2.7. Networking

Read this section for a summary of changes to networking, network protocol support and relevant configuration tools between Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

2.7.2. Updates to NetworkManager

Red Hat Enterprise Linux 7 includes an updated version of NetworkManager, which provides a number of enhancements and some new features.
  • The nmcli tool now supports editing connections with the nmcli con edit and nmcli con modify commands.
  • A new text-based user interface (nmtui) provides a streamlined console-based tool for editing network configuration and controlling network connections. This replaces the system-config-network-tui tool.
  • Previously, NetworkManager ignored network interfaces it did not recognize (interfaces other than Ethernet, InfiniBand, WiFi, Bridge, Bond, and VLAN). NetworkManager now recognizes any network interface picked up by ip link, and exposes these interfaces through the D-Bus interface and clients such as nmcli. This brings NetworkManager to closer parity with tools like ip.
  • NetworkManager now non-destructively takes ownership of interfaces that it can natively configure, such as Ethernet, InfiniBand, Bridge, Bond, VLAN, and Team interfaces. If these interfaces are configured before NetworkManager starts or restarts, the previously configured connections are not interrupted. This means that the NM_CONTROLLED option is no longer required.
  • Support for checking network connectivity, hotspots and portals. This behavior is disabled by default.
  • Support for team interfaces.
  • Basic, non-native support for GRE, macvlan, macvtap, tun, tap, veth, and vxlan devices.
  • A new NetworkManager-config-server package provides defaults that are suitable for servers, such as ignoring carrier changes and not creating default DHCP connections.
  • A new dns=none configuration option for NetworkManager.conf prevents NetworkManager from making changes to the resolv.conf file.
  • Support for fast user switching.
  • Support for locking a connection to the name of an interface in addition to, or instead of, the MAC address of an interface.
This update also changes configuration file monitoring behavior. NetworkManager no longer monitors on-disk configuration files for changes. Instead, users must manually reload changed configuration files with the nmcli con reload command.

2.7.3. New Network Naming Schema

Red Hat Enterprise Linux 7 provides methods for consistent and predictable network device naming for network interfaces. These features change the name of network interfaces on a system in order to make locating and differentiating the interfaces easier.
Traditionally, network interfaces in Linux are enumerated as eth[0123...], but these names do not necessarily correspond to actual labels on the chassis. Modern server platforms with multiple network adapters can encounter non-deterministic and counter-intuitive naming of these interfaces. This affects both network adapters embedded on the motherboard (Lan-on-Motherboard, or LOM) and add-in (single and multi-port) adapters.
In Red Hat Enterprise Linux 7, systemd and udevd support a number of different naming schemes. The default behavior is to assign fixed names based on firmware, topology, and location information. This has the advantage of names that are fully automatic and fully predictable, stay fixed even if hardware is added or removed (no re-enumeration takes place), and that broken hardware can be replaced seamlessly. The disadvantage to this behavior is that the names are sometimes harder to read than the name that has previously been used, for example, enp5s0 in place of eth0.
The following naming schemes for network interfaces are now supported by udevd natively.
Scheme 1
Names incorporating Firmware or BIOS provided index numbers for on-board devices, for example, eno1. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 2 used as a fallback.
Scheme 2
Names incorporating Firmware or BIOS provided PCI Express hotplug slot index numbers, for example, ens1. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 3 used as a fallback.
Scheme 3
Names incorporating physical location of the connector of the hardware, for example, enp2s0. systemd names interfaces according to this scheme by default if that information from the firmware is applicable and available, with scheme 5 used as a fallback.
Scheme 4
Names incorporating the interface's MAC address, for example, enx78e7d1ea46da. By default, systemd does not name interfaces according to this scheme, but it can be enabled if required.
Scheme 5
The traditional unpredictable kernel-native ethX naming, for example, eth0. systemd names interfaces according to this scheme if all other methods fail.
If the system has BIOSDEVNAME enabled, or if the user has added udevd rules that change the names of kernel devices, these rules will take precedence over the default systemd policy.
For further information about this new naming system, see the Red Hat Enterprise Linux 7 Networking Guide, available from http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.

2.7.4. New networking utility (ncat)

A new networking utility, ncat, replaces netcat in Red Hat Enterprise Linux 7. ncat is a reliable back-end tool that provides network connectivity to other applications and users. It reads and writes data across the network from the command line, and uses both TCP and UDP for communication.
Some of the commands in ncat differ from those originally provided by netcat, or provide different functionality with the same options. These differences are outlined in the following list.
  • The netcat -P option took a specified user name to present to a proxy server that required authentication. The ncat option for this behavior is --proxy-auth user[:pass].
  • The netcat -X option took a specified protocol for the networking utility to use when communicating with a proxy server. The ncat option for this behavior is --proxy-type.
  • The netcat -x option took an address and an optional port for the networking utility to connect to with the proxy server. The ncat option for this behavior is --proxy, which takes an IP address and an optional port, like so: --proxy host[:port].
  • The netcat -d option disabled reading from stdin. The ncat -d option allows the user to specify a wait time between read or write operations. However, ncat provides the --recv-only option, which provides similar behavior to netcat -d.
  • The netcat -i option specified an interval between lines of text sent and received, or between connections to multiple ports. The ncat -i option specifies the amount of time a connection can idle before the connection times out and is terminated. There is no equivalent in ncat to the netcat -i option.
  • The netcat -w option specifies the amount of time a connection that cannot be established can idle before the connection times out and is terminated. The ncat -w option specifies the amount of time to attempt connection before timing out.
Some options that were available in netcat do not have equivalents in ncat. ncat cannot currently perform the following.
  • Enable debugging on the socket (previously provided by netcat -D).
  • Specify the size of the TCP send and receive buffers (previously provided by netcat -I and netcat -O).
  • Specify that source or destination ports are chosen randomly (previously provided by netcat -r).
  • Enable Protection of BGP Sessions via the TCP MD5 Signature Option, RFC 2385 (previously provided by netcat -S).
  • Specify the IPv4 type of service (previously provided by netcat -T).
  • Specify the use of UNIX domain sockets (previously provided by netcat -U).
  • Specify the routing table to be used (previously provided by netcat -V).
  • Scan for listening daemons without transmitting data.
  • Specify an interval between lines of text sent and received, or between connections to multiple ports.
The ncat utility is provided by the nmap-ncat package. For more information about ncat, see the man page:
$ man ncat
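Scripts written for netcat can be checked against the option differences listed above before they are run with ncat. The following sh function is an added example, not part of the original guide: it flags only the options named in this section, the list of argument-taking options is an assumption taken from the netcat (nc) man page, and the sample script and host names are constructed.

```shell
#!/bin/sh
# Added example: audit legacy netcat invocations against the option changes listed above.

# Reads shell script text on stdin; prints "LINE:OPTION:finding" for each affected option.
audit_nc_options() {
    awk '
    BEGIN {
        note["-P"] = "renamed: use --proxy-auth user[:pass]"
        note["-X"] = "renamed: use --proxy-type"
        note["-x"] = "renamed: use --proxy host[:port]"
        note["-d"] = "changed: now a wait time between reads/writes; see --recv-only"
        note["-i"] = "changed: now an idle timeout; no interval equivalent"
        note["-w"] = "changed: now a connection-attempt timeout"
        n = split("-D -I -O -r -S -T -U -V", gone, " ")
        for (k = 1; k <= n; k++) note[gone[k]] = "unsupported: no ncat equivalent"
        # Assumption (netcat man page): short options that consume an argument
        takes_arg = "PXxiwIOTVsp"
    }
    /^[ \t]*#/ { next }                                  # skip comment lines
    {
        in_cmd = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok ~ /^(.*\/)?(nc|netcat)$/) { in_cmd = 1; continue }
            if (tok ~ /^[|;&]+$/) { in_cmd = 0; continue }   # pipeline or list separator
            if (!in_cmd || tok ~ /^--/ || tok !~ /^-[A-Za-z]/) continue
            # walk clustered short options, e.g. -dw5
            for (j = 2; j <= length(tok); j++) {
                c = substr(tok, j, 1)
                if (c !~ /[A-Za-z]/) break
                opt = "-" c
                if (opt in note) printf "%d:%s:%s\n", NR, opt, note[opt]
                if (index(takes_arg, c)) break           # rest of token is the argument
            }
        }
    }'
}

# Constructed sample script (host names are placeholders).
sample_script() {
    cat <<'EOF'
#!/bin/sh
# nightly jobs written for netcat
nc -w5 -x proxy.example.com:3128 -X connect mail.example.com 25
tar cf - /srv | netcat -d -i 2 backup.example.com 9000
nc -U /run/app.sock
ncat --recv-only backup.example.com 9000
EOF
}

sample_script | audit_nc_options
```

To audit a real script, redirect it to the function, for example audit_nc_options < backup.sh (a hypothetical file name).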

2.7.5. Changes to Postfix

Red Hat Enterprise Linux 7 upgrades postfix from version 2.6 to version 2.10. While major compatibility issues are handled by the Preupgrade Assistant on upgrading from Red Hat Enterprise Linux 6 to 7, users should be aware of the following non-fatal compatibility issues.
  • Ensure that you execute postfix stop and postfix start commands before using the postscreen daemon, to avoid problems with the pass master service.
  • Default system-supplied CA certificates are no longer added to the *_tls_CAfile or *_tls_CApath lists. This means third-party certificates no longer receive mail relay permission when permit_tls_all_clientcerts is used. If your configuration requires certificate verification, enable backwards compatible behavior by setting tls_append_default_CA = yes.
  • The verify service now uses a persistent cache with periodic cleanup enabled by default. Support for the delete and sequence operations is required. To disable the cache, specify a blank address_verify_map parameter in main.cf. To disable periodic cleanup, set address_verify_cache_cleanup_interval to 0.
  • Previously the default next-hop destination, used when a filter next-hop destination was not specified, was the value of $myhostname. The default is now the recipient domain. To change the default next-hop destination, specify default_filter_nexthop = $myhostname. In pipe-based filters, this also enables FIFO delivery order, instead of round-robin domain selection.
  • The postmulti -e destroy command no longer attempts to remove files that are created after the postmulti -e create command is executed.
  • Postfix now requests default delivery status notifications when adding a recipient with the Milter smfi_addrcpt action.
  • When the result of virtual alias expansion exceeds virtual alias recursion or expansion limits, Postfix now reports a temporary delivery error instead of silently dropping excess recipients and delivering the message.
  • The local delivery agent now keeps the owner-alias attribute of a parent alias when delivering mail to a child alias that does not have an owner-alias. This makes repeated delivery to mailing lists less likely. To enable older behavior, specify reset_owner_alias = yes.
  • The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". To enable older behavior, specify smtp_dns_resolver_options = res_defnames. Note that this may produce unexpected results.
  • The format of the postfix/smtpd[pid]: queueid: client=host[addr] log file record has changed. When available, the before-filter client information and before-filter queue ID are now appended to the end of the record.
  • By default, postfix no longer adds an undisclosed recipient header to messages with no specified recipient. To enable older behavior, specify the following in main.cf:
    undisclosed_recipients_header = To: undisclosed-recipients:;
  • The SASL mechanism list is now re-computed after each successful completion of STARTTLS.
  • The smtpd_starttls_timeout default value is now stress-dependent.
  • DNSBL queries with a secret in the domain name must now hide that secret from postscreen SMTP replies. For example, in main.cf, specify:
    postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
    In dnsbl_reply, specify a separate DNSBL name:
    # Secret DNSBL name        Name in postscreen(8) replies
    secret.zen.spamhaus.org    zen.spamhaus.org
  • All programs that use postfix VSTREAMs must be recompiled, because VSTREAM errors now use separate flags for read and write errors.
  • The default value of smtp_line_length_limit is now 999, to remain consistent with the SMTP standard.
  • Sendmail now transforms all input lines ending in <CR><LF> into UNIX format (<LF>).
  • By default, the SMTP client no longer appends AUTH=<> to the MAIL FROM command.
  • Some log messages that were previously classified as fatal are now classified as error. Log file based alert systems may need to be updated accordingly. To re-enable older behavior, set daemon_table_open_error_is_fatal to yes.
  • Newly supported long queue file names are not supported prior to Postfix 2.9. To migrate back to Postfix 2.8 or earlier, any long queue file names must be converted. To do so, stop postfix, set enable_long_queue_ids to no, and then run the postsuper command until it no longer reports queue file name changes.
  • Postfix now logs the result of successful TLS negotiation with TLS logging levels of 0. See log level descriptions in the postconf man page for details.
  • The postfix SMTP server now always checks the smtpd_sender_login_maps table.
  • The default inet_protocols value is now all (use both IPv4 and IPv6). To avoid unexpected performance loss for sites without global IPv6 connectivity, the make upgrade and postfix upgrade-configuration commands currently append inet_protocols = ipv4 to main.cf when no explicit setting is present.
  • The default smtp_address_preference value is now any (choose IPv4 or IPv6 at random).
  • The SMTP server no longer reports transcripts of sessions where a client command is rejected because a lookup table is not available. To continue receiving such reports, add the data class to the value of the notify_classes parameter.
  • A new smtpd_relay_restrictions parameter has been added. By default this enables permit_mynetworks, permit_sasl_authenticated, and defer_unauth_destination. This prevents open relay problems due to mistakes with spam filter rules in smtpd_recipient_restrictions. However, if your site has a complex mail relay policy configured under smtpd_recipient_restrictions, some mail may be incorrectly deferred. To correct this, either remove smtpd_relay_restrictions configuration and use the existing policy in smtpd_recipient_restrictions, or copy the existing policy from smtpd_recipient_restrictions to smtpd_relay_restrictions.
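Several of the changes above alter relay and trust behavior without any edit to main.cf, so a configuration carried over from Red Hat Enterprise Linux 6 is worth checking before it goes into service. The following sh functions are an added example, not part of the original guide or of Postfix: they parse main.cf (joining continuation lines) and report four of the settings discussed above. The sample main.cf is constructed, and postscreen_dnsbl_sites is the Postfix parameter assumed to hold the DNSBL names.

```shell
#!/bin/sh
# Added example: flag main.cf settings affected by the Postfix 2.6 -> 2.10 changes above.

# Print "name=value" per parameter; lines starting with whitespace continue the previous one.
main_cf_params() {
    awk '
    function emit() {
        if (name != "") {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print name "=" val
        }
        name = ""
    }
    /^[ \t]*#/ { next }                      # comment
    /^[ \t]*$/ { next }                      # blank
    /^[ \t]/   { val = val " " $0; next }    # continuation line
    {
        emit()
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]+/, "", name)
    }
    END { emit() }' "$@"
}

# Report findings for a main.cf given as a file argument or on stdin.
audit_main_cf() {
    main_cf_params "$@" | awk '
    { eq = index($0, "="); p[substr($0, 1, eq - 1)] = substr($0, eq + 1) }   # last value wins
    END {
        for (k in p) all = all " " p[k]
        if (all ~ /permit_tls_all_clientcerts/ && p["tls_append_default_CA"] != "yes")
            print "CA: permit_tls_all_clientcerts in use; system CA certificates are no longer appended"
        if (!("smtpd_relay_restrictions" in p) && ("smtpd_recipient_restrictions" in p))
            print "RELAY: smtpd_relay_restrictions unset; its default now applies before the existing policy"
        if (!("inet_protocols" in p))
            print "INET: inet_protocols unset; default is now all (IPv4 and IPv6)"
        if (("postscreen_dnsbl_sites" in p) && !("postscreen_dnsbl_reply_map" in p))
            print "DNSBL: no postscreen_dnsbl_reply_map; DNSBL names appear as-is in SMTP replies"
    }'
}

# Constructed sample main.cf (values are placeholders).
sample_main_cf() {
    cat <<'EOF'
# constructed sample
myhostname = mail.example.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
postscreen_dnsbl_sites = secret.zen.spamhaus.org
inet_protocols = ipv4
EOF
}

sample_main_cf | audit_main_cf
```

Pass a path, for example audit_main_cf /etc/postfix/main.cf, to check a real configuration. Note that setting tls_append_default_CA = yes to clear the CA finding restores relay permission for client certificates issued by any system-supplied CA when permit_tls_all_clientcerts is used.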

2.7.6. Network Protocols

Read this section for a summary of changes to network protocols between Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

2.7.6.1. Network File System (NFS)

Red Hat Enterprise Linux 7 provides support for NFS 3, NFS 4.0, and NFS 4.1. NFS 2 is no longer supported as of Red Hat Enterprise Linux 7.
NFS 4.1 provides a number of performance and security enhancements, including client support for Parallel NFS (pNFS). Additionally, a separate TCP connection is no longer required for callbacks, allowing an NFS server to grant delegations even when it cannot contact the client, for example, when NAT or a firewall interferes.
NFS 3, NFS 4.0, and NFS 4.1 are supported on the server. Support for a particular version can be enabled or disabled in the /etc/sysconfig/nfs file, by changing the value of the RPCNFSDARGS parameter. For example, RPCNFSDARGS="-N4.1 -V3" enables support for NFS 3 and disables support for NFS 4.1. For further details, see the man page:
$ man rpc.nfsd
NFS clients attempt to mount using NFS 4.0 by default, and fall back to NFS 3 if the mount operation is not successful. Default behavior can be altered by editing the /etc/nfsmount.conf file and by using command line options. See the man pages for further details.
$ man nfs
$ man nfsmount.conf
2.7.6.1.1. Parallel NFS (pNFS)
Red Hat Enterprise Linux 7 provides client support for Parallel NFS (pNFS). pNFS improves the scalability of NFS and has the potential to improve performance. When the Red Hat Enterprise Linux 7 client mounts a server that supports pNFS, that client can access data through multiple servers concurrently. Note that Red Hat Enterprise Linux 7 supports the files layout type, with objects and blocks layout types being included as a technology preview. For more information about this protocol and its capabilities, see the Red Hat Enterprise Linux 7 Storage Administration Guide.

2.7.6.2. Apache Web Server (httpd)

Red Hat Enterprise Linux 7 provides an updated version of Apache Web Server. This new version (2.4) includes some significant packaging changes as well as a number of new features.
Changed proxy configuration
Apache Web Server (httpd) configurations that use an SSL back end must now use the SSLProxyCheckPeerName directive if the SSL certificate does not match the host name configured. Previously, host names in the SSL certificate of a proxy back end were not verified.
New control mechanisms
Because Red Hat Enterprise Linux moves the system away from SysV init scripts, the commands for controlling the httpd service have changed. Red Hat now recommends the apachectl and systemctl commands instead of the service command. For example, where you would previously have run service httpd graceful, Red Hat now recommends apachectl graceful.
Changed default subcommand behavior
The systemd unit file for httpd defines different behavior for the reload and stop subcommands. Specifically, the reload subcommand now gracefully reloads the service, and the stop command now gracefully stops the service by default.
Hard coded default configuration
Previous versions of httpd provided an exhaustive configuration file that listed all configuration settings and their defaults. Many common configuration settings are no longer explicitly configured in the default configuration files; instead, default settings are now hard coded. The default configuration file now has minimal content and is easier to manage as a result. The hard coded default values for all settings are specified in the manual, which by default is installed into /usr/share/httpd.
New Multi-Processing Model modules
Previous releases of Red Hat Enterprise Linux provided several Multi-Processing Models (prefork and worker) as different httpd binaries. Red Hat Enterprise Linux 7 uses a single binary and provides these Multi-Processing Models as loadable modules: worker, prefork (default), and event. Edit the /etc/httpd/conf.modules.d/00-mpm.conf file to select which module is loaded.
Directory changes
A number of directories have moved or are no longer provided in this updated version of httpd.
  • Content previously installed in /var/cache/mod_proxy has moved to /var/cache/httpd under either the proxy or the ssl subdirectory.
  • Content previously installed in /var/www has moved to /usr/share/httpd.
  • Content previously installed in /var/www/icons has moved to /usr/share/httpd/icons. This directory contains a set of icons used with directory indices.
  • The HTML version of the httpd manual previously installed in /var/www/manual has moved to /usr/share/httpd/manual.
  • Custom multi-language HTTP error pages previously installed in /var/www/error have moved to /usr/share/httpd/error.
Changes to suexec
The suexec binary no longer has its user identifier set to root at install time. Instead, a more restrictive set of permissions is applied using file system capability bits. This improves the security of the httpd service. Additionally, suexec now sends log messages to syslog instead of using the /var/log/httpd/suexec.log file. The messages sent to syslog appear in /var/log/secure by default.
Changes to module interface compatibility
Changes to the httpd module interface mean that this updated version of httpd is not compatible with third-party binary modules built against the previous version of httpd (2.2). Such modules will need to be adjusted as necessary for the httpd 2.4 module interface, and then rebuilt. See the Apache documentation for details of the API changes in version 2.4.
Change to apxs binary location
The apxs binary used to build modules from source has moved from /usr/sbin/apxs to /usr/bin/apxs.
New and moved configuration files
Configuration files that load modules are now placed in the /etc/httpd/conf.modules.d directory. Packages that provide additional loadable modules for httpd (like the php package) add files to this directory. Any configuration files in the conf.modules.d directory are processed before the main body of httpd.conf. Configuration files in the /etc/httpd/conf.d directory are now processed after the main body of httpd.conf.
Some additional configuration files are provided by the httpd package:
  • /etc/httpd/conf.d/autoindex.conf configures mod_autoindex directory indexing.
  • /etc/httpd/conf.d/userdir.conf configures access to user directories (http://example.com/~username/). By default this access is disabled for security reasons.
  • /etc/httpd/conf.d/welcome.conf configures the "welcome page" displayed on http://localhost/ when no content is present.
Changes to configuration compatibility
This version of httpd is not compatible with the configuration syntax of the previous version (2.2). Configuration files require updates to syntax before they can be used with this updated version of httpd. See the Apache documentation for details of the syntax changes made between version 2.2 and version 2.4.

2.7.6.3. Samba

Red Hat Enterprise Linux 7 provides Samba 4, a combined set of daemons, client utilities, and Python bindings that allow communicating using SMB1, SMB2, and SMB3 protocols.
The current implementation of Kerberos does not support the Samba 4 Active Directory Domain Controller functionality. This functionality has been omitted from Red Hat Enterprise Linux 7.0, but is expected to be included in future releases. All other functionality that does not rely on the Active Directory DC is included.
Red Hat Enterprise Linux 6.4 and later provided Samba 4 as a Technology Preview, and packaged it as a series of samba4-* packages to avoid conflicting with the stable Samba 3 packages (samba-*). Since Samba 4 is now fully supported and provides a number of enhancements over Samba 3, Red Hat Enterprise Linux 7 provides Samba 4 as the standard samba-* packages. The special samba4-* packages are obsolete.
For more information about Samba, see the Red Hat Enterprise Linux 7 System Administrator's Guide and System Administrators Reference Guide, available from http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.

2.7.6.4. BIND

In Red Hat Enterprise Linux 6, installing the bind-chroot package changed the ROOTDIR environment variable in /etc/sysconfig/named to point to the chroot environment location. Running the named service normally (not in the chroot environment) required either removing the bind-chroot package or manually editing the ROOTDIR environment variable in the /etc/sysconfig/named file.
In Red Hat Enterprise Linux 7, installing the bind-chroot package does not change how the named service runs. Instead, it installs a new service, named-chroot, that is started and stopped separately with the systemctl command, like so:
# systemctl start named-chroot.service
# systemctl stop named-chroot.service
The named-chroot service cannot run at the same time as the named service.

2.7.7. Default product certificate

Starting with the Red Hat Enterprise Linux 7.2 release, the default certificate has been added to the redhat-release packages. This default certificate is stored in the /etc/pki/product-default/ directory.
The Subscription Manager now searches for the list of the certificates in the /etc/pki/product/ directory and then in the /etc/pki/product-default/ directory. Content in the /etc/pki/product-default/ directory is provided by redhat-release packages. Any certificate in the /etc/pki/product-default/ directory that is not located in /etc/pki/product/ is considered to be installed. The default product certificates are used until Subscription Manager fetches product certificates from the subscribed channels.