
Upgrading Red Hat Enterprise Linux / CentOS / Oracle

RHEL/CentOS/Oracle 6–7–8–9 Changes

Here are my notes on what changes when you upgrade from one major release to the next of Red Hat Enterprise Linux, or what was its clone CentOS, or its derivative Oracle Linux. In other words, how to upgrade from RHEL or CentOS or Oracle Linux 6 to 7 to 8 to 9.

The changes from 6 to 7 were enormous. Then 7–8 and 8–9 were more of an evolution.

Remember that it's not as if Red Hat is changing all of these things. Their installers and their graphical configuration tools, sure, those are the distribution's changes. But much of this is the result of the many underlying projects changing. So this collection of pages also applies to Oracle Linux, where the major release numbers 6, 7, 8, 9 largely align with RHEL and CentOS, and really to any distribution as its components have updated over the past several years.

RHEL 2.1 26 March 2002
RHEL 3 22 October 2003
RHEL 4 15 February 2005
RHEL 5 14 March 2007
RHEL 6 10 November 2010
RHEL 7 10 June 2014
RHEL 8 7 May 2019
RHEL 9 17 May 2022

CentOS ceased to be a RHEL clone with CentOS 7. There was a CentOS Linux 8 but it ended at the end of 2021. Now there is CentOS Stream Linux, and its versions are quite similar to the corresponding RHEL versions. But basically CentOS Stream has taken the role of Fedora, and Fedora still exists for, well, ... I'm not sure exactly what its role is. Even sketchier beta testing and development, I suppose. It makes Oracle Linux look even more attractive to me.

1 — Installation and Exploring the Newly Installed System

The order of events and the logic of the installation completely change with every major release.

Linux has always supported much larger systems than I have had to worry about. For example, RHEL 7 had 48/46 bits of virtual/physical memory address, and the kernel did 4 levels of page tables. That limited virtual memory to 256 TiB and physical memory to 64 TiB, although 64 terabytes of RAM was way beyond any hardware I dealt with.

Well, RHEL 8 moved the goalposts much further out. Its kernel supports 57/52 bits of virtual/physical memory address, and does 5 levels of page tables. So, it could support up to 128 PiB of virtual address space and 4 PiB of physical memory.

With RHEL 8, Red Hat started emphasizing deployment in containers, in cloud settings, and as a virtualization host. The new Composer lets you create customized images in several formats, including those prepared for deployment onto public cloud providers.

RHEL 8 added the web console, Cockpit. It lets you create and manage virtual machines. The QEMU full system virtualization control introduces a sandboxing feature with RHEL 8, limiting the system calls QEMU can make.

Here are some Cockpit screenshots. Note that it listens on TCP/9090:

Cockpit web console on RHEL 8, system overview.
Cockpit web console on RHEL 8, network activity.
Cockpit web console on RHEL 8, services overview.
Cockpit web console on RHEL 8, audit service.
Cockpit web console on RHEL 8, web-based terminal interface.

The change from RHEL 6 to 7 was the most sweeping. Not because of what Red Hat did, but because that spans the change from init to systemd and the many /usr/*bin/*ctl programs, and the Ethernet device name shift that came with IProute2.

The commands and configuration files used to configure RHEL 7 were often completely different from RHEL 6. That didn't happen in going from RHEL 7 to 8 to 9. RHEL 8 and 9 seem to me to be about updating existing components.

Many 7–8–9 updates are quite significant:
Kernel 3.10.0 to 4.18.0 to 5.14.0,
GCC 4.8.5 to 8.2.1 to 11.2.1,
Python 2.7.5 to 3.6.6 to 3.9.10,
PHP 5.4.16 to 7.2.11 to 8.0.13,
Ruby 2.0.0 to 2.5 to 3.0.2,
OpenSSL 1.0.2k to 1.1.1 to 3.0.1,
iptables v1.4.21 to v1.8.0 and then nftables 0.9.0 to 0.9.8,
qemu-kvm 1.5.3 to 2.12.0 to 6.2.0,
and many other significant changes.

At RHEL 8 the packaging splits into two sets: BaseOS (1,660 packages, 905 MB) and AppStream (4,987 packages, 5.3 GB), versus 9,007 packages and 6.5 GB on the CentOS 7 Everything-1511 ISO.


As for web servers, RHEL 7 gave you Apache 2.4.6. RHEL 8 has Apache 2.4.37 and Nginx 1.14.0. Both of those support TLS 1.3. The 8 beta release had Apache 2.4.35, which does not. Apache 2.4.37, the first version of Apache to support TLS 1.3, became generally available on October 23. This was just about 3 weeks before RHEL 8-beta released. RHEL 9 has Apache 2.4.51 and Nginx 1.20.1.

X improves from one version to the next. With RHEL 5 you have just whatever was auto-detected during the installation, probably 800×600. RHEL 6 should be close to full screen size, RHEL 7 and later should be full screen size.

RHEL 8 and later instead use the Wayland display server by default. Package xorg-x11-server-Xwayland provides /usr/bin/Xwayland, while package xorg-x11-server-Xorg provides the classic /usr/bin/Xorg.

* I thought it was just me being naïve, but I have discovered that many other people who work with Linux servers don't know what the "Windows Start Key" is. If your keyboard has a key with the Microsoft logo on it, down around the left-hand Shift and Alt and Control keys, it's that thing.

Once you get it installed, the configuration of Gnome within RHEL hides the terminal emulator in ever more inconvenient corners of the menus. Gnome 3 supports using the Windows Start Key* to bring up a "run this command" text box that allows searching. It can be confusing: you can bring up a command by a search for something that isn't really the command's name. This left me confused as to why I could start the firewall administration tool by typing firewall at the text box, which is really searching on some metadata, but I couldn't run that graphical tool using a command starting with firewall.

The default user PATH environment variable has changed. I include an even earlier version to show how much it has changed:

RHEL 5:

/usr/kerberos/bin:/usr/local/bin:/bin:/usr/X11R6/bin:~/bin

No sbin components, so you had to remember to always add "-" or "-l" or "--login" to your su command so your following system administration commands work!

RHEL 6:

/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:~/bin

What an odd beginning! There are 12 programs there. Stranger yet, /usr/lib64/qt4/bin exists with 35 programs, 7 of which have the same names as those under qt-3.3. The newer version is not in the user's path. I don't know what's going on here...

RHEL 7:

/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:~/.local/bin:~/bin

It's strange that /bin and /sbin are included, as they are links to /usr/bin and /usr/sbin, respectively. And I don't know who would use ~/.local/bin to house their personal programs.

RHEL 8, 9:

~/.local/bin:~/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

That's the same set as RHEL 7, minus the redundant /bin and /sbin, and reordered.
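
On RHEL 8 and 9 the per-user directories ~/.local/bin and ~/bin are searched first, so an executable of the same name placed there runs in place of the system command. The following audit is an added example, not part of the original notes (the function name path_shadows is hypothetical); it reports every command name that an earlier PATH directory shadows in a later one:

```sh
#!/bin/sh
# Added example: list commands that an earlier PATH directory shadows.
NL='
'
# path_shadows PATHSTRING
# Prints "name<TAB>winner<TAB>shadowed" for each collision; "winner" is the
# copy the shell would run. A directory reached twice (/bin -> /usr/bin on
# RHEL 7 and later) is only scanned once.
path_shadows() {
    _old_ifs=$IFS
    IFS=:
    set -f                              # no globbing while splitting on ":"
    set -- $1
    set +f
    IFS=$_old_ifs
    _seen=""                            # physical dirs so far, one per line
    for _entry in "$@"; do
        case $_entry in                 # the page writes PATH with a literal ~
            "~"|"~/"*) _entry=$HOME${_entry#"~"} ;;
        esac
        [ -d "$_entry" ] || continue
        _dir=$(cd "$_entry" 2>/dev/null && pwd -P) || continue
        case "$NL$_seen" in
            *"$NL$_dir$NL"*) continue ;;
        esac
        for _file in "$_dir"/*; do
            [ -f "$_file" ] && [ -x "$_file" ] || continue
            _name=${_file##*/}
            _rest=$_seen
            while [ -n "$_rest" ]; do   # earliest directory wins
                _prev=${_rest%%"$NL"*}
                _rest=${_rest#*"$NL"}
                if [ -f "$_prev/$_name" ] && [ -x "$_prev/$_name" ]; then
                    printf '%s\t%s\t%s\n' "$_name" "$_prev/$_name" "$_file"
                    break
                fi
            done
        done
        _seen="$_seen$_dir$NL"
    done
}

# Audit the PATH of the account running the script.
path_shadows "$PATH"
```

Any line whose winner lives under a home directory deserves a look, especially for names such as sudo, su or ssh.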

The Bash shell environment on RHEL 8 behaves strangely. It is case insensitive at times, and these two commands work differently:

$ ls [NO]*
... all files starting with "N" or "O" ...
$ ls [N-O]*
... all files starting with "n", "N", "o", or "O" ...

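The environment variables LANG, LC_ALL, and LOCALE are correctly (for me) set to en_US.utf8, C, and en_US.utf8, respectively, on RHEL/CentOS/Oracle Linux 7. However, on RHEL 8 and 9 only LANG is set, so a bracket range such as [N-O] follows the en_US.utf8 collation order, which interleaves upper and lower case, instead of plain ASCII order. Fix: add a line to ~/.bash_profile: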

$ cat ~/.bash_profile
... lines deleted ...
# User specific environment and startup programs
export LC_ALL=C

The manual page indices always need to be rebuilt so man -k will work after the installation. There will be a cron job to do that, or you can do it manually. This had used the makewhatis utility, but with RHEL 7 mandb replaces makewhatis. The file /etc/cron.daily/man-db.cron makes this happen every night. With RHEL 8 it appears that this is enabled in /etc/sysconfig/man-db but there is no corresponding cron job. All the same, you get the indices. It seems that there is an hourly cron job, but I don't see signs of it.

When you upgrade from RHEL 6 to 7, network configuration becomes more complicated. The graphical configuration tool for networking now includes tabs for 802.1x security and higher performance data center type LAN technology.

The distribution had grown to the point that RHEL 6 no longer fit onto one single-layer DVD. DVD1 is the main installation media; it's 4.0 GB for the RHEL 6 workstation and the single CentOS image. DVD2 is the "optional" media; it's just 1.2 GB. DVD2 for the most part contains the -doc and -devel packages, but it also contains some of the intranet/LAN server packages. For example, samba-swat and lpd-cups.

RHEL 5 gave you a choice about using SELinux and the iptables and ip6tables firewall rules. RHEL 6 and later force these on you, preconfigured and enabled.

The firstboot program that runs on the first post-installation graphical boot starting with RHEL 6 insists that you create a user. However, the user creation tool is poorly designed and it does not let you fully control all the attributes of this user. Workaround: Create a dummy user to make it happy, create your real users, and then delete the dummy user.

If you're using VMware, Red Hat has included drivers that give you the benefits of VMware's VMtools, such as the ability to simply move the mouse out of the VM window without first pressing <Ctrl><Alt>. Do not install VMtools, as that can make things worse instead of better. My experience was that VMtools took away my control of the display settings and recreated the mouse and keyboard focus problem. Just install RHEL or CentOS or Oracle Linux and enjoy.

The desktop graphical user interface goes through major changes, especially going from RHEL 6 to 7. Both the default Gnome and the optional KDE graphical interface go through major version changes. RHEL 8 dropped the KDE window manager. Linux Mint also dropped KDE after its version 18.3.

Gnome is surprisingly resource-hungry. You will probably want to put autospawn = no in your ~/.pulse/client.conf file and also in /etc/skel. Otherwise pulseaudio will always run and always restart, and sometimes it will impose a surprising load on the CPU.

By RHEL 7 many more packages had moved to having one main configuration file plus a collection, like what xinetd had done for some time. For example, sudo puts its system-wide settings in /etc/sudoers and then reads all the user-specific files /etc/sudoers.d/*. Rsyslog reads /etc/rsyslog.conf and then all the files in /etc/rsyslog.d/*.

This isn't anything specific to Red Hat, it is a Linux-wide trend that became common between the releases of RHEL 6 and 7. This is also similar to the shells that for some time now first use /etc/profile and then /etc/profile.d/*, followed by ~/.profile.

This is good, take advantage of it. The intent is that you don't touch the distribution-provided file /etc/*.conf. When the package updates, rpm discovers that the main configuration file is still in pristine form and you have no confusing *.rpmnew, *.rpmold, and so on to track down and manually merge changes. Let the distribution's provided configuration file do whatever they intended, and your locally created files can override any system-wide settings you want to change.
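
One trap with the sudo drop-in directory described above: per sudoers(5), sudo skips any file there whose name contains a dot or ends in ~, and parses the rest in sorted lexical order, so a file named like an rsyslog drop-in (something.conf) is silently ignored. The check below is an added example, not part of the original notes; the function name sudoers_dropins is hypothetical:

```sh
#!/bin/sh
# Added example: which files in a sudoers drop-in directory does sudo read,
# and in what order?

# sudoers_dropins DIR
# Prints "READ<TAB>n<TAB>name" (n = parse order) or "SKIP<TAB>name<TAB>reason".
sudoers_dropins() (
    LC_ALL=C                            # sorted lexical order, as sudo parses
    export LC_ALL
    _n=0
    for _f in "$1"/* "$1"/.[!.]*; do
        [ -f "$_f" ] || continue
        _name=${_f##*/}
        case $_name in
            *.*)  printf 'SKIP\t%s\tname contains a dot\n' "$_name" ;;
            *"~") printf 'SKIP\t%s\tname ends in ~\n' "$_name" ;;
            *)    _n=$((_n + 1))
                  printf 'READ\t%d\t%s\n' "$_n" "$_name" ;;
        esac
    done
)

# Needs read access to the directory, so run it as root on a real system.
sudoers_dropins /etc/sudoers.d
```

Check each file that is read with visudo -cf before relying on it; where two files set the same thing, the one parsed later wins.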

With RHEL 7 there is a significant difference between running vi and vim. Many distributions, including earlier RHEL, really ran vim, the improved version with more capabilities, when you typed just vi. (This was through some trickery with /etc/alternatives.)

vim is your friend, it really helps by coloring the syntax in configuration files, programming languages, HTML, and much more. I had the benefit of being in the habit of always typing vim so I got the better one on non-Linux OSes like OpenBSD and Solaris. Adopt my habit!