systemctl set-property.
Still through Systemd, RHEL 7.0 brought the CPUShares (percentage of CPU), MemoryLimit (memory quota), and BlockIOWeight (percentage of block IO) main properties, allowing you to set some constraints on system resources.
RHEL 7.2 added StartupCPUShares, StartupBlockIOWeight, and most importantly CPUQuota.
Marc Richter, Technical Account Manager at Red Hat, recently published a series of articles helping you better understand CGroups:
But CGroups are still evolving: Chris Down from Facebook presented the new CGroupsv2 interface at the 2017 FOSDEM conference at the beginning of February. This new interface changes the way the CGroups hierarchy works and globally removes several existing inconsistencies. This interface is stable since the kernel 4.5 and requires a recent version of Systemd (>=v226) not available in RHEL 7 until now (but unofficial options exist).
As usual, you can find all these details and more at the CGroups page.
The RHEL 6.9 distribution has just been released and brings the following main benefits:
- TLS 1.2 support has been added to all system components,
- several SSSD improvements have been made in connection with AD forests and PAM services,
- the cpuid utility is now available and dumps detailed information about the CPU(s) gathered from the CPUID instruction. It supports Intel, AMD, and VIA CPUs.
You will find all the details in the RHEL 6.9 Releases Notes & RHEL 6.9 Technical Notes.
In addition, on May 10, 2017, Red Hat Enterprise Linux 6 enters Production Phase 3, meaning that subsequent updates to Red Hat Enterprise Linux 6 will be limited to qualified critical security fixes and business-impacting urgent issues.
Finally, according to the Red Hat Enterprise Linux lifecycle, RHEL 6 will be supported until at least November 2020.
Back in September 2016, an event went unnoticed, although it was a fundamental change. Google and RedHat declared the game is over: they decided to fork Docker.
Why did they decide to do that?
Redhat had several reasons:
- Container conception: Solomon Hykes from Docker couldn’t agree with Lennart ‘Systemd’ Poettering from RedHat on the container vision,
- Container security: frustration in the RedHat security team was high because of difficulties to integrate patches into the Docker product,
- Container stability: the Docker company was always adding new features based on new Linux kernels into its product, triggering an insane amount of work to backport all these features into the 3.10 kernel used by most of RedHat products (RHEL 7, Atomic, OpenShift, etc),
- Container support: the Docker company didn’t consider compatibilities between versions a priority and problems regularly occurred, this didn’t please RedHat that makes a living by supporting customers.
On the Google‘s side, things were even easier to understand. The company has been working on an in-house orchestrator called Kubernetes for years and wanted it to be at the heart of all the container ecosystem. When Google‘s team heard that the Docker company was promoting its own product named Swarm as reference orchestrator, the decision to fork was almost made.
At the end of January 2017 at DevConf.cz, Dan Walsh from RedHat gave a very interesting presentation about Containers in Production (container standardization, read-only container images, CRI-O, COW filesystem problems, etc). At 40 minutes from the beginning, he acknowledged that the Docker replacement was in the testing stage.
At first called OCID, then renamed CRI-O, it already owns its logo. Fully compatible at the format level with Docker, this new Open Source product will bring its own set of tools like skopeo to get an image from a container registry.
If for developers things may continue as usual, in production environments you should see the following change in the coming months:
RedHat people never say that CRI-O is a Docker replacement, they only say they are building an alternative option that will become their reference solution …
Now, you can’t say you didn’t know.