CentOS Stream 10 is released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jun 15, 2024.

  1. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    6:58 PM
    CentOS Stream 10 is available, although not yet announced, nor officially released.
    The bits are available from their mirror(s) system below. For example the ISO files:


    Index of /10-stream/BaseOS/x86_64/iso

    Although I am not a Stream user, nor an AlmaLinux (based on Stream+) user, nor a user of Rocky Linux or any related Stream-based distro, and only use RHEL-based systems, please note that: "CentOS Stream may seem like a natural choice to replace CentOS Linux, but it is not designed for production use."

    But apparently there are a few "Greg kool-aid" fascinated users on the forum thinking I'm just a Rocky user.
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:58 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Here we go again :D

    Number 10. Wow has it been that long? :)

    Looking forward to EL10 to see what goodies we get. Newer Linux Kernel, GCC 14 devtoolset I believe and newer glibc versions.

    Any word if curl and openssl and other packages will get native HTTP/3 QUIC support? Or will we still need to custom compile those?

    I had to build my own curl and dependencies for HTTP/3 QUIC testing and tools I use

    curl 8.9.0 with quicTLS openssl 3.1.5 fork for HTTP/3 QUIC and build custom nghttp2 h2load with HTTP/3 QUIC support too :)
    Code (Text):
    curl -V
    curl 8.9.0-DEV (x86_64-pc-linux-gnu) libcurl/8.9.0-DEV quictls/3.1.5 zlib/1.2.13 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0 OpenLDAP/2.6.8
    Release-Date: [unreleased]
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd
    
     
  3. buik

    EL 10 seems to be going to use the OpenSSL 3.2 edition. As can be seen at Stream (RHEL beta): https://mirror.stream.centos.org/10-stream/BaseOS/x86_64/os/Packages/openssl-3.2.2-1.el10.x86_64.rpm

    Perhaps more fun to report. It also appears that EL9 is upgrading from OpenSSL 3.0.* to the OpenSSL version 3.2 in the near future. And by that I mean at a 9.-5,6 etc release. As CentOS Stream 9 is already running on OpenSSL 3.2. And package nginx is confirming this change by: "- Resolves: RHEL-40371- openssl 3.2 ENGINE regression" in their EL 9.5 branch.

    Back to the native HTTP/3 QUIC support subject. I simply wouldn't know, since Nginx only offers this HTTP/3 option as "experimental". And as you know, I may not use experimental features from 3rd parties, nor an 'experimental feature' from Red Hat, professionally. Then for me privately, there is little point in putting time into that.

    In my opinion, it also makes little sense to invest a lot of time because during "previews," a lot often changes from preview to finally the goldmaster.

    But since "OpenSSL 3.3 Brings Extended QUIC Support", it seems to me that even 3.2 cannot yet support http/3 in its completeness, and thus should not even be compiled with Nginx.
     
    Last edited: Jun 16, 2024
  4. eva2000

    Nice detective work as this is great news as OpenSSL 3.2 performance is definitely better than OpenSSL 3.0/3.1. While OpenSSL 1.1.1 is still faster, OpenSSL 3.2 is best choice :)
    Yeah seems if you want HTTP/3 QUIC still need alternative crypto libraries like quicTLS OpenSSL fork, AWS-LC or BoringSSL or BoringSSL/Cloudflare Quiche. Luckily, Centmin Mod 130.00beta01 supports all these alternative crypto libraries for Nginx to support HTTP/3 QUIC. Just need to see which alternative crypto library wins out on overall stability, feature set (i.e. retain dual RSA + ECDSA SSL certs, OCSP stapling etc). Right now from testing AWS-LC > quicTLS fork > BoringSSL for me :)
     
  5. buik

    I wonder if http/3 can run fully and stably on Nginx anytime soon, since Nginx was a 100% Russian-based company and American owner F5 shut down everything in Russia after the Russian/Ukraine conflict. It seems, when you look at the changelogs, that http/3 is at a low ebb. It is purely Nginx Plus (enterprise) where the focus is full.

    Not to mention OpenSSL's remarkable move to reinvent the wheel with http/3, instead of integrating developer commits into it with the click of a mouse. The request commit was completely ready.

    Even high-ranking OpenSSL devs could not agree with this decision at all. OpenSSL then closed the discussion. Obviously without a factual account with a reason. There apparently isn't one.
     
  6. buik

    [​IMG]

    This is what CentOS Stream 10 looks like at this moment. It looks like a very early copy of Fedora 40 which is being rebranded to EL10, including the EL additions and excluding a bunch of Fedora packages, since EL is pretty slim and most of the fuss is going to EPEL.
     
  7. eva2000

    Probably not anytime soon - Nginx HTTP/3 QUIC is still marked beta experimental. Though I do understand their cautious approach. When you have 100s of millions of sites using Nginx, you don't want things to break. But I wonder if their slow approach is just due to OpenSSL HTTP/3 QUIC support being so slow to progress. They're probably wanting system OpenSSL versions getting HTTP/3 QUIC support?

    Anyway, reason I am looking at AWS-LC as alternative to slower OpenSSL 3.0/3.1/3.2/3.3 is not for AWS-LC's HTTP/3 QUIC support but its HTTP/2 support and equivalent or better performance for now deprecated OpenSSL 1.1.1. AWS-LC's HTTP/3 QUIC support is a bonus though :D

    Yeah never understood their decision to reinvent the wheel.

    Cheers for that. Don't use desktop side but looks sleek :)
     
  8. buik

    I think both. They would have done market research, where apparently http/3 does not have that much demand, nor priority among its paid customers. And second, http/3 with OpenSSL is an uncertain factor because the OpenSSL implementation of http/3, with their own implementation of http/3, differs from the other SSL software vendors (BoringSSL, LibreSSL, Amazon-SSL).
    I do have a suspicion on "their decision to reinvent the wheel" and I think I have written it down before. The OpenSSL team has quite a few freelancers. If some freelancers then implement http/3 very easily with a single off-the-shelf, fully supplied code commit by, I believe it was, Akamai developers, then these freelancers cut out their own work and thus their own income. I think that they sought reasons to justify their own implementation to management and not the other way around.

    Once more, because almost every external developer with high prestige expressed their absolute astonishment in that same commit conversation. Not one external developer agreed with the OpenSSL team. And then finally the OpenSSL team, who failed to come up with a substantive response, quickly locked the topic.

    It remains conjecture and I have no inside sources. But extremely strange is certainly the situation. At least when you ask me.
    I very occasionally use Server + GUI, for some bare-metal servers. I'd rather not, but some servers are not continuously or not connected to a lan and/or wan. Besides, I can show a terminal screenshot but that won't help anyone. The above image gives a nice first look, but I know it's not that super special either.