Migrating from CentOS to Ubuntu: Our Experience and Best Practices
After CentOS 8 was declared end-of-life (EOL), we had to find an alternative operating system (OS) for our on-premise solution, as did many other teams and organizations.
Although our deployment is container-based, we still had to prepare the groundwork for different OS areas, from security patches and network modifications to installing required packages. We had been happy with CentOS 7 for a while, and anticipated that the effort of upgrading to CentOS 8 would not be significant.
While we knew we still had some time to go with CentOS 7, we were unable to remove the Python 2 vulnerability from it without leaving the system in an unstable state. We had to find an alternative.
The End of an Era: Why We Had to Say Goodbye to CentOS
CentOS (Community Enterprise Operating System) used to be the free, go-to OS based on RHEL (Red Hat Enterprise Linux). The project routinely provided stable releases that were safe to use in production environments.
When CentOS was discontinued, it was announced that users could still use “CentOS Stream”, which is an upstream version for RHEL. However, CentOS Stream was – by design – unstable and not recommended for production deployments. As the one accountable for our product’s stability, I was not willing to take the risk of using brand new OS features in production.
For CentOS users, the options were to either stay with the dying CentOS 7 (which would reach EOL in 2024), or migrate to an alternative OS.
Rocky Linux, AlmaLinux, and Oracle Linux: Other Alternatives We Considered
We obviously hoped to find a close-enough candidate that would allow us to migrate without changing too many factors and interfaces. We still wanted our next OS to be:
- With a large community of production users
To make a long story short, unfortunately we did not find a direct successor for CentOS. However, we found a few interesting alternatives that are worth mentioning.
Rocky Linux is probably the most renowned alternative operating system that branched out of CentOS. Created by CentOS founder Gregory Kurtzer, Rocky Linux was a response to the discontinuation of the original CentOS. It offers production-ready stability, as well as a migration tool to help users migrate from various other Linux distributions.
This should have been the obvious go-to choice. However, we wanted a more mature distro that would guarantee stable scheduled releases. Rocky Linux might be a valid candidate in a few years from now, but we couldn’t take our chances with it now in its current format.
AlmaLinux was established by CloudLinux as another free production-ready successor to CentOS. As with Rocky Linux, this OS is still young and did not strike us as steady enough to service our production needs. We concluded that AlmaLinux is another promising but brand-new project that will be building its community from the ground up.
Oracle Linux is a RHEL-based distro by Oracle; currently, it’s free. However, we did not want to take a chance with Oracle, as other products that they used to offer for free now require payment.
As a penetration testing-centered company, we are no strangers to Kali Linux. It’s basically a Swiss Army knife OS for penetration testing tools and hacker utilities.
Unlike all of the other distributions, Kali is a Debian-based distro, which was less preferable to us as we wanted to stay in the RHEL domain. More importantly though, Kali is another upstream OS which – as mentioned before – does not suit our production requirements.
Why We Chose Ubuntu: The Benefits of a Mature, Free, and Production-Ready OS
Ubuntu was a leading candidate from the beginning. It’s a well-known, production-ready distro with a large community. The only thing we were not sure about was how challenging it would be to migrate from the RHEL-based CentOS to the Debian-based Ubuntu.
Talking to our customers, we received very positive feedback about migrating to Ubuntu. Many of them already work with Ubuntu in their own environment and were very satisfied with it.
Another pro of using Ubuntu over CentOS was the predictability of its release cycle. CentOS’s releases (while it was alive) followed the RHEL version release, occurring every 3-4 years. There was no way to predict when a major release would be published. On the other hand, Ubuntu LTS (Long Term Support) versions are guaranteed to be released every 2 years in April, and are named after their release date (20.04, 22.04). Minor releases with kernel and security updates are published often as well, in an easy-to-maintain fashion.
Knowing that our customers would want us to always keep up to date with the latest releases, betting on a horse that promises predictable and stable releases every 2 years was an obvious choice.
In sum, we concluded that Ubuntu is a stable, free, well adopted OS with a large supporting community. Therefore, although the migration would be challenging, we decided to ditch RHEL and CentOS and rely on Ubuntu as our next long-term OS.
Migrating to Ubuntu: Our Step-by-Step Process and Best Practices
The project consisted of several stages, which I elaborate on in this section. We took an incremental approach: migrate big chunks of our deployment all at once, then fix the issues that come up – from the most major ones to the least impactful, in that order. We ended up with four stages:
- Initial migration – the big 80%
- Package management
- Python versions
- Network tools
Initiation: Migrating the 80%
We were surprised to find out that in spite of these two operating systems being based on different distribution families (RHEL vs. Debian), vast sections of our deployment scripts ran smoothly on Ubuntu without requiring any modifications. This was thanks to the container-based infrastructure that most of our system utilizes, making it agnostic to the OS.
However, as can be expected, some of the system files and directories sit in different locations, which required additional resolution. For example:
CentOS: /etc/resolv.conf, Ubuntu: /run/systemd/resolve/resolv.conf
CentOS: /etc/pki/ca-trust/source/anchors, Ubuntu: /usr/local/share/ca-certificates
Of course, these are not too difficult to find and fix. But beyond the directory locations, what are the main differences you should take into consideration when transitioning from CentOS to Ubuntu?
In CentOS (like other RHEL-based distros), we worked with YUM as our RPM package manager; in Ubuntu, we had to switch to APT, which works with DEB files. Most of the package names were actually the same, except for a few specific packages for which we had to find equivalent alternatives.
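The path and package-manager differences above, as an added example (not code from the original post): a helper a deployment script could use to pick the right locations from /etc/os-release content. The function names, the `LAYOUT` table and the sample os-release strings are assumptions for illustration; `update-ca-trust` and `update-ca-certificates` are the standard trust-store refresh commands, which the post does not name.

```python
import shlex
from pathlib import PurePosixPath

# Paths are the ones quoted in the post; the refresh and install commands
# are added here and are not named in the post.
LAYOUT = {
    "rhel": {
        "resolv_conf": "/etc/resolv.conf",
        "ca_dir": "/etc/pki/ca-trust/source/anchors",
        "ca_refresh": ["update-ca-trust", "extract"],
        "pkg_install": ["yum", "install", "-y"],
    },
    "debian": {
        "resolv_conf": "/run/systemd/resolve/resolv.conf",
        "ca_dir": "/usr/local/share/ca-certificates",
        "ca_refresh": ["update-ca-certificates"],
        "pkg_install": ["apt-get", "install", "-y"],
    },
}

def distro_family(os_release_text):
    """Map /etc/os-release content to 'rhel' or 'debian' via ID and ID_LIKE."""
    info = {}
    for line in os_release_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            info[key] = " ".join(shlex.split(value))  # strips shell quoting
    ids = {info.get("ID", "")} | set(info.get("ID_LIKE", "").split())
    if ids & {"debian", "ubuntu"}:
        return "debian"
    if ids & {"rhel", "centos", "fedora"}:
        return "rhel"
    raise ValueError(f"unsupported distribution: {sorted(ids)}")

def ca_install_plan(os_release_text, cert_file):
    """Return (destination path, refresh command) for trusting cert_file."""
    layout = LAYOUT[distro_family(os_release_text)]
    name = PurePosixPath(cert_file).name
    if layout is LAYOUT["debian"]:
        # update-ca-certificates only picks up files ending in .crt, so a
        # .pem copied over unchanged from a CentOS playbook is silently ignored.
        name = PurePosixPath(name).with_suffix(".crt").name
    return f'{layout["ca_dir"]}/{name}', layout["ca_refresh"]

# Constructed os-release samples (not from the original post).
CENTOS7 = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\nVERSION_ID="7"\n'
UBUNTU2004 = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="20.04"\n'
```

The certificate rename on the Debian side is the detail most likely to be missed: the file lands in the right directory but never reaches the trust store unless it ends in .crt.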
Python Versions and Network Tools: Challenges and Solutions in the Migration
In CentOS 7, you are not able to remove Python 2, as the OS is coupled to it. In fact, some OS system scripts are written in Python 2; therefore, removing it (which we required for security reasons) was not possible.
That was one of the major motivations for us to switch to Ubuntu 20.04, which enabled us to migrate our Ansible and other Python scripts to Python 3. Not only that, but Ubuntu 20.04 does not ship with Python 2 natively installed. Before migrating from CentOS 7, make sure your deployment is compatible with Python 3.
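One way to check Python 3 readiness before the move, as an added example (not code from the original post): it parses each script with the Python 3 parser and flags Python 2 shebangs, removed modules and removed builtins. The function names, the module and builtin lists (which are not exhaustive) and the sample scripts are assumptions for illustration.

```python
import ast
import re
from pathlib import Path

# Shebangs that name Python 2 or an unversioned "python" interpreter.
PY2_SHEBANG = re.compile(r"^#!.*\bpython(2(\.\d+)?)?(\s|$)")
# Standard-library modules that exist in Python 2 but not in Python 3.
PY2_ONLY_MODULES = {"urllib2", "urlparse", "ConfigParser", "Queue",
                    "cPickle", "StringIO", "commands", "httplib"}
# Builtins removed in Python 3: code using them parses but fails at run time.
PY2_ONLY_NAMES = {"xrange", "raw_input", "unicode", "basestring"}

def check_source(source, name="<script>"):
    """Return 'file:line: reason' findings for one script's text."""
    findings = []
    lines = source.splitlines()
    if lines and PY2_SHEBANG.match(lines[0]):
        findings.append(f"{name}:1: shebang is not python3")
    try:
        tree = ast.parse(source, filename=name)
    except SyntaxError as exc:
        # Print statements, `except E, e`, backticks, 0755-style octals.
        findings.append(f"{name}:{exc.lineno}: Python 3 syntax error")
        return findings
    for node in ast.walk(tree):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        for mod in mods:
            if mod.split(".")[0] in PY2_ONLY_MODULES:
                findings.append(f"{name}:{node.lineno}: imports {mod}")
        if isinstance(node, ast.Name) and node.id in PY2_ONLY_NAMES:
            findings.append(f"{name}:{node.lineno}: uses {node.id}")
    return findings

def check_tree(root):
    """Run check_source over every *.py file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(check_source(text, str(path)))
    return findings

# Constructed sample inputs (not from the original post).
SAMPLE_PY2 = "#!/usr/bin/env python\nimport urllib2\nprint 'deploying'\n"
SAMPLE_RUNTIME = "#!/usr/bin/python3\nfor i in xrange(3):\n    pass\n"
```

A script that fails to parse reports only the first syntax error, so rerun the check after each fix until the tree comes back clean.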
With CentOS, we used ‘NetworkManager’ (nmcli/nmtui) which is not included natively in Ubuntu. These commands were used across our entire R&D department in order to perform manual network configurations. Therefore, we were faced with a choice: Either install ‘NetworkManager’ as part of our deployment, or have the entire company adopt the Ubuntu network tools.
Ubuntu depends on the ‘ip’ Unix command and the brand new ‘netplan’ command. We decided to switch to ‘netplan’, primarily because it is simple and native to the OS, which translates to long-term stability and support.
When we decided to manually install ‘NetworkManager’ for Ubuntu, we did so as follows:
sudo apt-get update
sudo apt-get install network-manager
Embracing Change: Our Journey from CentOS to Ubuntu
When we first addressed our need to choose a new OS, we were looking to learn from other people’s experience. I wrote this guide because I wished there was something similar out there when we embarked on our journey.
The process and information I provided above suit Pentera, and we are very satisfied with the results. If you are using CentOS for production purposes and are looking for an alternative before the product is officially end-of-lifed, Ubuntu may be a strong solution for you. However, every solution and organization has its own considerations and priorities. If you have to stay in the RHEL-based domain, you might find a solution with one of CentOS’s successors, such as Rocky Linux or AlmaLinux.
I hope this guide will help you make the right decision for you.