I have used Red Hat professionally since my first job as a System Administrator back in 2010 [1]. I started out on Red Hat Enterprise Linux 5, which was a solid OS but a huge pain for development since its packages were outdated. Building and using modern tools on RHEL 5 was not fun.
While I was supporting RHEL 5, RHEL 6 was released. It was a step in the right direction but still lagged behind its main competitor in the server space, Ubuntu 12.04 LTS, in terms of modern Linux features. RHEL 6 still felt behind the times and moving too slowly, too conservatively. Conservatism is an admirable trait in a server operating system, but RHEL always felt conservative to a fault.
Since 2013, all the production servers I have deployed (including the one that runs this site) run CentOS 6. I have been happy with CentOS 6 but it has always felt like a stepping stone release: solid, much newer packages, but still uses an older kernel and upstart with some sysv sprinkled in. I have anxiously awaited the release of RHEL 7 which I knew would further modernize the OS and bring systemd to handle services.
Ironically, when RHEL 7 was released last year, I was overwhelmed by the amount of fundamental changes, changes I have been wishing for since my RHEL 5 days [2].
firewalld now manages the firewall, XFS is the new default filesystem, GRUB 2 is the default bootloader on 64-bit systems, and the tools for doing basic network configuration have changed. I’ve been looking at it seriously the last few days and this is my overview of how to get acclimated to RHEL 7 if you have lots of experience with Red Hat or CentOS.
CentOS Release Naming Scheme
This is CentOS specific, but the version numbering has changed. This threw me off a bit until I found the explanation:
CentOS 7.0-1406 introduces a new numbering scheme that we want to further develop into the life of CentOS-7. The 0 component maps to the upstream release, whose code this release is built from. The 1406 component indicates the monthstamp of the code included in the release (in this case, June 2014).
systemd brings a lot more to the table than just better management of services: it also completely replaces the concept of runlevels and handles reboot and shutdown [3]. A welcome default setting in RHEL 7 is that single user mode now requires the root password [4]. Previous versions defaulted to /sbin/sushell, which gives root access without authentication.
One caveat is that to actually protect access to single user mode, you also need to password protect GRUB 2, since you can tell GRUB 2 to execute any command, such as /bin/sh. You should always password protect both the bootloader and single user mode. Single user mode is now password protected by default, so that's one less thing that needs to be configured.
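The two settings discussed above (which shell single user mode drops into, and whether GRUB 2 asks for a password) are easy to audit from the config files. The script below is an added example, not something from the original post: it reads a RHEL 6 style /etc/sysconfig/init (the SINGLE= line), a systemd rescue.service unit (the ExecStart= line) and a GRUB 2 config (set superusers= plus password_pbkdf2), and reports whether each one is protected. All three files it reads here are constructed samples written to temporary files, so it runs without root and without touching the live system; point the functions at the real paths to audit a host.

```shell
#!/bin/sh
# Added example (not from the original post): audit single-user-mode and
# bootloader protection from config files. The functions take a path, so
# they work on the constructed samples below or on the real files.

# Print "sushell", "sulogin" or "unknown" for a RHEL 6 style
# /etc/sysconfig/init ($1); SINGLE= names the single-user shell.
single_user_shell_sysv() {
    if grep -Eq '^SINGLE=.*/sushell' "$1"; then
        echo sushell          # root shell, no password asked
    elif grep -Eq '^SINGLE=.*/sulogin' "$1"; then
        echo sulogin          # root password required
    else
        echo unknown
    fi
}

# Same verdict for a systemd unit file ($1): the shell is whatever the
# ExecStart= line runs (RHEL 7's rescue.service runs sulogin first).
single_user_shell_systemd() {
    if grep -Eq '^ExecStart=.*/sushell' "$1"; then
        echo sushell
    elif grep -Eq '^ExecStart=.*/sulogin' "$1"; then
        echo sulogin
    else
        echo unknown
    fi
}

# Print "yes" if a GRUB 2 config ($1) defines superusers AND a hashed
# password; GRUB 2 needs both before it will prompt for credentials.
grub_has_password() {
    if grep -Eq '^set superusers=' "$1" && grep -Eq '^password_pbkdf2 ' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample: RHEL 6 default, shell without authentication.
write_sample_sysv_init() {
    f=$(mktemp) || return 1
    printf '%s\n' 'BOOTUP=color' 'SINGLE=/sbin/sushell' >"$f"
    echo "$f"
}

# Constructed sample resembling RHEL 7's rescue.service: sulogin first.
write_sample_rescue_unit() {
    f=$(mktemp) || return 1
    printf '%s\n' '[Unit]' 'Description=Rescue Shell' '[Service]' \
        'Environment=HOME=/root' \
        'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' \
        'Type=idle' >"$f"
    echo "$f"
}

# Constructed sample GRUB 2 config with a (placeholder) hashed password.
write_sample_grub_cfg() {
    f=$(mktemp) || return 1
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.PLACEHOLDER_HASH' >"$f"
    echo "$f"
}

# Stand-alone run: report the verdict for each sample.
a=$(write_sample_sysv_init)
b=$(write_sample_rescue_unit)
c=$(write_sample_grub_cfg)
echo "RHEL 6 style init:     $(single_user_shell_sysv "$a")"
echo "RHEL 7 rescue.service: $(single_user_shell_systemd "$b")"
echo "GRUB 2 password set:   $(grub_has_password "$c")"
rm -f "$a" "$b" "$c"
```

Both checks are needed together: a rescue unit that runs sulogin is no protection if GRUB 2 lets anyone edit the kernel command line or open a GRUB shell, which is the caveat the post makes.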
Show all services:
systemctl list-units | grep service
Show all enabled service units:
systemctl list-unit-files -t service | grep enabled
Disable service units:
systemctl disable [unit file name]
Stop/start service units:
systemctl stop [unit file name]
systemctl start [unit file name]
systemctl restart [unit file name]
systemctl reload [unit file name]
Two major things have changed regarding networking in RHEL 7: interface naming and the removal of some very common tools such as
Regarding interface names, the ethX scheme is gone in favor of a more consistent naming scheme. The interface names look a bit funny at first, but they are a welcome change once you understand the logic. Also, anyone who has ever written custom udev rules so interfaces are named consistently will love the new system. Interface config files are still stored in /etc/sysconfig/network-scripts and have a familiar syntax. You can change the name of the interface by changing the NAME= parameter in the appropriate configuration file, then restarting the network service (systemctl restart network).
The following commands have been removed in favor of different (not necessarily new) tools to perform the same function: route. These can be installed by running yum install net-tools, but it's a good idea to get used to the new tools instead of hanging on to the old ones.
Here is how to perform familiar tasks with the “new” tools:
List interfaces (old
ip link show
Disable/enable an interface:
ip link set ens160 down
ip link set ens160 up
Show ip addresses (old
ip addr show
Add address to an interface:
# Include the prefix length; without it, ip assumes a /32 host address
ip addr add 192.168.0.19/24 dev ens160
Show routing table (old
route -an or
ip route show
The global default gateway is stored in /etc/sysconfig/network. Add the following line to create a default gateway:
Show all listening ports (old
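Listing listening ports is the check most people reach for first after a fresh install. The script below is an added example rather than the post's own command: it assumes `ss -tln` (shipped in the iproute package alongside `ip`) as the source of the socket table, and parses a constructed copy of that output so it runs without root or a live host. It separates ports bound to every address (reachable from the network) from loopback-only ones, which is the distinction that matters when deciding what the firewall has to cover.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ss -tln output
# format; the sample below is constructed, not captured from a real host.

# Constructed ss -tln output.
write_sample_ss_output() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                            *:*
LISTEN     0      100    127.0.0.1:25                    *:*
LISTEN     0      128    :::22                           :::*
LISTEN     0      128    *:80                            *:*
LISTEN     0      50     127.0.0.1:3306                  *:*
EOF
    echo "$f"
}

# Print TCP ports from an ss -tln dump ($1) that listen on all addresses
# (*, 0.0.0.0 or ::), one per line, numerically sorted and de-duplicated.
exposed_ports() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":")            # port is the last ":"-separated field
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            print port
    }' "$1" | sort -un
}

# Print ports bound only to loopback (127.0.0.1 or ::1): local services
# that the network cannot reach regardless of firewall rules.
loopback_ports() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1") print port
    }' "$1" | sort -un
}

# Stand-alone run against the constructed sample.
f=$(write_sample_ss_output)
echo "Ports open to the network: $(exposed_ports "$f" | tr '\n' ' ')"
echo "Loopback only:             $(loopback_ports "$f" | tr '\n' ' ')"
rm -f "$f"
```

On a real host, replace the sample file with `ss -tln > /tmp/ss.txt` and pass that path; the IPv6 `:::22` form is handled by splitting on the last colon, which is the part that trips up naive parsers.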
There is also a new command for setting the hostname: hostnamectl. The "static" hostname is now stored in /etc/hostname instead of /etc/sysconfig/network. The "transient" hostname is akin to using the hostname command (which still exists). hostnamectl also has settings for use by graphical desktop environments, which I won't go over.
Show the hostname:
Set the transient and static hostname:
hostnamectl set-hostname [fqdn]
Probably the biggest change in RHEL 7 is the replacement of the iptables service with firewall-cmd. It still uses iptables under the hood, but how the rules are stored and how you interact with the firewall are quite different. Plus, firewalld is zone-based, a powerful feature that can be a bit of a hurdle to get over. Look at the XML config files in /usr/lib/firewalld to get a better understanding of the defaults.
I'm not going to do a full overview of firewalld here. The official documentation is excellent. This is my short list of commands to get up and running if you're accustomed to working with iptables and looking at
Here are some key concepts to know:
- An interface must be added to a zone before the firewall rules have any effect.
- Rules added with --permanent get written to config files in /etc/firewalld and do not take effect until the firewall is reloaded with
- To show all the current rules, iptables -vnL is still your friend.
- There is a rich rules syntax for specifying source and destination address, among other things.
Show firewall status:
firewall-cmd --state
# OR
systemctl status firewalld
Show all zones:
Show default zone:
Set default zone:
firewall-cmd --set-default-zone [zone]
Add an interface to a zone:
# With no --zone option, adds to the default zone
firewall-cmd --add-interface=ens160
# Specify the --zone option to add to a zone other than the default
firewall-cmd --add-interface=ens160 --zone=home
Show active zones and their interfaces:
Show all settings of a zone, including member interfaces and open ports/services:
firewall-cmd --zone=public --list-all
Only allow access to SSH from a certain subnet:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 service name=ssh accept'
Only allow access to a range of UDP ports from a certain subnet:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 port port=5060-5062 protocol=udp accept'
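Two things are worth checking after adding rich rules like the ones above. First, a rich rule that accepts a service from one subnet does not by itself restrict that service: if the service is still listed zone-wide (the services: line of a zone, where ssh sits by default in public), it is accepted from every source and the rich rule is redundant. Second, the commands above were run without --permanent, so they vanish on the next reload. The script below is an added example, not part of the post or of firewalld: it parses two constructed dumps in the `firewall-cmd --zone=public --list-all` format (a runtime view and a --permanent view) and reports both problems.

```shell
#!/bin/sh
# Added example (not from the original post). The two dumps below are
# constructed in the style of `firewall-cmd --list-all` output; on a real
# host you would save `--list-all` and `--permanent --list-all` to files.

# Constructed runtime dump: ssh is zone-wide AND in a subnet rich rule.
write_runtime_dump() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept
	rule family="ipv4" source address="10.0.0.0/24" port port="5060-5062" protocol="udp" accept
EOF
    echo "$f"
}

# Constructed --permanent dump: the UDP port rule was never made permanent.
write_permanent_dump() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
public (default)
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept
EOF
    echo "$f"
}

# Print services that appear in a source-restricted rich rule AND in the
# zone's services: line of dump $1. For those, the rich rule restricts
# nothing: the service is already accepted from every source.
still_open_zone_wide() {
    zone_services=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p' "$1")
    sed -n 's/.*source address=.*service name="\([^"]*\)".*/\1/p' "$1" |
    while read -r svc; do
        for s in $zone_services; do
            [ "$s" = "$svc" ] && echo "$svc"
        done
    done
}

# Print rich rules present in the runtime dump ($1) but absent from the
# permanent dump ($2): these disappear on reload or reboot.
runtime_only_rules() {
    grep '^[[:space:]]*rule ' "$1" | sed 's/^[[:space:]]*//' | sort >"$1.rt"
    grep '^[[:space:]]*rule ' "$2" | sed 's/^[[:space:]]*//' | sort >"$2.pm"
    # -F fixed strings, -x whole line, -v not matched, -f patterns from file
    grep -Fxvf "$2.pm" "$1.rt" || true
    rm -f "$1.rt" "$2.pm"
}

# Stand-alone run against the constructed dumps.
rt=$(write_runtime_dump); pm=$(write_permanent_dump)
echo "Rich rule does not restrict (service still zone-wide): $(still_open_zone_wide "$rt")"
echo "Runtime-only rules (lost on reload):"
runtime_only_rules "$rt" "$pm"
rm -f "$rt" "$pm"
```

To make the ssh rule actually restrictive, the ssh service has to come out of the zone's service list so that only the rich rule accepts it; and each rule you want to survive a reload needs a second invocation with --permanent (or the permanent dump will keep showing the gap this script reports).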
[1] Seems like I've been at this longer. A lot has changed in five short years.
[2] Insert "Be careful what you wish for" lesson here.
reboot are now symlinks that point to
rescue.service. They all call