Welcome to my area of the Blue Chip blog, a fast-track overview of new products, services and technical tips from the UNIX world, covering the multiple flavours of Linux such as Debian, SUSE and Red Hat Linux versions.
In future blog updates I will be going into a personal favourite of mine, IBM's own UNIX, AIX, but for my first blog let's talk about the new and improved Red Hat Enterprise Linux 8.
Red Hat Enterprise Linux 8 comes four years after its last major release and is still going strong in the market. This new version builds on the strong foundations it already has, and it is a personal favourite distro of mine. I was invited to attend a partner event at Red Hat's offices in Farnborough, where we met some of the staff and took away some of the brilliant new features of the new operating system.
Here is the list of enhancements and updates from RHEL v8, learned from my time at Red Hat:
- No more separate releases or ISOs for desktop, server and compute nodes; there is a single installer.
- Updated installer, NVDIMM support, TPM booting and modules via Kickstart.
- Server management via Cockpit, which can be done remotely through a single web-browser GUI and can manage both physical and virtual machines.
- Red Hat Virtualisation (RHV) can be installed using the new YUM module command.
- For storage we now have the Stratis Storage Manager, which combines the features first seen in ZFS and Btrfs; this is because Btrfs and ZFS are no longer supported in RHEL v8. Stratis is a volume-managing file system.
- A volume-managing file system integrates the file system into the volume itself, in contrast with LVM, where the volume requires a file system on top of it.
- Other features provided by Stratis are thin provisioning, snapshotting and monitoring.
- Virtual Data Optimizer (VDO)
  - This is a Linux device-mapper driver that reduces disk space usage on block devices and minimises replication bandwidth.
  - Supports inline data deduplication and compression.
  - It removes blocks that contain only zeroes and keeps only their metadata.
  - This can be extremely useful for cloud providers who bill on data usage, as you will save on storage here.
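To make the three space-saving stages above concrete, here is a small simulation I wrote for this post. It is not VDO code (VDO runs inside the device-mapper layer); it only mimics zero-block elimination, content-addressed deduplication and compression on an in-memory byte string. The 4 KiB block size matches VDO's logical block size; the sample "disk image" and all function names are constructed for the example.

```python
"""Toy simulation of the savings VDO-style block processing gives.

Added illustration, not VDO code. Three stages are mimicked on bytes:
  1. zero-block elimination  (all-zero blocks are counted, not stored)
  2. inline deduplication    (identical blocks are stored once, by hash)
  3. compression             (surviving unique blocks are zlib-compressed)
Block size and sample data are constructed for the example.
"""
from __future__ import annotations

import hashlib
import zlib

BLOCK_SIZE = 4096  # VDO's logical block size is 4 KiB


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Split data into fixed-size blocks, zero-padding a final partial block."""
    blocks = []
    for off in range(0, len(data), block_size):
        blk = data[off:off + block_size]
        if len(blk) < block_size:
            blk = blk.ljust(block_size, b"\x00")
        blocks.append(blk)
    return blocks


def simulate_vdo(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Return a summary of logical versus physical bytes after each stage."""
    blocks = split_blocks(data, block_size)
    zero_block = bytes(block_size)
    store: dict[str, bytes] = {}   # content hash -> compressed block
    zero_blocks = 0
    dedup_hits = 0
    for blk in blocks:
        if blk == zero_block:
            zero_blocks += 1       # metadata only, no physical block written
            continue
        digest = hashlib.sha256(blk).hexdigest()   # content-addressed index
        if digest in store:
            dedup_hits += 1        # just reference the existing copy
            continue
        store[digest] = zlib.compress(blk)
    logical = len(blocks) * block_size
    unique_raw = len(store) * block_size
    physical = sum(len(c) for c in store.values())
    return {
        "blocks": len(blocks),
        "zero_blocks": zero_blocks,
        "dedup_hits": dedup_hits,
        "unique_blocks": len(store),
        "logical_bytes": logical,
        "unique_bytes": unique_raw,
        "physical_bytes": physical,
        "savings_pct": round(100 * (1 - physical / logical), 1) if logical else 0.0,
    }


def sample_image() -> bytes:
    """Constructed sample: the same config file on 10 VM disks, unwritten space between."""
    config = (b"[server]\nlisten=0.0.0.0\nport=443\n" * 40).ljust(BLOCK_SIZE, b"#")
    vm_disk = config + bytes(BLOCK_SIZE * 3)   # 1 data block + 3 never-written (zero) blocks
    return vm_disk * 10


if __name__ == "__main__":
    for key, value in simulate_vdo(sample_image()).items():
        print(f"{key:>15}: {value}")
```

On the constructed image, 30 of the 40 blocks are zero, 9 of the remaining 10 are duplicates of the first, and compression shrinks that one unique block further, which is why the physical footprint ends up well under one percent of the logical size. Real savings depend entirely on how repetitive the workload is, so treat the tool's own statistics as the only figure worth quoting.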
- The default NFS version is 4.2 in RHEL v8; NFS v4 and NFS v3 remain supported, and NFS v2 is no longer supported.
- A few other changes include the location of the configuration file, which is now /etc/nfs.conf rather than /etc/sysconfig/nfs.
- Introduction of a new tool, nfsconf, which manages the NFS config files.
- RHEL v8 removes the nfsnobody user and adjusts the UID/GID to 65534.
- rpcbind is no longer required for NFS v4, eliminating the need for UDP connections.
- Server-side copying enables efficient data copies inside NFS file systems, avoiding wasted network resources and bandwidth consumption.
- Labelled NFS enforces data access rights and enables SELinux on NFS file systems.
- Improved network performance with a new algorithm.
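As an added example (my own, not from the original post or Red Hat's documentation), here is what those NFS changes look like in the new /etc/nfs.conf for a server whose clients all speak NFSv4. Turning off v3 and UDP is what makes rpcbind dispensable, as the bullet above says; the thread count and the v4-only assumption are mine.

```ini
# /etc/nfs.conf, trimmed to the server-side keys relevant here.
# Added example, not from the post: assumes every client speaks NFSv4.
[nfsd]
# Serve only NFSv4 (4.0/4.1/4.2). Enabling v3 would bring rpcbind,
# mountd and lockd (and their UDP listeners) back into the attack surface.
vers3=n
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
# NFSv4 runs over TCP; with v3 off nothing is left that needs UDP.
udp=n
tcp=y
threads=16
```

The same keys can be set from a script with `nfsconf --set nfsd vers3 n` and read back with `nfsconf --get nfsd vers3`; rpc.nfsd reads the file on start, so `systemctl restart nfs-server` applies the change. A quick check that the hardening took is that `rpcinfo -p` on the server no longer needs to list NFS on UDP, and that rpcbind can be masked without breaking v4 mounts.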
- Firewalld now uses nftables as its default backend. The nft command replaces the iptables/ip6tables, arptables and ebtables commands.
- You can still use the iptables commands, as these are links to the xtables-nft-multi binary, which accepts iptables syntax but creates nftables rules instead.
- This can now handle complex configurations such as Open vSwitch or SR-IOV.
- The systemd network service is no longer available, and it is recommended that you use NetworkManager.
- New Q35 virtual machines. In addition to the Intel 440FX machine type, QEMU now emulates the Q35 chipset, which provides more current hardware devices, a PCI-E bus and Secure Boot support.
- Q35 also supports PCI-E pass-through and simplifies physical-to-virtual (P2V) migrations.
- As mentioned before, Cockpit is now the recommended tool for virtual machine management over virt-manager, which will be removed in a subsequent release.
- A new tool to administer, deploy and manage containers.
- Fast and lightweight with no daemons required.
- Advanced namespace isolation means that you have rootless operation for container run and build.
- It is open-standards compliant, meaning it creates and maintains any Open Container Initiative (OCI) compliant containers and pods.
- Provides scriptable tooling for fine-grained image control.
- Minimises images by eliminating unnecessary dependencies using host-based tools.
- Provides inspection and transport tools such as:
  - Examining image metadata without downloading.
  - Copying images from registries to hosts or directly between registries.
  - GPG key signing on publish.
- In a nutshell, CoreOS combines the innovations of Container Linux and Atomic with the stability and ecosystem of Red Hat Enterprise Linux.
- Integrated with and delivered via OpenShift, with a small footprint of around 400 packages.
- Deploy a cluster within minutes.
- Simplified updates and upgrades.
- Managed and automated via operators.
- Transactional updates via rpm-ostree.
- This ensures CoreOS is never altered at runtime; it always boots into a "known good" version.
- Each update is versioned and tested as a complete image.
- OS binaries are read-only.
- Updates are encapsulated in container images.
- File system and package layering are available for hotfixes and debugging.
- Universal Base Image
  - Enables a single CI/CD chain.
  - Same performance, security and life cycle as Red Hat Enterprise Linux.
  - RHEL support subscriptions can be attached on top of this.
  - Available May 2019.
- Security and Compliance
- Set acceptable algorithms from a single tool (openSCAP).
- Covers multiple cryptographic providers and consumers such as TLS, Kerberos and Java.
- Support for legacy systems requiring 64-bit security, and for FIPS-allowed or FIPS-approved algorithms.
- TLS 1.3 via OpenSSL 1.1.1.
- Integrated identity management, either stand-alone or as a trusted member of an Active Directory domain.
- Place devices or classes in white or black lists.
- Change default behaviour for unlisted USB devices.
- Network-bound disk encryption
  - Enables encryption/decryption of disks only on trusted networks; this makes the data unusable if the disk is removed from the network.
  - Automated decryption using a client framework and a modular key framework, including a network key service: Clevis and Tang.
  - A dracut unlocker allows decryption during the early boot sequence.
  - A systemd unlocker allows decryption during the system startup process.
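The "unusable off the network" property comes from the key exchange Clevis runs against Tang (the McCallum-Relyea exchange). The script below is my own walk-through for this post, not Clevis or Tang code: the real implementation uses elliptic-curve points and JOSE messages over HTTP, whereas this uses the same algebra in a multiplicative group modulo a toy prime so the property can be checked offline. The prime, generator, class names and the `_kdf` helper are all assumptions made for the example.

```python
"""Toy walk-through of the Tang/Clevis key exchange (McCallum-Relyea).

Added illustration, not Clevis or Tang code. What it shows:
  * provisioning derives a wrapping key K from the server's public value,
    stores only C = g^c on disk, and forgets c and K;
  * recovery blinds C with a fresh e, so the server sees a random-looking X,
    answers X^s, and the client unblinds to get K back;
  * a server with a different secret (i.e. not the trusted one) yields garbage.
P and G are toy parameters chosen for the example, not security parameters.
"""
import hashlib
import secrets
from typing import Tuple

P = (1 << 127) - 1   # toy modulus: the Mersenne prime 2^127 - 1
G = 3                # toy generator


def _kdf(k: int) -> bytes:
    """Turn the shared group element into a fixed-size wrapping key."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


class TangServer:
    """Holds the long-lived private exponent s and answers recovery requests."""

    def __init__(self) -> None:
        self._s = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._s, P)      # advertised to clients (like /adv)

    def recover(self, x: int) -> int:
        """Exponentiate the client's blinded value: Y = X^s. Sees only X."""
        return pow(x, self._s, P)


class ClevisClient:
    """Provisions a wrapping key against a Tang server and later recovers it."""

    def __init__(self, server_public: int) -> None:
        self.server_public = server_public
        self.stored_c_pub = None   # the only value kept in the LUKS header (C = g^c)

    def provision(self) -> bytes:
        """Derive K = S^c, keep C = g^c, discard c and K."""
        c = secrets.randbelow(P - 2) + 1
        k = pow(self.server_public, c, P)
        self.stored_c_pub = pow(G, c, P)
        return _kdf(k)   # caller wraps the LUKS key with this, then forgets it

    def recover(self, server: TangServer) -> bytes:
        """Blind C with an ephemeral e, ask the server, then unblind."""
        e = secrets.randbelow(P - 2) + 1
        x = (self.stored_c_pub * pow(G, e, P)) % P          # X = C * g^e = g^(c+e)
        y = server.recover(x)                                # Y = X^s = g^(s(c+e))
        unblind = pow(pow(self.server_public, e, P), -1, P)  # (S^e)^-1 = g^(-se)
        k = (y * unblind) % P                                # g^(sc) = S^c
        return _kdf(k)


def demo() -> Tuple[bool, bool]:
    """(recovered via the trusted server, recovered via a different server)."""
    tang = TangServer()
    client = ClevisClient(tang.public)
    key_at_install = client.provision()
    same = client.recover(tang) == key_at_install
    other = TangServer()   # different s: the disk is off its trusted network
    different = client.recover(other) == key_at_install
    return same, different


if __name__ == "__main__":
    ok, other_ok = demo()
    print("recovered with trusted Tang server:", ok)
    print("recovered with a different server:", other_ok)
```

Two things worth noticing when reading it: the disk itself never holds K or c, only C, so a stolen drive carries nothing the thief can use without the Tang server; and each recovery uses a fresh blinding value e, so the server cannot link requests or learn K. That is also why the threat model rests on protecting the Tang server's own key and on network placement rather than on a secret stored with the client.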
- OpenSCAP integration with Red Hat Ansible.
  - Define and tailor security policies via profiles.
  - Scan and apply policies via Ansible or bash scripts that are built post-scan.
  - Assert the security policy with Ansible or Anaconda.
  - Shipped security profiles:
    - DISA STIG
    - PCI DSS
    - NIST USGCB
- Recording user terminal sessions
  - Create a record of actions taken, for review.
  - Build run books and training materials.
  - Record and playback.
As you can see, this is not just a simple update: Red Hat thought about what is important in the market today and packed some really neat features into their next major release, aimed at containers, virtualisation, and security and compliance. We at Blue Chip are looking forward to deploying this operating system in the coming months.
With regard to subscriptions, these remain the same with Red Hat Enterprise Linux 8. From discussions with the people at Red Hat, we learnt that it will be supported on the following hardware architectures:
- Intel/AMD 64-bit
- IBM Power LE
- IBM z Systems
- ARM 64-bit
I am awaiting confirmation for big-endian (BE) Power systems as well as the new artificial intelligence systems, as we do love this hardware architecture here at Blue Chip; stay tuned for updates when I have them.
For updates to Red Hat Enterprise Linux 8, the next major release will likely be in three years, with minor updates about every six months. Expect releases numbered such as 7.1, 7.2 and so on.
The repositories used by RHEL v8 change from the separate repositories found in RHEL 7, such as extras, RHSCL, dotnet and devtools, to a single AppStream, for simpler access, access to newer versions as they stabilise, and access to the open-source tools and frameworks developers need.
How can you get the above? YUM v4 is new in Red Hat Enterprise Linux 8; it maintains the same experience while adding more tools. Dependency management is much improved, offering faster resolution, easier minimisation of what is installed, and an API for YUM that will extend the features available.
How about those Gold Images and templates?
Here comes Image Builder: you can create gold images from any 'blueprint', increasing stability and consistency. If you think it will only go into Red Hat technologies you'd be wrong, as you can then deploy these gold builds to public or private clouds as you need, with support for multiple enterprise hypervisors and bare metal.
Seeing this demonstrated in Red Hat's offices showed how easy it is: as simple as a web console for selecting packages and creating your desired blueprints.
Optimised experiences for mission-critical databases such as SQL and SAP HANA
With SQL, you can rapidly deploy instances via VMs or containers with excellent performance. RHEL is one of only two certified Linux distributions, with more than twenty years of joint Red Hat and SAP engineering collaboration, so there is a strong focus here on a great technology.
You’re probably wondering where you can get RHEL 8 or update your existing version.
From my discussions with Red Hat, I learnt that LeApp is the preferred method for in-place upgrades from RHEL 7 to RHEL 8. It is an extendable framework designed to assist admins with application modernisation, and it supports RHEL, CentOS and Fedora. The methods available are as follows:
- Upgrade in place.
- Migrate to new place.
- Or containerise.
In-place upgrades can reduce migrations by analysing systems to determine whether an upgrade can avoid a migration process. Combine this with a bootable LVM snapshot, just in case, so you can roll back with ease.
My conclusion is that Red Hat Enterprise Linux 8 represents a tremendous leap forward for the operating system, giving sysadmins a wealth of control and security, with a greatly increased level of performance.
If you’re committed to getting the best out of Red Hat Enterprise Linux 8, Blue Chip has a renowned speciality in handling Linux workloads on its Power Cloud service.