otagekki | 1 year ago

Transitioning from CentOS 7 to Red Hat 8 and 9 at my former company's private cloud has been smooth for most teams, Pareto-style, with 80% of migration-related incidents caused by the 20% of the teams that did some really weird changes to the VM's OS that were no longer allowed under RHEL 8 or 9.

At first, I thought it was just to reduce the complexity of managing hardening rules for several OS and OS versions.

IsTom|1 year ago

Recently we had issues with RH 9 not having header packages for OpenSSL 1.1 (which means e.g. you can't have Erlang < 25). There's a potential for breakage for anything that is 3+ years old.

bitcharmer|1 year ago

Not sure if that applies to your line of work, but RHEL has been an increasingly annoying source of issues in the low-latency space. Their kernels are a bizarre mixture of cherry-picked stuff from upstream and a completely bonkers project structure. Also, they break ABI across minor kernel versions, which is unthinkable in mainline. What I'm trying to say is: if you're doing more funky stuff with your OS, just go with a distro built on top of mainline.

eraser215|1 year ago

Which ABI has Red Hat broken between minor versions? Can you give some examples that weren't bugs that got fixed?

p_l|1 year ago

It's a big issue for companies that have substantial deployment of CentOS 7... and FedRAMP or similar clientele.

bayindirh|1 year ago

It's a very big issue for scientific clusters which depend on CentOS, too.

We'll find a way, though.

worthless-trash|1 year ago

Talking firsthand, there is significant effort into ensuring that both 8.6.z (through to current) and 9.2.z (through to current) are FedRAMP compliant; this requirement eats my day, every day.

8.6 and 9.2 kernels are released more frequently than other streams; if you want more frequent updates for compliance reasons, these are the streams to use.

tiberious726|1 year ago

If you were using CentOS for FedRAMP, unless you got a variance from the feds, you were not in compliance. No one actually paid to have NIST evaluate CentOS's binaries (evaluation/certification must be of the compiled binary, not the source code, barring an exception made for OpenSSL, and only OpenSSL, not the kernel).

Twirrim|1 year ago

Why is it a problem with FedRAMP? CentOS 8 is FIPS certified, has STIG profiles etc.