eRacks Systems Tech Blog

Open Source Experts Since 1999

Red Hat Enterprise Linux 8

Red Hat Enterprise Linux 8 (RHEL 8) is now available on all eRacks Systems with lots of developer-friendly capabilities.

Red Hat Inc. announced the official release of Red Hat Enterprise Linux (RHEL) 8 on May 7, 2019.

Red Hat Enterprise Linux 8 (RHEL 8) comes with new features and improvements compared to its predecessor, RHEL 7. Some of the new features of RHEL 8 are described below.

Kernel & OS

Red Hat Enterprise Linux 8.0 is based on Fedora 28 and upstream kernel 4.18. This provides users with a secure, stable and consistent foundation across hybrid cloud and Data Center deployments with tools needed to support all levels of workloads.

 

Storage and File systems

Stratis is the new local storage manager for RHEL 8. It provides managed file systems on top of pools of storage with additional features to the user. Stratis provides ZFS/Btrfs-style features by integrating Linux's device mapper subsystem and the XFS file system.

Stratis supports LUKSv2 disk encryption and Network-Bound Disk Encryption (NBDE) for more robust data security.

With Stratis, you can easily perform storage tasks such as:

  • Maintain file systems
  • Manage snapshots and thin provisioning
  • Automatically grow file system sizes as needed

Pools are created from one or more storage devices, and volumes are created from a pool. The file system is created on top of a volume, so resizing a volume automatically resizes the file system as well. The default file system used by Stratis is XFS.

Other notable Storage features are:

  • The XFS file system now supports shared copy-on-write data extent functionality. This enables two or more files to share a common set of data blocks. Creating shared copies does not utilize disk I/O nor consume additional disk space. The files sharing common blocks act like regular files.
  • The shared copy-on-write data extents are now enabled by default when creating an XFS file system, starting with the xfsprogs package version 4.17.0-2.el8.
  • Support for Virtual Data Optimizer (VDO) on all of the architectures supported by RHEL 8.
  • LUKS2 is now the default format for encrypting volumes. This replaces the legacy LUKS (LUKS1) format distributed in RHEL 7. LUKS2 provides encrypted volumes with metadata auto-recovery and redundancy if partial metadata corruption is encountered.

 

Virtualization

  • Red Hat Enterprise Linux 8 is distributed with qemu-kvm 2.12, with Q35 guest machine type support, UEFI guest boot support, vCPU hot plug and hot unplug, NUMA tuning and pinning in the guest, and guest I/O threading
  • The QEMU emulator introduces the sandboxing feature. QEMU sandboxing provides configurable limitations on what system calls QEMU can perform, and thus makes virtual machines more secure
  • KVM virtualization now supports the User-Mode Instruction Prevention (UMIP) feature, which can help prevent user-space applications from accessing system-wide settings
  • KVM virtualization now supports the 5-level paging feature, which significantly increases the physical and virtual address space that the host and guest systems can use.
  • NVIDIA vGPU is now compatible with the VNC console
  • Ceph storage is supported by KVM virtualization on all CPU architectures supported by Red Hat
  • Q35, a more modern PCI Express-based machine type, is supported by RHEL 8 Virtualization. All virtual machines created in RHEL 8 are set to use the Q35 PC machine type by default

 

eRacks/INTELLINATOR22

Configure your Own eRacks/INTELLINATOR Server With Red Hat Enterprise Linux 8 (RHEL 8).

 

Networking

Below are the new changes in the Networking Level:

  • RHEL 8 is distributed with TCP networking stack version 4.16, which provides higher performance, better scalability, and more stability.
  • The networking stack has been upgraded to upstream version 4.18
  • Iptables has been replaced by the nftables framework as the default network packet filtering facility.
  • The nftables framework is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. This provides a single framework for both the IPv4 and IPv6 protocols
  • The firewalld daemon now uses nftables as its default backend.
  • Support for IPVLAN virtual network drivers that enable the network connectivity for multiple containers.
  • NetworkManager now supports single-root I/O virtualization (SR-IOV) virtual functions (VF). NetworkManager allows configuring some attributes of the VFs, such as the MAC address, VLAN, the spoof checking setting and allowed bitrate

 

Content Distribution

Red Hat Enterprise Linux 8 has two modes of Content distribution and will only need two repositories enabled.

  1. BaseOS repository – The BaseOS repository provides the underlying core OS content in the form of traditional RPM packages. BaseOS components have a life cycle identical to that of content in previous Red Hat Enterprise Linux releases.
  2. AppStream repository – The Application Stream repository provides all the applications you might want to run in a given userspace. Other software that has special licensing is available in a Supplemental repository.

 

Web servers, Web Tools, Web Management – Cockpit, Compilers, Languages & Databases, Software Management

Red Hat Enterprise Linux 8 includes Application Streams of multiple versions of databases, languages, compilers, and other tools available for your use.

RHEL 8 comes with Cockpit automatically installed, and the firewall ports required by Cockpit are automatically opened. The Cockpit interface can be used to apply Policy-Based Decryption (PBD) rules to disks on managed systems.

The RHEL 8 YUM package manager is now based on the DNF technology, and it provides support for modular content, increased performance, and a well-designed stable API for integration with tooling. The version of RPM is 4.14.2, and it validates the whole package contents before it starts the installation.

 

Desktop Environment

The default RHEL Desktop Environment is GNOME. The GNOME Project is supported by the GNOME Foundation. RHEL 8 ships GNOME version 3.28, which has automatic downloading of operating systems in Boxes. Other new features include:

  • New on-screen keyboard
  • New GNOME Boxes features
  • Extended devices support, most significantly integration for the Thunderbolt 3 interface
  • Improvements for GNOME Software, dconf-editor and GNOME Terminal
  • GNOME Software utility, which enables you to install and update applications and gnome-shell extensions.
  • GNOME Display Manager (GDM) uses Wayland as its default display server instead of the X.org server

Features of Wayland display server

    • Stronger security model
    • Improved multi-monitor handling
    • Improved user interface (UI) scaling
    • The desktop can control window handling directly.

 

Security

RHEL 8 comes with support for OpenSSL 1.1.1 and TLS 1.3. This enables you to secure customers' data with the latest standards for cryptographic protection.

RHEL 8 comes with System-wide Cryptographic Policies, which help you manage cryptographic compliance without having to modify and tune specific applications.

OpenSSH has been rebased to version 7.8p1, with no support for the SSH version 1 protocol, Blowfish/CAST/RC4 ciphers, or the hmac-ripemd160 message authentication code.
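Before moving a host to RHEL 8, it helps to know whether an existing SSH configuration still names any of the removed algorithms. The following is an added example, not code from Red Hat or eRacks: the function name and the sample configuration are constructed for illustration, and the algorithm identifiers are the names OpenSSH used for the Blowfish, CAST, RC4 (arcfour) and RIPEMD-160 families.

```python
# Added example: find sshd_config/ssh_config settings that still name
# algorithms or protocol versions absent from OpenSSH 7.8p1.
REMOVED = {
    "ciphers": {"blowfish-cbc", "cast128-cbc",
                "arcfour", "arcfour128", "arcfour256"},  # Blowfish/CAST/RC4
    "macs": {"hmac-ripemd160", "hmac-ripemd160@openssh.com",
             "hmac-ripemd160-etm@openssh.com"},
}

def audit_ssh_config(text):
    """Return (line_number, keyword, value) for each unsupported setting."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]    # keywords are case-insensitive
        # A list may start with '+', '-' or '^'; the names follow, comma-separated.
        names = [n.strip().lower() for n in value.lstrip("+-^").split(",")]
        if keyword == "protocol" and "1" in names:
            findings.append((lineno, keyword, "1"))
        elif keyword in REMOVED:
            findings.extend((lineno, keyword, n) for n in names
                            if n in REMOVED[keyword])
    return findings

# Constructed sample of a legacy configuration (not taken from a real host).
SAMPLE = """\
# legacy settings carried over from an older release
Protocol 2,1
Ciphers aes256-ctr,blowfish-cbc,arcfour
MACs hmac-sha2-256,hmac-ripemd160
#Ciphers cast128-cbc
"""

if __name__ == "__main__":
    for lineno, keyword, value in audit_ssh_config(SAMPLE):
        print(f"line {lineno}: {keyword} uses unsupported value {value}")
```
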

 

Red Hat Developer Subscriptions

Red Hat Developer members have been enjoying no-cost developer subscriptions for 3+ years now, and RHEL 8 is now automatically part of that. If your company wants developer support, there are several Red Hat Enterprise Linux Developer Subscriptions options with Red Hat support, too.

For more detail please contact eRacks Systems or visit Red Hat Enterprise Linux 8 official Page.

May 12th, 2019

Posted In: Linux, New products, News, Open Source, Operating Systems, virtualization


A secure environment is absolutely crucial for a virtualization server connected to the Internet. If the host is compromised, all its virtual machines are at risk and their services will be affected. Learn more from this article of important internet safety tips and advice.


eRacks virtualization experts have put together a useful list of security considerations for virtualization migration planners.

TIP #1. Use an open source virtualizer if possible. Open source software vulnerabilities are documented clearly, are well-known, and fixed quickly.

Proprietary-software bugs usually take longer to get fixed, and are even sold on black markets for illicit hacking. In fact, there are documented cases of closed source software companies purchasing security hole information of their own applications. Open source software vulnerabilities have less value on the black market, because of their shorter shelf-life.

TIP #2. Use open source guests wherever possible. New drivers for open source applications improve security as well as performance. Open source guests are more cooperative with the host, leaving less room for attack. Windows is inherently less secure, since (a) it is closed source and updated less frequently; (b) it is widely used and thus a big target; (c) it statistically has more severe vulnerabilities than open source OSes, which take longer to fix.

TIP #3. Minimize the host footprint, making less surface area available for hackers. A small target is harder to hit than a large one. eRacks typically recommends KVM because of its small footprint, simple design, and ease of use.

The virtualization host provides services in the form of ports and packages, which should only include those required by the VMs. An effective security plan should minimize the number of open ports, narrowing the possibilities of illicit entry.

TIP #5. Use an external physical firewall. It is also possible to use a virtualized firewall, running as a guest, but it can only protect the downstream systems, and not the host. A virtualized IP-less bridging firewall is also possible, but it is more difficult to implement, and still doesn't protect the host. The safest solution is an external firewall, such as the eRacks/TWINGUARD, a redundant 1U system, with failover, running a very secure OpenBSD.

TIP #6. Assess your security level, including regular port scans (Nmap) and OS fingerprinting, keeping track of any changes. A hardened system will not give out versions of running services; otherwise it would be too easy to know exactly where the vulnerabilities lie.

eRacks can give you a head start by building, installing, and configuring your system for you. Your physical host server can be configured with your choice of a virtualization host, including the freely available version of VMware or Linux-native KVM (Kernel-based Virtual Machine), as well as a large number of possible virtual operating systems and applications, including web, DNS, email, proxy and other infrastructure services.
Virtualizers by description, complexity, and level of open source:

  • KVM
    • Description: built into the kernel, uses the standard Linux scheduler, memory management and other services
    • Complexity: simple, non-intrusive, very stable, easy to administrate; KVM hypervisor about 10-12K lines of code (2007)
    • Level of open source: released under the GNU GPL; free
  • Xen
    • Description: external hypervisor, supports both paravirtualization and full virtualization, has its own scheduler, memory manager, timer handling, and machine initialization
    • Complexity: specially modified kernel; has 10x more lines of code than KVM, which raises the vulnerability level
    • Level of open source: released under the GNU GPL; free
  • VMware
    • Description: fully virtualizes using software techniques only, very good performance, stability
    • Complexity: very large and complex; more than 10x the lines of code of Xen
    • Level of open source: proprietary; player open (teaser-ware); fees
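The advice above to keep only required ports open, and TIP #6's regular Nmap scans with change tracking, can be combined into one check over saved scan results of your own host. The following is an added example, not eRacks code: it reads Nmap's grepable output (`-oG`), and the function names, the required-port set and the two sample scans are constructed for illustration.

```python
import re

# One "port/state/proto/owner/service/rpc/version/" entry of Nmap -oG output.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Map (host, port, proto) -> (service, version) for each open port."""
    open_ports = {}
    for line in text.splitlines():
        fields = line.split("\t")                     # -oG fields are tab-separated
        ports = [f[len("Ports: "):] for f in fields if f.startswith("Ports: ")]
        if not line.startswith("Host: ") or not ports:
            continue                                  # comment or status-only line
        host = fields[0].split()[1]
        for port, state, proto, service, version in PORT_RE.findall(ports[0]):
            if state == "open":
                open_ports[(host, int(port), proto)] = (service, version)
    return open_ports

def review(baseline, current, required_ports):
    """Compare the current scan with the baseline and the required-port list."""
    findings = []
    for key in sorted(current):
        if key[1] not in required_ports:
            findings.append(("not-required", key))        # footprint larger than needed
        if key not in baseline:
            findings.append(("new-since-baseline", key))  # change to investigate
        if current[key][1]:
            findings.append(("version-disclosed", key))   # service reveals its version
    for key in sorted(set(baseline) - set(current)):
        findings.append(("closed-since-baseline", key))
    return findings

# Constructed sample scans of a documentation-range address (not real output).
BASELINE = ("Host: 192.0.2.10 (vmhost.example)\t"
            "Ports: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///\t"
            "Ignored State: closed (998)\n")
CURRENT = ("Host: 192.0.2.10 (vmhost.example)\t"
           "Ports: 22/open/tcp//ssh//OpenSSH 7.8 (protocol 2.0)/, "
           "5900/open/tcp//vnc///\tIgnored State: closed (998)\n")

if __name__ == "__main__":
    results = review(parse_grepable(BASELINE), parse_grepable(CURRENT), {22})
    for kind, (host, port, proto) in results:
        print(f"{host} {port}/{proto}: {kind}")
```
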

July 9th, 2008

Posted In: News, security, virtualization
