What's New in CentOS 8

New features:

  • Using cockpit web interface
  • Using enhanced firewall: nftables
  • Managing NFSv4 with nfsconf
  • Layered storage management with stratis
  • Data de-duplication and compression with VDO (virtual data optimizer)

The resources feel quite scattered; what I don't know, I just don't know 😢. RedHat provides interactive lab learning exercises:

Openshift lab interactive exercise:

Fast Ping Test

This is the new shorthand format.

# the last number fills the remaining 24 bits of the address
# the same as 127.0.0.1
ping 127.1
# the same as 1.0.0.1
ping 1.1

Cockpit Web Console

Available since CentOS 7.5. It is roughly a simplified desktop in the browser: you can check logs, create accounts, monitor the network, start services, and so on.

# install (the version is pinned here; a plain `yum install cockpit` also works)
sudo yum install -y cockpit-211.3-1.el8.x86_64

# enable and start only the socket, not cockpit.service;
# the service is socket-activated on the first connection
sudo systemctl enable --now cockpit.socket
systemctl status cockpit.socket
# confirm that port 9090 is listening
sudo ss -tnlp

# still inactive until someone connects
systemctl status cockpit.service

Set a root password (the vagrant user is privileged, so run it with sudo):

sudo passwd root

I have port forwarding set up for 9090; view the cockpit UI at localhost:9090 and log in as the root user with the password you set. After login, cockpit.service is now active:

systemctl status cockpit.service

There is a terminal in the web UI; you can work in it just like in a normal ssh terminal.

The dashboard plugin:

# see plugins: lists the cockpit yum packages installed and available
yum list cockpit*

yum info cockpit-dashboard
yum install -y cockpit-dashboard

With the cockpit-dashboard plugin installed, you can connect to remote machines (with cockpit installed and cockpit.socket running); the dashboard then acts like a control plane.

Other plugins, such as cockpit-machines, are used to manage virtual guests.

Enhancing Firewall

See the RedHat 8 guide Getting started with nftables. nftables is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. Stick to one tool rather than mixing them; the firewalld command can be replaced by nftables.

nft is the default kernel firewall front end in CentOS 8: a single command for IPv4, IPv6, ARP, and bridge filters. nftables has no predefined tables; tables are created by firewalld or by our own scripts.

First, yum install nftables; run the following as root or with sudo.

systemctl disable --now firewalld
reboot
# list all tables, nothing is there.
nft list tables

Now enable and start firewalld, and the tables will be created:

systemctl enable --now firewalld
# list all tables
nft list tables

table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld

Some common commands:

# list all tables
nft list tables

# list tables with a specific protocol family
nft list tables ip
# check the detail of the ip filter table
nft list table ip filter

Let’s see the demo code to build nftables:

  • create chains
  • create rules

# disable firewalld
systemctl disable --now firewalld ; reboot
nft list tables
# inet works for both ipv4 and ipv6
# create a new table `filter`
nft add table inet filter

# INPUT is the chain name; it does not have to be called INPUT
# here we add an INPUT chain to the inet filter table
# basic chain types: filter, route, nat
# basic hook types: prerouting, input, forward, output, postrouting, ingress
# priority: lower values are evaluated first; 0 is the usual default for filter chains
# \; escapes the semicolons so bash passes them through to nft
nft add chain inet filter INPUT \
    { type filter hook input priority 0 \; policy accept \; }

Allow SSH inbound to our system by setting rules:

# add rules to the INPUT chain of the inet filter table
nft add rule inet filter INPUT iif lo accept
# allow return traffic for connections the system already tracks
nft add rule inet filter INPUT ct state established,related accept
nft add rule inet filter INPUT tcp dport 22 accept
# drop everything not explicitly allowed above; counter keeps packet/byte counts of what is dropped
nft add rule inet filter INPUT counter drop

Persisting nftables rules

# store rules
nft list ruleset > /root/myrules
# clear the table
nft flush table inet filter
# delete the table
nft delete table inet filter
# restore rules (the table was deleted above; loading the dump on top of an
# existing table would add a second copy of every rule)
nft -f /root/myrules

Using systemd service unit:

# the systemd service unit for nftables loads /etc/sysconfig/nftables.conf
nft list ruleset > /etc/sysconfig/nftables.conf
nft flush table inet filter
nft delete table inet filter
systemctl enable --now nftables
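The same INPUT chain in the declarative form that /etc/sysconfig/nftables.conf expects, together with a pre-load check, as an added example that is not part of the original post; the output paths are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): the INPUT chain built above with
# "nft add ..." written as a declarative ruleset file for nft -f, plus a check
# that a file is safe to load. Output paths are assumptions.

# $1 = path to write (the real target is /etc/sysconfig/nftables.conf)
write_ruleset() {
    # "flush ruleset" comes first: loading a plain "nft list ruleset" dump with
    # nft -f while the table still exists appends a second copy of every rule.
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain INPUT {
        # policy drop is the safe default should the final rule ever be removed
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        counter drop
    }
}
EOF
}

# Returns 0 only if $1 starts with "flush ruleset" and its input hook chain
# ends with a drop rule; runs the kernel dry-run check when nft is usable.
check_ruleset() {
    grep -q '^flush ruleset' "$1" || { echo "missing flush ruleset" >&2; return 1; }
    awk '
        /hook input/ { found = 1; in_input = 1; next }
        in_input && /^[[:space:]]*}/ { in_input = 0; ok = (last ~ /drop/) }
        in_input && NF && $0 !~ /^[[:space:]]*#/ { last = $0 }
        END { exit !(found && ok) }
    ' "$1" || { echo "input chain does not end in drop" >&2; return 1; }
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"    # -c checks validity without applying the rules
    fi
}
```

Run `write_ruleset /etc/sysconfig/nftables.conf && check_ruleset /etc/sysconfig/nftables.conf` as root before `systemctl enable --now nftables`.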

NFSv4

CentOS 8 uses NFSv4.2 for its NFS server. The new tool nfsconf writes to /etc/nfs.conf. This section covers enabling NFSv4 only, managing inbound TCP connections with the firewall, and SELinux configuration for NFS.

Install nfs package for both server and clients:

yum install -y nfs-utils

By default NFSv2 is disabled and NFSv3 and above are enabled; we will disable NFSv3 and have NFSv4 only, so that only TCP port 2049 needs to be opened. Seen this way, the NFS in my previous project used the default settings, and it was not secure.

We can edit /etc/nfs.conf or use nfsconf commands:

nfsconf --set nfsd vers4 y
nfsconf --set nfsd tcp y
# disable UDP and NFSv3
nfsconf --set nfsd vers3 n
nfsconf --set nfsd udp n

Start nfs server daemon:

systemctl enable --now nfs-server.service

Check port opened:

ss -tlp -4

State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:* users:(("rpcbind",pid=8920,fd=4),("systemd",pid=1,fd=76))
LISTEN 0 128 0.0.0.0:mountd 0.0.0.0:* users:(("rpc.mountd",pid=8936,fd=8))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=917,fd=5))
LISTEN 0 128 0.0.0.0:54425 0.0.0.0:* users:(("rpc.statd",pid=8925,fd=9))
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*

We don’t need sunrpc (rpcbind) or statd with NFSv4 only; mask both the service and the socket:

systemctl mask --now rpc-statd rpcbind.service rpcbind.socket

Then only the nfs and mountd ports remain, and only the nfs port needs a firewalld rule:

ss -tl -4

State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:mountd 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*

Let’s create some shared files:

mkdir /share
# copy every *.txt under /usr/share/doc to /share
# {} is replaced by each file that find matches
# \; terminates the -exec command; it is escaped so bash does not treat it as a command separator
find /usr/share/doc -name '*.txt' -exec cp {} /share \;

Edit the /etc/exports file:

# /etc/exports: only rw here; in my previous work we used (rw,insecure,async,no_root_squash)
# the other defaults are enough here
/share *(rw)

# apply the exports
exportfs -rav
# check the options actually applied
exportfs -v

/share <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)

Configure firewall:

firewall-cmd --add-service=nfs --permanent

Then go to the client and mount the /share folder. Later on it covers SELinux support for NFS, which I don't need at the moment and didn't understand either.
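A small audit of the ss listings shown above against the NFSv4-only listener set, as an added example that is not part of the original post; the allowlist and the embedded ss snapshots are constructed from the two listings above:

```shell
#!/bin/sh
# Added example (not from the original post): audits "ss -tl -4" output against the
# listener set the post ends up with after masking rpcbind (nfs, mountd, ssh).
# The allowlist and the sample snapshots below are constructed assumptions.
NFS4_ALLOWED="${NFS4_ALLOWED:-nfs mountd ssh}"

# Reads ss output on stdin; prints each LISTEN entry whose local service/port is
# not in NFS4_ALLOWED (e.g. sunrpc, or rpc.statd on a random port) and returns 1
# when any such listener exists. Live use: ss -tlp -4 | unexpected_listeners
unexpected_listeners() {
    awk -v allowed="$NFS4_ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # "0.0.0.0:sunrpc" -> "sunrpc"
            if (!(port in ok)) { print port, ($6 == "" ? "-" : $6); bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed samples copied from the two snapshots in the post
BEFORE_MASK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:* users:(("rpcbind",pid=8920,fd=4),("systemd",pid=1,fd=76))
LISTEN 0 128 0.0.0.0:mountd 0.0.0.0:* users:(("rpc.mountd",pid=8936,fd=8))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=917,fd=5))
LISTEN 0 128 0.0.0.0:54425 0.0.0.0:* users:(("rpc.statd",pid=8925,fd=9))
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*'

AFTER_MASK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:mountd 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*'

# Stand-alone run: report on both snapshots
printf '%s\n' "$BEFORE_MASK" | unexpected_listeners || echo "before masking: extra listeners listed above"
printf '%s\n' "$AFTER_MASK" | unexpected_listeners && echo "after masking: only the NFSv4 listeners remain"
```

The numeric port 54425 is flagged because rpc.statd binds a random port, so an allowlist by service name catches it regardless of which port it picked.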

Storage Management Stratis

Stratis resources:

The explanation in the video is somewhat better than RedHat's exercise; when mounting, it uses the persistent configuration in /etc/fstab.

When creating the filesystem, the author chooses xfs, so what is the difference compared to ext4?

Virtual Data Optimizer

VDO provides block-level deduplication, compression, and thin provisioning to save space.

Example Use Case: To reduce the amount of operational and storage costs in data centers, we use the deduplication and compression features in VDO to decrease the footprint of data.
