Slashdot Mirror


CentOS Linux 6.8 Released (softpedia.com)

An anonymous reader writes: CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 Architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in the previous release of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and Squid 3.4 caching and forwarding web proxy, many of which are supporting the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the NTPd (Network Time Protocol daemon) package has an alternative solution as chrony, SSLv3 has been disabled by default, and there's improved support for Hyper-V.


  1. Re:2.6 by Midnight_Falcon · · Score: 4, Informative

    Considering CentOS 7.x has been out for well over a year...this is just extending support for the old CentOS 6 line.

  2. Re:2.6 by bobthesungeek76036 · · Score: 2

    They're just following RHEL which announced 6.8 on 5/10...

    --
    Karma: Bad
  3. Re:2.6.32 kernel? by KiloByte · · Score: 3, Interesting

    2.6.32 differs so much from modern kernels that trying to cherry-pick fixes leads to anything but stability. I wouldn't touch such a kernel with a 0.015 furlong pole.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Modernism and Stability by hcs_$reboot · · Score: 2

    CentOS/RedHat motto has always been "stability and security". Nowadays, however, I don't think there is much difference with Debian, for instance, in terms of stability/security. Furthermore, for those using the desktop release, RH and CentOS are really behind (e.g. compared to Ubuntu) in terms of ergonomics, utilities and other applications.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Modernism and Stability by SkankinMonkey · · Score: 2

      To be fair, they stay behind and backport security fixes for compatibility reasons - mainly enterprise apps that want to ensure they are not going to introduce any breaking changes while staying secure. Their customer isn't the day to day user that wants the latest and greatest.

    2. Re:Modernism and Stability by Phiz · · Score: 5, Interesting

      CentOS/RedHat major releases have a 10-year life span. Debian is 5 years for LTS and Ubuntu is 4 years. For my uses that is a significant difference.

    3. Re:Modernism and Stability by Phiz · · Score: 1

      Oops. Ubuntu LTS is also 5 years.

    4. Re:Modernism and Stability by hcs_$reboot · · Score: 1

      Was said "for those using the desktop release"... Buy those glasses, you're getting old.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  5. ignorant idiots on slashdot by Anonymous Coward · · Score: 4, Insightful

    > 2.6.32 differs so much from modern kernels that trying to cherry-pick fixes leads to anything but stability. I wouldn't touch such a kernel with a 0.015 furlong pole.

    rhel kernels are the most heavily tested kernels available, really you would trust a new kernel with your company's data?

    1. Re:ignorant idiots on slashdot by KiloByte · · Score: 1, Interesting

      I guess you haven't seen the amount of patches atop RH's kernels. They backport loads of features which were never coded with ancient kernels in mind. These backports are not tested by anyone but RH's internal kernel guys -- as opposed to a large community testing mainstream kernels.

      No one says you should run 4.6 in production yet, let's have it season for a bit. But running kernels without mainstream maintenance is not wise. I'd understand them if they cherry-picked just security and bug fixes -- but they pick lots of random crap.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:ignorant idiots on slashdot by Anonymous Coward · · Score: 2, Interesting

      Red Hat guarantees the API and ABI compatibility of their kernels for years
      why:
      https://access.redhat.com/articles/rhel-abi-compatibility

      They've been doing it for a decade - and are more trusted than any other Linux OS

      https://www.redhat.com/en/about/trusted

      I think they've got this covered

    3. Re:ignorant idiots on slashdot by Anonymous Coward · · Score: 1

      > They backport loads of features which were never coded with ancient kernels in mind. These backports are not tested by anyone but RH's internal kernel guys -

      What a load of crap, these kernels are thoroughly tested by every vendor with a RHEL port of their product. Database vendors etc run these kernels through the wringer on production loads long before you ever see them.

    4. Re: ignorant idiots on slashdot by buchanmilne · · Score: 1

      And yet my experience with RHEL3,4,5 in production in a relatively large and varied environment was that they were all rock solid. We still have 5.x in production, we are currently rolling 7.2 out to replace most of those (though some VMs will need intermediate upgrades to 6.x due to multi-server customer-facing application upgrades also required to get to 7)

      If you want more recent, run RHEL7.2. If you want bleeding edge run Fedora. If you want something between stable and bleeding edge, choose a more desktop-oriented distro.

    5. Re:ignorant idiots on slashdot by kamaaina · · Score: 1

      Hmm, dunno about the kernel in 6.8, but one of the kernel updates in the 6.7 kernel caused our CPU load to go up, we downgraded back.

    6. Re:ignorant idiots on slashdot by prefect42 · · Score: 1

      Sure that wasn't the kernel that fixed a miscalculated load average? There were some niggles around that for sure, but there's hardly a consistent pattern of Redhat introducing bad kernel updates.

      * Due to prematurely decremented calc_load_task, the calculated load
      average was off by up to the number of CPUs in the machine. As a
      consequence, job scheduling worked improperly causing a drop in the system
      performance. This update keeps the delta of the CPU going into NO_HZ idle
      separately, and folds the pending idle delta into the global active count
      while correctly aging the averages for the idle-duration when leaving NO_HZ
      mode. Now, job scheduling works correctly, ensuring balanced CPU load.
      (BZ#1300349)

      --

      jh

    7. Re:ignorant idiots on slashdot by Hognoxious · · Score: 1

      We all hate SAP and Oracle, but RHEL is a preferred platform for them to run their enterprisey stuff on. If it was as bad as you say, I think somebody would have sort of noticed.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  6. Just in time for PayPal. by Anonymous Coward · · Score: 1

    Hosts have 3 weeks to roll it out:

    "PHP cURL module now supports TLS 1.1 and TLS 1.2" and "NSS now enables the TLS version 1.2 protocol by default"

    (Yes, that's right, NSS, not OpenSSL.)
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/new_features_security.html

    PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2017. You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates.
    DATE CHANGE - Act by June 30, 2017

    https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1914

    Oh wait, I see PayPal backed off on it, they have moved it ahead to June 30th 2017. Previously it was next month, June 17, 2016. Enough people must have complained. This change was going to break tens of thousands of eCommerce websites, if not more.

    So hosts have more time now; a whole year. At least CentOS has addressed it now. I expect hosts are going to keep servers provisioned on 6.x for as long as possible.

    1. Re:Just in time for PayPal. by Dog-Cow · · Score: 1

      If we are fortunate, you will die before then. Unreasonable hatred is not something we wish to encourage or foster.

    2. Re:Just in time for PayPal. by unrtst · · Score: 1

      > "PHP cURL module now supports TLS 1.1 and TLS 1.2" and "NSS now enables the TLS version 1.2 protocol by default"
      >
      > (Yes, that's right, NSS, not OpenSSL.)
      > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/new_features_security.html

      I don't understand your emphasis on NSS.
      FWIW, the version of openssl that shipped with CentOS 6.7 fully supported TLSv1.2. Their announcement that, "NSS now enables the TLS version 1.2 protocol by default", does not in any way imply that OpenSSL had not or did not do so. They happen to be building some items against NSS, thus that change affects things like pyCurl and phpCurl for them, though those could be rebuilt against OpenSSL (I rebuild php to get a more recent version, and link it to openssl instead of NSS).
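
Added example, not part of the comment above or of the original thread: the NSS-versus-OpenSSL distinction discussed here can be checked per host by reading the TLS library token in the first line of `curl --version`. The function names and the sample version strings are constructed for illustration, not captured from a real system.

```sh
#!/bin/sh
# Added example: identify the TLS library a curl/libcurl build is linked
# against, from the first line of `curl --version`.
# The sample strings below are constructed for illustration.

SAMPLE_NSS='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2'
SAMPLE_OPENSSL='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8 libidn/1.32'
SAMPLE_NONE='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 zlib/1.2.8'

# Print "<library> <version>" for the first TLS library token, or fail.
# The body is a subshell so that `set -f` (no globbing while the version
# string is word-split) does not leak into the caller.
tls_backend() (
    set -f
    for tok in $1; do
        case "$tok" in
            NSS/*|OpenSSL/*|GnuTLS/*|LibreSSL/*)
                printf '%s %s\n' "${tok%%/*}" "${tok#*/}"
                exit 0 ;;
        esac
    done
    exit 1
)

# Succeed only when the build is linked against NSS, i.e. when a change
# to the NSS defaults is the one that governs this client.
nss_default_applies() {
    backend=$(tls_backend "$1") || return 1
    case "$backend" in
        NSS\ *) return 0 ;;
        *)      return 1 ;;
    esac
}

# One-line summary for an inventory or audit log.
report() {
    if ! backend=$(tls_backend "$1"); then
        echo "no TLS library in version string"
    elif nss_default_applies "$1"; then
        echo "$backend: follows the nss package's protocol defaults"
    else
        echo "$backend: NSS defaults do not apply, check this library"
    fi
}

for line in "$SAMPLE_NSS" "$SAMPLE_OPENSSL" "$SAMPLE_NONE"; do
    report "$line"
done
```

On a real host, pass `"$(curl --version | head -n 1)"` to `report` instead of the sample strings.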

    3. Re:Just in time for PayPal. by codealot · · Score: 1

      PayPal didn't back off, the PCI Council did. The PCI DSS standard previously offered an exemption for existing sites that could not easily deprecate TLS 1.0 that was to expire June 2016. Now that has been extended 12 months, and PayPal is following suit.

    4. Re:Just in time for PayPal. by Monkey · · Score: 1

      I was like you. Then I tried it out. It's actually quite good.

  7. You contradict yourself by raymorris · · Score: 2

    "CentOS 6 is really behind" means that it does not have a bunch of significant recent changes. Which is the definition of stable.

    Has CentOS 6 kept up with recent changes? If so, it's not "really behind". If not, it's stable. Pick one.

    I would say they've done as advertised, they kept it pretty stable. That happens to be what I want right now. If I wanted cutting-edge, I might use Fedora.

    1. Re:You contradict yourself by hcs_$reboot · · Score: 2

      Was said "for those using the desktop release". Desktop wise, there is a huge difference between modern Ubuntu like releases and CentOS. Even Ubuntu 14.04 (2 years old) is way ahead re ergonomics, utilities and other applications. You can keep CentOS or RH, but at least show a bit of fairness.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:You contradict yourself by hcs_$reboot · · Score: 1

      Many people are still using v6 because of the many incompatibilities between 6 & 7. This is the real mess. Anyway, regarding apps/ergonomics/utilities, even v7 (desktop) is way behind other modern distros. Probably you didn't use v6 and/or v7, or didn't upgrade from v6 to v7, or didn't use any other modern distros. Well, I did all of that, for professional and personal reasons.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:You contradict yourself by hcs_$reboot · · Score: 1

      What does an AC know about karma on /. ....?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:You contradict yourself by Antique+Geekmeister · · Score: 2

      > Has CentOS 6 kept up with recent changes?

      CentOS doesn't generally "keep up with changes". They follow changes from RHEL, with a few exceptions like their Xen virtualization project.

      RHEL is kept very standard, with consistent major libraries, kernels, and software versions. They do occasionally publish add-on toolkits, such as additional and upgraded versions of python or gcc in parallel with the main default version. And they are doing some interesting things with the "software collection" libraries, to provide updated MySQL and python toolkits compatible with older operating systems. But it can be very tricky to publish two major releases of the same software in parallel, and RHEL has been careful to keep them separate.

  8. Re:2.6 by Anonymous Coward · · Score: 1

    This isn't even extended support. CentOS 5 is in Extended support until March 31st 2017, 6 is mainstream until that date and extended until November 30th 2020, 7 is mainstream until that date in 2020 and extended support until 2024. See: https://wiki.centos.org/About/... for more info and the latest version of different software on the different releases.

  9. RHEL 6 was stable in 2010. See the revision number by raymorris · · Score: 1

    The major.minor kernel number for Red Hat 6.0 was chosen based on what was stable when it was released in 2010. Kernel updates since then are reflected in the revision number. Updates after initial release don't change the API, the ABI, or the major.minor parts of the version number. They change the revision number.

  10. Again, hasn't been changed == remained stable by raymorris · · Score: 3, Insightful

    > there is a huge difference between modern Ubuntu like releases and CentOS. Even Ubuntu 14.04 (2 years old) is way ahead

    I don't necessarily disagree. Let's assume that's right, that Ubuntu has had a lot of updates (changes) and CentOS hasn't. That's what you said, right?

    Of course all that new stuff has new APIs and especially new ABIs. The APIs and ABIs of RHEL 6 haven't changed for six years, so it doesn't have all the new shinies. What do you call it when something doesn't change a lot over time, when it pretty much remains the same? For APIs and ABIs, we call that "stable".

    Notice the word is neither "good" nor "bad", it's "stable", aka unchanging, remaining the same, reliable.

    > but at least show a bit of fairness.

    I can't think of anything more fair than stating a plain, objective fact. RHEL doesn't change the interfaces. They are stable. Love it or hate it, it's a fact. What would be UNFAIR would be to lie and say RHEL doesn't provide a stable environment. That's simply untrue as a factual matter, for the sense of the word "stable" that matters for software maintenance.

    1. Re:Again, hasn't been changed == remained stable by hcs_$reboot · · Score: 1

      Fair enough!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  11. Re:2.6 by dbIII · · Score: 4, Interesting

    There are plenty of things not certified to run on CentOS7/RHEL7.
    Also, at the risk of massive flamage - systemd.

    Two very good reasons to keep on upgrading CentOS6.

  12. Re:2.6?!?! by eWarz · · Score: 1

    Losing my mod points for this. CentOS 6.8 is designed to be binary compatible with RHEL 6.8, which uses the same kernel version. CentOS 6.8 is NOT the latest CentOS version, with CentOS 7.0 taking that honor. You can hardly be 'binary compatible' with a specific version of RHEL unless you use the same kernel version. A lot of mission critical systems rely on CentOS, so please don't flame them. If you want a bleeding edge kernel, use another distro.

  13. Where is the auto install pop up ? by Alain+Williams · · Score: 2, Interesting

    I had to install it this morning by typing ''yum update'', it told me that it was going to install 855 MB and prompted me ''Is this ok [y/N]'' -- notice a default answer of no.

    This is yet more evidence that RedHat/CentOS is behind the time and not following recent industry practice of bamboozling their users into installing the latest version of the OS whether they want to or not. Should I downgrade to Microsoft Windows so that I can become as exasperated as some of my friends ?

    1. Re:Where is the auto install pop up ? by Scarred+Intellect · · Score: 1

      > Should I downgrade to Microsoft Windows so that I can become as exasperated as some of my friends ?

      Do you hate yourself? If so, then yes, join your friends.

  14. Re:2.6?!?! by psmears · · Score: 1

    > CentOS 6.8 is NOT the latest CentOS version, with CentOS 7.0 taking that honor.

    Actually 7.2 is the latest!

  15. Re:Without systemd by Hognoxious · · Score: 1

    Or Gnome3. What a load of old rubbish, I must be an idiot to have almost 3 machines running it.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  16. Re:2.6 by Anonymous Coward · · Score: 1

    > I strongly suspect RedHat has a shitload of paying customers who have told them in no uncertain terms that if RH drops RHEL6 and goes systemd-only, they'll be moving to a non-systemd distro.

    You expect wrong then. A shrill and tiny minority of trolls and whiners do not represent their customer base. RedHat is perfectly fine about continuing with systemd as are their customers.

  17. Re:2.6.32 kernel? by DrXym · · Score: 1

    RHEL is for companies who are risk averse. They don't need the latest features, or want an OS which is constantly changing in unpredictable ways. They want something which is reliable, stable, supported and does what they bought it for in the first place. If a 2.6 kernel is good for that purpose then what's the problem?

  18. Re:2.6?!?! by Antique+Geekmeister · · Score: 1

    RHEL 7.2 is the latest long-term supported production platform from Red Hat. Fedora is the bleeding edge work, and a sign of what will be in future RHEL releases. The bleeding edge versions of perl, python, and of virtualization toolkits and security toolkits can be very destabilizing to production systems, which is why RHEL and CentOS have been so popular for production work.

  19. Re:2.6.32 kernel? by Tetch · · Score: 1

    I still have a Debian Squeeze system that can run perfectly happily using Debian's 2.6.32 kernel. As it happens, I did experience one (and only one) problem with this system & kernel, which is that USB3 didn't work properly (onboard Etron controller), so I installed Debian's 3.2 backport Sarge kernel and all has been well ever since. I don't suppose lack of USB3 is really going to worry the average production server operator (the target market for RedHat/CentOS).

    --
    If you don't pray in my school, I won't think in your church.
  20. Another POSIX hater by walterbyrd · · Score: 1

    > Unreasonable hatred is not something we wish to encourage or foster.

    So why do you Red Hat shills so unreasonably hate POSIX, and the UNIX philosophy?

    1. Re:Another POSIX hater by F.Ultra · · Score: 1

      There is nothing anti POSIX or anti UNIX with systemd.

  21. Re:Wayland? by codealot · · Score: 1

    Unless you're running a desktop, who cares? My CentOS servers don't run Wayland, X, or any kind of graphical desktop.

  22. Re:"major changes" by codealot · · Score: 1

    They don't change major version numbers, ever. New features may be patched in as long as the risk is minimal. That's what they call "major". Maybe they should have worded it "noteworthy changes" instead.

  23. Watch out for fatal regression by fnj · · Score: 1

    Well, my big file server just panicked after a 6.7->6.8 upgrade. The ONLY reason to stick with CentOS6 was stability and long lifetime. Since that is now out the window, switching to Ubuntu 16.04 (with the huge advantage of having ZFS precompiled) is back on my burner.

    The good news is it doesn't look like I lost any of my 24 TB of ZFS data, despite panics, reset switches, and power buttons.

  24. Re: 2.6.32 kernel? by F.Ultra · · Score: 1

    No, they backport fixes, which is why the full version of the 2.6.32 kernel used in CentOS 6.8 is kernel-2.6.32-642, this means that it has seen 642 revisions since the original release of the 2.6.32 kernel.

  25. Re: 2.6.32 kernel? by DrXym · · Score: 1

    Such as?

  26. Re:Without systemd by F.Ultra · · Score: 1

    So you sysv lovers now also love upstart?

  27. Re:2.6 by Rakarra · · Score: 1

    > I strongly suspect RedHat has a shitload of paying customers who have told them in no uncertain terms that if RH drops RHEL6 and goes systemd-only, they'll be moving to a non-systemd distro.

    I can assure you, systemd would be far, FAR down the list of reasons for RHEL's paying customers to not switch from 6 to 7.

  28. Here is why by dbIII · · Score: 1

    You misunderstand badly, in fact very badly, and it's not even about whether systemd is any good or not.

    Workstation software development, especially the commercial closed source kind, is very slow.
    A major change in how things work such as systemd means that it will be several years before the developers of that sort of software even consider getting their software to work in the new environment instead of just telling users to use the old one. See also how many commercial packages still recommend turning SElinux off because they haven't got around to working out how their software can operate in that environment.

    So until a lot of vendors dust off their rc scripts and work out what they have to change to run on a host with systemd there are plenty of their clients who will not be upgrading due to systemd itself.

    1. Re:Here is why by Rakarra · · Score: 1

      What I'm saying is that the workstation changes in RHEL 7 are so radical, such a departure from RHEL 6.. I'm not sure where even to begin.
      systemd is easy.. EASY to manage and configure and deal with compared to some of the other changes that run through the operating system, especially in the interface. Hell, converting our old rc scripts into something a bit more systemd-friendly wasn't a problem. It's everything else.

    2. Re:Here is why by dbIII · · Score: 1

      Easy for you and maybe easy for me once I start rolling out CentOS7 (depends on how close to Fedora it is), but I'm describing vendors who tell you to disable iptables and SElinux or they won't give you any support. With one package it's only been three years since they upgraded part of it to run in better than 8bit color! I had to set up users with a second instance of X they could switch to when they wanted to use that stuff (less clunky than VNC).
      A very major geophysics package from a company starting with H and associated with a guy you should not go hunting with only moved to RHEL6/CentOS6 in March last year, and I've still got stuff on CentOS5 because the new version still has some bugs not in the old one. I'll give it at least five years before it will work on RHEL7/CentOS7, and even then I'm likely to have to keep an old version around. If their devs can't cope with iptables and SElinux then systemd is really going to mess up their heads.

      Workstation software development, especially the commercial closed source kind, is very slow.