RHEL7: Changes between versions.

Presentation

The RHEL 7 release brought many changes from RHEL 6, some of them breaking backward compatibility (Systemd, etc). Unfortunately, such changes happened between minor versions of RHEL 7 too.
Here you will find a non-exhaustive list of such changes.

NFS

Syntax Change

The RHEL 7.1 release completely changed the way the various NFS services worked.

The nfs-secure-server service no longer works the same way, the nfs-idmap service has a new sibling, nfs-idmapd, and the Kerberos NFS client gets a new nfs-client.target.

Fortunately, there is a Kerberos NFS tutorial, although it took a long time to update!

Migration Problems

When installing or migrating to RHEL 7.3, don’t disable IPv6 without running the dracut -f command right afterwards; otherwise NFS won’t work (see details).

NFS Mount Behavior

In RHEL 7.4, the NFS mount behavior changed: the client now tries NFS vers=4.1 by default. Also, rather than trying 4.0 after failing on 4.1, RHEL 7.4 falls back to NFS 3. To get the previous behavior, force vers=4.0 (source).

NetworkManager

From RHEL 7.2 to RHEL 7.3, NetworkManager underwent a major evolution, going from v1.0.6 to v1.4.0. Modularity was at the heart of the changes.

IPv6 Security

In v1.2, a new IPv6 feature called Stable Privacy Addressing was added through a new connection property: ipv6.addr-gen-mode. It is a tracking prevention mechanism activated by default (ipv6.addr-gen-mode=stable-privacy). To disable this new feature and get the previous behavior, type:

# nmcli con mod "Wired connection 1" ipv6.addr-gen-mode eui64

Another new IPv6 feature popped up called Privacy Extension bringing a new ipv6.ip6-privacy connection property. This allows randomization of MAC addresses and is activated by default (ipv6.ip6-privacy=1) (see details here). To disable this new feature and get the previous behavior, type:

# nmcli con mod "Wired connection 1" ipv6.ip6-privacy 0

There are certainly other changes unknown at this time.

Nmcli Syntax Change

In RHEL 7.0, you could write:

# nmcli con mod myConn ipv4.addresses "10.0.0.10/24 10.0.0.1"

Since RHEL 7.1, you have to do it in two steps:

# nmcli con mod myConn ipv4.addresses 10.0.0.10/24
# nmcli con mod myConn ipv4.gateway 10.0.0.1

Or, in only one step:

# nmcli con mod myConn ipv4.addresses 10.0.0.10/24 ipv4.gateway 10.0.0.1

Use of ZONE Variable Deprecated

Since RHEL 7.5, the use of the ZONE variable in ifcfg-* files no longer works (source).

New Unit File Directives

With RHEL 7.3, the NetworkManager service got two new directives in its unit file for security purposes:

  • ProtectSystem=true
  • ProtectHome=read-only

These directives forbid some changes to, respectively, the system directories (/usr, /boot, /root, /run/user) and the /home directories, mainly the creation of symbolic links to them (see details here). If you use a non-standard directory structure, you may need to remove these directives.

Systemd

With RHEL 7.2, Systemd moved from v208 to v219, bringing many changes.

New Systemd Directives

Some new security-related directives were introduced in Systemd v219.

The ProtectSystem and ProtectHome directives were already mentioned in the NetworkManager chapter above, but others exist (see details here).

Conflicts with Docker

At least one change has already been reported concerning execution of Docker containers. You can read an article on the CentOS blog about Fixing CentOS 7 systemd conflicts with docker.

Also, with RHEL 7.5, a bug was fixed in the SELinux policy, and access from within a container to the cgroup configuration is now denied. Since Systemd heavily uses cgroups, containers requiring Systemd no longer start, and they fail without any warning. To allow containers access to the cgroup configuration, an SELinux boolean needs to be set (source):

# setsebool -P container_manage_cgroup on

RemoveIPC Directive

A new option called RemoveIPC was introduced in RHEL 7.2 through Systemd v219. When set to yes, this option forces a cleanup of all allocated inter-process communication (IPC) resources linked to a user when that user leaves their last session. If a daemon is running as a user with a uid number >=1000, it may crash.

This option should always be set to no by default but, due to the logic of package upgrades, it is highly advisable to set RemoveIPC=no in the /etc/systemd/logind.conf file and then restart the service (source):

# systemctl restart systemd-logind

Certificate Verification in Python

The Python standard library includes multiple modules that provide HTTP client functionality, including httplib, urllib, urllib2, and xmlrpclib. While these modules support HTTPS connections, they traditionally performed no verification of certificates presented by HTTPS servers, and offered no way to easily enable such verification (see details here).

In RHEL 7.0 and RHEL 7.1, there was no certificate verification.

In RHEL 7.2, a new file was created called /etc/python/cert-verification.cfg with verify=disable as main content.

In RHEL 7.3, the same file now contains verify=platform_default: this means that certificate verification depends on a hard-coded value in the ssl module. Depending on the ssl module in use, certificate verification will happen or not. However, it is perfectly possible to assign enable or disable to the verify directive to define the wanted behavior.
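The check below is an added example, not code from the article or from Red Hat: it reads the verify setting and also asks the running interpreter whether its default HTTPS context verifies certificates, which is what matters when the file says platform_default. The [https] section name follows PEP 493 and the _create_default_https_context hook comes from PEP 476; both are assumptions about how the file and the ssl module are laid out on your build.

```python
import ssl
try:
    import configparser                   # Python 3
except ImportError:
    import ConfigParser as configparser   # Python 2.7, the RHEL 7 system interpreter

CFG_PATH = "/etc/python/cert-verification.cfg"   # path given in the article


def configured_policy(path=CFG_PATH):
    """Return the verify= value from the file, or None if it cannot be read."""
    parser = configparser.RawConfigParser()
    try:
        if not parser.read(path):         # file absent, as on RHEL 7.0 and 7.1
            return None
        # Assumption: the key sits in an [https] section, as PEP 493 specifies.
        return parser.get("https", "verify").strip().lower()
    except configparser.Error:            # no section header, no key, parse error
        return None


def interpreter_verifies():
    """True if the default HTTPS context checks both certificate and hostname."""
    factory = getattr(ssl, "_create_default_https_context", None)  # PEP 476 hook
    if factory is None:                   # ssl module without verification support
        return False
    ctx = factory()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def classify(policy, effective):
    """Combine the configured value and the interpreter default into one finding."""
    if policy == "enable":
        return "enabled by configuration"
    if policy == "disable":
        return "disabled by configuration"
    # platform_default, a missing file or an unknown value: the ssl module decides
    return ("enabled by " if effective else "disabled by ") + "ssl module default"


if __name__ == "__main__":
    print(classify(configured_policy(), interpreter_verifies()))
```

Run it with the same interpreter your HTTPS clients use, since the answer for platform_default is a property of that interpreter's ssl module.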

SELinux

Up to RHEL 7.2, the semodule -l command was displaying the version of the loaded policy:

[root@rhel72]# semodule -l
abrt 1.4.1
accountsd 1.1.0
acct 1.6.0
...

With RHEL 7.3, this information is not given anymore:

[root@rhel73]# semodule -l
abrt
accountsd
acct
...

This can be a problem with configuration management tools like Puppet. More details about this serious compatibility problem are available here and here.
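A parser that accepts both listing formats, as an added example (not code from the article or from Puppet): it reports a module whose version is missing as "unverifiable" instead of treating it as absent or outdated, so tooling does not reinstall on every run. The function names and the four state names are hypothetical; the sample listings are the ones shown above.

```python
import re

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

# Listings copied from the two semodule -l outputs shown in the article.
RHEL72 = "abrt 1.4.1\naccountsd 1.1.0\nacct 1.6.0\n"
RHEL73 = "abrt\naccountsd\nacct\n"


def parse_semodule_list(output):
    """Map module name -> version string, or None when no version is listed."""
    modules = {}
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue                      # skip blank lines
        has_version = len(fields) > 1 and VERSION_RE.match(fields[1])
        modules[fields[0]] = fields[1] if has_version else None
    return modules


def _as_tuple(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def module_state(modules, name, wanted):
    """Return 'absent', 'unverifiable', 'outdated' or 'current' for one module."""
    if name not in modules:
        return "absent"
    installed = modules[name]
    if installed is None:                 # RHEL 7.3 style listing: name only
        return "unverifiable"
    if _as_tuple(installed) >= _as_tuple(wanted):
        return "current"
    return "outdated"


if __name__ == "__main__":
    for label, listing in (("7.2", RHEL72), ("7.3", RHEL73)):
        print(label, module_state(parse_semodule_list(listing), "abrt", "1.4.1"))
```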

Libvirt Based Containers

With RHEL 7.3, it seems that execution of real-time libvirt based containers doesn’t work as before. New parameters need to be set up (see details here).

Nmtui bugs

Don’t use the nmtui command with RHEL 7.0: this command is reported as regularly crashing in this minor version.

OpenSSH Versions

In RHEL 7.0, OpenSSH was at version 6.4p1. From RHEL 7.1 to RHEL 7.3, OpenSSH stayed at version 6.6.1p1 with limited changes.

In RHEL 7.4, OpenSSH moved to version 7.4p1. Expect some issues with legacy code (see details here).
At least two Red Hat articles dealing with OpenSSH changes in RHEL 7.4 have been posted (here and here).

Other Compatibility Problems?

Leave a comment if you find another problem not listed here.
