Table of Contents

Things to know about CentOS 8 / CentOS 8 Stream

This document is a work in progress. Check back every once in a while. Also keep an eye on Known Issues from CentOS community.

CentOS 8 has finally been released on September 25th, 2019. It is more than about time that I start working on a wiki page to add things I had to find out myself about the freshly baked community enterprise OS which is now under Redhat's umbrella.

And what is CentOS 8 Stream anyway? Whenever RHEL releases a new major version, CentOS takes the sources and releases a free community version a few months later. From now on, once this happens, CentOS Stream will act as a rolling release from which future RHEL minor versions will derivate. CentOS is now part of the Redhat development cycle. Does it mean that CentOS is now the new upstream for RHEL? No, let's call it a midstream. Fedora is and will stay the upstream of RHEL, but once RHEL is forked from Fedora and CentOS is released, CentOS Stream will be the upstream for each minor version of RHEL. Until a new major version is forked from Fedora again. Got it?

Multiple issues installing VirtualBox Guest Additions

On a minimal CentOS 8 install, you can neither unpack the guest additions nor build them. Install these:

dnf install -y tar bzip2 kernel-headers kernel-devel gcc make elfutils-libelf-devel

Double-check that kernel-headers, kernel-devel and kernel release match. I've seen mirrors being desynced.

dnf info kernel kernel-headers kernel-devel | grep Release
At the time of this writing, the current VirtualBox version 6.0.12 guest additions fail to build. Grab the Latest 6.0.x Testbuild Guest Additions from https://www.virtualbox.org/wiki/Testbuilds.

Attach the ISO image to your virtual CD-ROM. Then mount the image and build the guest additions:

mount /dev/cdrom /mnt
cd /mnt/
./VBoxLinuxAdditions.run

On an server installation without desktop, run the installation with an extra parameter instead:

./VBoxLinuxAdditions.run --nox11

NetworkManager-wait-online fails to start

I am not yet sure what is causing this, but setting the ExecStart timeout to 120 seconds within a custom systemd unit file will fix this:

# cat /etc/systemd/system/NetworkManager-wait-online.service
[Unit]
Description=Network Manager Wait Online
Documentation=man:nm-online(1)
Requires=NetworkManager.service
After=NetworkManager.service
Before=network-online.target
 
[Service]
Type=oneshot
ExecStart=/usr/bin/nm-online -s -q --timeout=120
RemainAfterExit=yes
 
[Install]
WantedBy=network-online.target

Once that file is in place, reload systemd and reboot.

systemctl daemon-reload
reboot

There is no whois client in CentOS 8

That's right, CentOS has dropped jwhois, a hopelessly outdated client (last officially updated in 2007, last commit in 2015) and I am thankful for this. The jwhois.conf file was maintained by no one, and if I look at the file I can see why. Fedora uses the whois client by Marco d'Itri, which is updated with the latest GTLDs regularly. I have requested that this package gets included in CentOS 8.

A day later I received mail from the Fedora package maintainer as it's been added to EPEL8 Testing repository. It works fine: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-03721cf83e

If you can't wait, help yourself:

wget "http://repos.del.extreme-ix.org/epel/testing/8/Everything/x86_64/Packages/w/whois-5.5.1-1.el8.x86_64.rpm"
wget "http://repos.del.extreme-ix.org/epel/testing/8/Everything/x86_64/Packages/w/whois-nls-5.5.1-1.el8.noarch.rpm"
dnf install -y whois-nls-5.5.1-1.el8.noarch.rpm
dnf install -y whois-5.5.1-1.el8.x86_64.rpm

The included whois.conf file is pretty recent and to my knowledge works with the latest GTLDs.

The proper way to add EPEL repository in CentOS 8

EPEL adds additional high quality software to CentOS (based on Fedora packages) not available from the official CentOS repositories.
On CentOS 8 it is recommended to also enable the PowerTools repository since EPEL packages may depend on packages from it.

dnf install epel-release
dnf config-manager --set-enabled PowerTools

How to change the SSH port

Running a SSH daemon on port 22 will lead to botnets hammering your machine with dictionary and brute-force attacks. It is advised to change your SSH port to something random, in this example port 24680.

There is no legit reason why you would run sshd on a static default port. I personally change the SSH ports to all my machines regularly. From my experience botnets restart attacking truely random high ports after only a few weeks. Additionally, please check out fail2ban or sshguard.

SELinux

SELinux is turned on by default on CentOS 8. Please allow the new tcp port 24680 to be used by the ssh daemon.

dnf install -y policycoreutils-python-utils
semanage port -a -t ssh_port_t -p tcp 24680

OpenSSH

The SSH daemon needs to be configured to use the new SSH port. On a fresh installation, try this:

sed -i 's/#Port 22/Port 24680/g' /etc/ssh/sshd_config

Firewalling

On a new minimal installation there is no firewall active on CentOS 8. If you have chosen between firewalld or iptables-services then read on:

firewalld

If you decide for firewalld, add the new SSH port to e.g. the public zone:

firewall-cmd --permanent --zone=public --add-port=24680/tcp
firewall-cmd --reload

iptables-services

If you run iptables-services instead, look at the following files:

[root@centos8s ~]# grep 22 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[root@centos8s ~]# grep 22 /etc/sysconfig/ip6tables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Using an editor, change dport 22 to 24680 in both files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. On a fresh installation you can speed this up:

sed -i 's/--dport 22/--dport 24680/g' /etc/sysconfig/iptables
sed -i 's/--dport 22/--dport 24680/g' /etc/sysconfig/ip6tables

Now restart iptables for the firewall rules to become effective:

systemctl restart iptables
systemctl restart ip6tables

Finalizing the change

Double-check that the port is now open by examining the iptables output (if there are no ACCEPT and REJECT rules then you are still running the defaults, all ports are open and you are fine).

[root@centos8s ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24680
    3   217 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 19 packets, 1712 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
 
[root@centos8s ~]# ip6tables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    7  1704 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:24680
    0     0 ACCEPT     udp      *      *       ::/0                 fe80::/64            udp dpt:546 state NEW
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited
 
Chain OUTPUT (policy ACCEPT 14 packets, 1344 bytes)
 pkts bytes target     prot opt in     out     source               destination

Looks good, port 24680 is accepted. We restart the SSH daemon now, don't disconnect from your current session.

systemctl restart sshd

Test if you can connect from a new SSH session. If that won't work, you can still revert or fix your change from the existing session. Why?

 36  2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Because RHEL based distributions come with a default of allowing already established flows when reloading iptables.