Administrators who have run Linux, or garden-variety Unix variants, have learned to live inside the Unix systems administration and security models. They’re still there in the new Red Hat Enterprise Linux 5 distribution (RHEL5), announced last week.
But there’s a chance that a migration to RHEL5 can cause things to stop working if you’re not aware of the changes.
If you’ve followed Fedora Core 6, then little of Red Hat’s Enterprise Linux 5 will be a mystery to you. If you’re used to RHEL4 and earlier, however, you’ll find that Red Hat now adds serious value in the form of user-session security and, if desired, server session para-virtualisation.
The changes come on four levels: Security Enhanced Linux (SELinux) deployment, Xen virtualisation, new versions of important software packages and the onset of IP Version 6.
It’s absolutely possible to deploy RHEL5, ignore the feature sets that Red Hat bundles into it and lead a happy life. Your resulting life may be bereft of the newest features -- stable and predictable server para-virtualisation -- but you’ll have an up-to-date distribution with a full kit of the latest applications.
Red Hat first delivered SELinux in RHEL4. Security Enhanced Linux is a method of atomising user sessions and preventing user sessions from accessing root authentication, or applications and processes that can gain root. Microsoft introduced similar technology in Windows XP SP2, and it now lives in Windows Vista, too. The concept prevents applications from increasing their privilege. Older applications may misbehave because they’re unable to garner resources that were "legal" before.
Shaking out these applications may be very simple, and there are numerous policy control settings that administrators can make to selectively elevate critical activities without compromising essential systems security. Different levels of primary SELinux environmental control can be set, ranging from very tight to "who cares?"
The important consideration is that a bit of experimentation is needed to ensure reliability. SELinux Troubleshooter is a good tool for examining the logs of SELinux errors so you can track the errors down and fix them. SELinux Management Tool, in turn, can change a wide variety of settings so that problems found through the logs can be fixed in an orderly way.
The benefit at the end of the exercise of deploying SELinux is that it becomes very difficult for sessions to jeopardise systems security or tie up crucial resources with misbehaving applications -- if SELinux controls are properly applied.
Red Hat criticised Xen when Novell included virtualisation technology in its SUSE Linux Enterprise Server 10, released in July 2006. But the company has changed its tune, as XenSource and Red Hat have worked with Xen through several rounds of maturation.
The downside to running applications within guest operating system sessions is that virtualised sessions can be stifled by sporadic, high disk I/O or network needs. Virtualised sessions also aren’t really designed for graphics. However, applications that run as processing jobs in the old IBM Job Control Language sense often do very well in guest operating system sessions -- provided you're confident you can control their communications demands or spontaneous high-memory paging needs.
The advanced Apache 2.3 version is also included, which for some represents a milestone because of its ability to work more closely with Lightweight Directory Access Protocol authentication. RHEL4 included the 2.0 version of the Web server.
What others have found, however, is that Web applications need to be strongly tested before moving to Apache 2.3. Apache 2.0 represented a similar leap, and probably required a code update session, when migrating from Apache 1.3. The robust feature set of Apache 2.3 is tempting for many reasons, including more flexible authentication support, but the module application programming interface is different.
The final implication for sysadmins is the advent of full-featured support in RHEL 5 for IPv6. Yes, IPv4 works just fine, but if your organisation is one of many that finds itself being pushed toward IPv6 and its comparatively gargantuan IP address space, then, with RHEL5 and its core routing and firewalling, you should understand and use both IPv6 and IPv4 almost interchangeably. If you’ve worried about cross-application support for IPv6, RHEL 5 has it.
Many of these advanced components can be highly desirable from both a reliability and a systems security perspective. As a basis for new code development, however, the components inside the RHEL 5 distribution aren’t experimental or technology previews anymore. Instead, you’ll find experimental components in the community-supported environs of the Fedora Project, where they may or may not catch the Red Hat Linux wind in their sails.