Chapter 2. Major Changes and Migration Considerations

Red Hat Enterprise Linux 7 introduces the GRUB2 boot loader, which replaces legacy GRUB in Red Hat Enterprise Linux 7.0 and later. GRUB2 supports more file systems and virtual block devices than its predecessor. It automatically scans for and configures available operating systems. The user interface has also been improved, and users have the option to skip boot loader installation.

However, the move to GRUB2 also removes support for installing the boot loader to a formatted partition on BIOS machines with MBR-style partition tables. This behavior change was made because some file systems have automated optimization features that move parts of the core boot loader image, which could break the GRUB legacy boot loader. With GRUB2, the boot loader is installed in the space available between the partition table and the first partition on BIOS machines with MBR (Master Boot Record) style partition tables. BIOS machines with GPT (GUID Partition Table) style partition tables must create a special BIOS Boot Partition for the boot loader. UEFI machines continue to install the boot loader to the EFI System Partition.

The recommended minimum partition sizes have also changed as a result of the new boot loader. Table 2.1, “Recommended minimum partition sizes” gives a summary of the new recommendations. Further information is available in MBR and GPT Considerations.

Users can install GRUB2 to a formatted partition manually with the force option at the risk of causing file system damage, or use an alternative boot loader. For a list of alternative boot loaders, see the Installation Guide.

If you have a dual-boot system, use GRUB2’s operating system detection to automatically write a configuration file that can boot either operating system:

grub2-mkconfig -o /boot/grub2/grub.cfg

# grub2-mkconfig -o /boot/grub2/grub.cfg

systemd is the system and service manager that replaces the SysV init system used in previous releases of Red Hat Enterprise Linux.

systemd is the first process to start during boot, and the last process to terminate at shutdown. It coordinates the remainder of the boot process and configures the system for the user. Under systemd, interdependent programs can load in parallel, making the boot process considerably faster.

systemd is largely compatible with SysV in terms of user experience and scripting APIs. However, some exceptions do exist. See Section 2.2.2.1, “Backwards Compatibility” for details.

The move to systemd also involves a change in administration tools for Red Hat Enterprise Linux. See the systemctl man page or the System Administrator’s Guide for details.

For further information about the boot process, see the Installation Guide. For further information about systemd, see the System Administrator’s Guide.

Red Hat Enterprise Linux 7 replaces firstboot with the Initial Setup utility, initial-setup, for better interoperability with the new installer. Basic firstboot functionality has been moved to the installer and initial-setup.

Third-party modules written for firstboot continue to work in Red Hat Enterprise Linux 7. However, firstboot is expected to be deprecated in future releases. Maintainers of third-party modules should therefore consider updating their modules for use with the installer or the Initial Setup tool.

Earlier versions of Red Hat Enterprise Linux booted regardless of whether all partitions specified in /etc/fstab could be mounted. This could result in a system appearing "up" and healthy, while booting without required partitions.

To prevent this situation, in Red Hat Enterprise Linux 7, if a partition defined in /etc/fstab cannot be mounted at boot, boot fails. If a partition should not cause boot to fail in the event that it cannot be mounted, use the new nofail parameter in /etc/fstab.

/dev/critical   /critical  xfs  defaults     1 2
/dev/optional   /optional  xfs  defaults,nofail  1 2

/dev/critical   /critical  xfs  defaults     1 2
/dev/optional   /optional  xfs  defaults,nofail  1 2

In this example, the device mounted at /optional would not cause boot to fail if it could not be mounted successfully.

In the previous versions of the Red Hat Enterprise Linux, the /etc/issue file contained the product name and the release number of the machine. As of Red Hat Enterprise Linux 7, the product name and the release number have been moved into the /etc/os-release file and the first line of /etc/issue now contains an agetty escape code \S. The \S escape code expands in the console displaying a product name and the release number of the machine. The code is represented by the PRETTY_NAME variable, which is defined in the /etc/os-release file.

For more information about \S, see the agetty man pages.

Traditionally, only the minimum necessary content was included in the /bin and /lib directories to avoid slowing down the boot process. Some of the utilities needed to be at the root (/) level in order to mount the /usr partition. This created a situation where other utilities spread their content over multiple levels of directories, for example, in both /bin and /usr/bin.

Red Hat Enterprise Linux 7 moves the /bin, /sbin, /lib and /lib64 directories into /usr. Because the /usr file system can now be mounted by initramfs rather than by utilities in root level directories, there is no longer a need to split package contents between the two different directory levels. This allows for a much smaller root file system, enabling systems that can more efficiently share disk space, and systems that are easier to maintain, more flexible, and more secure.

To lessen the impact of this change, the previous /bin directory is now a symbolic link to /usr/bin, /sbin to /usr/sbin, and so on.

mv -f /var/run /var/run.runmove~
ln -sfn ../run /var/run
mv -f /var/lock /var/lock.lockmove~
ln -sfn ../run/lock /var/lock

# mv -f /var/run /var/run.runmove~
# ln -sfn ../run /var/run
# mv -f /var/lock /var/lock.lockmove~
# ln -sfn ../run/lock /var/lock

dmesg
journalctl -ab --full

# dmesg
# journalctl -ab --full

Red Hat Enterprise Linux 7 offers the ability to use /tmp as a mount point for a temporary file storage system (tmpfs).

When enabled, this temporary storage appears as a mounted file system, but stores its content in volatile memory instead of on a persistent storage device. No files in /tmp are stored on the hard drive except when memory is low, in which case swap space is used. This means that the contents of /tmp are not persisted across a reboot.

To enable this feature, execute the following command:

systemctl enable tmp.mount

# systemctl enable tmp.mount

To disable this feature, execute the following command:

systemctl disable tmp.mount

# systemctl disable tmp.mount

Red Hat recommends the following uses for the various types of temporary storage space in Red Hat Enterprise Linux 7.

Previous versions of Red Hat Enterprise Linux allowed some programs to store runtime data in the /dev directory during early boot, prior to the /var directory being mounted. Consensus between major Linux distributions is that /run should be used instead, as the /dev directory should be used only for device nodes.

Therefore, in Red Hat Enterprise Linux 7, the /run directory is a temporary file storage system (tmpfs) that bind mounts the /var/run directory. Likewise, the /run/lock directory now bind mounts the /var/lock directory. Files stored in /run and /run/lock are no longer persistent and do not survive a reboot. This means that applications must recreate their own files and directories on startup, rather than doing this once at installation time. An /etc/app_name directory would be ideal for this.

For details on how to recreate files and directories at startup, see the tmpfiles.d man page: man tmpfiles.d. For example configuration, see the configuration files in /etc/tmpfiles.d.

In Red Hat Enterprise Linux 6, non-root users were restricted to a total of 1024 processes per PAM session. In Red Hat Enterprise Linux 7, this has been increased to 4096 processes per PAM session by default.

The default value is specified in the /etc/security/limits.d/*-nproc.conf file (usually /etc/security/limits.d/20-nproc.conf on Red Hat Enterprise Linux 7). If this file is not present, the maximum number of processes that a non-root user can own is determined programmatically, as described in What determines the default value of nproc(ulimit -u) on Red Hat Enterprise Linux?.

You can find out the current number of processes available to non-root users per PAM session by running the ulimit -u command.

In Red Hat Enterprise Linux 6, the export command was used in configuration files to export the values defined in those files. Variables that did not use the export command were not exported and were used only as configuration values for the corresponding init script. This is an example /etc/sysconfig/sshd file:

AUTOCREATE_SERVER_KEYS=YES
export SSH_USE_STRONG_RNG=1
export OPENSSL_DISABLE_AES_NI=1

AUTOCREATE_SERVER_KEYS=YES
export SSH_USE_STRONG_RNG=1
export OPENSSL_DISABLE_AES_NI=1

In Red Hat Enterprise Linux 6, only the values of SSH_USE_STRONG_RNG and OPENSSL_DISABLE_AES_NI were exported to the environment of the ssh daemon. The variable AUTOCREATE_SERVER_KEYS was used to tell the init script to automatically create RSA and DSA server private and public keys.

In Red Hat Enterprise Linux 7, the export command is no longer required for these values to be exported to the environment of the service being configured. Therefore the following example /etc/sysconfig/sshd file exports all three values to the environment of the ssh daemon:

AUTOCREATE_SERVER_KEYS=YES
SSH_USE_STRONG_RNG=1
OPENSSL_DISABLE_AES_NI=1

AUTOCREATE_SERVER_KEYS=YES
SSH_USE_STRONG_RNG=1
OPENSSL_DISABLE_AES_NI=1

Red Hat Enterprise Linux 7 introduces a new logging daemon, journald, as part of the move to systemd. journald captures the following types of message for all services:

It then stores these messages in native journal files: structured, indexed binary files that contain useful metadata and are faster and easier to search.

Journal files are not stored persistently by default. The amount of data logged depends on the amount of free memory available; when the system runs out of space in memory or in the /run/log/journal directory, the oldest journal files will be removed in order to continue logging.

On Red Hat Enterprise Linux 7, rsyslog and journald coexist. The data collected by journald is forwarded to rsyslog, which can perform further processing and store text-based log files. By default, rsyslog only stores the journal fields that are typical for syslog messages, but can be configured to store all the fields available to journald. Red Hat Enterprise Linux 7 therefore remains compatible with applications and system configurations that rely on rsyslog.

For further details about the logging subsystem, see the System Administrator’s Guide.

As part of the move to the new init system, systemd, localization settings have moved from /etc/sysconfig/i18n to /etc/locale.conf and /etc/vconsole.conf.

In Red Hat Enterprise Linux 6, the hostname variable was defined in the /etc/sysconfig/network configuration file. In Red Hat Enterprise Linux 7, as part of the move to the new init system (systemd), the hostname variable is defined in /etc/hostname.

Red Hat Enterprise Linux 7 includes an updated version of yum, which includes a number of changes and enhancements. This section lists changes that may affect yum users moving from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7.

For further information about yum, see the man page:

man yum

$ man yum

Red Hat Enterprise Linux 7 provides an updated version of RPM Package Manager. This update includes a number of changes to behavior that may affect migration.

This update also includes the following enhancements:

The format of output from the deprecated ifconfig tool has changed in Red Hat Enterprise Linux 7. Scripts that parse ifconfig output may be affected by these changes, and may need to be rewritten.

Red Hat recommends using the ip utility and its subcommands (ip addr, ip link) instead of the deprecated ifconfig tool.

The kernel uses control groups to group processes for the purpose of system resource management. Red Hat Enterprise Linux 7 introduces a number of changes to control groups.

For further information about these changes, see the Resource Management Guide.

The kernel crash collection tool, kdump, previously generated an initial RAMDisk (initrd) for the kdump capture kernel with a custom mkdumprd script. In Red Hat Enterprise Linux 7 the initial RAMDisk is generated with dracut, making the process of generating the initial RAMDisk easier to maintain.

As a result of this move, the following changes have been made to kdump and its configuration files.

For further details about kdump, see the Kernel Administration Guide.

In Red Hat Enterprise Linux 6, the -g option of the usermod command did not manipulate group ownership. From Red Hat Enterprise Linux 7.0 to Red Hat Enterprise Linux 7.2 release, the -g option modified the group ownership of the files in the /home directory tree. Starting from Red Hat Enterprise Linux 7.3, usermod changes the group ownership of the files inside of the user’s home directory only if the home directory user ID matches the user ID being modified.

The default range of IDs for system users, normal users and groups has changed in Red Hat Enterprise Linux 7 release as follows:

This change might cause problems when migrating to Red Hat Enterprise Linux 7 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID can be manually changed in the /etc/login.defs file.

In Red Hat Enterprise Linux 6, the hwclock command for accessing the hardware clock, was run automatically on every system shutdown or reboot. This behaviour changes with Red Hat Enterprise Linux 7 arrival. Now, when the system clock is synchronized by the Network Time Protocol (NTP) or Precision Time Protocol (PTP), the kernel automatically synchronizes the hardware clock to the system clock every 11 minutes.

For details about configuring NTP, PTP, and setting the hardware clock, see the System Administrator’s Guide.

XFS is a very high performance, scalable file system and is routinely deployed in the most demanding applications. In Red Hat Enterprise Linux 7, XFS is the default file system and is supported on all architectures.

Ext4, which does not scale to the same size as XFS, is fully supported on all architectures and will continue to see active development and support.

Details of Red Hat support limits for XFS are available at https://access.redhat.com/site/articles/rhel-limits.

For further details about using and administering the XFS file system, see the Storage Administration Guide.

mount -o acl /dev/loop0 test

$ mount -o acl /dev/loop0 test
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
    missing codepage or helper program, or other error

    In some cases useful info is found in syslog - try
    dmesg | tail or so.

Red Hat Enterprise Linux 7 introduces btrfs as a Technology Preview. Btrfs is a next generation Linux file system that offers advanced management, reliability, and scalability features. Btrfs provides checksum verification for files as well as metadata. It also offers snapshot and compression capabilities, and integrated device management.

Details of Red Hat support limits for btrfs are available at https://access.redhat.com/site/articles/rhel-limits. For more information about the level of support available for Technology Preview features, see https://access.redhat.com/site/support/offerings/techpreview/.

For further details about using and administering btrfs, see the Storage Administration Guide.

part /mnt/example --fstype=xfs

part /mnt/example --fstype=xfs

btrfs mount_point --data=level --metadata=level --label=label partitions

btrfs mount_point --data=level --metadata=level --label=label partitions

Red Hat Enterprise Linux 7 introduces a unified extended file system driver that provides support for Ext2, Ext3, and Ext4.

However, Ext2 is considered deprecated as of Red Hat Enterprise Linux 7, and should be avoided if possible.

For further information about these file systems, see the Storage Administration Guide.

If a storage device is configured to mount at boot time, and that device cannot be found, or does not mount correctly, Red Hat Enterprise Linux 7 fails to boot. This is an intentional change of behavior to prevent systems from booting without important storage devices. Earlier versions of Red Hat Enterprise Linux booted regardless of whether all storage devices that were configured to mount at boot were found or mounted correctly.

If a device should not prevent the system from booting, you can mark it with the nofail option, as shown.

/dev/essential-disk			/essential			xfs	auto,defaults				0 0
/dev/non-essential-disk		/non-essential		xfs	auto,defaults,nofail		0 0

/dev/essential-disk			/essential			xfs	auto,defaults				0 0
/dev/non-essential-disk		/non-essential		xfs	auto,defaults,nofail		0 0

As of Red Hat Enterprise Linux 6.3, users can reserve space on their logical volumes to use as storage space for snapshots. The system can then be rolled back to the snapshot in the event that an upgrade or migration fails.

If you want to use an LVM snapshot as a secondary rollback method, you may need to add space to allow room for a complete snapshot. To add more space, you can do any of the following:

Be aware of the following potential limitations of using LVM snapshots for rollback:

Previous versions of Red Hat Enterprise Linux used tgtd for iSCSI target support and LIO, the Linux kernel target, only for Fibre-Channel over Ethernet (FCoE) targets through the fcoe-target-utils package.

Red Hat Enterprise Linux 7 now uses the LIO kernel target subsystem for FCoE, iSCSI, iSER (Mellanox InfiniBand) and SRP (Mellanox InfiniBand) storage fabrics. All fabrics can now be managed with the targetcli tool.

Red Hat Enterprise Linux 7 makes the management of devices on the system easier by storing the mapping of device names (for example, sda, sdb, and others) and persistent device names (provided by udev in /dev/disk/by-*/) in kernel messages. This lets the system administrator identify the messages associated with a device, even if the device name changes from boot-to-boot.

The kernel /dev/kmsg log, which can be displayed with the dmesg command, now shows the messages for the symbolic links, which udev has created for kernel devices. These messages are displayed in the following format: udev-alias: device_name (symbolic_link symbolic link …​). For example:

udev-alias: sdb (disk/by-id/ata-QEMU_HARDDISK_QM00001)

udev-alias: sdb (disk/by-id/ata-QEMU_HARDDISK_QM00001)

Any log analyzer can display these messages, which are also saved in /var/log/messages through syslog.

To enable this feature add udev.alias=1 to the kernel command line in /etc/default/grub.

LVM cache volume functionality is fully supported as of Red Hat Enterprise Linux 7.1. This feature allows users to create logical volumes with a small, fast device performing as a cache for larger, slower devices. See the lvmcache manual page for information on creating cache logical volumes.

A host name can be a free-form string of up to 64 characters in length. However, Red Hat recommends that both static and transient names match the fully-qualified domain name (FQDN) used for the machine in DNS, such as host.example.com. The hostnamectl tool allows static and transient host names of up to 64 characters including a-z, A-Z, 0-9, -, and . only. Underscores are technically permissible in the current specification. However, since older specifications forbid them, Red Hat does not recommend using underscores in host names.

The Internet Corporation for Assigned Names and Numbers (ICANN) sometimes adds previously unregistered Top-Level Domains (such as .yourcompany) to the public register. Therefore, Red Hat strongly recommends that you do not use a domain name that is not delegated to you, even on a private network, as this can result in a domain name that resolves differently depending on network configuration. As a result, network resources can become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain, as domain name collisions add manual configuration penalties to DNSSEC validation.

For further information about this issue, see ICANN FAQ on domain name collision.

Red Hat Enterprise Linux 7 includes an updated version of NetworkManager, which provides a number of enhancements and some new features.

This update also changes configuration file monitoring behavior. NetworkManager no longer monitors on-disk configuration files for changes. Instead, users must manually reload changed configuration files with the nmcli con reload command.

Red Hat Enterprise Linux 7 provides methods for consistent and predictable network device naming for network interfaces. These features change the name of network interfaces on a system in order to make locating and differentiating the interfaces easier.

Traditionally, network interfaces in Linux are enumerated as eth[0123…​], but these names do not necessarily correspond to actual labels on the chassis. Modern server platforms with multiple network adapters can encounter non-deterministic and counter-intuitive naming of these interfaces. This affects both network adapters embedded on the motherboard (Lan-on-Motherboard, or LOM) and add-in (single and multi-port) adapters.

In Red Hat Enterprise Linux 7, systemd and udevd support a number of different naming schemes. The default behavior is to assign fixed names based on firmware, topology, and location information. This has the advantage of names that are fully automatic and fully predictable, stay fixed even if hardware is added or removed (no re-enumeration takes place), and that broken hardware can be replaced seamlessly. The disadvantage to this behavior is that the names are sometimes harder to read than the name that has previously been used, for example, enp5s0 in place of eth0.

The following naming schemes for network interfaces are now supported by udevd natively.

If the system has BIOSDEVNAME enabled, or if the user has added udevd rules that change the names of kernel devices, these rules will take precedence over the default systemd policy.

For further information about this new naming system, see the Networking Guide.

A new networking utility, ncat, replaces netcat in Red Hat Enterprise Linux 7. ncat is a reliable back-end tool that provides network connectivity to other applications and users. It reads and writes data across the network from the command line, and uses both TCP and UDP for communication.

Some of the commands in ncat differ from those originally provided by netcat, or provide different functionality with the same options. These differences are outlined in the following list.

Some options that were available in netcat do not have equivalents in ncat. ncat cannot currently perform the following.

The ncat utility is provided by the nmap-ncat package. For more information about ncat, see the man page:

man ncat

$ man ncat

Red Hat Enterprise Linux 7 upgrades postfix from version 2.6 to version 2.10. While major compatibility issues are handled by the Preupgrade Assistant on upgrading from Red Hat Enterprise Linux 6 to 7, users should be aware of the following non-fatal compatibility issues.

Read this section for a summary of changes to network protocols between Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

man rpc.nfsd

$ man rpc.nfsd

man nfs

$ man nfs

man nfsmount.conf

$ man nfsmount.conf

systemctl start named-chroot.service

# systemctl start named-chroot.service

systemctl stop named-chroot.service

# systemctl stop named-chroot.service

Starting from Red Hat Enterprise Linux 7.2 release, the default certificate has been added to the redhat-release packages. This default certificate is stored in the /etc/pki/product-default/ directory.

The Subscription Manager now searches for the list of the certificates in the /etc/pki/product/ directory and then in the /etc/pki/product-default/ directory. Content in the /etc/pki/product-default/ directory is provided by redhat-release packages. Any certificate in the /etc/pki/product-default/ directory that is not located in /etc/pki/product/ is considered to be installed. The default product certificates are used until Subscription Manager fetches product certificates from the subscribed channels.

In Red Hat Enterprise Linux 6, luci controlled both Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 high availability clusters.

Red Hat Enterprise Linux 7 removes luci and replaces it with pcs. pcs can control only Red Hat Enterprise Linux 7 pacemaker-based clusters. It cannot control Red Hat Enterprise Linux 6 rgmanager-based high availability clusters.

The Load Balancer Add-On for Red Hat Enterprise Linux 7 now includes the keepalived service, which provides both the functionality available in piranha and additional functionality. piranha is therefore superseded by the keepalived service in Red Hat Enterprise Linux 7.

As a result, the configuration file and its format have changed. keepalived is configured in the /etc/keepalived/keepalived.conf file by default. Details on the configuration format and syntax expected by this file are covered in the keepalive.conf man page:

man keepalived.conf

$ man keepalived.conf

Online migration from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7 is not supported for clusters.

Additionally, the Red Hat Enterprise Linux 6 high availability stack is not compatible with the Red Hat Enterprise Linux 7 high availability stack, so online migration is not supported from a Red Hat Enterprise Linux 6 to a Red Hat Enterprise Linux 7 high availability cluster.

As of Red Hat Enterprise Linux 7, rgmanager and cman are replaced by pacemaker and corosync.

Pacemaker is a high availability resource manager with many useful features.

For further information about Pacemaker, see High Availability Add-On documentation.

Red Hat Enterprise Linux 7 introduces resource agents that work with the Pacemaker resource manager. Resource agents abstract cluster resources and provide a standard interface for managing resources in a cluster environment. For further information about the resource agents available in Red Hat Enterprise Linux 7, see High Availability Add-On documentation.

Support for IBM DB2 resource agents to drive and manage DB2 as cluster resource in High Available environments has been added in Red Hat Enterprise Linux 7.2.

qdiskd, as it was shipped in Red Hat Enterprise Linux 6, has been removed from Red Hat Enterprise Linux 7. The new quorum implementation is provided by votequorum, which is included in the corosync package, and which has been extended to replace qdiskd for most use cases. The extensions (wait_for_all, auto_tie_breaker and last_man_standing) are fully documented in the votequorum.5 man page.

man 5 votequorum

$ man 5 votequorum

GNOME Classic is the default session of the GNOME 3 desktop environment on Red Hat Enterprise Linux 7. This environment is provided as a set of extensions to the GNOME 3 desktop environment, and includes its powerful new features while retaining the familiar look and feel of GNOME 2.

In GNOME Classic, the user interface has two major components:

For a complete guide to GNOME Classic and its features, as well as the other desktop environments available in Red Hat Enterprise Linux 7, see the Desktop Migration and Administration Guide.

Red Hat Enterprise Linux 7 also supports the GNOME 3 session of the GNOME 3 desktop environment. This environment is designed for ease-of-use and user productivity. It provides great integration with online document storage services, calendars, and contact lists, so that you are always up to date.

In GNOME 3, the user interface has three major components:

For a complete guide to GNOME 3 and its features, as well as the other desktop environments available in Red Hat Enterprise Linux 7, see the Desktop Migration and Administration Guide.

Red Hat Enterprise Linux 7 provides version 4.10 of KDE Plasma Workspaces (KDE), previously known as K Desktop Environment. This updated version of KDE provides a number of enhancements, including the following:

However, users should note that Kmail is no longer included in Red Hat Enterprise Linux 7.

Red Hat Developer Toolset provides access to the latest stable versions of open source development tools on a separate, accelerated life cycle. It is available to Red Hat customers with an active Red Hat Developer subscription.

Red Hat Developer Toolset 2 does not currently support developing applications on Red Hat Enterprise Linux 7. However, Red Hat Developer Toolset does support developing applications on Red Hat Enterprise Linux 6, for deployment on supported minor releases of Red Hat Enterprise Linux 6 or Red Hat Enterprise Linux 7.

Red Hat Enterprise Linux 7 contains some compatibility libraries that support interfaces from previous releases of Red Hat Enterprise Linux. These libraries are included in accordance with Red Hat’s Compatibility Policy, and at Red Hat’s discretion. For further details, see the Application Compatibility Guide.

The following compatibility libraries are included in Red Hat Enterprise Linux 7.

Red Hat Enterprise Linux 7 also includes the compat-gcc-44 and compat-gcc-44-c++ packages, which represent the system compiler shipped with Red Hat Enterprise Linux 6, and can be used along with the compat-glibc package for building and linking legacy software.

In Red Hat Enterprise Linux 6, firewall capabilities were provided by the iptables utility, and configured either at the command line or through the graphical configuration tool, system-config-firewall. In Red Hat Enterprise Linux 7, firewall capabilities are still provided by iptables. However, administrators now interact with iptables through the dynamic firewall daemon, firewalld, and its configuration tools: firewall-config, firewall-cmd, and firewall-applet, which is not included in the default installation of Red Hat Enterprise Linux 7.

Because firewalld is dynamic, changes to its configuration can be made at any time, and are implemented immediately. No part of the firewall needs to be reloaded, so there is no unintentional disruption of existing network connections.

The primary differences between the firewall in Red Hat Enterprise Linux 6 and 7 are:

For additional information and assistance configuring the firewall in Red Hat Enterprise Linux 7, see the Security Guide.

firewall-offline-cmd

$ firewall-offline-cmd

Previously, PolicyKit used key value pairs in .pkla files to define additional local authorizations. Red Hat Enterprise Linux 7 introduces the ability to define local authorizations with JavaScript, allowing you to script authorizations if necessary.

polkitd reads .rules files in lexicographic order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories. If two files share the same name, files in /etc are processed before files in /usr. When the old .pkla files were processed, the last rule processed took precedence. With the new .rules files, the first matching rule takes precedence.

After migration, your existing rules are applied by the /etc/polkit-1/rules.d/49-polkit-pkla-compat.rules file. They can therefore be overridden by .rules files in either /usr or /etc with a name that comes before 49-polkit-pkla-compat in lexicographic order. The simplest way to ensure that your old rules are not overridden is to begin the name of all other .rules files with a number greater than 49.

For further information about this, see the Desktop Migration and Administration Guide.

In Red Hat Enterprise Linux 6, the base user identifier was 500. In Red Hat Enterprise Linux 7, the base user identifier is now 1000. This change involves replacing the /etc/login.defs file during the upgrade process.

If you have not modified the default /etc/login.defs file, the file is replaced during upgrade. The base user identifier number is changed to 1000, and new users will be allocated user identifiers at and above 1000. User accounts created before this change retain their current user identifiers and continue to work as expected.

If you have modified the default /etc/login.defs file, the file is not replaced during upgrade, and the base user identifier number remains at 500.

As of Red Hat Enterprise Linux 7, the libuser library no longer supports configurations that contain both the ldap and files modules, or both the ldap and shadow modules. Combining these modules results in ambiguity in password handling, and such configurations are now rejected during the initialization process.

If you use libuser to manage users or groups in LDAP, you must remove the files and shadow modules from the modules and create_modules directives in your configuration file (/etc/libuser.conf by default).

Previous versions of Red Hat Enterprise Linux used the opencryptoki key store version 2, which encrypted private token objects with a secure key in hardware. Red Hat Enterprise Linux 7 uses version 3, which encrypts private token objects with a clear key in software. This means that private token objects created by version 2 must be migrated before they can be used with version 3.

To migrate private token objects, perform the following procedure:

If you encounter problems with the migration, check the following: