CentOS 7 users will need to look for alternatives as EOL approaches

Friday, 19 April 2024 08:16

CentOS 7 users will need to look for alternatives as EOL approaches Featured

Image by Philip Wels from Pixabay

Enterprises which have been running CentOS 7 will have to look around for alternatives before the end of the Australian financial year as the distribution reaches its end-of-life on 30 June.

That may pose issues for some, according to observers, though some of this same class say it will not be an issue as alternatives abound.

The CentOS project, which produced an enterprise Linux distribution, was bought by Red Hat in 2014, but then shut down in December 2020, leaving many users angry. The distribution was basically Red Hat's Enterprise Linux without the trademarks, the only copyrighted portion of the code.

Six months later, Red Hat, which was bought by IBM in 2019, tightened its grip on RHEL source code, said it would make source code available only to its customers.

Red Hat's community distribution, Fedora, would be upstream to CentOS Stream which would mean it is even more outdated.

Given these contortions by the biggest open source entity, it is but natural that users of CentOS would be a little edgy as the EOL date approaches.

Joao Correia, a technical evangelist with Linux support services company TuxCare, told iTWire there would be no big event when CentOS 7 reached its end-of-life.

"It's when the first vulnerability comes along, affecting CentOS 7, that there is a reality check for IT teams: there won't be any patches to address the problem," he said.

"So, at that moment, you go from simply having an unpatched gap in your infrastructure to having a security hole waiting to be exploited. And threat actors have access to the same information as everyone else, so they too will be waiting for this vulnerability to appear, and will immediately start targeting CentOS 7 systems – with the certainty that it will be exploitable.

"This is obviously not the first time something like this happens. Consider, for example, CentOS 8. It took a couple of weeks for the first really critical vulnerability to show up after the EOL date [31 December 2021]. Then, it was a scramble trying to harden existing systems before they were detected and breached."

Alternatives like Rocky Linux and AlmaLinux have arisen after Red Hat's June 2023 announcement. Plus, SUSE, the second biggest open source company, has said it would invest more than US$10 million (A$14.97 million) to fork the publicly available RHEL source code and make it available to world+dog with no restrictions.

Veteran Debian developer and independent tech consultant Russell Coker, however, saw the problem differently. "I don't think it's a big deal really," he told iTWire. "CentOS 7 had a longer support life than CentOS 6 and the practice for upgrading CentOS, when I was using it, was to reinstall (as opposed to Debian where the standard is to just 'apt dist-upgrade') so installing a different distribution isn't going to be much extra effort.

"There's nothing stopping people running CentOS 7 with a kernel from a supported distribution and backporting their own patches where needed."

Correia said in an EOL situation like this, the replacement task was complex. "It's not simply the case of reinstalling a new system and migrating things over – that would be easy and doable in any organisation," he explained.

"The problem is when scale gets in the way – if you have thousands of systems, then it becomes a matter of properly planning, testing, deploying, and validating the new systems, and that can take many months or even years. Right now, if your organisation still hasn't addressed the problem, it's already too late to do it."

Russell said the best options were to either use a community supported distribution with an upgrade path (my preferred option is Debian, but there are others), or use a commercial distribution and pay for support - for which RHEL is a decent option if you like RPM-based distributions.

"Ubuntu is also a good option as it has decent support on a community basis, along with hardware to enable kernel updates to older releases to run on newer hardware. Ubuntu also has the option of paying for more support than the community offers and for longer update support for some packages.

"Supporting older releases of software takes effort. If enough people find the lack of support of CentOS 7 to be a big deal and want to put in some money then people could be paid to support it for a longer time, the source is available."

Correia said the main risk to running a distribution that had reached EOL was the lack of updates. "That is a critical risk. Then come the related problems with running an unsupported operating system: third-party application developers will stop releasing patches or supporting that operating system in new versions, as there is no point in developing for an essentially dead system.

"Also, if your organisation operates in an industry with any form of regulation that touches on cyber security, you will immediately fail any compliance requirements, as there won't be any way to address problems – regardless of how fast or slow the regulation requires you to do so.

"This can be business-threatening, for example, under HIPAA or PCI DSS. There are many others – lack of driver support for new hardware, even lack of proper documentation for procedures.

"It also makes it much more difficult to properly preserve your data when your system can be hacked – and you know it can – by anyone simply following the news on new vulnerabilities. It lowers the barrier to entry for would-be hackers, while significantly raising the risk profile and damage potential of any new threat."

He said the way to protect data integrity during migration was primarily with with properly tested back-ups.

"But depending on the choices you make, there may not even be a need for a migration. Vendors offering extended lifecycle support for CentOS 7 make it possible to extend the deadline (for years), and if there is no upgrade or migration involved, you'll simply continue to receive updates, but from a different source. Everything else continues to work as before."

Read 430 times

IDC WHITE PAPER: The Business Value of Aiven Data Cloud Solutions

DOWNLOAD WHITE PAPER!

PROMOTE YOUR WEBINAR ON ITWIRE

MORE INFO HERE!