5 options for Ubuntu 20.04 EOL in April 2025

/0 Comments/in /by

Ubuntu 20.04 goes End Of Life (EOL) in April 2025. When an operating system goes EOL there is usually a lot to think about so lets break down the options open to you.

  1. Do nothing
  2. Build new infrastructure (and move to the latest Ubuntu LTS release)
  3. Perform an in-place upgrade
  4. Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM) – UPDATED 12 Nov 2024
  5. Just shut it down

Lets explore the pros and cons of each option.

1) Do Nothing (Not Recommended) See hear and speak no evil monkey statues

By far the easiest of the options but could end up costing you more in the long run. We do not recommend this option.

Doing nothing mean you have a ticking time bomb on your infrastructure. Your infrastructure will no longer receive security updates for the Ubuntu base OS, critical software packages and infrastructure components as well as no security maintenance for high and critical CVEs. This will probably also cause Compliance issues (PCI), Software incompatibility and make your whole network more vulnerable.

Using this option will also mean that more work will be required when you upgrade your server in the future costing you more.

2) Build new infrastructure (and move to the latest Ubuntu LTS release)

Clipart image of a trophyDogsbody always recommend this options as a clean and safe way to upgrade. It allows you to upgrade your hardware to the latest tech. (Suppliers may allow you a free cut over period to manage costs).

This options lets everyone involved test things fully without affecting production infrastructure .

Obviously the disadvantage is this is it is one of the more expensive options, not just because of the work involved but as you may have to pay for two set of hardware and support etc until you migrate from your old to your new infrastructure. Dogsbody offer a one month cross over period for all our maintenance customers 🙂 Also if you have multiple sites on the server (shared hosting) you need to update all sites to the new IP.

Ubuntu 24.04 LTS became available in April 2024 and is supported for 5 years with the end of their standard support in June 2029. We recommend installing the 22.04.1 release especially for production machines.

3) Perform an in-place upgrade

This may only be an option for certain infrastructure types. It can be cheaper than option 2 (and quicker) but only if it upgrades perfectly. This option gives you zero testing time which means there is a risk that this will not work and your infrastructure will be off line whilst you or your support services fix it live.

While in-place upgrades will result with you having a new operating system, you will likely inherit the (less secure) defaults from the old operating system. A great example of this is when the default changed in SSH to disable the insecure v1 of the protocol on new operating system installs. Systems that were upgraded via in-place upgrade would inherit the old config keeping SSH v1 turned on.

We would certainly never recommend more than one in-place upgrade. Taking a single system from Ubuntu 16.04 -> 18.04 -> 20.04 and now 22.04 is a bad idea as it just leaves too many loose threads.

It also means your hardware will not be upgraded keeping you potentially on old, less efficient hardware that may also cause you issues at a later date.

4) Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM) – UPDATED 12 Nov 2024

Extended Security Maintenance (ESM) and Ubuntu Pro are annual subscriptions. They provide Security updates for Ubuntu LTS for an additional 5 years (until April 2030 for Ubuntu 20.04). Including security coverage of the Main and Ubuntu Universe repositories for Critical, High and select Medium CVEs.

The disadvantages with this option Ubuntu Pro will not cover software from other repositories. If you have installed other software (Nginx, Percona, etc.) from their own official repositories then these repo’s may decide to drop support for your operating system as it’s now deemed to be EOL. We have seen this happen multiple times so unfortunately isn’t the panacea for all Ubuntu users.

Additionally, as with the in-place upgrade, it also means your hardware will not be upgraded keeping you potentially on old, less efficient hardware that may also cause you issues at a later date.

After a extensive discussion with Canonical we finally have a solution for getting Ubuntu Pro on smaller public cloud provider such as Linode, Digital Ocean, Vultr etc.

Ubuntu Pro is an enterprise subscription charged per machine per year. If Ubuntu Pro is something you are interested in please contact us.

5) Just shut it downThe Ubuntu shutdown screen

It’s good to take stock of your infrastructure sometimes, especially internal/pet projects that may have been left to languish.

Do you actually still need this infrastructure? Has it been replaced by something better? If so then you can always just shut it down.

We had customer who reviewed their hosting infrastructure and made the decision to moving their final customer websites to our shared hosting platform which saved them both time and money.

About Ubuntu 24.04

Ubuntu 24.04 LTS release is supported for 5 years with the end of their standard support in June 2029.

Upgrading from Ubuntu 20.04 to Ubuntu 24.04 should, instantly, speed up your sites/infrastructure if you get it right.

It’s worth considering package changes between operating system versions. Some of the most common are…

  • Apache 2.4.52 -> Apache 2.4.58
  •  PHP 8.1.2 (default) -> PHP 8.3.6
  • Nginx 1.24
  • The docker.io package is version 24.0.7

More info in the Noble Numbat Release Notes.

Dogsbody have a lot of customers who run Ubuntu 20.04 who we will be advising and helping move to the best option for their business. If you need help on deciding the best route for your upgrade or more information about getting Ubuntu Pro for smaller public cloud provider please do contact us.

TLD’s affected by CentralNic Registry authCode reset

/0 Comments/in /by

CentralNic Registry was recently informed of a security issue with one of its third-party vendors. There’s no evidence of a compromise or any unauthorised access however there is a risk that domain authCode’s have been leaked.

A domain auth code can be used to steal a domain from you.

Any domain owners of the following TLD’s are advised to reset the authCode for their domain.

Some registrar’s are batch voiding and regenerating auth codes for affected domains but not all.

Affected TLD’s

gTLDs

  • .art
  • .bar
  • .basketball
  • .best
  • .college
  • .ceo
  • .design
  • .fans
  • .feedback
  • .frl
  • .fun
  • .gent
  • .host
  • .icu
  • .ink
  • .love
  • .observer
  • .online
  • .ooo
  • .press
  • .protection
  • .realty
  • .reit
  • .rent
  • .rest
  • .security
  • .site
  • .space
  • .storage
  • .store
  • .tech
  • .theatre
  • .tickets
  • .website
  • .wiki
  • .xyz

Official ccTLDs

  • .bh, Bahrain
  • .fm, Federated States of Micronesia
  • .fo, Faroe Islands
  • .gd, Grenada
  • .gl, Greenland
  • .la, Laos; also borrowed for Los Angeles
  • .pw, Palau
  • .sk, Slovakia
  • .vg, British Virgin Islands

Unofficial ccTLDs

  • .ae.org, for United Arab Emirates
  • .ar.com, Argentina
  • .br.com, Brazil
  • .cn.com, China
  • .com.de, Germany
  • .de.com, Germany
  • .eu.com, European Union
  • .gb.com, Great Britain
  • .gb.net, Great Britain
  • .gr.com, Greece
  • .hu.com, Hungary
  • .jpn.com, Japan
  • .jp.net, Japan
  • .kr.com, Korea
  • .no.com, Norway
  • .qc.com, Quebec
  • .ru.com, Russia
  • .sa.com, Saudi Arabia
  • .se.com, Sweden
  • .se.net, Sweden
  • .uk.com, United Kingdom
  • .uk.net, United Kingdom
  • .us.com: United States
  • .us.org: United States
  • .uy.com, Uruguay
  • .za.com, South Africa

Any domain owners of these TLD’s are advised to reset the authCode for that domain.

 

PHP 8.0 will go end of life – 26 Nov 2023

/0 Comments/in /by

PHP 8.0 goes end of life on the 26 November 2023. Known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 8.1 supported until 25 November 2024
  • 8.2 supported until 08 December 2025

This new minor version brings with it a number of new features and a few incompatibilities that should be tested for before switching PHP versions in production environments.

You may need to get your developers to update code, check plug-ins and app versions for supportability:

WordPress is still only showing “beta support” for anything PHP 8.0 or above, as WordPress say:

WordPress is not fully compatible with PHP 8.0 or 8.1. All remaining known PHP 8.1 issues are deprecation notices.

Please note, a deprecation notice is not an error, but rather an indicator of where additional work is needed for compatibility before PHP 9 (i.e. when the notices become fatal errors). With a deprecation notice, the PHP code will continue to work and nothing is broken.

At the time of writing PHP 8.2 for wordpress was still waiting on the dev notes.

Not sure what version your server is on? Maybe it’s time for a Server Audit so you have a full picture of your infrastructure – We produce a traffic light report telling you the good, the bad and the ugly…

Want a hand with your PHP upgrade? Get in touch!

Three Easy Ways To Secure Your WordPress Site

/2 Comments/in /by

Keeping your WordPress software up to date and safe from vulnerabilities is the most important security tip for any WordPress site. And it’s super easy to do.

Below are three simple ways to secure your WordPress site.

1. Use the latest WordPress Version

Whenever WordPress sends out a new update, it means they may have fixed some bugs, added some features, but most importantly they have added some security features and fixes.

One Click WordPress Update

Out of date WordPress verion

When you see the message above: Update it.

Nowadays, with one-click update, it’s very easy to upgrade your WordPress Version.

Make sure your theme and plugins are compatible with this latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest you wait for your plugins and themes to become compatible before upgrading.

2. Keep Your WordPress Plugins Updated

As I mentioned above, WordPress releases an update to fix bugs and vulnerabilities, and this is the same for plugins. This is a really quick update to make:

Guide to updating your WordPress Plugin

My 3 really simple steps:

  1. Log into your WordPress Site via wp-admin
  2. Click on ‘Plugins’ on the Left hand side
  3. Click the Update Now button for the vulnerable plugin

Many times, an out of date plugin or 3rd party script can create a security hole in your WordPress website causing it to become vulnerable.

In general you should always use plugins which are continually updated and have good support.

If you are using a plugin which has not been updated for a while, find an alternative to it. If you have an installed plugin, remove it.

Vulnerable WordPress Plugins

3. Keep Your WordPress Themes Updated

Yes! Even The Themes! Both plugins and themes are built on code. Mostly PHP to be specific. And, that code will eventually be outdated. When a theme (or plugin) is outdated, it’ll still work. Sure. However, it will be more prone to being exploited since it’s an easy way in for attackers.

Make a consistent schedule to regularly check and download the latest updates of themes (and plugins).

These can be found directly on the WordPress dashboard on the “Updates” pages.

For more helpful tips try:

Guide to updating your WordPress Theme

Vulnerable WordPress Themes

But why is this so important?

Hackers created over 65 million new malware in the first quarter of 2019 alone!

Plugins are being updated all the time. For example, on a single day (24 Aug 2021) the following plugin vulnerabilities were all fixed and were ready to be updated:

  • Contact Form Entries < Version 1.2.1 – Reflected Cross-Site Scripting
  • TextME SMS < Version 1.8.9 – Authenticated Stored XSS
  • Live Scores for SportsPress < Version 1.9.1 – Authenticated Local File Inclusion
  • Live Scores for SportsPress < Version 1.9.1 – Reflected Cross-Site Scripting
  • SMTP Mail < Version 1.2 – Reflected Cross-Site Scripting (XSS)
  • SMTP Mail < Version 1.2.2 – Authenticated SQL Injections
  • Contact List < Version 2.9.42 – Reflected Cross-Site Scripting
  • Coupon Affiliates for WooCommerce < Version 4.11.0.2 – Reflected Cross-Site Scripting
  • Podlove Podcast Publisher < Version 3.5.6 – Unauthenticated SQL Injection
  • Recipe Card Blocks < Version 2.8.1 – Reflected Cross-Site Scripting
  • Recipe Card Blocks < Version 2.8.3 – Contributor+ Stored Cross-Site Scripting

As of June 2020 over 73% of the most popular WordPress installations were vulnerable. They were vulnerable to exploitable vulnerabilities that can be detected with free automated tools, within seconds.
It only takes a couple of minutes for a malicious attacker to run an automated tool that can discover these vulnerabilities and exploit them. This highlights the importance choosing the right WordPress web host that auto updates both plugins and WordPress.

The most common vulnerabilities

Arbitrary File Upload & File Viewing: Lack of file type and content filtering allows for upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on a site. Instead of allowing only certain file source to be viewed (for example plugin templates) the lack of checks in the code allows the attacker to view the source of any file, including those with sensitive information such as wp-config.php

Privilege Escalation: Once the attacker has an account on the site, even if it’s only of the subscriber type, he can escalate his privileges to a higher level, including administrative ones.

SQL Injection: By not escaping and filtering data that goes into SQL queries, malicious code can be injected into queries and data deleted, updated or inserted into the database. This is one of the most common vulnerabilities.

Remote Code Execution (RCE): Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.

How Dogsbody can help

So, you maybe wondering ‘How will I know I’m vulnerable in the first place’.

The easiest way is to log into your WordPress site and take a look.

 

Feature image by mmayyer licensed Unsplash.

5 options for Ubuntu 18.04 EOL

/0 Comments/in /by

Ubuntu 18.04 goes end of life in April 2023. Our usual EOL blog posts tend to be quite short and sharp, making sure that people are aware of software becoming insecure. When an operating system goes EOL there is usually a lot more to think about.

Here we look at your 5 options for Ubuntu 18.04 EOL.

  1. Do nothing (Not recommended)
  2. Build new infrastructure and move to the latest Ubuntu LTS release (Recommended)
  3. Perform an in-place upgrade
  4. Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM)
  5. Just shut it down

Lets explore the pros and cons of each option.

1) Do Nothing (Not Recommended) Options for Ubuntu 18.04 EOL

By far the easiest of the options but could end up costing you more in the long run.  Dogsbody do not recommend this option.

Doing nothing mean you have a ticking time bomb on your infrastructure. Your 18.04 Infrastructure will no longer receive security updates for the Ubuntu base OS, critical software packages and infrastructure components as well as no security maintenance for high and critical CVEs. This will probably also cause Compliance issues (PCI), Software incompatibility and make your whole network more vulnerable.

Using this option will also mean that more work will be required when you upgrade your server in the future costing you more.

2) Build new infrastructure and move to the latest Ubuntu LTS release (Recommended)

Options for Ubuntu 18.04 EOLDogsbody always recommend this options as a clean and safe way to upgrade. It allows you to upgrade your hardware to the latest tech. (Suppliers may allow you a free cut over period to manage costs).

This options lets everyone involved test things fully without affecting production infrastructure .

Obviously the disadvantage is this is it is one of the more expensive options, not just because of the work involved but as you may have to pay for two set of hardware and support etc until you migrate from your old to your new infrastructure. Dogsbody offer a one month cross over period for all our maintenance customers 🙂 Also if you have multiple sites on the server (shared hosting) you need to update all sites to the new IP.

Ubuntu 22.04 LTS became available in April 2022 and is supported for 5 years with the end of their standard support in April 2027. We recommend installing the 22.04.1 release especially for production machines.

3) Perform an in-place upgrade

This may only be an option for certain infrastructure types. It can be cheaper than option 2 (and quicker) but only if it upgrades perfectly. This option gives you zero testing time which means there is a risk that this will not work and your infrastructure will be off line whilst you or your support services fix it live.

While in-place upgrades will result with you having a new operating system, you will likely inherit the (less secure) defaults from the old operating system. e.g. Networking in Ubuntu 14.04 is typically configured via the /etc/network/interfaces file.  Networking in Ubuntu 16.04 is typically configured via the netplan configuration files. An in-place upgrade from 16.04 to 18.04 would leave the old interfaces configuration in place which may work or may not depending on the setup you have.

We would certainly never recommend more than one in-place upgrade. Taking a single system from Ubuntu 14.04 -> 16.04 -> 18.04 and now 20.04 is a bad idea as it just leaves too many loose threads.

It also means your hardware will not be upgraded keeping you potentially on old, less efficient  hardware that may also cause you issues at a later date.

4) Buy an annual subscription to Ubuntu Pro – Extended Security Maintenance (ESM)

Ubuntu Pro and Ubuntu Pro (infra-only) are annual subscriptions from Canonical. They provide Security updates for Ubuntu LTS for an additional 5 years (April 2028). Including security coverage of the Main and Ubuntu Universe repositories (Ubuntu Pro only) for Critical, High and select Medium CVEs.

There is a possibility that other software and packages will drop their support for Ubuntu 18.04 so you may cause yourselves problems down the line if you plan to leave it the full 5 years.

Ubuntu Pro is an enterprise subscription charged per machine per year. Annual costs depend on your infrastructure type (desktop or server) and support requirements.

Security Patching Ubuntu LTS Ubuntu Pro (INFRA-ONLY) Ubuntu Pro
Ubuntu Main Repo 5 years 10 years 10 years
Ubuntu Universe Repo Best effort Best effort 10 years

5) Just shut it downOptions for Ubuntu 18.04 EOL

It’s good to take stock of your infrastructure sometimes, especially internal/pet projects that may have been left to languish.

Do you actually still need this infrastructure? Has it been replaced by something better? If so then you can always just shut it down.

 

About Ubuntu 22.04

Ubuntu 22.04 LTS release is supported for 5 years with the end of their standard support in April 2027.

Upgrading from Ubuntu 18.04 to Ubuntu 22.04 should, instantly, speed up your sites/infrastructure if you get it right.

It’s worth considering package changes between operating system versions. Some of the most common are…

  • Apache 2.4.29 -> Apache 2.4.52
  • MySQL 5.7 -> MySQL 8.0
  • PHP  7.2 -> PHP 8.1.2 (default)

More info in the Jammy Jellyfish Release Notes.

Dogsbody have a lot of customers who run Ubuntu 18.04 who we will be advising and helping move to the best option for their business. If you need help on deciding the best route for your upgrade please do contact us.

PHP 7.4 EOL

PHP 7.4 will go end of life on 28 November 2022

/0 Comments/in /by

PHP 7.4 goes end of life (EOL) on the 28 November 2022 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 8.0 supported until 26 November 2023
  • 8.1 supported until 25 November 2024

New major PHP versions bring with it a number of new features and some incompatibilities. These should be tested before switching PHP versions in production environments.  You may need to get your developers to update some code, check plug-ins and app versions for the new PHP supportability:

WordPress 5.6 to 5.9 state that they have added “beta support” for PHP 8.0 and 8.1 however no one know when it will be out of beta status. Beta support means that the compatibility of WordPress with PHP is still being tested. We would usually advise not to use it on a production server until it is fully supported by WordPress.

Not sure what version your server is on? Maybe it’s time for a Server Audit so you have a full picture of your infrastructure – We produce a traffic light report telling you the good, the bad and the ugly…

Otherwise want a hand with your PHP upgrade? Get in touch!

Debian 9 “Stretch” goes End of Life (EOL) June 2022

/2 Comments/in /by

On the 30 June 2022, Debian 9 “Stretch” goes End of Life (EOL). We recommend you upgrade to Debian 11 “Bullseye” (skipping Debian 10 if possible) which is supported until June 2026.

After this date there will be no security updates released for Debian 9 and servers will not be patched for any new vulnerabilities discovered.

Leaving old Debian 9 “Stretch” systems past 30 June 2022 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability
    and
  • Making your network more vulnerable as a whole

Debian 11 “Bullseye” Supports:

  • Apache 2.4.48
  • MariaDB 10.5
  • MySQL 8.0
  • PHP 7.4
  • Python 3, 3.9.1

Not sure where to start? Contact us to find out how we can help you.

CVE-2021-44228 – Log4j2 vulnerability

/0 Comments/in /by

This weekend, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j, as well as the relative ease with which the vulnerability can be exploited, this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.

This was a “zero day exploit”, meaning that the bad guys found this vulnerability and started exploiting it before that vulnerability could be fixed. The NIST has catalogued this as CVE-2021-44228 with a 10/10 severity (the most severe).

Who’s affected

Put simply – Java applications that use the log4j package. It is almost impossible to conclusively list all affected software and services, given such widespread use and the multiple versions and implementations that affects the ability to exploit the vulnerability.

An attempt to list responses from as many vendors and service suppliers can be found here, though this list shouldn’t be taken as authoritative.

What you can do

Most importantly you should take immediate action to do the following:

  • Identify usage of affected log4j versions within your infrastructure.
  • Apply available patches from your software vendors, or consider disabling elements of your infrastructure/services until patches are available.
  • Monitor your systems/logs for signs of previous and ongoing exploit attempts.
  • Take immediate steps to restore any affected systems to a known good state.

Our Customers

We are actively following the steps above and triaging those affected. Those most severely affected will have already been contacted and we will continue to proactively monitor all infrastructure to ensure all systems are patched as soon as possible.

How to set-up fail2ban for a WordPress site

/1 Comment/in /by

What is Fail2ban

Fail2ban is a tool which you can use to reduce the impact of attacks on your servers. Typically you configure it to monitor a log file for suspicious activity.  Then once the activity crosses a threshold you can have it take an action, such as block the source IP address in your firewall.  It’s a good way to stop attacks early but doesn’t entirely prevent them.

Why use it to protect WordPress

Due to it’s popularity, WordPress is often the target of automated attacks.  We often see bruteforce attacks targeting xmlrpc.php or wp-login.php, these rely on making a huge number of requests in the hope that one will eventually be successful.  Using strong passwords, especially for accounts with admin access is important to reduce the risk from attacks.  Fail2ban can be used to slow attackers down.  This helps for two reasons: it makes them less likely to succeed; it reduces the load on the server caused by processing these requests.

Other options

Blocking an attack as far upstream as possible is always advantageous to save resources so we would typically favour a Web Application Firewall or Webserver configuration over using fail2ban or a WordPress plugin however every site, server and customer is different so it will depend on the exact configuration used and required.

Install & config fail2ban (for Ubuntu)

sudo apt-get install fail2ban

Fail2ban works by having a jail file which references the log file, a filter and an action.  By default fail2ban will protect sshd.  If you are restricting SSH access in another way then you might want to turn this off.  You can do so by creating the following as /etc/fail2ban/jail.local

[sshd]
enabled = false

Fail2ban doesn’t come with a filter for WordPress.  I’d like to credit these two articles for providing a good starting point.  We see requests to ‘//xmlrpc.php’ (note the double slashes) fairly frequently so tweaked the below to also flag them.  As this is detecting any requests to wp-login/xmlrpc it will flag legitimate admin users when they login etc.  We’ll look to account for this with the jail configuration.

You can create the filter as /etc/fail2ban/filter.d/wordpress.conf

[Definition]
failregex = ^<HOST> .* "(GET|POST) /+wp-login.php
            ^<HOST> .* "(GET|POST) /+xmlrpc.php

The jail file has most of the configuration options:

  • logpath, in this case the path to your Apache access log
  • action, adjust this if you’re using a different firewall or want to be sent email instead, you can see available options in /etc/fail2ban/action.d/
  • maxretry, the number of requests within findtime seconds to ban after
  • bantime, the number of seconds to ban for, with this action how long they’re blocked in iptables

As mentioned, the filter will catch both malicious and legitimate users.  We’re configuring maxrety fairly high and bantime relatively low to minimise the probability and impact if we do block a legitimate user.  Whilst this allows attackers to make roughly one request every ten seconds this is a fraction of what they’d make without fail2ban.

You can create the jail file as /etc/fail2ban/jail.d/wordpress.conf

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/all-sites-access.log
maxretry = 12
findtime = 120
bantime = 120

Restart fail2ban to load in your new config

sudo systemctl restart fail2ban

Checking your fail2ban set-up

Show the jails

sudo fail2ban-client status

Show info about the WordPress jail

sudo fail2ban-client status wordpress

List the f2b-wordpress iptables chain (this will be created the first time fail2ban blocks an IP and contain blocked IPs)

sudo iptables -v -n -L f2b-wordpress
sudo ip6tables -v -n -L f2b-wordpress

View the log to see any IPs banned or flagged

sudo less /var/log/fail2ban.log

 

Feature image by Jussie D.Brito licensed CC BY-SA 2.0.

CentOS 8 End of Life and what to do about it

/3 Comments/in /by

It’s July 2021 and there are just 5 months to go until CentOS 8 goes End of Life (31 December 2021).

Ordinarily our blog posts on software going End of Life are pretty cut and dry. This time drastic changes to CentOS’ future direction has complicated what would otherwise be a simple set of decisions.

In this post we’ll cover a few things. Firstly, we’ll recap a little of how this situation arose. Then we’ll take a look at what the changes are and why they might not be quite so bad. Then we’ll dive into your options for dealing with these huge changes…

  1. A brief recap.
  2. What do I do now CentOS 8 support is ending.
  3. Switching to RHEL.
  4. Switching from CentOS 8 to CentOS Stream.
  5. Can I downgrade to CentOS 7 from CentOS 8 to avoid CentOS 8 End of Life?
  6. Alternatives to CentOS 8 and Centos Stream.
    1. AlmaLinux.
    2. Oracle Linux.
    3. RockyLinux.
    4. Other options.
  7. WHM, cPanel and Plesk.

CentOS 8 End of Life – a brief recap

Unless you’ve been living under the proverbial digital rock, the opening sentence of this post won’t come as a surprise. You’ll also know of the ongoing saga concerning Red Hat bringing CentOS 8 End of Life forward 8(!) years. For those that have been under that rock, here’s what you missed in as few sentences as possible:

  • CentOS is the community-driven free (as in beer) downstream binary compatible repackaging of the (paid for) Red Hat Enterprise Linux (RHEL) distribution provided by Reb Hat Inc.
  • CentOS actually ‘joined’ (read ‘was acquired by’) Red Hat back in 2014 which gave Red Hat ‘power/ownership’ over the distribution.
  • IBM acquired Red Hat for $34B in July 2019, now giving it power over the CentOS project too.
  • Sept 2019 CentOS 8 is released with an End of Life date of 31 May 2029 and people are encouraged to switch over from the previous CentOS 7 release.
  • Dec 2020, just 15 months into the CentOS 8 distribution life cycle, Red Hat announces that CentOS 8 will no longer exist and will instead become CentOS Stream. CentOS 8 will receive no updates/support after 31st December 2021, cutting it’s original End of Life date by 8 years! CentOS Stream will also move to being an upstream development branch of RHEL instead of a downstream stable distribution, a complete change from the position CentOS 8 held.

It’s fair to say many people weren’t too happy with this. And who can blame them? Such a violent shift in focus for the distribution would have been enough to cause major ripples throughout the SysAdmin world on its own. Add to that the huge change of CentOS 8’s End of Life date and you really get the perfect storm of Linux Distro drama.

Was it really that bad?

Sort of. No. Yes. Maybe. Whilst this may become a historic text-book example of how not to communicate a product change, the reality is that the move to CentOS Stream is a culmination of years of work changing the way RHEL is delivered. Red Hat has now embraced a Continuous Integration delivery model – branded by Red Hat as ‘Always Ready RHEL’.

CentOS Stream is a natural extension of that work. It’s also a clear ‘bottom line’ lead business decision to reduce the brand and dollar cost CentOS put on RHEL. CentOS Stream will occupy a valuable slot in the RHEL development lifecycle. Rather than be a downstream burden, CentOS Stream will now lead development for the paid distribution.

There is a harsh reality though – CentOS Stream will be less stable than before. But in being slightly less stable it can address some valid complaints. Namely, it can now deliver feature updates faster than before and it will allow community members a chance to affect the downstream product (in this case RHEL).

It’s even possible that CentOS Stream could be far more ‘stable’ in terms of bugs or feature changes (not just version number changes) than other distros. That’s thanks to the move towards testing, CI and rigorous Quality Control under the ‘Always Ready RHEL’ development model. Only time will tell.

None of that matters though when the feelings of those invested in the project have been clouded by poor communication and perceived breach of trust these changes have caused.

What do I do now CentOS 8 support is ending?

Broadly, your choices are split into 4 categories:

  1. Switch over to the paid RHEL distribution
  2. Stay on CentOS 8 and switch over to CentOS Stream
  3. Roll back/rebuild on the CentOS 7 release, which enjoys support out until June 2024
  4. Switch to another distribution

When assessing your options, consider why you’re using CentOS 8 in the first place. There are good reasons to be using this distro. Knowing exactly what your reasons are will help inform your decision as to what steps you take next.

We’ll briefly look at options 1-3 but focus our attention mostly on 4. This is where there has been the most rapid development and your choices can evolve quickly.

What about cPanel?

We’ll cover that too. Jump forward to the cPanel section if that’s your main use case for CentOS.

Switching to RHEL

Lets start with the elephant in the room – the big drawback to switching to RHEL is cost. Pricing is varied depending on your use case but, as an example, a single server that comes with Red Hat’s famed support starts at $799 for a one year subscription.

A single server license without support will set you back $349 for a one year license.

It would be silly to focus solely on price though. Red Hat offer a huge range of discounts for licensing depending on your use case. Recent offerings, following the change of direction for CentOS, even cut the cost out completely if you’re under a certain size (though there are other caveats to this too).

Cloud providers like Azure, AWS and GCP also offer competitive on-demand pricing that takes care of managing licenses for you.

Another often missed aspect is Red Hat employees are amongst the most active contributors to many core Linux software, including the Kernel itself. Red Hat literally pays it’s people to fix issues in Linux itself, and a huge range of other open-source software. You get access to that kind of expertise, influence and speed of action when you take up their support offerings.

RHEL also has a huge focus on security with tools like SE Linux (love and hate it in equal measure!). Those who need to meet compliance requirements can enjoy automated tools and dedicated help and advice on where they need to make changes.

In short, RHEL is absolutely top of the pile. If you can afford the price!

Switching from CentOS 8 to CentOS Stream

What happens if you just do nothing and stay on CentOS 8? Will it automatically switch to CentOS stream?

In a word, no.

Thankfully, the process to switch is simple and officially endorsed by the CentOS team.

That’s not to say you won’t run into trouble but for the most part the process is simple.

The deeper question is should you switch to CentOS Stream? With the switch to being an Upstream development branch of RHEL, and a semi-Rolling Release at that, the move away from ‘stability’ may make this distro a non-starter for you.

Some have made the counter-argument; if your use case is so brittle that it is unable to handle even minor point version changes to an operating system, then it’s you who is doing something wrong. But the reality is there are situations when stability really is key. In those cases CentOS Stream may not a viable option for some.

If you are struggling with this decision then get in touch and we’d be happy to help you through the process.

Can I downgrade to CentOS 7 from CentOS 8 to avoid CentOS 8 End of Life?

If by downgrade you mean simply change some settings and migrate back down a release, then no.

If you want to switch back to CentOS 7 then you’ll need to perform a full reinstall of CentOS 7 on new physical/virtual hardware. Then migrate data over from your CentOS 8 servers. Not fun!

There may be good reason to do this, particularly if you were happy on CentOS 7 previously. CentOS 7 also retains it’s original End of Life date of 30th June 2024, so by switching back you can eek out as much time on a CentOS distribution as possible.

Likewise, some software is validated only against certain distributions and even certain releases. If you find yourself in that situation then migrating back to CentOS 7 could certainly be a valid option. It could also be a way give you more time to migrate your applications/assess your options.

Before doing so, we’d advise a very careful assessment of the costs and benefits of doing this. Jumping back to CentOS 7 might be the pragmatic choice but it may be worth putting your resources towards a longer term solution. That solution could be migrating to one of the CentOS replacements or maybe to a different distribution altogether.

Alternatives to CentOS 8 and CentOS Stream

Here we come to the core of the discussion but one where the answers are evolving very rapidly.

If you’ve decided that:

  • RHEL isn’t for you
  • you don’t want to move to CentOS Stream
  • downgrading to CentOS 7 seems a waste of time/resources
  • you still want a downstream distribution that is binary compatible with RHEL (just like CentOS 8)

…then what are your choices?

We’ll now focus on the ‘big three’ options shaping up to be viable candidates to replace CentOS. Then we’ll consider switching to a different distro altogether. Finally, we’ll mention a few other options that might be worth evaluating.

AlmaLinux

It was a tough choice to decide which of the alternative CentOS distributions to mention first. We could claim we’re going in alphabetical order, but the truth is AlmaLinux is shaping up to be the strongest option for replacing CentOS 8.

The project is backed by CloudLinux but will be ‘owned’ by an entirely separate and community led organisation called The Alma Linux Foundation.

What makes this such an attractive alternative is the cold hard cash backing the project. CloudLinux have committed $1 million a year until 2029 to support the project. They already have a decade long track record of supporting a downstream binary compatible RHEL clone, so they enter the field with a proven level of trust.

Importantly for many businesses AlmaLinux also has the option to receive paid support, provided by CloudLinux themselves.

Add to that the recent cPanel announcement of support for AlmaLinux in it’s current release version and AlmaLinux offers a comprehensive replacement for CentOS 8.

But the successes don’t stop there – secure boot shipped in the latest AlmaLinux 8.4 release and official images for the major cloud providers are now available.

If this sounds like the solution for you, there’s a simple migration script, as well as a stable release boasting binary compatibility with RHEL 8.4.

Oracle Linux

If we were being truly objective, Oracle Linux was already a viable candidate to replace CentOS and should have been first mention. But it’s Oracle, and even they have to address their own reputation in their own Oracle Linux FAQ.

Yes, Oracle Linux is free. It comes without any deliberate attempts to hold back features. And it offers an enterprise grade distro backed by the option for paid support. But it’s Oracle, so, you know…

To return to trying to be fair; Oracle Linux has a proven track record of bringing updates to their release faster than CentOS did. It also has paid options for cool technology like live kernel patching.

Switching is simple and reliable and you aren’t forced to pay for a support subscription. This is absolutely a 100% free, open source and feature rich CentOS replacement.

You’ll just have to decide for yourselves if you really want to get into bed with Oracle 🙂

RockyLinux

RockyLinux comes with one huge bonus – it’s founded by CentOS founder Gregory Kurtzer. Who better to lead the development of a CentOS replacement than the original founder himself?

RockyLinux has a slightly different approach to AlmaLinux, remaining fiercely free of any single external entity’s control/influence. It also has a broad range of supporters/sponsors contributing to the financial health of the project.

Recently the team released it’s first Rocky Linux Stable Release and has made available it’s first cloud offering, on GCP.

This is definitely one potential alternative worth assessing for your CentOS 8 replacement needs.

Other options

Ubuntu

If you know you’ll be replacing CentOS then it’s worth considering whether you want to stay on a distribution of the same derivative or switch to something else entirely.

One of the most popular and well supported options is an Ubuntu LTS variant. Ubuntu is based on the Debian branch of the Linux Family Tree. It enjoys huge developer, application and server provider support. Ubuntu also has massive ‘mindshare’ and deep penetration into the ‘consumer’ Linux market. This means it has a huge community, a well deserved level of trust and is familiar to most Linux users.

Ubuntu LTS releases deliver 5 years of updates free of charge, with extended support options available as paid extras. It is backed by Canonical who offer a range of support and services should you have Enterprise level needs.

Ubuntu’s popularity meant it was the first non-RHEL based distro to receive full cPanel support after CentOS announced it’s change of direction. Unfortunately, it’s still going to be some time until you can run cPanel on an Ubuntu server. We’ll discuss in the cPanel section below.

Debian

Debian is the grandfather of the Linux world. It’s been around forever and it’ll be around forever. Our recommendation above, Ubuntu, is built from a Debian base.

Debian pursues ‘freedom’ with an almost zealot-like religious fervour and has long been leading the fight for open-source software. It’s fair to say the current free software movement owes a great debt to Debian’s leadership over the decades.

Aside from being huge advocates for freedom, Debian also delivers a rock solid distribution that mirrors the ethics it espouses. It’s legendary focus on stability and support throughout the OS lifecycle rightly earns Debian a place on our recommended list.

Not only that, Debian is available for almost every architecture, every cloud service and every piece of hardware it’s possible to run a computer system on. Along with that comes an uncountable number of experts ready to help you whatever your needs.

It’s not as ‘fancy’ as some distros, nor as easy for newcomers, but Debian is part of the bedrock of the Linux world and a stellar choice for replacing a CentOS system.

OpenSUSE

The author can’t do justice to OpenSUSE, having last played with it over a decade ago. What we can say is that modern OpenSUSE offers an extremely well rounded alternative to Debian or RHEL based distributions.

OpenSUSE’s commitment to open-source and software freedom goes further than most. It has tools like the Open Build System and OpenQA, as well as excellent technology such as YaST or MicroOS.

It’s fair to say OpenSUSE doesn’t have as large a share of the pie as other distros but it’s Enterprise offerings more than make up for that with their excellent range of options.

WHM, cPanel and Plesk

Whilst Plesk has supported several operating systems for some time now, the 800lb Gorilla of the web hosting world, cPanel/WHM, was staunchly a RHEL derivative only.

That was until CentOS announced it’s change of direction and the curtailing of support for CentOS 8.

As of version 102 cPanel will officially support Ubuntu 20.04.

Version 102? Aren’t we only on version 98 now?

Yes, which means you can’t install cPanel on Ubuntu…yet.

But given cPanel versions bump up by 2 roughly every couple of months, and there are 6 versions to go…expect Ubuntu support somewhere around Oct-Dec 2021.

Wrapping it all up…

Well, this was a bit of a bigger post than our usual OS End of Life notices! And with 5 months to go things are still evolving rapidly.

We ourselves will be carefully monitoring the developments on the various replacement distros over the coming months. We’ll also be keenly exploring the opportunities afforded by companies like cPanel supporting different distributions such as Ubuntu.

If you need to jump ship right now but need to maintain compatibility with CentOS 8, you should consider AlmaLinux. It’s certainly leading the race to be a true CentOS 8 replacement, if you ignore Oracle’s offering.

Having read this post you might feel that the choices open to you right now might seen overwhelming. If you want some help deciding then we encourage you to get in touch with us. Our team of expert System Administrators have years of experience guiding customers in complex choices like this one.

We’d love to help you find the right solution for your needs!

 

Feature image by Trim Nilsen licensed: unsplash