Moving Forward After CentOS 8 EOL

The Linux community was caught unprepared when, in December 2020, Red Hat announced a change in the way it develops and supports CentOS: the official support window for CentOS 8 was cut from ten years to roughly two, with support ending on Dec 31, 2021.

It created a peculiar situation in which CentOS 7 users who did the right thing and upgraded promptly to CentOS 8 were left running an OS with barely a year of official support remaining, while users who stayed on CentOS 7 still receive maintenance updates until June 30, 2024.

Worse, because fixed-point CentOS releases were discontinued in favour of the rolling-release CentOS Stream, most CentOS 8 users who want to keep their workloads secure have to move to a different Linux distribution entirely, with just a year to choose, evaluate and roll out an alternative.

Red Hat’s unexpected decision underlined to what degree software users depend on official support windows for their software security. Countless organizations are now left scrambling to secure or replace CentOS 8 – or run the risk of relying on an OS that’s no longer supported, with no official fixes for new vulnerabilities.

Want to run an enterprise-grade Linux OS and do so free of charge, while enjoying an official, predictable support window? That was the deal with CentOS.

The CentOS project has its roots in an independent effort to produce a 1:1 binary-compatible rebuild of Red Hat Enterprise Linux (RHEL). Every CentOS release tracked the matching RHEL release exactly: any application that ran on a RHEL release also ran on the matching CentOS release, simple as that.

CentOS was eventually brought under Red Hat's sponsorship. Red Hat's oversight brought benefits, including fixed, reliable support windows that, for recent releases, were set to ten years. These support windows really matter: organizations that run thousands of Linux instances need a predictable support window to plan upgrades or migrations.

And that's why CentOS was such a good deal: a free enterprise-grade Linux OS supported by a major enterprise Linux vendor, including support commitments that everyone took to be bullet-proof.

CentOS is not dead. Red Hat continues to develop CentOS as CentOS Stream, but Stream is a rolling release: updates can land at any time, and because it sits upstream of RHEL it is never in lockstep with a shipped RHEL release.

By design, packages intended for a future RHEL release land in CentOS Stream first, before they are published in a fixed RHEL release.

In other words, users running CentOS Stream cannot know in advance which updates will arrive, or when those updates will break binary compatibility with the current RHEL release.

Losing binary compatibility means users lose the guarantee that an application certified for a RHEL release will work with a matching CentOS release – and for CentOS Stream users, that could happen at any point in time.

The fact that CentOS Stream breaks binary compatibility with RHEL complicates the efforts to secure CentOS 8 now that it is unexpectedly end of life. So while CentOS lives on as CentOS Stream, the key characteristics that made CentOS so appealing are now gone.

While it is somewhat understandable that Red Hat may not want to support a free enterprise-grade Linux OS forever, there was a real sting in Red Hat’s announcement last year, as it leaves CentOS 8 users in a tough spot, needing to secure their CentOS 8 workloads rapidly.

CentOS 8 support ends in just a few months, so there isn't a lot of time to think about securing CentOS 8 instances. Doing nothing isn't an option: once official support for CentOS 8 stops there will be no further bug fixes or patches for newly disclosed vulnerabilities.

An unsupported OS brings significant risk. Once a new vulnerability is public, exploitation in the wild can follow within days. Where an OS is officially supported, a vendor patch closes that window quickly.

Not so once official support is discontinued: users are left running a vulnerable OS unless they backport or develop a patch themselves. Given how rapidly new CVEs are reported against the kernel and core system libraries, there is no acceptable window during which a production system can go without a source of vendor patches.

In some use cases, running CentOS 8 past its official support window also creates a compliance risk: many compliance frameworks require that in-scope systems receive security patches, and an unsupported OS cannot meet that requirement.

Downgrading to CentOS 7 to obtain a few additional years of support looks like an easy solution, but it isn't: there is no supported path to roll a CentOS 8 instance back to CentOS 7, and CentOS 7 itself is already in its maintenance phase.

Switching, and switching right now, is the best way to secure CentOS 8 workloads as things stand. However, rapidly switching is only realistic where the alternative distribution is also 1:1 binary compatible with RHEL, because only then can applications be carried over without revalidation.

Switching to a Linux distribution that is not binary compatible, Ubuntu or Debian perhaps, is less feasible for most organizations. In some use cases that could be relatively easy, but most CentOS users would need to plan such a migration carefully and carry it out gradually: package formats, library versions and service defaults all differ and have to be revalidated. There just isn't enough time left to do that.

There are essentially three workable options. First up is Rocky Linux, a 1:1 binary-compatible rebuild of RHEL launched by Gregory Kurtzer, one of the CentOS project's founders. Rocky Linux has published an official stable release, it is free to download, and it is binary compatible, so everything that runs on RHEL should run just fine on Rocky Linux.

Similarly, AlmaLinux is a community-driven project sponsored by CloudLinux. AlmaLinux has also released a stable, 1:1 binary-compatible rebuild of RHEL and promises to publish a new release every time a new RHEL release comes out.

Oracle Linux is the third alternative: it is long established, free to download and use, and (currently at least) backed by Oracle's own published support lifecycle. Oracle Linux 8 is also 1:1 binary compatible with RHEL 8.

All three projects publish scripts for in-place migration from CentOS 8 (Rocky Linux's migrate2rocky, AlmaLinux's almalinux-deploy and Oracle's centos2ol), so the mechanics are not overly complicated: the script swaps the repository configuration and release packages and then reinstalls the distribution's own packages over the CentOS ones. The usual caveats apply: take a snapshot or backup first, run the migration on a test system that mirrors production before touching anything important, and verify afterwards that the kernel, repositories and any third-party packages came through intact. For organizations looking to migrate, test deployments should have started long ago; where they have not, they should start now.
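Whichever path is chosen, the first step is knowing which hosts are affected. The shell function below is an added example, not part of the original article or of any distribution's migration tooling: it reads a host's os-release file and reports whether it is a fixed-point CentOS Linux build that has passed the support end dates quoted above (Dec 31, 2021 for CentOS 8; June 30, 2024 for CentOS 7), a rolling CentOS Stream build, or RHEL and one of its 1:1 rebuilds. The optional date argument is an assumption added so the check can be pinned to a fixed date from an inventory job, and the os-release content at the bottom is constructed for illustration rather than taken from a real host.

```shell
#!/bin/sh
# Added example: classify a host by its os-release file so that CentOS
# Linux builds past the support dates quoted in this article stand out.
# Exit status: 0 = supported or rolling, 1 = past end of life, 2 = unknown.
# Usage: centos_status /etc/os-release [YYYY-MM-DD]
# The optional date argument (an assumption added here) pins "today" so the
# check can be run against a fixed date, e.g. from an inventory job.

centos_status() {
    file="$1"
    today="${2:-$(date +%Y-%m-%d)}"

    # NAME, ID and VERSION_ID are fields defined by os-release(5); drop quotes.
    name=$(sed -n 's/^NAME=//p' "$file" | tr -d '"')
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    version=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    major=${version%%.*}

    case "$id" in
        centos)
            # CentOS Stream also reports ID=centos; only NAME tells it apart.
            case "$name" in
                "CentOS Stream"*)
                    echo "rolling: $name $major (upstream of RHEL, not 1:1 compatible)"
                    return 0 ;;
            esac
            # Support end dates for the fixed-point CentOS Linux releases.
            case "$major" in
                8) eol=2021-12-31 ;;
                7) eol=2024-06-30 ;;
                *) echo "unknown: $name $version"; return 2 ;;
            esac
            ;;
        rhel|rocky|almalinux|ol)
            echo "supported: $name $version (RHEL or 1:1 rebuild)"
            return 0 ;;
        *)
            echo "other: $name $version"
            return 2 ;;
    esac

    # Compare ISO dates numerically: 2022-01-15 becomes 20220115.
    today_n=$(printf '%s' "$today" | tr -d '-')
    eol_n=$(printf '%s' "$eol" | tr -d '-')
    if [ "$today_n" -gt "$eol_n" ]; then
        echo "EOL: $name $version (support ended $eol)"
        return 1
    fi
    echo "supported until $eol: $name $version"
    return 0
}

# Constructed sample, not taken from a real host: what CentOS Linux 8 reports.
sample=$(mktemp)
cat > "$sample" <<'EOF'
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
EOF
centos_status "$sample" 2022-01-15 || :   # prints the EOL verdict, exit status 1
rm -f "$sample"
```

Run it against `/etc/os-release` on each host (or feed it files collected by your configuration management tool) and act on exit status 1. Note that `ID=centos` alone is not enough to tell CentOS Linux from CentOS Stream; the function checks `NAME` for that reason.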

For many CentOS users the news about CentOS sank in relatively recently, and as we outlined, deciding on an alternative and preparing to switch takes time, something CentOS 8 users don't have right now.

As an alternative to switching away from CentOS 8, users could choose to buy extended lifecycle support from a third party. A good solution will include coverage for critical CentOS 8 bug fixes and any new CVEs for a specified period of time.

For example, TuxCare’s extended lifecycle support for CentOS 8 runs into 2025 and promises to deliver patches for vulnerabilities as fast as – if not faster than – the speed at which the CentOS team rolled out updates.

Subscribing to extended support keeps CentOS 8 workloads patched past 2021, including against the new and emerging threats that are so common in today's cybersecurity environment. Extended support is a straightforward way to stay compliant with regulatory requirements too.

Users that currently rely on CentOS 8 are in a difficult position. There are a few viable options to secure CentOS 8 right now, among them moving to a binary-compatible alternative, but none of them is without complexity. What many CentOS 8 users need right now is time.

Opting into the extended support immediately secures CentOS 8 and is a relatively affordable way to acquire the time to decide on a CentOS alternative that meets your requirements – without the need to perform a rushed migration and incur the associated risks.

The only thing that's not an option is ignoring CentOS 8's rapid and unexpected end of life. There are considerable costs associated with running an OS past its end of life. We created this calculator to give you a rough estimate of the financial impact it may have, and we have analyzed in detail the issues that arise from running an unsupported OS inside your IT perimeter.

From Dec 31, 2021 CentOS 8 will become increasingly vulnerable to security threats, and so will any workload that runs on it. For many organizations, buying extended support may well be the best solution right now.