Chapter 7. Infrastructure services

7.1. Time synchronization

Accurate timekeeping is important for a number of reasons. In Linux systems, the Network Time Protocol (NTP) is implemented by a daemon running in user space.

7.1.1. Implementation of NTP

RHEL 7 supported two implementations of the NTP protocol: ntp and chrony.

In RHEL 8, the NTP protocol is implemented only by the chronyd daemon, provided by the chrony package.

The ntp daemon is no longer available. If you used ntp on your RHEL 7 system, you might need to migrate to chrony.

Possible replacements for previous ntp features that are not supported by chrony are documented in Achieving some settings previously supported by ntp in chrony.

7.1.2. Introduction to chrony suite

chrony is an implementation of NTP, which performs well in a wide range of conditions, including intermittent network connections, heavily congested networks, changing temperatures (ordinary computer clocks are sensitive to temperature), and systems that do not run continuously, or run on a virtual machine.

You can use chrony:

  • To synchronize the system clock with NTP servers
  • To synchronize the system clock with a reference clock, for example a GPS receiver
  • To synchronize the system clock with a manual time input
  • As an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network

For more information about chrony, see Configuring basic system settings.

7.1.2.1. Differences between chrony and ntp

See the following resources for information about differences between chrony and ntp:

7.1.2.1.1. Chrony applies leap second correction by default

In RHEL 8, the default chrony configuration file, /etc/chrony.conf, includes the leapsectz directive.

The leapsectz directive enables chronyd to:

  • Get information about leap seconds from the system tz database (tzdata)
  • Set the TAI-UTC offset of the system clock in order that the system provides an accurate International Atomic Time (TAI) clock (CLOCK_TAI)

The directive is not compatible with servers that hide leap seconds from their clients using a leap smear, such as chronyd servers configured with the leapsecmode and smoothtime directives. If a client chronyd is configured to synchronize to such servers, remove leapsectz from the configuration file.

7.1.3. Additional information

For more information about how to configure NTP using the chrony suite, see Configuring time synchronization.

7.2. BIND - Implementation of DNS

RHEL 8 includes BIND (Berkeley Internet Name Domain) in version 9.11. This version of the DNS server introduces multiple new features and feature changes compared to version 9.10.

New features:

  • A new method of provisioning secondary servers called Catalog Zones has been added.
  • Domain Name System Cookies are now sent by the named service and the dig utility.
  • The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
  • Performance of response-policy zone (RPZ) has been improved.
  • A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
  • A new tool called delv (domain entity lookup and validation) has been added, with dig-like semantics for looking up DNS data and performing internal DNS Security Extensions (DNSSEC) validation.
  • A new mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
  • A new prefetch option, which improves the recursive resolver performance, has been added.
  • A new in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
  • A new max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
  • New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
  • The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
  • The named service now checks whether other name server processes are running before starting up.
  • When loading a signed zone, named now checks whether a Resource Record Signature (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
  • Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.

Feature changes:

  • The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is no longer supported.
  • The named service now listens on both IPv6 and IPv4 interfaces by default.
  • The named service no longer supports GeoIP databases. Access control lists (ACLs) defined by the presumed location of the query sender are unavailable.
  • Since RHEL 8.2, the named service supports GeoIP2, which is provided in the libmaxminddb data format.

7.3. DNS resolution

In RHEL 7, the nslookup and host utilities accepted any reply, even without the recursion available flag, from any of the listed name servers. In RHEL 8, nslookup and host ignore replies from name servers that do not set the recursion available flag, unless the reply comes from the last configured name server. For the last configured name server, the answer is accepted even without the recursion available flag.

However, if the last configured name server is not responding or is unreachable, name resolution fails. To prevent such a failure, you can use one of the following approaches:

  • Ensure that configured name servers always reply with the recursion available flag set.
  • Allow recursion for all internal clients.

Optionally, you can also use the dig utility to detect whether recursion is available or not.
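The following script is an added example, not part of the Red Hat guide: it reads the "flags:" header of a dig reply and reports whether the server set the ra (recursion available) flag, then applies that check to every nameserver entry in a resolv.conf file. The sample header lines at the end are constructed; dig itself (from bind-utils) and network access are only needed for the live functions.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): report which configured name
# servers set the "recursion available" (ra) flag, since RHEL 8 nslookup and
# host ignore replies without it from all but the last configured server.

# Return 0 if a dig ";; flags: ..." header line carries the "ra" flag, 1 otherwise.
has_ra_flag() {
    case " $(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p') " in
        *" ra "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Extract the first ";; flags:" line from complete dig output.
flags_line() {
    printf '%s\n' "$1" | grep '^;; flags:' | head -n 1
}

# Query one server with dig and report whether it offers recursion.
# Needs dig and network access; not exercised by the self-test.
check_server() {
    server=$1
    out=$(dig "@$server" +time=2 +tries=1 example.com A 2>/dev/null) || {
        printf '%s: no response\n' "$server"; return 2; }
    if has_ra_flag "$(flags_line "$out")"; then
        printf '%s: recursion available\n' "$server"
    else
        printf '%s: recursion NOT available\n' "$server"; return 1
    fi
}

# Walk every "nameserver" entry in a resolv.conf (default /etc/resolv.conf).
check_resolv_conf() {
    awk '/^nameserver/ {print $2}' "${1:-/etc/resolv.conf}" |
    while read -r ns; do check_server "$ns"; done
}

# Constructed sample dig header lines: one with ra set, one without.
SAMPLE_RA=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NO_RA=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

A server that answers without ra only works as the last nameserver entry in RHEL 8, so any server the script marks "recursion NOT available" should either be reconfigured to allow recursion for internal clients or moved to that last position.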

7.4. Postfix

By default in RHEL 8, Postfix uses MD5 fingerprints for TLS for backward compatibility. In FIPS mode, however, the MD5 hashing function is not available, which may cause TLS to function incorrectly with the default Postfix configuration. As a workaround, change the hashing function to SHA-256 in the Postfix configuration file.

For more details, see the related link: https://access.redhat.com/articles/5824391
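The linked article is the authority on the exact settings; the script below is an added example that is not part of this guide. It assumes the affected settings are Postfix's TLS fingerprint digest parameters (smtpd_tls_fingerprint_digest, smtp_tls_fingerprint_digest, lmtp_tls_fingerprint_digest), reports any that still resolve to md5 in "postconf"-style "name = value" output, and rewrites them to sha256. The sample configuration text is constructed; only the two live functions need postconf.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: find Postfix TLS fingerprint
# digest settings that still use MD5 (unavailable in FIPS mode) and move them
# to SHA-256. Assumption: the *_tls_fingerprint_digest parameters are the ones meant.

# Parameters whose value selects the TLS fingerprint digest.
DIGEST_PARAMS="smtpd_tls_fingerprint_digest smtp_tls_fingerprint_digest lmtp_tls_fingerprint_digest"

# Given "name = value" text (as printed by postconf), print the digest
# parameters still set to md5. Returns 0 if none, 1 if any were found.
find_md5_digests() {
    found=0
    for p in $DIGEST_PARAMS; do
        val=$(printf '%s\n' "$1" |
              sed -n "s/^$p[[:space:]]*=[[:space:]]*//p" | tr 'A-Z' 'a-z')
        if [ "$val" = "md5" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    return $found
}

# Rewrite md5 digest settings to sha256 in the same "name = value" text.
# Only the digest parameters are touched; every other line passes through.
fix_digests() {
    printf '%s\n' "$1" | sed -E \
        's/^((smtpd|smtp|lmtp)_tls_fingerprint_digest[[:space:]]*=[[:space:]]*)[Mm][Dd]5[[:space:]]*$/\1sha256/'
}

# Live check against the running configuration (needs postconf). postconf
# prints effective values, so a parameter left at its md5 default is reported too.
check_live() {
    find_md5_digests "$(postconf $DIGEST_PARAMS 2>/dev/null)"
}

# Apply the fix to main.cf through postconf -e (needs root and postconf).
apply_live() {
    for p in $DIGEST_PARAMS; do postconf -e "$p = sha256"; done
}

# Constructed sample of "postconf <params>" output with two md5 settings.
SAMPLE_CONF='smtpd_tls_fingerprint_digest = md5
smtp_tls_fingerprint_digest = sha256
lmtp_tls_fingerprint_digest = md5'
```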

7.5. Printing

7.5.2. Location of CUPS logs

CUPS provides three kinds of logs:

  • Error log
  • Access log
  • Page log

In RHEL 8, the logs are no longer stored in specific files within the /var/log/cups directory, which was used in RHEL 7. Instead, all three types are logged centrally in systemd-journald together with logs from other programs.

For more information about how to use CUPS logs in RHEL 8, see Accessing the CUPS logs in the systemd journal.

7.5.3. Additional information

For more information about how to configure printing in RHEL 8, see Configuring printing.

7.6. Performance and power management options

7.6.1. Notable changes in the recommended TuneD profile

In RHEL 8, the recommended TuneD profile, reported by the tuned-adm recommend command, is selected based on the following rules:

  • If the syspurpose role (reported by the syspurpose show command) contains atomic, and at the same time:

    • if TuneD is running on bare metal, the atomic-host profile is selected
    • if TuneD is running in a virtual machine, the atomic-guest profile is selected
  • If TuneD is running in a virtual machine, the virtual-guest profile is selected
  • If the syspurpose role contains desktop or workstation and the chassis type (reported by dmidecode) is Notebook, Laptop, or Portable, then the balanced profile is selected
  • If none of the above rules matches, the throughput-performance profile is selected

Note that the first rule that matches takes effect.
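The rules above as an executable function, added here as an example and not taken from the guide or from TuneD's own code: it makes the first-match ordering visible, for instance that an atomic role on a virtual machine yields atomic-guest rather than virtual-guest, and that a desktop role on a virtual machine yields virtual-guest rather than balanced. The live helper assumes syspurpose show prints JSON with a "role" key and uses systemd-detect-virt and dmidecode for the other inputs.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: the profile-selection rules of
# "tuned-adm recommend" written out as a function, so the effect of rule
# order (first match wins) can be checked on sample inputs.

# Inputs: syspurpose role string, "vm" or "metal", dmidecode chassis type.
# Prints the profile that the rules select.
recommend_profile() {
    role=$1; platform=$2; chassis=$3

    # Rule 1: atomic role, split by bare metal versus virtual machine.
    case "$role" in
        *atomic*)
            if [ "$platform" = vm ]; then echo atomic-guest; else echo atomic-host; fi
            return ;;
    esac

    # Rule 2: any other virtual machine.
    if [ "$platform" = vm ]; then echo virtual-guest; return; fi

    # Rule 3: desktop or workstation role on a portable chassis type.
    case "$role" in
        *desktop*|*workstation*)
            case "$chassis" in
                Notebook|Laptop|Portable) echo balanced; return ;;
            esac ;;
    esac

    # Rule 4: nothing above matched.
    echo throughput-performance
}

# Gather the real inputs on a RHEL 8 host (needs syspurpose, systemd-detect-virt
# and dmidecode; not exercised by the self-test). The sed expression assumes
# syspurpose show prints JSON with a "role" key.
recommend_for_this_host() {
    role=$(syspurpose show 2>/dev/null | sed -n 's/^ *"role": *"\(.*\)".*/\1/p')
    if systemd-detect-virt --vm >/dev/null 2>&1; then platform=vm; else platform=metal; fi
    chassis=$(dmidecode -s chassis-type 2>/dev/null)
    recommend_profile "$role" "$platform" "$chassis"
}
```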

7.7. Other changes to infrastructure services components

The summary of other notable changes to particular infrastructure services components follows.

Table 7.1. Notable changes to infrastructure services components

| Name | Type of change | Additional information |
|---|---|---|
| acpid | Option change | -d (debug) no longer implies -f (foreground) |
| bind | Configuration option removal | dnssec-lookaside auto removed; use no instead |
| brltty | Configuration option change | The brltty option --message-delay renamed to --message-timeout |
| brltty | Configuration option removal | -U [--update-interval=] removed |
| brltty | Configuration option change | A Bluetooth device address may now contain dashes (-) instead of colons (:). The bth: and bluez: device qualifier aliases are no longer supported. |
| cups | Functionality removal | Upstream removed support for interface scripts for security reasons. Use PPDs and drivers provided by the OS or proprietary ones. |
| cups | Directive options removal | Removed Digest and BasicDigest authentication types for AuthType and DefaultAuthType directives in /etc/cups/cupsd.conf. Migrate to Basic. |
| cups | Directive options removal | Removed Include from cupsd.conf |
| cups | Directive options removal | Removed ServerCertificate and ServerKey from cups-files.conf; use ServerKeychain instead |
| cups | Directives moved between conf files | SetEnv and PassEnv moved from cupsd.conf to cups-files.conf |
| cups | Directives moved between conf files | PrintcapFormat moved from cupsd.conf to cups-files.conf |
| cups-filters | Default configuration change | Names of remote print queues discovered by cups-browsed are now created based on the device ID of the printer, not on the name of the remote print queue. |
| cups-filters | Default configuration change | CreateIPPPrinterQueues must be set to All for automatic creation of queues of IPP printers |
| cyrus-imapd | Data format change | Cyrus-imapd 3.0.7 has a different data format. |
| dhcp | Behavior change | dhclient sends the hardware address as a client identifier by default. The client-id option is configurable. For more information, see the /etc/dhcp/dhclient.conf file. |
| dhcp | Options incompatibility | The -I option is now used for standard-ddns-updates. For the previous functionality (dhcp-client-identifier), use the new -C option. |
| dosfstools | Behavior change | Data structures are now automatically aligned to cluster size. To disable the alignment, use the -a option. fsck.fat now defaults to interactive repair mode, which previously had to be selected with the -r option. |
| finger | Functionality removal | |
| GeoIP | Functionality removal | |
| grep | Behavior change | grep now treats files containing data improperly encoded for the current locale as binary. |
| grep | Behavior change | grep -P no longer reports an error and exits when given invalid UTF-8 data |
| grep | Behavior change | grep now warns if the GREP_OPTIONS environment variable is used. Use an alias or script instead. |
| grep | Behavior change | grep -P reports an error and exits in locales with multibyte character encodings other than UTF-8 |
| grep | Behavior change | When searching binary data, grep may treat non-text bytes as line terminators, which impacts performance significantly. |
| grep | Behavior change | grep -z no longer automatically treats the byte '\200' as binary data. |
| grep | Behavior change | Context no longer excludes selected lines omitted because of -m. |
| irssi | Behavior change | SSLv2 and SSLv3 no longer supported |
| lftp | Change of options | xfer:log and xfer:log-file deprecated; now available under the log:enabled and log:file commands |
| ntp | Functionality removal | ntp has been removed; use chrony instead |
| postfix | Configuration change | Postfix 3.x versions have a compatibility safety net that runs Postfix programs with backwards-compatible default settings after an upgrade. |
| postfix | Configuration change | In the Postfix MySQL database client, the default option_group value has changed to client; set it to an empty value for backward-compatible behavior. |
| postfix | Configuration change | The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set TZ=UTC in main.cf:import_environment. For example: import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ=UTC XAUTHORITY DISPLAY LANG=C |
| postfix | Configuration change | ECDHE: smtpd_tls_eecdh_grade defaults to auto; new parameter tls_eecdh_auto_curves with the names of curves that may be negotiated |
| postfix | Configuration change | Changed defaults for append_dot_mydomain (new: no, old: yes), master.cf chroot (new: n, old: y), smtputf8 (new: yes, old: no). |
| postfix | Configuration change | Changed defaults for relay_domains (new: empty, old: $mydestination). |
| postfix | Configuration change | The mynetworks_style default value has changed from subnet to host. |
| powertop | Option removal | -d removed |
| powertop | Option change | -h is no longer an alias for --html. It is now an alias for --help. |
| powertop | Option removal | -u removed |
| quagga | Functionality removal | |
| sendmail | Configuration change | sendmail uses uncompressed IPv6 addresses by default, which permits a zero subnet to have a more specific match. Configuration data must use the same format, so make sure patterns such as IPv6:[0-9a-fA-F:]*:: and IPv6:: are updated before using 8.15. |
| spamassassin | Command line option removal | Removed --ssl-version in spamd. |
| spamassassin | Command line option change | In spamc, the command line option -S/--ssl can no longer be used to specify the SSL/TLS version. The option can now only be used without an argument to enable TLS. |
| spamassassin | Change in supported SSL versions | In spamc and spamd, SSLv3 is no longer supported. |
| spamassassin | Functionality removal | sa-update no longer supports SHA1 validation of filtering rules, and uses SHA256/SHA512 validation instead. |
| vim | Default settings change | Vim runs the default.vim script if no ~/.vimrc file is available. |
| vim | Default settings change | Vim now supports bracketed paste from the terminal. Include 'set t_BE=' in vimrc for the previous behavior. |
| vsftpd | Default configuration change | anonymous_enable disabled |
| vsftpd | Default configuration change | strict_ssl_read_eof now defaults to YES |
| vsftpd | Functionality removal | tcp_wrappers no longer supported |
| vsftpd | Default configuration change | TLSv1 and TLSv1.1 are disabled by default |
| wireshark | Python bindings removal | Dissectors can no longer be written in Python; use C instead. |
| wireshark | Option removal | -C suboption for -N option for asynchronous DNS name resolution removed |
| wireshark | Output change | With the -H option, the output no longer shows SHA1, RIPEMD160 and MD5 hashes. It now shows SHA256, RIPEMD160 and SHA1 hashes. |
| wvdial | Functionality removal | |