Ubuntu 20.04 goes End Of Life (EOL) in April 2025. When an operating system goes EOL there is usually a lot to think about so lets break down the options open to you.
By far the easiest of the options but could end up costing you more in the long run. We do not recommend this option.
Doing nothing mean you have a ticking time bomb on your infrastructure. Your infrastructure will no longer receive security updates for the Ubuntu base OS, critical software packages and infrastructure components as well as no security maintenance for high and critical CVEs. This will probably also cause Compliance issues (PCI), Software incompatibility and make your whole network more vulnerable.
Using this option will also mean that more work will be required when you upgrade your server in the future costing you more.
2) Build new infrastructure (and move to the latest Ubuntu LTS release)
Dogsbody always recommend this options as a clean and safe way to upgrade. It allows you to upgrade your hardware to the latest tech. (Suppliers may allow you a free cut over period to manage costs).
This options lets everyone involved test things fully without affecting production infrastructure .
Obviously the disadvantage is this is it is one of the more expensive options, not just because of the work involved but as you may have to pay for two set of hardware and support etc until you migrate from your old to your new infrastructure. Dogsbody offer a one month cross over period for all our maintenance customers 🙂 Also if you have multiple sites on the server (shared hosting) you need to update all sites to the new IP.
Ubuntu 24.04 LTS became available in April 2024 and is supported for 5 years with the end of their standard support in June 2029. We recommend installing the 22.04.1 release especially for production machines.
3) Perform an in-place upgrade
This may only be an option for certain infrastructure types. It can be cheaper than option 2 (and quicker) but only if it upgrades perfectly. This option gives you zero testing time which means there is a risk that this will not work and your infrastructure will be off line whilst you or your support services fix it live.
While in-place upgrades will result with you having a new operating system, you will likely inherit the (less secure) defaults from the old operating system. A great example of this is when the default changed in SSH to disable the insecure v1 of the protocol on new operating system installs. Systems that were upgraded via in-place upgrade would inherit the old config keeping SSH v1 turned on.
We would certainly never recommend more than one in-place upgrade. Taking a single system from Ubuntu 16.04 -> 18.04 -> 20.04 and now 22.04 is a bad idea as it just leaves too many loose threads.
It also means your hardware will not be upgraded keeping you potentially on old, less efficient hardware that may also cause you issues at a later date.
4) Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM)
Extended Security Maintenance (ESM) and Ubuntu Pro are annual subscriptions from Canonical. They provide Security updates for Ubuntu LTS for an additional 5 years (until April 2030 for Ubuntu 20.04). Including security coverage of the Main and Ubuntu Universe repositories for Critical, High and select Medium CVEs.
There are however some large disadvantages with this option at the moment:
Ubuntu Pro is ONLY available on physical machines or on one of the large cloud providers (GCP, Azure, AWS). Smaller public cloud provider such as Linode, Digital Ocean, Vultr etc have no option to use Ubuntu Pro at this time.
Ubuntu Pro will not cover software from other repositories. If you have installed other software (Nginx, Percona, etc.) from their own official repositories then these repo’s may decide to drop support for your operating system as it’s now deemed to be EOL. We have seen this happen multiple times.
Additionally, as with the in-place upgrade, it also means your hardware will not be upgraded keeping you potentially on old, less efficient hardware that may also cause you issues at a later date.
Ubuntu Pro is an enterprise subscription charged per machine per year. Annual costs depend on your infrastructure type (desktop or server) and support requirements.
5) Just shut it down
It’s good to take stock of your infrastructure sometimes, especially internal/pet projects that may have been left to languish.
Do you actually still need this infrastructure? Has it been replaced by something better? If so then you can always just shut it down.
We had customer who reviewed their hosting infrastructure and made the decision to moving their final customer websites to our shared hosting platform which saved them both time and money.
About Ubuntu 24.04
Ubuntu 24.04 LTS release is supported for 5 years with the end of their standard support in June 2029.
Upgrading from Ubuntu 20.04 to Ubuntu 24.04 should, instantly, speed up your sites/infrastructure if you get it right.
It’s worth considering package changes between operating system versions. Some of the most common are…
Dogsbody have a lot of customers who run Ubuntu 20.04 who we will be advising and helping move to the best option for their business. If you need help on deciding the best route for your upgrade please do contact us.
https://www.dogsbody.com/wp-content/uploads/animal-4070485_1280.jpg8531280Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2024-09-27 16:41:012024-09-27 16:47:485 options for Ubuntu 20.04 EOL in April 2025
CentralNic Registry was recently informed of a security issue with one of its third-party vendors. There’s no evidence of a compromise or any unauthorised access however there is a risk that domain authCode’s have been leaked.
A domain auth code can be used to steal a domain from you.
Any domain owners of the following TLD’s are advised to reset the authCode for their domain.
Some registrar’s are batch voiding and regenerating auth codes for affected domains but not all.
Affected TLD’s
gTLDs
.art
.bar
.basketball
.best
.college
.ceo
.design
.fans
.feedback
.frl
.fun
.gent
.host
.icu
.ink
.love
.observer
.online
.ooo
.press
.protection
.realty
.reit
.rent
.rest
.security
.site
.space
.storage
.store
.tech
.theatre
.tickets
.website
.wiki
.xyz
Official ccTLDs
.bh, Bahrain
.fm, Federated States of Micronesia
.fo, Faroe Islands
.gd, Grenada
.gl, Greenland
.la, Laos; also borrowed for Los Angeles
.pw, Palau
.sk, Slovakia
.vg, British Virgin Islands
Unofficial ccTLDs
.ae.org, for United Arab Emirates
.ar.com, Argentina
.br.com, Brazil
.cn.com, China
.com.de, Germany
.de.com, Germany
.eu.com, European Union
.gb.com, Great Britain
.gb.net, Great Britain
.gr.com, Greece
.hu.com, Hungary
.jpn.com, Japan
.jp.net, Japan
.kr.com, Korea
.no.com, Norway
.qc.com, Quebec
.ru.com, Russia
.sa.com, Saudi Arabia
.se.com, Sweden
.se.net, Sweden
.uk.com, United Kingdom
.uk.net, United Kingdom
.us.com: United States
.us.org: United States
.uy.com, Uruguay
.za.com, South Africa
Any domain owners of these TLD’s are advised to reset the authCode for that domain.
It is important to update them to a newer version. We would recommend updating to either:
8.1 supported until 25 November 2024
8.2 supported until 08 December 2025
This new minor version brings with it a number of new features and a few incompatibilities that should be tested for before switching PHP versions in production environments.
You may need to get your developers to update code, check plug-ins and app versions for supportability:
WordPress is not fully compatible with PHP 8.0 or 8.1. All remaining known PHP 8.1 issues are deprecation notices.
Please note, a deprecation notice is not an error, but rather an indicator of where additional work is needed for compatibility before PHP 9 (i.e. when the notices become fatal errors). With a deprecation notice, the PHP code will continue to work and nothing is broken.
At the time of writing PHP 8.2 for wordpress was still waiting on the dev notes.
Not sure what version your server is on? Maybe it’s time for a Server Audit so you have a full picture of your infrastructure – We produce a traffic light report telling you the good, the bad and the ugly…
https://www.dogsbody.com/wp-content/uploads/PHP-80-EOL.jpg10801920Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2023-05-17 13:31:222023-05-17 13:31:22PHP 8.0 will go end of life – 26 Nov 2023
Keeping your WordPress software up to date and safe from vulnerabilities is the most important security tip for any WordPress site. And it’s super easy to do.
Below are three simple ways to secure your WordPress site.
1. Use the latest WordPress Version
Whenever WordPress sends out a new update, it means they may have fixed some bugs, added some features, but most importantly they have added some security features and fixes.
Nowadays, with one-click update, it’s very easy to upgrade your WordPress Version.
Make sure your theme and plugins are compatible with this latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest you wait for your plugins and themes to become compatible before upgrading.
2. Keep Your WordPress Plugins Updated
As I mentioned above, WordPress releases an update to fix bugs and vulnerabilities, and this is the same for plugins. This is a really quick update to make:
Click the Update Now button for the vulnerable plugin
Many times, an out of date plugin or 3rd party script can create a security hole in your WordPress website causing it to become vulnerable.
In general you should always use plugins which are continually updated and have good support.
If you are using a plugin which has not been updated for a while, find an alternative to it. If you have an installed plugin, remove it.
3. Keep Your WordPress Themes Updated
Yes! Even The Themes! Both plugins and themes are built on code. Mostly PHP to be specific. And, that code will eventually be outdated. When a theme (or plugin) is outdated, it’ll still work. Sure. However, it will be more prone to being exploited since it’s an easy way in for attackers.
Make a consistent schedule to regularly check and download the latest updates of themes (and plugins).
These can be found directly on the WordPress dashboard on the “Updates” pages.
Plugins are being updated all the time. For example, on a single day (24 Aug 2021) the following plugin vulnerabilities were all fixed and were ready to be updated:
Contact Form Entries < Version 1.2.1 – Reflected Cross-Site Scripting
TextME SMS < Version 1.8.9 – Authenticated Stored XSS
Live Scores for SportsPress < Version 1.9.1 – Authenticated Local File Inclusion
Live Scores for SportsPress < Version 1.9.1 – Reflected Cross-Site Scripting
SMTP Mail < Version 1.2 – Reflected Cross-Site Scripting (XSS)
SMTP Mail < Version 1.2.2 – Authenticated SQL Injections
Contact List < Version 2.9.42 – Reflected Cross-Site Scripting
Coupon Affiliates for WooCommerce < Version 4.11.0.2 – Reflected Cross-Site Scripting
Podlove Podcast Publisher < Version 3.5.6 – Unauthenticated SQL Injection
Recipe Card Blocks < Version 2.8.1 – Reflected Cross-Site Scripting
As of June 2020 over 73% of the most popular WordPress installations were vulnerable. They were vulnerable to exploitable vulnerabilities that can be detected with free automated tools, within seconds.
It only takes a couple of minutes for a malicious attacker to run an automated tool that can discover these vulnerabilities and exploit them. This highlights the importance choosing the right WordPress web host that auto updates both plugins and WordPress.
The most common vulnerabilities
Arbitrary File Upload & File Viewing: Lack of file type and content filtering allows for upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on a site. Instead of allowing only certain file source to be viewed (for example plugin templates) the lack of checks in the code allows the attacker to view the source of any file, including those with sensitive information such as wp-config.php
Privilege Escalation: Once the attacker has an account on the site, even if it’s only of the subscriber type, he can escalate his privileges to a higher level, including administrative ones.
SQL Injection: By not escaping and filtering data that goes into SQL queries, malicious code can be injected into queries and data deleted, updated or inserted into the database. This is one of the most common vulnerabilities.
Remote Code Execution (RCE): Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.
How Dogsbody can help
So, you maybe wondering ‘How will I know I’m vulnerable in the first place’.
The easiest way is to log into your WordPress site and take a look.
https://www.dogsbody.com/wp-content/uploads/unsplash.com_.photos.8_NI1WTqCGY.webp7001050Ashley Hollandhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngAshley Holland2022-10-14 10:00:382022-10-14 15:50:59Three Easy Ways To Secure Your WordPress Site
Ubuntu 18.04 goes end of life in April 2023. Our usual EOL blog posts tend to be quite short and sharp, making sure that people are aware of software becoming insecure. When an operating system goes EOL there is usually a lot more to think about.
Here we look at your 5 options for Ubuntu 18.04 EOL.
By far the easiest of the options but could end up costing you more in the long run. Dogsbody do not recommend this option.
Doing nothing mean you have a ticking time bomb on your infrastructure. Your 18.04 Infrastructure will no longer receive security updates for the Ubuntu base OS, critical software packages and infrastructure components as well as no security maintenance for high and critical CVEs. This will probably also cause Compliance issues (PCI), Software incompatibility and make your whole network more vulnerable.
Using this option will also mean that more work will be required when you upgrade your server in the future costing you more.
2) Build new infrastructure and move to the latest Ubuntu LTS release (Recommended)
Dogsbody always recommend this options as a clean and safe way to upgrade. It allows you to upgrade your hardware to the latest tech. (Suppliers may allow you a free cut over period to manage costs).
This options lets everyone involved test things fully without affecting production infrastructure .
Obviously the disadvantage is this is it is one of the more expensive options, not just because of the work involved but as you may have to pay for two set of hardware and support etc until you migrate from your old to your new infrastructure. Dogsbody offer a one month cross over period for all our maintenance customers 🙂 Also if you have multiple sites on the server (shared hosting) you need to update all sites to the new IP.
Ubuntu 22.04 LTS became available in April 2022 and is supported for 5 years with the end of their standard support in April 2027. We recommend installing the 22.04.1 release especially for production machines.
3) Perform an in-place upgrade
This may only be an option for certain infrastructure types. It can be cheaper than option 2 (and quicker) but only if it upgrades perfectly. This option gives you zero testing time which means there is a risk that this will not work and your infrastructure will be off line whilst you or your support services fix it live.
While in-place upgrades will result with you having a new operating system, you will likely inherit the (less secure) defaults from the old operating system. e.g. Networking in Ubuntu 14.04 is typically configured via the /etc/network/interfaces file. Networking in Ubuntu 16.04 is typically configured via the netplan configuration files. An in-place upgrade from 16.04 to 18.04 would leave the old interfaces configuration in place which may work or may not depending on the setup you have.
We would certainly never recommend more than one in-place upgrade. Taking a single system from Ubuntu 14.04 -> 16.04 -> 18.04 and now 20.04 is a bad idea as it just leaves too many loose threads.
It also means your hardware will not be upgraded keeping you potentially on old, less efficient hardware that may also cause you issues at a later date.
4) Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM)
Ubuntu Pro and Ubuntu Pro (infra-only) are annual subscriptions from Canonical. They provide Security updates for Ubuntu LTS for an additional 5 years (April 2028). Including security coverage of the Main and Ubuntu Universe repositories (Ubuntu Pro only) for Critical, High and select Medium CVEs.
There is a possibility that other software and packages will drop their support for Ubuntu 18.04 so you may cause yourselves problems down the line if you plan to leave it the full 5 years.
Ubuntu Pro is an enterprise subscription charged per machine per year. Annual costs depend on your infrastructure type (desktop or server) and support requirements.
Security Patching
Ubuntu LTS
Ubuntu Pro (INFRA-ONLY)
Ubuntu Pro
Ubuntu Main Repo
5 years
10 years
10 years
Ubuntu Universe Repo
Best effort
Best effort
10 years
5) Just shut it down
It’s good to take stock of your infrastructure sometimes, especially internal/pet projects that may have been left to languish.
Do you actually still need this infrastructure? Has it been replaced by something better? If so then you can always just shut it down.
About Ubuntu 22.04
Ubuntu 22.04 LTS release is supported for 5 years with the end of their standard support in April 2027.
Upgrading from Ubuntu 18.04 to Ubuntu 22.04 should, instantly, speed up your sites/infrastructure if you get it right.
It’s worth considering package changes between operating system versions. Some of the most common are…
Dogsbody have a lot of customers who run Ubuntu 18.04 who we will be advising and helping move to the best option for their business. If you need help on deciding the best route for your upgrade please do contact us.
https://www.dogsbody.com/wp-content/uploads/beaver-gac8e01c32_1280.jpg8531280Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2022-07-01 09:00:462023-02-09 10:44:575 options for Ubuntu 18.04 EOL
It is important to update them to a newer version. We would recommend updating to either:
8.0 supported until 26 November 2023
8.1 supported until 25 November 2024
New major PHP versions bring with it a number of new features and some incompatibilities. These should be tested before switching PHP versions in production environments. You may need to get your developers to update some code, check plug-ins and app versions for the new PHP supportability:
WordPress 5.6 to 5.9 state that they have added “beta support” for PHP 8.0 and 8.1 however no one know when it will be out of beta status. Beta support means that the compatibility of WordPress with PHP is still being tested. We would usually advise not to use it on a production server until it is fully supported by WordPress.
Not sure what version your server is on? Maybe it’s time for a Server Audit so you have a full picture of your infrastructure – We produce a traffic light report telling you the good, the bad and the ugly…
Otherwise want a hand with your PHP upgrade? Get in touch!
https://www.dogsbody.com/wp-content/uploads/lifeline-ge081f87d3_1920.jpg12801920Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2022-05-26 14:36:332022-05-26 14:36:33PHP 7.4 will go end of life on 28 November 2022
On the 30 June 2022, Debian 9 “Stretch” goes End of Life (EOL). We recommend you upgrade to Debian 11 “Bullseye” (skipping Debian 10 if possible) which is supported until June 2026.
After this date there will be no security updates released for Debian 9 and servers will not be patched for any new vulnerabilities discovered.
Leaving old Debian 9 “Stretch” systems past 30 June 2022 leaves you at risk to:
Security vulnerabilities of the system in question
Software incompatibility
Compliance issues (PCI)
Poor performance and reliability
and
Making your network more vulnerable as a whole
Debian 11 “Bullseye” Supports:
Apache 2.4.48
MariaDB 10.5
MySQL 8.0
PHP 7.4
Python 3, 3.9.1
Not sure where to start? Contact us to find out how we can help you.
https://www.dogsbody.com/wp-content/uploads/debian-9-stretch.jpg10801920Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2022-01-05 14:05:412022-01-05 14:05:41Debian 9 “Stretch” goes End of Life (EOL) June 2022
This weekend, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j, as well as the relative ease with which the vulnerability can be exploited, this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
This was a “zero day exploit”, meaning that the bad guys found this vulnerability and started exploiting it before that vulnerability could be fixed. The NIST has catalogued this as CVE-2021-44228 with a 10/10 severity (the most severe).
Who’s affected
Put simply – Java applications that use the log4j package. It is almost impossible to conclusively list all affected software and services, given such widespread use and the multiple versions and implementations that affects the ability to exploit the vulnerability.
An attempt to list responses from as many vendors and service suppliers can be found here, though this list shouldn’t be taken as authoritative.
What you can do
Most importantly you should take immediate action to do the following:
Identify usage of affected log4j versions within your infrastructure.
Apply available patches from your software vendors, or consider disabling elements of your infrastructure/services until patches are available.
Monitor your systems/logs for signs of previous and ongoing exploit attempts.
Take immediate steps to restore any affected systems to a known good state.
Our Customers
We are actively following the steps above and triaging those affected. Those most severely affected will have already been contacted and we will continue to proactively monitor all infrastructure to ensure all systems are patched as soon as possible.
Fail2ban is a tool which you can use to reduce the impact of attacks on your servers. Typically you configure it to monitor a log file for suspicious activity. Then once the activity crosses a threshold you can have it take an action, such as block the source IP address in your firewall. It’s a good way to stop attacks early but doesn’t entirely prevent them.
Why use it to protect WordPress
Due to it’s popularity, WordPress is often the target of automated attacks. We often see bruteforce attacks targeting xmlrpc.php or wp-login.php, these rely on making a huge number of requests in the hope that one will eventually be successful. Using strong passwords, especially for accounts with admin access is important to reduce the risk from attacks. Fail2ban can be used to slow attackers down. This helps for two reasons: it makes them less likely to succeed; it reduces the load on the server caused by processing these requests.
Blocking an attack as far upstream as possible is always advantageous to save resources so we would typically favour a Web Application Firewall or Webserver configuration over using fail2ban or a WordPress plugin however every site, server and customer is different so it will depend on the exact configuration used and required.
Install & config fail2ban (for Ubuntu)
sudo apt-get install fail2ban
Fail2ban works by having a jail file which references the log file, a filter and an action. By default fail2ban will protect sshd. If you are restricting SSH access in another way then you might want to turn this off. You can do so by creating the following as /etc/fail2ban/jail.local
[sshd]
enabled = false
Fail2ban doesn’t come with a filter for WordPress. I’d like to credit thesetwo articles for providing a good starting point. We see requests to ‘//xmlrpc.php’ (note the double slashes) fairly frequently so tweaked the below to also flag them. As this is detecting any requests to wp-login/xmlrpc it will flag legitimate admin users when they login etc. We’ll look to account for this with the jail configuration.
You can create the filter as /etc/fail2ban/filter.d/wordpress.conf
The jail file has most of the configuration options:
logpath, in this case the path to your Apache access log
action, adjust this if you’re using a different firewall or want to be sent email instead, you can see available options in /etc/fail2ban/action.d/
maxretry, the number of requests within findtime seconds to ban after
bantime, the number of seconds to ban for, with this action how long they’re blocked in iptables
As mentioned, the filter will catch both malicious and legitimate users. We’re configuring maxrety fairly high and bantime relatively low to minimise the probability and impact if we do block a legitimate user. Whilst this allows attackers to make roughly one request every ten seconds this is a fraction of what they’d make without fail2ban.
You can create the jail file as /etc/fail2ban/jail.d/wordpress.conf
https://www.dogsbody.com/wp-content/uploads/river.jpg19202560Jim Carterhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngJim Carter2021-08-09 11:04:382021-08-09 11:04:38How to set-up fail2ban for a WordPress site
It’s July 2021 and there are just 5 months to go until CentOS 8 goes End of Life (31 December 2021).
Ordinarily our blog posts on software going End of Life are pretty cut and dry. This time drastic changes to CentOS’ future direction has complicated what would otherwise be a simple set of decisions.
In this post we’ll cover a few things. Firstly, we’ll recap a little of how this situation arose. Then we’ll take a look at what the changes are and why they might not be quite so bad. Then we’ll dive into your options for dealing with these huge changes…
Unless you’ve been living under the proverbial digital rock, the opening sentence of this post won’t come as a surprise. You’ll also know of the ongoing saga concerning Red Hat bringing CentOS 8 End of Life forward 8(!) years. For those that have been under that rock, here’s what you missed in as few sentences as possible:
CentOS is the community-driven free (as in beer) downstream binary compatible repackaging of the (paid for) Red Hat Enterprise Linux (RHEL) distribution provided by Reb Hat Inc.
CentOS actually ‘joined’ (read ‘was acquired by’) Red Hat back in 2014 which gave Red Hat ‘power/ownership’ over the distribution.
IBM acquired Red Hat for $34B in July 2019, now giving it power over the CentOS project too.
Sept 2019 CentOS 8 is released with an End of Life date of 31 May 2029 and people are encouraged to switch over from the previous CentOS 7 release.
Dec 2020, just 15 months into the CentOS 8 distribution life cycle, Red Hat announces that CentOS 8 will no longer exist and will instead become CentOS Stream. CentOS 8 will receive no updates/support after 31st December 2021, cutting it’s original End of Life date by 8 years! CentOS Stream will also move to being an upstream development branch of RHEL instead of a downstream stable distribution, a complete change from the position CentOS 8 held.
It’s fair to say many people weren’t too happy with this. And who can blame them? Such a violent shift in focus for the distribution would have been enough to cause major ripples throughout the SysAdmin world on its own. Add to that the huge change of CentOS 8’s End of Life date and you really get the perfect storm of Linux Distro drama.
Was it really that bad?
Sort of. No. Yes. Maybe. Whilst this may become a historic text-book example of how not to communicate a product change, the reality is that the move to CentOS Stream is a culmination of years of work changing the way RHEL is delivered. Red Hat has now embraced a Continuous Integration delivery model – branded by Red Hat as ‘Always Ready RHEL’.
CentOS Stream is a natural extension of that work. It’s also a clear ‘bottom line’ lead business decision to reduce the brand and dollar cost CentOS put on RHEL. CentOS Stream will occupy a valuable slot in the RHEL development lifecycle. Rather than be a downstream burden, CentOS Stream will now lead development for the paid distribution.
There is a harsh reality though – CentOS Stream will be less stable than before. But in being slightly less stable it can address some valid complaints. Namely, it can now deliver feature updates faster than before and it will allow community members a chance to affect the downstream product (in this case RHEL).
It’s even possible that CentOS Stream could be far more ‘stable’ in terms of bugs or feature changes (not just version number changes) than other distros. That’s thanks to the move towards testing, CI and rigorous Quality Control under the ‘Always Ready RHEL’ development model. Only time will tell.
None of that matters though when the feelings of those invested in the project have been clouded by poor communication and perceived breach of trust these changes have caused.
What do I do now CentOS 8 support is ending?
Broadly, your choices are split into 4 categories:
Switch over to the paid RHEL distribution
Stay on CentOS 8 and switch over to CentOS Stream
Roll back/rebuild on the CentOS 7 release, which enjoys support out until June 2024
Switch to another distribution
When assessing your options, consider why you’re using CentOS 8 in the first place. There are good reasons to be using this distro. Knowing exactly what your reasons are will help inform your decision as to what steps you take next.
We’ll briefly look at options 1-3 but focus our attention mostly on 4. This is where there has been the most rapid development and your choices can evolve quickly.
Lets start with the elephant in the room – the big drawback to switching to RHEL is cost. Pricing is varied depending on your use case but, as an example, a single server that comes with Red Hat’s famed support starts at $799 for a one year subscription.
A single server license without support will set you back $349 for a one year license.
It would be silly to focus solely on price though. Red Hat offer a huge range of discounts for licensing depending on your use case. Recent offerings, following the change of direction for CentOS, even cut the cost out completely if you’re under a certain size (though there are other caveats to this too).
Cloud providers like Azure, AWS and GCP also offer competitive on-demand pricing that takes care of managing licenses for you.
Another often missed aspect is Red Hat employees are amongst the most active contributors to many core Linux software, including the Kernel itself. Red Hat literally pays it’s people to fix issues in Linux itself, and a huge range of other open-source software. You get access to that kind of expertise, influence and speed of action when you take up their support offerings.
RHEL also has a huge focus on security with tools like SE Linux (love and hate it in equal measure!). Those who need to meet compliance requirements can enjoy automated tools and dedicated help and advice on where they need to make changes.
In short, RHEL is absolutely top of the pile. If you can afford the price!
Switching from CentOS 8 to CentOS Stream
What happens if you just do nothing and stay on CentOS 8? Will it automatically switch to CentOS stream?
In a word, no.
Thankfully, the process to switch is simple and officially endorsed by the CentOS team.
That’s not to say you won’t run into trouble but for the most part the process is simple.
The deeper question is should you switch to CentOS Stream? With the switch to being an Upstream development branch of RHEL, and a semi-Rolling Release at that, the move away from ‘stability’ may make this distro a non-starter for you.
Some have made the counter-argument; if your use case is so brittle that it is unable to handle even minor point version changes to an operating system, then it’s you who is doing something wrong. But the reality is there are situations when stability really is key. In those cases CentOS Stream may not a viable option for some.
If you are struggling with this decision then get in touch and we’d be happy to help you through the process.
Can I downgrade to CentOS 7 from CentOS 8 to avoid CentOS 8 End of Life?
If by downgrade you mean simply change some settings and migrate back down a release, then no.
If you want to switch back to CentOS 7 then you’ll need to perform a full reinstall of CentOS 7 on new physical/virtual hardware. Then migrate data over from your CentOS 8 servers. Not fun!
Likewise, some software is validated only against certain distributions and even certain releases. If you find yourself in that situation then migrating back to CentOS 7 could certainly be a valid option. It could also be a way give you more time to migrate your applications/assess your options.
Before doing so, we’d advise a very careful assessment of the costs and benefits of doing this. Jumping back to CentOS 7 might be the pragmatic choice but it may be worth putting your resources towards a longer term solution. That solution could be migrating to one of the CentOS replacements or maybe to a different distribution altogether.
Alternatives to CentOS 8 and CentOS Stream
Here we come to the core of the discussion but one where the answers are evolving very rapidly.
If you’ve decided that:
RHEL isn’t for you
you don’t want to move to CentOS Stream
downgrading to CentOS 7 seems a waste of time/resources
you still want a downstream distribution that is binary compatible with RHEL (just like CentOS 8)
…then what are your choices?
We’ll now focus on the ‘big three’ options shaping up to be viable candidates to replace CentOS. Then we’ll consider switching to a different distro altogether. Finally, we’ll mention a few other options that might be worth evaluating.
It was a tough choice to decide which of the alternative CentOS distributions to mention first. We could claim we’re going in alphabetical order, but the truth is AlmaLinux is shaping up to be the strongest option for replacing CentOS 8.
The project is backed by CloudLinux but will be ‘owned’ by an entirely separate and community led organisation called The Alma Linux Foundation.
What makes this such an attractive alternative is the cold hard cash backing the project. CloudLinux have committed $1 million a year until 2029 to support the project. They already have a decade long track record of supporting a downstream binary compatible RHEL clone, so they enter the field with a proven level of trust.
Importantly for many businesses AlmaLinux also has the option to receive paid support, provided by CloudLinux themselves.
Yes, Oracle Linux is free. It comes without any deliberate attempts to hold back features. And it offers an enterprise grade distro backed by the option for paid support. But it’s Oracle, so, you know…
To return to trying to be fair; Oracle Linux has a proven track record of bringing updates to their release faster than CentOS did. It also has paid options for cool technology like live kernel patching.
Switching is simple and reliable and you aren’t forced to pay for a support subscription. This is absolutely a 100% free, open source and feature rich CentOS replacement.
You’ll just have to decide for yourselves if you really want to get into bed with Oracle 🙂
RockyLinux comes with one huge bonus – it’s founded by CentOS founder Gregory Kurtzer. Who better to lead the development of a CentOS replacement than the original founder himself?
RockyLinux has a slightly different approach to AlmaLinux, remaining fiercely free of any single external entity’s control/influence. It also has a broad range of supporters/sponsors contributing to the financial health of the project.
If you know you’ll be replacing CentOS then it’s worth considering whether you want to stay on a distribution of the same derivative or switch to something else entirely.
One of the most popular and well supported options is an Ubuntu LTS variant. Ubuntu is based on the Debian branch of the Linux Family Tree. It enjoys huge developer, application and server provider support. Ubuntu also has massive ‘mindshare’ and deep penetration into the ‘consumer’ Linux market. This means it has a huge community, a well deserved level of trust and is familiar to most Linux users.
Ubuntu LTS releases deliver 5 years of updates free of charge, with extended support options available as paid extras. It is backed by Canonical who offer a range of support and services should you have Enterprise level needs.
Ubuntu’s popularity meant it was the first non-RHEL based distro to receive full cPanel support after CentOS announced it’s change of direction. Unfortunately, it’s still going to be some time until you can run cPanel on an Ubuntu server. We’ll discuss in the cPanel section below.
Debian is the grandfather of the Linux world. It’s been around forever and it’ll be around forever. Our recommendation above, Ubuntu, is built from a Debian base.
Aside from being huge advocates for freedom, Debian also delivers a rock solid distribution that mirrors the ethics it espouses. It’s legendary focus on stability and support throughout the OS lifecycle rightly earns Debian a place on our recommended list.
Not only that, Debian is available for almost every architecture, every cloud service and every piece of hardware it’s possible to run a computer system on. Along with that comes an uncountable number of experts ready to help you whatever your needs.
The author can’t do justice to OpenSUSE, having last played with it over a decade ago. What we can say is that modern OpenSUSE offers an extremely well rounded alternative to Debian or RHEL based distributions.
OpenSUSE’s commitment to open-source and software freedom goes further than most. It has tools like the Open Build System and OpenQA, as well as excellent technology such as YaST or MicroOS.
Yes, which means you can’t install cPanel on Ubuntu…yet.
But given cPanel versions bump up by 2 roughly every couple of months, and there are 6 versions to go…expect Ubuntu support somewhere around Oct-Dec 2021.
Wrapping it all up…
Well, this was a bit of a bigger post than our usual OS End of Life notices! And with 5 months to go things are still evolving rapidly.
We ourselves will be carefully monitoring the developments on the various replacement distros over the coming months. We’ll also be keenly exploring the opportunities afforded by companies like cPanel supporting different distributions such as Ubuntu.
If you need to jump ship right now but need to maintain compatibility with CentOS 8, you should consider AlmaLinux. It’s certainly leading the race to be a true CentOS 8 replacement, if you ignore Oracle’s offering.
Having read this post you might feel that the choices open to you right now might seen overwhelming. If you want some help deciding then we encourage you to get in touch with us. Our team of expert System Administrators have years of experience guiding customers in complex choices like this one.
We’d love to help you find the right solution for your needs!
https://www.dogsbody.com/wp-content/uploads/centos8-end-of-life1.jpg8421920Josh Archerhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngJosh Archer2021-07-19 11:06:282021-07-21 20:21:00CentOS 8 End of Life and what to do about it