2.7.1. Recommended naming practices
host.example.com. The hostnamectl tool allows static and transient host names of up to 64 characters including a-z, A-Z, 0-9,
.only. Underscores are technically permissible in the current specification. However, since older specifications forbid them, Red Hat does not recommend using underscores in host names.
.yourcompany) to the public register. Therefore, Red Hat strongly recommends that you do not use a domain name that is not delegated to you, even on a private network, as this can result in a domain name that resolves differently depending on network configuration. As a result, network resources can become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain, as domain name collisions add manual configuration penalties to DNSSEC validation.
2.7.2. Updates to NetworkManager
- The nmcli tool now supports editing connections with the
nmcli con editand
nmcli con modifycommands.
- A new text-based user interface (nmtui) provides a streamlined console-based tool for editing network configuration and controlling network connections. This replaces the system-config-network-tui tool.
- Previously, NetworkManager ignored network interfaces it did not recognize (interfaces other than Ethernet, Infiniband, WiFi, Bridge, Bond, and VLAN). NetworkManager now recognizes any network interface picked up by
ip link, and exposes these interfaces through the D-Bus interface and clients such as nmcli. This brings NetworkManager to closer parity with tools like ip.
- NetworkManager now non-destructively takes ownership of interfaces that it can natively configure, such as Ethernet, InfiniBand, Bridge, Bond, VLAN, and Team interfaces. If these interfaces are configured before NetworkManager starts or restarts, the previously configured connections are not interrupted. This means that the
NM_CONTROLLEDoption is no longer required.
- Support for checking network connectivity, hotspots and portals. This behavior is disabled by default.
- Support for team interfaces.
- Basic, non-native support for GRE, macvlan, macvtap, tun, tap, veth, and vxlan devices.
- A new NetworkManager-config-server package provides defaults that are suitable for servers, such as ignoring carrier changes and not creating default DHCP connections.
- A new
dns=noneconfiguration option for
NetworkManager.confprevents NetworkManager from making changes to the
- Support for fast user switching.
- Support for locking a connection to the name of an interface in addition to, or instead of, the MAC address of an interface.
nmcli con reloadcommand.
2.7.3. New Network Naming Schema
eth[0123...], but these names do not necessarily correspond to actual labels on the chassis. Modern server platforms with multiple network adapters can encounter non-deterministic and counter-intuitive naming of these interfaces. This affects both network adapters embedded on the motherboard (Lan-on-Motherboard, or LOM) and add-in (single and multi-port) adapters.
enp5s0in place of
- Scheme 1
- Names incorporating Firmware or BIOS provided index numbers for on-board devices, for example,
eno1. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 2 used as a fallback.
- Scheme 2
- Names incorporating Firmware or BIOS provided PCI Express hotplug slot index numbers, for example,
ens1. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 3 used as a fallback.
- Scheme 3
- Names incorporating physical location of the connector of the hardware, for example,
enp2s0. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 5 used as a fallback.
- Scheme 4
- Names incorporating the interface's MAC address, for example,
enx78e7d1ea46da. By default, systemd does not name interfaces according to this scheme, but it can be enabled if required.
- Scheme 5
- The traditional unpredictable kernel-native ethX naming, for example,
eth0. systemd names interfaces according to this scheme if all other methods fail.
BIOSDEVNAMEenabled, or if the user has added udevd rules that change the names of kernel devices, these rules will take precedence over the default systemd policy.
2.7.4. New networking utility (ncat)
netcat -Poption took a specified user name to present to a proxy server that required authentication. The ncat option for this behavior is
netcat -Xoption took a specified protocol for the networking utility to use when communicating with a proxy server. The ncat option for this behavior is
netcat -xoption took an address and an optional port for the networking utility to connect to with the proxy server. The ncat option for this behavior is
--proxy, which takes an IP address and an optional port, like so:
netcat -doption disabled reading from stdin. The
ncat -doption allows the user to specify a wait time between read or write operations. However, ncat provides the
--recv-onlyoption, which provides similar behavior to
netcat -ioption specified an interval between lines of text sent and received, or between connections to multiple ports. The
ncat -ioption specifies the amount of time a connection can idle before the connection times out and is terminated. There is no equivalent in ncat to the
netcat -woption specifies the amount of time a connection that cannot be established can idle before the connection times out and is terminated. The
ncat -woption specifies the amount of time to attempt connection before timing out.
- Enable debugging on the socket (previously provided by
- Specify the size of the TCP send and receive buffers (previously provided by
- Specify that source or destination ports are chosen randomly (previously provided by
- Enable Protection of BGP Sessions avia the TCP MD5 Signature Option, RFC 2385 (previously provided by
- Specify the IPv4 type of service (previously provided by
- Specify the use of UNIX domain sockets (previously provided by
- Specify the routing table to be used (previously provided by
- Scan for listening daemons without transmitting data.
- Specify an interval between lines of text sent and received, or between connections to multiple ports.
$ man ncat
2.7.5. Changes to Postfix
- Ensure that you execute
postfix startcommands before using the
postscreendaemon, to avoid problems with the
- Default system-supplied CA certificates are no longer added to the
*_tls_CApathlists. This means third-party certificates no longer receive mail relay permission when
permit_tls_all_clientcertsis used. If your configuration requires certificate verification, enable backwards compatible behavior by setting
tls_append_default_CA = yes.
verifyservice now uses a persistent cache with periodic cleanup enabled by default. Support for the delete and sequence operations is required. To disable the cache, specify a blank
main.cf. To disable periodic cleanup, set
- Previously the default next-hop destination, used when a filter next-hop destination was not specified, was the value of
$myhostname. The default is now the recipient domain. To change the default next-hop destination, specify
default_filter_nexthop = $myhostname. In pipe-based filters, this also enables FIFO delivery order, instead of round-robin domain selection.
postmulti -e destroycommand no longer attempts to remove files that are created after the
postmulti -e createcommand is executed.
- Postfix now requests default delivery status notifications when adding a recipient with the Milter
- When the result of virtual alias expansion exceeds virtual alias recursion or expansion limits, Postfix now reports a temporary delivery error instead of silently dropping excess recipients and delivering the message.
- The local delivery agent now keeps the owner-alias attribute of a parent alias when delivering mail to a child alias that does not have an owner-alias. This makes repeated delivery to mailing lists less likely. To enable older behavior, specify
reset_owner_alias = yes.
- The Postfix SMTP client no longer appends the local domain when looking up a DNS name without "
.". To enable older behavior, specify
smtp_dns_resolver_options = res_defnames. Note that this may produce unexpected results.
- The format of the
postfix/smtpd[pid]: queueid: client=host[addr]log file record has changed. When available, the before-filter client information and before-filter queue ID are now appended to the end of the record.
- By default, postfix no longer adds an undisclosed recipient header to messages with no specified recipient. To enable older behavior, specify the following in
undisclosed_recipients_header = To: undisclosed-recipients:;
- The SASL mechanism list is now re-computed after each successful completion of
smtpd_starttls_timeoutdefault value is now stress-dependent.
- DNSBL queries with a secret in the domain name must now hide that secret from
postscreenSMTP replies. For example, in
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_replyIn
dnsbl_reply, specify a separate DNSBL name:
# Secret DNSBL name Name in postscreen(8) replies secret.zen.spamhaus.org zen.spamhaus.org
- All programs that use postfix VSTREAMs must be recompiled, because VSTREAM errors now use separate flags for read and write errors.
- The default value of
999, to remain consistent with the SMTP standard.
- Sendmail now transforms all input lines ending in
<CR><LF>into UNIX format (
- By default, the SMTP client no longer appends
- Some log messages that were previously classified as
fatalare now classified as
error. Log file based alert systems may need to be updated accordingly. To re-enable older behavior, set
- Newly supported long queue file names are not supported prior to Postfix 2.9. To migrate back to Postfix 2.8 or earlier, any long queue file names must be converted. To do so, stop postfix, set
no, and then run the
postsupercommand until it no longer exports queue file name changes.
- Postfix now logs the result of successful TLS negotiation with TLS logging levels of 0. See log level descriptions in the
postconfman page for details.
- The postfix SMTP server now always checks the smtpd_sender_login_maps table.
- The default
inet_protocolsvalue is now
all(use both IPv4 and IPv6). To avoid unexpected performance loss for sites without global IPv6 connectivity, the
postfix upgrade-configurationcommands currently append
inet_protocols = ipv4to
main.cfwhen no explicit setting is present.
- The default
smtp_address_preferencevalue is now
any(choose IPv4 or IPv6 at random).
- The SMTP server no longer reports transcripts of sessions where a client command is rejected because a lookup table is not available. To continue receiving such reports, add the
dataclass to the value of the
- A new
smtpd_relay_restrictionsparameter has been added. By default this enables
defer_unauth_destination. This prevents open relay problems due to mistakes with spam filter rules in
smtpd_recipient_restrictions. However, if your site has a complex mail relay policy configured under
smtpd_recipient_restrictions, some mail may be incorrectly deferred. To correct this, either remove
smtpd_relay_restrictionsconfiguration and use the existing policy in
smtpd_recipient_restrictions, or copy the existing policy from
2.7.6. Network Protocols
126.96.36.199. Network File System (NFS)
/etc/sysconfig/nfsfile, by changing the value of the
RPCNFSDARGSparameter. For example,
RPCNFSDARGS="-N4.1 -V3"enables support for NFS 3 and disables support for NFS 4.1. For further details, see the man page:
$ man rpc.nfsd
/etc/nfsmount.conffile and by using command line options. See the man pages for further details.
$ man nfs
$ man nfsmount.conf
188.8.131.52.1. Parallel NFS (pNFS)
184.108.40.206. Apache Web Server (httpd)
- Changed proxy configuration
- Apache Web Server (
httpd) configurations that use an SSL back end must now use the
SSLProxyCheckPeerNamedirective if the SSL certificate does not match the host name configured. Previously, host names in the SSL certificate of a proxy back end were not verified.
- New control mechanisms
- Because Red Hat Enterprise Linux moves the system away from SysV init scripts, the commands for controlling the
httpdservice have changed. Red Hat now recommends the
systemctlcommands instead of the
servicecommand. For example, where you would previously have run
service httpd graceful, Red Hat now recommends
- Changed default subcommand behavior
systemdunit file for httpd defines different behavior for the
stopsubcommands. Specifically, the
reloadsubcommand now gracefully reloads the service, and the
stopcommand now gracefully stops the service by default.
- Hard coded default configuration
- Previous versions of httpd provided an exhaustive configuration file that listed all configuration settings and their defaults. Many common configuration settings are no longer explicitly configured in the default configuration files; instead, default settings are now hard coded. The default configuration file now has minimal content and is easier to manage as a result. The hard coded default values for all settings are specified in the manual, which by default is installed into
- New Multi-Processing Model modules
- Previous releases of Red Hat Enterprise Linux provided several Multi-Processing Models (
worker) as different httpd binaries. Red Hat Enterprise Linux 7 uses a single binary and provides these Multi-Processing Models as loadable modules:
event. Edit the
/etc/httpd/conf.modules.d/00-mpm.conffile to select which module is loaded.
- Directory changes
- A number of directories have moved or are no longer provided in this updated version of httpd.
- Content previously installed in
/var/cache/mod_proxyhas moved to
/var/cache/httpdunder either the
- Content previously installed in
/var/wwwhas moved to
- Content previously installed in
/var/www/iconshas moved to
/usr/share/httpd/icons. This directory contains a set of icons used with directory indices.
- The HTML version of the httpd manual previously installed in
/var/www/manualhas moved to
- Custom multi-language HTTP error pages previously installed in
/var/www/errorhave moved to
- Changes to suexec
suexecbinary no longer has its user identifier set to root at install time. Instead, a more restrictive set of permissions is applied using file system capability bits. This improves the security of the httpd service. Additionally,
suexecnow sends log messages to syslog instead of using the
/var/log/httpd/suexec.logfile. The messages sent to syslog appear in
- Changes to module interface compatibility
- Changes to the httpd module interface mean that this updated version of httpd is not compatible with third-party binary modules built against the previous version of httpd (2.2). Such modules will need to be adjusted as necessary for the httpd 2.4 module interface, and then rebuilt. See the Apache documentation for details of the API changes in version 2.4.
- Change to apxs binary location
apxsbinary used to build modules from source has moved from
- New and moved configuration files
- Configuration files that load modules are now placed in the
/etc/httpd/conf.modules.ddirectory. Packages that provide additional loadable modules for httpd (like the php package) add files to this directory. Any configuration files in the
conf.modules.ddirectory are processed before the main body of
httpd.conf. Configuration files in the
/etc/httpd/conf.ddirectory are now processed after the main body of
httpd.conf.Some additional configuration files are provided by the httpd package:
/etc/httpd/conf.d/userdir.confconfigures access to user directories (
http://example.com/~username/). By default this access is disabled for security reasons.
/etc/httpd/conf.d/welcome.confconfigures the "welcome page" displayed on
http://localhost/when no content is present.
- Changes to configuration compatibility
- This version of httpd is not compatible with the configuration syntax of the previous version (2.2). Configuration files require updates to syntax before they can be used with this updated version of httpd. See the Apache documentation for details of the syntax changes made between version 2.2 and version 2.4.
ROOTDIRenvironment variable in
/etc/sysconfig/namedto point to the chroot environment location. To run the
namedservice normally (not in the chroot environment) required either removing the bind-chroot package or manually editing the
ROOTDIRenvironment variable in
namedservice runs. Instead, it installs a new service,
named-chroot, that is started and stopped separately with the
systemctlcommand, like so.
# systemctl start named-chroot.service
# systemctl stop named-chroot.service
named-chrootservice cannot run at the same time as the
2.7.7. Default product certificate
/etc/pki/product/directory and then in the
/etc/pki/product-default/directory. Content in the
/etc/pki/product-default/directory is provided by redhat-release packages. Any certificate in the
/etc/pki/product-default/directory that is not located in
/etc/pki/product/is considered to be installed. The default product certificates are used until Subscription Manager fetches product certificates from the subscribed channels.