Learn about Centmin Mod LEMP Stack today
Become a Member

AlmaLinux Rocky Linux CentOS 9.x Centmin Mod CentOS 9, Alma Linux 9, Rocky Linux 9 Compatibility Worklog

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, May 30, 2022.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    9:04 PM
    Nginx 1.21.x
    MariaDB 10.x
    Like the CentOS/Alma Linux/Rocky Linux 8 (EL8) compatibility worklog thread, this thread is for Centmin Mod's compatibility work for CentOS Stream 9, Alma Linux 9 and Rocky Linux 9 operating systems. Luckily, the hardest part and biggest changes were in EL7 to EL8, so my current work with Centmin Mod and EL8 compatibility is making it a lot easier to work with EL9 compatibility.

    All current EL8 and EL9 compatibility work as at May 30, 2022, is being done in Centmin Mod 130.00beta01 onwards. Right now EL8 and EL9 work is hidden behind optional flags so out of the box Centmin Mod 130.00beta01 will only work with CentOS 7 right now. Once compatibility work is done with EL8, then Centmin Mod 130.00beta01 will eventually enable those optional flags. Then finally when EL9 compatibility is done, those respective flags will also be enabled.

    Redhat/CentOS/Alma Linux/Rocky Linux 9 Release Notes, Manual & Info

    EL9 Community Forums

    Notes For EL9

    • EL8 vs EL9 Differences: Major differences between RHEL 8 and RHEL 9, including removed functionality, are documented in Considerations in adopting RHEL 9. Including:
      • The RPM database is now based on the sqlite library. Read-only support for BerkeleyDB databases has been retained for migration and query purposes. So how you handle YUM database corruption will differ in EL9 vs EL7/EL8.
      • RPM now supports the Zstandard (zstd) compression algorithm. In RHEL 9, the default RPM compression algorithm has switched to Zstandard (zstd). As a result, packages now install faster, which can be especially noticeable during large transactions.
      • In RHEL 9, TLS configuration is performed using the system-wide cryptographic policies mechanism. TLS versions below 1.2 are not supported anymore. DEFAULT, FUTURE and LEGACY cryptographic policies allow only TLS 1.2 and 1.3. See Using system-wide cryptographic policies for more information.
      • SCP not supported in RHEL 9. The secure copy protocol (SCP) protocol is no longer supported because it is difficult to secure. It has already caused security issues, for example CVE-2020-15778. In RHEL 9, SCP is replaced by the SSH File Transfer Protocol (SFTP) by default.
      • OpenSSH root password login disabled by default. The default configuration of OpenSSH in RHEL 9 disallows users to log in as root with a password to prevent attackers from gaining access through brute-force attacks on passwords.
      • NSS no longer support DBM and pk12util defaults changed. The Network Security Services (NSS) libraries no longer support the DBM file format for the trust database. In RHEL 8, the SQLite file format became the default format, and the existing DBM databases were opened on read-only mode and automatically converted to SQLite. Before you upgrade to RHEL 9, update all trust databases from DBM to SQLite. Additionally, the pk12util tool now uses the AES and SHA-256 algorithms instead of DES-3 and SHA-1 by default when exporting private keys.
      • RHEL 9 does not contain the legacy network scripts. RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager. For details, see the Configuring and managing networking documentation.
      • Boot loader configuration files are unified across CPU architectures. Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg file, which GRUB previously used on UEFI systems, is now a symbolic link to the /boot/grub2/grub.cfg file.
      • NFSv2 is no longer supported. RHEL 9 NFS client and server no longer support NFSv2.
      • The unversioned form of the python command (/usr/bin/python) is available in the python-unversioned-command package. On some systems, this package is not installed by default. To install the unversioned form of the python command manually, use the dnf install /usr/bin/python command. In RHEL 9, the unversioned form of the python command points to the default Python 3.9 version and it is an equivalent to the python3 and python3.9 commands. The python command is intended for interactive sessions. In production, Red Hat recommends using python3 or python3.9 explicitly. You can uninstall the unversioned python command by using the dnf remove /usr/bin/python command. If you need a different python command, you can create custom symlinks in /usr/local/bin or ~/.local/bin or a Python virtual environment. Several other unversioned commands are available, such as /usr/bin/pip in the python3-pip package. In RHEL 9, all unversioned commands point to the default Python 3.9 version.
      • VM machine types based on RHEL 7.5 and earlier are unsupported. In RHEL 9, virtual machines (VMs) no longer support machine types based on RHEL 7.5 and earlier. For example, these include s390-ccw-virtio-rhel7.5.0
    • OpenSSL 3.0 Compatibility Issues: Looks like with Redhat Enterprise Linux 9, CentOS Stream 9, Alma Linux 9 or Rocky Linux 9, the default OpenSSL version 3.0 is installed instead of OpenSSL 1.0.2 for CentOS 7 and OpenSSL 1.1.1 for CentOS 8. This means to use EL9 distros out of the box, PHP web apps would need to use PHP 8.1 and higher as PHP 8.1 or higher are only versions that support EL9's OpenSSL 3.0.x PHP :: Doc Bug #81540 :: OpenSSL 3.0.0 is not supported prior to 8.1.0. With how slow newer PHP versions get adopted, you'd have to hope by EL9 mainstream release/usage, that all PHP applications are 100% working with PHP 8.1+ :) Luckily, for Centmin Mod 130.00beta01 and newer versions, I've fixed PHP-FPM's custom OpenSSL version support so we can build PHP 7.4, 8.0 and 8.1 with OpenSSL 1.1.1 instead of EL9 system's OpenSSL 3.0 https://community.centminmod.com/th...ssl-routine-in-130-00beta01.22812/#post-93085 :D
    • EL9 Modules: Unlike EL8, EL9 operating systems aren't relying on using modules as much this time https://almalinux.discourse.group/t/almalinux-9-dnf-module-list-is-empty/1181. From Redhat 9 Release notes,
    • SHA-1 Signatures Disabled: The use of SHA-1 for signatures is restricted in the default crypto policy. This may cause issues using SSH to access older systems, such as RHEL/CentOS 6. To allow SHA-1 you can run:
      Code (Text):
      update-crypto-policies --set DEFAULT:SHA1
      . Examples of issues you may encounter:
    • SELinux: Support for disabling SELinux through the SELINUX=disabled option in the /etc/selinux/config file has been removed from the kernel. When you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded. If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line. This could be problematic for Centmin Mod disabling SELinux in an unattended/automated way. You'd have to rely on VPS provider's default EL9 OS images to have SELinux disabled or for VPS providers to provide 2 sets of EL9 OS images - one with SELinux enabled and one with SELinux disabled.
    • ipset and iptables-nft deprecated: From deprecated release notes,
      Centmin Mod's CSF Firewall uses ipset on non-OpenVZ systems, so will be interesting to see how CSF Firewall handles loosing ipset.

    Last edited: May 30, 2022
Thread Status:
Not open for further replies.