This document is a work in progress. Check back every once in a while. Also keep an eye on Known Issues from CentOS community.
CentOS 8 has finally been released on September 25th, 2019. It is about time that I start a wiki page for the things I had to find out myself about the freshly baked community enterprise OS, which is now under Red Hat's umbrella.
And what is CentOS Stream anyway? Whenever RHEL releases a new major version, CentOS takes the sources and releases a free community rebuild a few months later. From now on, once that has happened, CentOS Stream acts as a rolling release from which future RHEL minor versions derive. CentOS is now part of the Red Hat development cycle. Does that make CentOS the new upstream of RHEL? No, call it a midstream: Fedora is and will stay the upstream of RHEL, but once a RHEL major version has been forked from Fedora and CentOS has been released, CentOS Stream is the upstream for each minor version of that RHEL release, until the next major version is forked from Fedora again. Got it?
On a minimal CentOS 8 install you can neither unpack the VirtualBox guest additions nor build their kernel modules. Install these first:
dnf install -y tar bzip2 kernel-headers kernel-devel gcc make elfutils-libelf-devel
Double-check that the kernel-headers and kernel-devel releases match the running kernel (uname -r). I've seen mirrors being out of sync, and a kernel that was just updated is not the running one until you reboot.
dnf info kernel kernel-headers kernel-devel | grep Release
Attach the ISO image to your virtual CD-ROM. Then mount the image and build the guest additions:
mount /dev/cdrom /mnt
cd /mnt/
./VBoxLinuxAdditions.run
On a server installation without a desktop, run the installer with an extra parameter instead:
./VBoxLinuxAdditions.run --nox11
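As an added example (not from the original page), the version check above done properly: instead of eyeballing dnf info output, compare the installed kernel-devel and kernel-headers packages against the running kernel, which is what the guest additions build actually needs. The function and script names are mine; the rpm -q output format (one NAME-VERSION-RELEASE.ARCH per installed package) and the sample package names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks that kernel-devel and
# kernel-headers match the *running* kernel before building out-of-tree
# modules such as the VirtualBox guest additions.

# kernel_pkg_matches RUNNING PKGNAME NVRA...
#   RUNNING is the `uname -r` string, e.g. 4.18.0-80.11.2.el8_0.x86_64.
#   NVRA... are installed packages as printed by `rpm -q PKGNAME`.
#   Returns 0 if one of them is exactly PKGNAME-RUNNING.
kernel_pkg_matches() {
    running=$1; pkg=$2; shift 2
    for nvra in "$@"; do
        [ "$nvra" = "$pkg-$running" ] && return 0
    done
    return 1
}

# check_build_deps: the same check with live data. Prints the dnf command
# that installs the exact matching build if a package is missing, since
# "kernel-devel-$(uname -r)" is a valid install spec.
check_build_deps() {
    running=$(uname -r)
    rc=0
    for pkg in kernel-devel kernel-headers; do
        # rpm -q prints one NVRA per installed version (several kernels can
        # coexist) or "package X is not installed"; neither equals pkg-running
        # unless the matching build is really there.
        set -- $(rpm -q "$pkg" 2>/dev/null)
        if kernel_pkg_matches "$running" "$pkg" "$@"; then
            echo "OK   $pkg-$running"
        else
            echo "MISSING $pkg for running kernel $running" >&2
            echo "  fix: dnf install -y $pkg-$running" >&2
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --check) check_build_deps ;;
esac
```

Run it as `sh check-kdev.sh --check` right before `./VBoxLinuxAdditions.run`; a non-zero exit means the build would compile against the wrong headers (or none), which is exactly the failure a desynced mirror or a pending reboot produces.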
I am not yet sure what is causing this, but raising the nm-online timeout to 120 seconds in a custom copy of the unit file under /etc/systemd/system, which takes precedence over the packaged unit in /usr/lib/systemd/system, fixes it:
# cat /etc/systemd/system/NetworkManager-wait-online.service
[Unit]
Description=Network Manager Wait Online
Documentation=man:nm-online(1)
Requires=NetworkManager.service
After=NetworkManager.service
Before=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/nm-online -s -q --timeout=120
RemainAfterExit=yes

[Install]
WantedBy=network-online.target
Once that file is in place, reload systemd and reboot.
systemctl daemon-reload
reboot
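As an added example (not from the original page), the same override written as a systemd drop-in rather than a full copy of the unit. A drop-in changes only ExecStart, so a later NetworkManager update that ships a changed vendor unit still takes effect, and `systemctl cat NetworkManager-wait-online.service` shows the vendor unit and the override together. The function name, the drop-in file name and the directory parameter are mine; it assumes, as on CentOS 8, that the vendor unit is Type=oneshot with a single ExecStart.

```shell
#!/bin/sh
# Added example, not part of the original page: override only ExecStart of
# NetworkManager-wait-online.service with a drop-in file.

# write_nm_online_dropin UNITDIR [TIMEOUT]
#   UNITDIR is /etc/systemd/system in real use (a temporary directory in
#   tests). TIMEOUT defaults to 120 seconds. Prints the path written.
write_nm_online_dropin() {
    unitdir=$1
    timeout=${2:-120}
    case $timeout in
        ''|*[!0-9]*) echo "timeout must be a positive integer, got '$timeout'" >&2; return 1 ;;
    esac
    d="$unitdir/NetworkManager-wait-online.service.d"
    mkdir -p "$d" || return 1
    # The empty "ExecStart=" clears the vendor value first. For a oneshot
    # unit a second ExecStart is otherwise *appended*, and nm-online would
    # run twice (30 s, then 120 s) instead of once with the new timeout.
    cat > "$d/timeout.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/nm-online -s -q --timeout=$timeout
EOF
    echo "$d/timeout.conf"
}

# dropin_timeout FILE: read back the timeout configured in a drop-in, for
# checking what is actually in place.
dropin_timeout() {
    sed -n 's/.*--timeout=\([0-9]*\).*/\1/p' "$1"
}

case "${1:-}" in
    --install)
        f=$(write_nm_online_dropin /etc/systemd/system "${2:-120}") || exit 1
        echo "wrote $f; now run: systemctl daemon-reload, then reboot"
        ;;
esac
```

`systemctl edit NetworkManager-wait-online.service` creates the same kind of file interactively (as override.conf); the script form is easier to put into a kickstart or configuration management.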
CentOS 8 has dropped jwhois, a hopelessly outdated client (last official release in 2007, last commit in 2015), and I am thankful for it. Its jwhois.conf was maintained by no one, and one look at the file shows why. Fedora uses the whois client by Marco d'Itri, which is regularly updated with the latest gTLDs. I have requested that this package be included in CentOS 8.
A day later I received mail from the Fedora package maintainer: it has been added to the EPEL 8 testing repository. It works fine: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-03721cf83e
If you can't wait, help yourself:
wget "http://repos.del.extreme-ix.org/epel/testing/8/Everything/x86_64/Packages/w/whois-5.5.1-1.el8.x86_64.rpm"
wget "http://repos.del.extreme-ix.org/epel/testing/8/Everything/x86_64/Packages/w/whois-nls-5.5.1-1.el8.noarch.rpm"
dnf install -y whois-nls-5.5.1-1.el8.noarch.rpm
dnf install -y whois-5.5.1-1.el8.x86_64.rpm
The included whois.conf is pretty recent and, to my knowledge, works with the latest gTLDs.
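One check worth adding to the shortcut above (this is an added example, not from the original page): the two RPMs are fetched over plain HTTP from a mirror, and `dnf install ./pkg.rpm` does not check the signature of a local file unless localpkg_gpgcheck=1 is set in dnf.conf. Verify the signatures against the EPEL 8 key before installing. The function names are mine; the key URL and the `rpm -K` result lines in the comments are what rpm 4.14 on CentOS 8 prints as far as I know, and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: verify downloaded RPMs
# against the EPEL 8 signing key before `dnf install`.
# Assumed `rpm -K` output (rpm 4.14, CentOS 8):
#   pkg.rpm: digests signatures OK        signed, key imported  -> accept
#   pkg.rpm: digests SIGNATURES NOT OK    key missing / bad sig -> reject
#   pkg.rpm: digests OK                   unsigned              -> reject
EPEL8_KEY_URL=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8

# rpm_sig_line_ok LINE: 0 only for a package whose signature verified
# against an imported key; a merely intact digest is not enough.
rpm_sig_line_ok() {
    case $1 in
        *"SIGNATURES NOT OK"*) return 1 ;;   # key unknown or signature bad
        *" signatures OK"*)    return 0 ;;   # digests and signatures verified
        *)                     return 1 ;;   # unsigned, or rpm reported an error
    esac
}

# verify_rpms FILE...: run rpm -K on each file; non-zero if any fails
verify_rpms() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1)
        if rpm_sig_line_ok "$line"; then
            echo "OK   $f"
        else
            echo "FAIL $f: $line" >&2
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --verify)
        shift
        # import is idempotent; without the key rpm -K reports SIGNATURES NOT OK
        rpm --import "$EPEL8_KEY_URL" || exit 1
        verify_rpms "$@"
        ;;
esac
```

Usage: `sh verify-epel.sh --verify whois-nls-5.5.1-1.el8.noarch.rpm whois-5.5.1-1.el8.x86_64.rpm && dnf install -y ./whois-nls-*.rpm ./whois-5*.rpm`. Once epel-release is installed, `dnf --enablerepo=epel-testing install whois` reaches the same package with the repository's own gpgcheck and needs none of this.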
EPEL adds additional high quality software to CentOS (based on Fedora packages) not available from the official CentOS repositories.
On CentOS 8 it is recommended to also enable the PowerTools repository, since some EPEL packages depend on packages from it. (The repository id is PowerTools on the 8.0 to 8.2 releases this page was written against; from CentOS 8.3 onward the repository ids were lowercased, so use powertools there.)
dnf install epel-release
dnf config-manager --set-enabled PowerTools
Running an SSH daemon on port 22 will lead to botnets hammering your machine with dictionary and brute-force attacks. It is advised to move SSH to a random port; this example uses port 24680.
Moving the port is a noise-reduction measure, not a security boundary: it keeps opportunistic scanners out of your logs, but it does not stop a targeted attacker, and the botnets catch up on their own. From my experience they start attacking truly random high ports again after only a few weeks, which is why I change the SSH ports on all my machines regularly. What actually stops password guessing is disabling password authentication in favour of keys; additionally, check out fail2ban or sshguard.
SELinux is turned on by default on CentOS 8. Label the new TCP port 24680 as ssh_port_t so that sshd is allowed to bind it:
dnf install -y policycoreutils-python-utils
semanage port -a -t ssh_port_t -p tcp 24680
The SSH daemon needs to be configured to use the new SSH port. On a fresh installation, try this:
sed -i 's/#Port 22/Port 24680/g' /etc/ssh/sshd_config
My new minimal installation of CentOS 8 came up without an active firewall; check what is running on yours before you continue. Depending on whether you have chosen firewalld or iptables-services, read on:
If you decide for firewalld, add the new SSH port to e.g. the public zone:
firewall-cmd --permanent --zone=public --add-port=24680/tcp
firewall-cmd --reload
If you run iptables-services instead, look at the following files:
[root@centos8s ~]# grep 22 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[root@centos8s ~]# grep 22 /etc/sysconfig/ip6tables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Using an editor, change dport 22 to 24680 in both files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. On a fresh installation you can speed this up:
sed -i 's/--dport 22/--dport 24680/g' /etc/sysconfig/iptables
sed -i 's/--dport 22/--dport 24680/g' /etc/sysconfig/ip6tables
Now restart iptables for the firewall rules to become effective:
systemctl restart iptables
systemctl restart ip6tables
Double-check that the port is now open by examining the iptables output. If you see no ACCEPT and REJECT rules at all, you are still running the defaults: nothing is filtered, all ports are open, and there is nothing to change here.
[root@centos8s ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24680
    3   217 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 1712 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@centos8s ~]# ip6tables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    7  1704 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:24680
    0     0 ACCEPT     udp      *      *       ::/0                 fe80::/64            udp dpt:546 state NEW
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1344 bytes)
 pkts bytes target     prot opt in     out     source               destination
Looks good, port 24680 is accepted. Now restart the SSH daemon, but do not disconnect from your current session.
systemctl restart sshd
Test that you can connect from a new SSH session. If that does not work, you can still revert or fix the change from the existing session. Why?
   36  2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Two things keep the old session alive. The default RHEL rule set accepts packets of already established flows, so your connection to port 22 is still accepted after the port-22 rule is gone and iptables has been reloaded. And sshd.service on RHEL-based distributions uses KillMode=process, so `systemctl restart sshd` replaces only the listening daemon and leaves the forked child that serves your session running.