Chapter 8. Infrastructure services
8.1. Time synchronization
Accurate timekeeping is important for a number of reasons. In Linux systems, the Network Time Protocol (NTP) is implemented by a daemon running in user space.
8.1.1. Implementation of NTP
RHEL 7 supported two implementations of the NTP protocol: ntp and chrony.
In RHEL 8, the NTP protocol is implemented only by the chronyd daemon, provided by the chrony package.
The ntp daemon is no longer available. If you used ntp on your RHEL 7 system, you might need to migrate to chrony.
Possible replacements for previous ntp features that are not supported by chrony are documented in Achieving some settings previously supported by ntp in chrony.
8.1.2. Introduction to chrony suite
chrony is an implementation of NTP, which performs well in a wide range of conditions, including intermittent network connections, heavily congested networks, changing temperatures (ordinary computer clocks are sensitive to temperature), and systems that do not run continuously, or run on a virtual machine.
You can use chrony:
- To synchronize the system clock with NTP servers
- To synchronize the system clock with a reference clock, for example a GPS receiver
- To synchronize the system clock with a manual time input
- As an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network
For more information about chrony, see Configuring basic system settings.
8.1.2.1. Differences between chrony and ntp
See the following resources for information about differences between chrony and ntp:
8.1.2.1.1. Chrony applies leap second correction by default
In RHEL 8, the default chrony configuration file, /etc/chrony.conf, includes the leapsectz directive.
The leapsectz directive enables chronyd to:
- Get information about leap seconds from the system tz database (tzdata)
- Set the TAI-UTC offset of the system clock in order that the system provides an accurate International Atomic Time (TAI) clock (CLOCK_TAI)
The directive is not compatible with servers that hide leap seconds from their clients using a leap smear, such as chronyd servers configured with the leapsecmode and smoothtime directives. If a client chronyd is configured to synchronize to such servers, remove leapsectz from the configuration file.
8.1.3. Additional information
For more information about how to configure NTP using the chrony suite, see Configuring time synchronization.
8.2. BIND - Implementation of DNS
RHEL 8 includes BIND (Berkeley Internet Name Domain) in version 9.11. This version of the DNS server introduces multiple new features and feature changes compared to version 9.10.
New features:
- A new method of provisioning secondary servers called Catalog Zones has been added.
- Domain Name System Cookies are now sent by the named service and the dig utility.
- The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
- Performance of response-policy zone (RPZ) has been improved.
- A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
- A new tool called delv (domain entity lookup and validation) has been added, with dig-like semantics for looking up DNS data and performing internal DNS Security Extensions (DNSSEC) validation.
- A new mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
- A new prefetch option, which improves the recursive resolver performance, has been added.
- A new in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
- A new max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
- New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
- The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
- The named service now checks whether other name server processes are running before starting up.
- When loading a signed zone, named now checks whether a Resource Record Signature's (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
- Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
Feature changes:
- The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is no longer supported.
- The named service now listens on both IPv6 and IPv4 interfaces by default.
- The named service no longer supports GeoIP databases. Access control lists (ACLs) defined by presumed location of query sender are unavailable.
- Since RHEL 8.2, the named service supports GeoIP2, which is provided in the libmaxminddb data format.
8.3. DNS resolution
In RHEL 7, the nslookup and host utilities accepted any reply without the recursion available flag from any listed name server. In RHEL 8, nslookup and host ignore replies from name servers with recursion not available unless it is the last configured name server. For the last configured name server, the answer is accepted even without the recursion available flag.
However, if the last configured name server is not responding or is unreachable, name resolution fails. To prevent such a failure, you can use one of the following approaches:
- Ensure that configured name servers always reply with the recursion available flag set.
- Allow recursion for all internal clients.
Optionally, you can also use the dig utility to detect whether recursion is available or not.
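As an added example (not part of the Red Hat documentation), the following shell functions read dig output, report whether the ra flag is set, and apply the RHEL 8 rule described above to every nameserver entry in a resolv.conf-style file. The DIG override variable and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find configured name servers whose replies lack the
# "ra" (recursion available) header flag.
# DIG is a hypothetical override variable so the dig call can be stubbed.
# Usage after sourcing: classify_resolvers /etc/resolv.conf example.com

# has_ra: read dig output on stdin.
# Exit 0 = ra set, 1 = flags line without ra, 2 = no reply header at all.
has_ra() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags:/, ""); sub(/;.*/, "")   # keep only the flag list
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
            exit
        }
        END { if (!seen) exit 2; exit (ra ? 0 : 1) }'
}

# classify_resolvers FILE QNAME: print "<server> <verdict>" per nameserver line.
# A reply without ra is only accepted by nslookup/host from the last server.
classify_resolvers() {
    conf=$1
    qname=$2
    last=$(awk '$1 == "nameserver" { ip = $2 } END { print ip }' "$conf")
    awk '$1 == "nameserver" { print $2 }' "$conf" |
    while read -r ip; do
        rc=0
        ${DIG:-dig} +time=2 +tries=1 "@$ip" "$qname" A 2>/dev/null | has_ra || rc=$?
        case $rc in
            0) echo "$ip ra-set" ;;
            1) if [ "$ip" = "$last" ]; then
                   echo "$ip no-ra-accepted-as-last"
               else
                   echo "$ip no-ra-ignored"
               fi ;;
            *) echo "$ip no-reply" ;;
        esac
    done
}
```

A no-reply verdict on the last configured server is the failure case described above: earlier servers without ra are ignored and the fallback does not answer.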
8.4. Postfix
By default in RHEL 8, Postfix uses MD5 fingerprints with TLS for backward compatibility. In FIPS mode, however, the MD5 hashing function is not available, which may cause TLS to function incorrectly in the default Postfix configuration. As a workaround, the hashing function needs to be changed to SHA-256 in the Postfix configuration file.
For more details, see the related link: https://access.redhat.com/articles/5824391
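An added example, not taken from the Red Hat documentation or the linked article: a pre-change check that lists Postfix fingerprint digest parameters still set to md5 and finds MD5-length fingerprints in a lookup table, since such entries stop matching once the digest is SHA-256. The parameter names smtp_tls_fingerprint_digest, smtpd_tls_fingerprint_digest and lmtp_tls_fingerprint_digest are Postfix's own; the table layout (one fingerprint followed by a value per line) is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check before switching Postfix TLS certificate
# fingerprints from MD5 to SHA-256 for FIPS mode.
# Usage after sourcing:
#   postconf | md5_digest_params
#   md5_fingerprints < /path/to/fingerprint_table   (placeholder path)

# md5_digest_params: read postconf output ("name = value") on stdin and
# print every *_tls_fingerprint_digest parameter whose value is md5.
md5_digest_params() {
    awk -F' *= *' '
        $1 ~ /^(smtp|smtpd|lmtp)_tls_fingerprint_digest$/ && tolower($2) == "md5" {
            print $1 "=" $2
        }'
}

# md5_fingerprints: read a fingerprint-keyed table on stdin and print
# "<line>: <key>" for keys that are MD5-length fingerprints, that is
# 16 colon-separated hex bytes (a SHA-256 fingerprint has 32).
md5_fingerprints() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = split($1, b, ":")
            if (n != 16) next
            for (i = 1; i <= n; i++)
                if (b[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) next
            print NR ": " $1
        }'
}
```

Entries reported by md5_fingerprints have to be regenerated as SHA-256 fingerprints of the same certificates when the digest parameters are changed.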
8.5. Printing
8.5.1. Print settings tools
The Print Settings configuration tool, which was used in RHEL 7, is no longer available.
To achieve various tasks related to printing, you can choose one of the following tools:
- CUPS web user interface (UI)
- GNOME Control center
For more information about print setting tools in RHEL 8, see Configuring printing.
8.5.2. Location of CUPS logs
CUPS provides three kinds of logs:
- Error log
- Access log
- Page log
In RHEL 8, the logs are no longer stored in specific files within the /var/log/cups directory, which was used in RHEL 7. Instead, all three types are logged centrally in systemd-journald together with logs from other programs.
For more information about how to use CUPS logs in RHEL 8, see Accessing the CUPS logs in the systemd journal.
8.5.3. Additional information
For more information about how to configure printing in RHEL 8, see Configuring printing.
8.6. Performance and power management options
8.6.1. Notable changes in the recommended TuneD profile
In RHEL 8, the recommended TuneD profile, reported by the tuned-adm recommend command, is selected based on the following rules:
- If the syspurpose role (reported by the syspurpose show command) contains atomic, and at the same time:
  - if TuneD is running on bare metal, the atomic-host profile is selected
  - if TuneD is running in a virtual machine, the atomic-guest profile is selected
- If TuneD is running in a virtual machine, the virtual-guest profile is selected
- If the syspurpose role contains desktop or workstation and the chassis type (reported by dmidecode) is Notebook, Laptop, or Portable, then the balanced profile is selected
- If none of the above rules matches, the throughput-performance profile is selected
Note that the first rule that matches takes effect.
8.7. Other changes to infrastructure services components
The summary of other notable changes to particular infrastructure services components follows.
| Name | Type of change | Additional information |
|---|---|---|
| acpid | Option change | |
| bind | Configuration option removal | |
| brltty | Configuration option change | |
| brltty | Configuration option removal | |
| brltty | Configuration option change | A Bluetooth device address may now contain dashes (-) instead of colons (:). The |
| cups | Functionality removal | Upstream removed support of interface scripts because of security reasons. Use PPDs and drivers provided by the OS or proprietary ones. |
| cups | Directive options removal | Removed |
| cups | Directive options removal | Removed |
| cups | Directive options removal | Removed |
| cups | Directives moved between conf files | |
| cups | Directives moved between conf files | |
| cups-filters | Default configuration change | Names of remote print queues discovered by cups-browsed are now created based on device ID of printer, not on the name of remote print queue. |
| cups-filters | Default configuration change | |
| cyrus-imapd | Data format change | Cyrus-imapd 3.0.7 has a different data format. |
| dhcp | Behavior change | |
| dhcp | Options incompatibility | The |
| dosfstools | Behavior change | Data structures are now automatically aligned to cluster size. To disable the alignment, use the |
| finger | Functionality removal | |
| GeoIP | Functionality removal | |
| grep | Behavior change | |
| grep | Behavior change | |
| grep | Behavior change | |
| grep | Behavior change | |
| grep | Behavior change | When searching binary data, |
| grep | Behavior change | |
| grep | Behavior change | Context no longer excludes selected lines omitted because of |
| irssi | Behavior change | |
| lftp | Change of options | |
| ntp | Functionality removal | ntp has been removed; use chrony instead |
| postfix | Configuration change | 3.x versions have a compatibility safety net that runs Postfix programs with backwards-compatible default settings after an upgrade. |
| postfix | Configuration change | In the Postfix MySQL database client, the default option_group value has changed to |
| postfix | Configuration change | The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set |
| postfix | Configuration change | ECDHE - |
| postfix | Configuration change | Changed defaults for |
| postfix | Configuration change | Changed defaults for |
| postfix | Configuration change | The |
| powertop | Option removal | |
| powertop | Option change | |
| powertop | Option removal | |
| quagga | Functionality removal | |
| sendmail | Configuration change | sendmail uses uncompressed IPv6 addresses by default, which permits a zero subnet to have a more specific match. Configuration data must use the same format, so make sure patterns such as |
| spamassassin | Command line option removal | Removed |
| spamassassin | Command line option change | In spamc, the command line option |
| spamassassin | Change in supported SSL versions | In spamc and spamd, SSLv3 is no longer supported. |
| spamassassin | Functionality removal | |
| vim | Default settings change | Vim runs default.vim script, if no ~/.vimrc file is available. |
| vim | Default settings change | Vim now supports bracketed paste from terminal. Include 'set t_BE=' in vimrc for the previous behavior. |
| vsftpd | Default configuration change | |
| vsftpd | Default configuration change | |
| vsftpd | Functionality removal | |
| vsftpd | Default configuration change | TLSv1 and TLSv1.1 are disabled by default |
| wireshark | Python bindings removal | Dissectors can no longer be written in Python, use C instead. |
| wireshark | Option removal | |
| wireshark | Output change | With the |
| wvdial | Functionality removal | |