Chapter 7. Infrastructure services
7.1. Time synchronization
Accurate timekeeping is important for a number of reasons. In Linux systems, the Network Time Protocol (NTP) is implemented by a daemon running in user space.
7.1.1. Implementation of NTP
RHEL 7 supported two implementations of the NTP protocol: ntp and chrony.
In RHEL 8, the NTP protocol is implemented only by the chronyd daemon, provided by the chrony package. The ntp daemon is no longer available. If you used ntp on your RHEL 7 system, you might need to migrate to chrony.
Possible replacements for previous ntp features that are not supported by chrony are documented in Achieving some settings previously supported by ntp in chrony.
7.1.2. Introduction to chrony suite
chrony is an implementation of NTP, which performs well in a wide range of conditions, including intermittent network connections, heavily congested networks, changing temperatures (ordinary computer clocks are sensitive to temperature), and systems that do not run continuously, or run on a virtual machine.
You can use chrony:
- To synchronize the system clock with NTP servers
- To synchronize the system clock with a reference clock, for example a GPS receiver
- To synchronize the system clock with a manual time input
- As an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network
For more information about chrony, see Configuring basic system settings.
7.1.2.1. Differences between chrony and ntp
See the following resources for information about differences between chrony and ntp:
7.1.2.1.1. Chrony applies leap second correction by default
In RHEL 8, the default chrony configuration file, /etc/chrony.conf, includes the leapsectz directive.
The leapsectz directive enables chronyd to:
- Get information about leap seconds from the system tz database (tzdata)
- Set the TAI-UTC offset of the system clock so that the system provides an accurate International Atomic Time (TAI) clock (CLOCK_TAI)
The directive is not compatible with servers that hide leap seconds from their clients using a leap smear, such as chronyd servers configured with the leapsecmode and smoothtime directives. If a client chronyd is configured to synchronize to such servers, remove leapsectz from the configuration file.
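The following is an added example, not from this page or the chrony project. It places a leap-smearing chronyd server configuration next to the client configuration that has to drop leapsectz, and adds a small check that flags the incompatible combination. The host names, pool name and network are placeholders; the configuration text is constructed for the example; leapsecmode, smoothtime and leapsectz are real chrony directives. The smear detection is a heuristic (any smoothtime directive) and is an assumption of this example, not a rule stated on the page.

```sh
#!/bin/sh
# Added example (not from the page or the chrony project): a leap-smearing
# chronyd server configuration next to the client configuration that must not
# keep leapsectz, plus a check for the incompatible combination. Host names
# and networks are placeholders; the configuration text is constructed here.

# Server side: the leap second is slewed and smoothed over the smoothing
# interval instead of being announced to clients (the documented smear recipe).
SMEAR_SERVER_CONF='
pool 2.rhel.pool.ntp.org iburst
leapsecmode slew
smoothtime 400 0.001 leaponly
allow 192.0.2.0/24
'

# Client side as shipped in the RHEL 8 default chrony.conf: leapsectz present.
CLIENT_CONF_DEFAULT='
server ntp.example.internal iburst
leapsectz right/UTC
'

# Client side after the fix described above: leapsectz removed.
CLIENT_CONF_FIXED='
server ntp.example.internal iburst
'

# Return 0 if the configuration text on stdin has an active leapsectz directive.
has_leapsectz() {
    grep -Eq '^[[:space:]]*leapsectz([[:space:]]|$)'
}

# Return 0 if the configuration text on stdin hides leap seconds from clients.
# Heuristic (assumption of this example): any smoothtime directive; the usual
# smear recipe is "leapsecmode slew" together with "smoothtime ... leaponly".
smears_leap() {
    grep -Eq '^[[:space:]]*smoothtime[[:space:]]'
}

# Print the configuration text from stdin without the leapsectz directive.
strip_leapsectz() {
    grep -Ev '^[[:space:]]*leapsectz([[:space:]]|$)'
}

# Given a client configuration and the configuration of its upstream server,
# print "incompatible" and return 1 when the client keeps leapsectz while the
# upstream smears leap seconds; print "ok" and return 0 otherwise.
check_pair() {
    client_conf=$1
    server_conf=$2
    if printf '%s\n' "$client_conf" | has_leapsectz &&
       printf '%s\n' "$server_conf" | smears_leap; then
        echo incompatible
        return 1
    fi
    echo ok
}

check_pair "$CLIENT_CONF_DEFAULT" "$SMEAR_SERVER_CONF" || true   # incompatible
check_pair "$CLIENT_CONF_FIXED" "$SMEAR_SERVER_CONF"             # ok
```

On a real client you only see your own /etc/chrony.conf, so the server-side half of the check is what you ask the operator of the upstream server; if they smear, pipe your configuration through strip_leapsectz (or delete the line by hand) and restart chronyd.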
7.1.3. Additional information
For more information about how to configure NTP using the chrony suite, see Configuring time synchronization.
7.2. BIND - Implementation of DNS
RHEL 8 includes BIND (Berkeley Internet Name Domain) in version 9.11. This version of the DNS server introduces multiple new features and feature changes compared to version 9.10.
New features:
- A new method of provisioning secondary servers called Catalog Zones has been added.
- Domain Name System Cookies are now sent by the named service and the dig utility.
- The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
- Performance of response-policy zones (RPZ) has been improved.
- A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
- A new tool called delv (domain entity lookup and validation) has been added, with dig-like semantics for looking up DNS data and performing internal DNS Security Extensions (DNSSEC) validation.
- A new mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
- A new prefetch option, which improves recursive resolver performance, has been added.
- A new in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
- A new max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
- New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
- The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
- The named service now checks whether other name server processes are running before starting up.
- When loading a signed zone, named now checks whether a Resource Record Signature (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
- Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
Feature changes:
- The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is no longer supported.
- The named service now listens on both IPv6 and IPv4 interfaces by default.
- The named service no longer supports GeoIP databases. Access control lists (ACLs) defined by the presumed location of the query sender are unavailable.
- Since RHEL 8.2, the named service supports GeoIP2, which is provided in the libmaxminddb data format.
7.3. DNS resolution
In RHEL 7, the nslookup and host utilities accepted any reply from any configured name server, even a reply without the recursion available (RA) flag. In RHEL 8, nslookup and host ignore replies without the RA flag unless they come from the last configured name server; a reply from the last configured name server is accepted even without the RA flag.
However, if the last configured name server is not responding or is unreachable, name resolution fails. To prevent this failure, use one of the following approaches:
- Ensure that configured name servers always reply with the recursion available flag set.
- Allow recursion for all internal clients.
Optionally, you can also use the dig utility to detect whether recursion is available or not.
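The following is an added example, not from this page or from BIND; it shows the dig-based check the paragraph mentions. It parses the flags line of dig's header output for the ra flag and classifies each server as recursive, non-recursive, or not answering. The two dig outputs embedded below are constructed samples, the probed zone (example.com) and the resolv.conf path are placeholders, and the live probe and audit functions need network access, so they are defined but not called.

```sh
#!/bin/sh
# Added example (not from the page or from BIND): detect whether a name server
# sets the "recursion available" (ra) flag by parsing dig's header output.
# The sample outputs are constructed; the zone name and server are placeholders.

# Constructed reply from a recursive resolver (ra present).
SAMPLE_RA='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
'

# Constructed reply from an authoritative-only server (aa set, ra absent).
SAMPLE_NO_RA='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
'

# Return 0 when the dig output on stdin carries the ra flag, 1 otherwise.
ra_flag_set() {
    grep -E '^;; flags:' | grep -Eq '(^| )ra(;| )'
}

# Classify dig output on stdin. Prints "recursive" (return 0), "non-recursive"
# (return 1) or "no-header" (return 2, e.g. timeout or unreachable server).
classify_reply() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -Eq '^;; flags:'; then
        echo no-header
        return 2
    fi
    if printf '%s\n' "$out" | ra_flag_set; then
        echo recursive
        return 0
    fi
    echo non-recursive
    return 1
}

# Live probe of one server (needs network; not run here). Only the comment
# section is requested so that the output matches what classify_reply expects.
probe_server() {
    dig +noall +comments +time=2 +tries=1 "@$1" example.com. A | classify_reply
}

# Audit every nameserver listed in resolv.conf (needs network; not run here).
# Anything but "recursive" on a server that is not the last one listed means
# RHEL 8 nslookup/host will ignore its replies.
audit_resolv_conf() {
    awk '/^nameserver/ { print $2 }' /etc/resolv.conf | while read -r ns; do
        printf '%s: ' "$ns"
        probe_server "$ns" || true
    done
}

printf '%s\n' "$SAMPLE_RA" | classify_reply            # recursive
printf '%s\n' "$SAMPLE_NO_RA" | classify_reply || true # non-recursive
```

Run audit_resolv_conf on the client; every server that prints anything other than "recursive" is one whose replies RHEL 8 will drop unless it happens to be the last nameserver line, which is exactly the failure mode described above.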
7.4. Postfix
By default in RHEL 8, Postfix uses MD5 fingerprints for TLS certificate and public-key matching, for backward compatibility. In FIPS mode, the MD5 hashing function is not available, which can cause TLS to malfunction with the default Postfix configuration. As a workaround, change the fingerprint hashing function to SHA-256 in the Postfix configuration file.
For more details, see the related link: https://access.redhat.com/articles/5824391
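The following is an added example, not from this page or from Postfix. It audits a main.cf for the MD5 fingerprint digest and prints the postconf command that switches it to SHA-256. The parameter names used (smtpd_tls_fingerprint_digest, smtp_tls_fingerprint_digest, lmtp_tls_fingerprint_digest) are real Postfix parameters that the page does not name; the main.cf content is constructed, the host name and certificate path are placeholders, and the parser assumes the "name = value" form, one parameter per line.

```sh
#!/bin/sh
# Added example (not from the page or from Postfix): audit a main.cf for MD5
# TLS fingerprint digests and print the SHA-256 fix needed under FIPS mode.
# The main.cf text is constructed; the live-system command is printed, not run.

# Postfix parameters that select the certificate/public-key fingerprint digest.
# When unset, the compiled-in default in the Postfix shipped with RHEL 8 is md5.
DIGEST_PARAMS='smtpd_tls_fingerprint_digest smtp_tls_fingerprint_digest lmtp_tls_fingerprint_digest'

# Constructed sample: one parameter set explicitly to md5, the other two unset.
SAMPLE_MAIN_CF='
myhostname = mail.example.internal
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_fingerprint_digest = md5
smtp_tls_security_level = may
'

# Effective digest for parameter $1 in the main.cf text on stdin. Assumes the
# "name = value" form; the last assignment wins (Postfix semantics) and an
# unset parameter falls back to the md5 default.
effective_digest() {
    awk -v p="$1" '
        $1 == p && $2 == "=" { v = $3 }
        END { print (v == "" ? "md5" : v) }'
}

# Print each parameter whose effective digest is md5. Returns 1 if any found.
md5_digest_params() {
    cf=$(cat)
    found=0
    for p in $DIGEST_PARAMS; do
        if [ "$(printf '%s\n' "$cf" | effective_digest "$p")" = "md5" ]; then
            echo "$p"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Print the postconf command that fixes the live system (not executed here);
# prints nothing when no parameter still uses md5.
fix_command() {
    cf=$(cat)
    set --
    for p in $(printf '%s\n' "$cf" | md5_digest_params); do
        set -- "$@" "$p=sha256"
    done
    if [ $# -gt 0 ]; then
        echo "postconf -e $*"
    fi
}

printf '%s\n' "$SAMPLE_MAIN_CF" | md5_digest_params || true
printf '%s\n' "$SAMPLE_MAIN_CF" | fix_command
```

After applying the printed postconf command and reloading Postfix, regenerate any fingerprints stored in TLS policy or client-certificate access tables with the new digest (for example openssl x509 -noout -fingerprint -sha256), because those stored values were computed with MD5 and will no longer match.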
7.5. Printing
7.5.1. Print settings tools
The Print Settings configuration tool, which was used in RHEL 7, is no longer available.
To achieve various tasks related to printing, you can choose one of the following tools:
- CUPS web user interface (UI)
- GNOME Control center
For more information about print setting tools in RHEL 8, see Configuring printing.
7.5.2. Location of CUPS logs
CUPS provides three kinds of logs:
- Error log
- Access log
- Page log
In RHEL 8, the logs are no longer stored in specific files within the /var/log/cups
directory, which was used in RHEL 7. Instead, all three types are logged centrally in systemd-journald together with logs from other programs.
For more information about how to use CUPS logs in RHEL 8, see Accessing the CUPS logs in the systemd journal.
7.5.3. Additional information
For more information about how to configure printing in RHEL 8, see Configuring printing.
7.6. Performance and power management options
7.6.1. Notable changes in the recommended TuneD profile
In RHEL 8, the recommended TuneD profile, reported by the tuned-adm recommend command, is selected based on the following rules:
- If the syspurpose role (reported by the syspurpose show command) contains atomic, and at the same time:
  - if TuneD is running on bare metal, the atomic-host profile is selected
  - if TuneD is running in a virtual machine, the atomic-guest profile is selected
- If TuneD is running in a virtual machine, the virtual-guest profile is selected
- If the syspurpose role contains desktop or workstation and the chassis type (reported by dmidecode) is Notebook, Laptop, or Portable, then the balanced profile is selected
- If none of the above rules matches, the throughput-performance profile is selected
Note that the first rule that matches takes effect.
7.7. Other changes to infrastructure services components
The summary of other notable changes to particular infrastructure services components follows.
Name | Type of change | Additional information |
---|---|---|
acpid | Option change | |
bind | Configuration option removal | |
brltty | Configuration option change | |
brltty | Configuration option removal | |
brltty | Configuration option change | A Bluetooth device address may now contain dashes (-) instead of colons (:). The |
cups | Functionality removal | Upstream removed support for interface scripts for security reasons. Use PPDs and drivers provided by the OS or proprietary ones. |
cups | Directive options removal | Removed |
cups | Directive options removal | Removed |
cups | Directive options removal | Removed |
cups | Directives moved between conf files | |
cups | Directives moved between conf files | |
cups-filters | Default configuration change | Names of remote print queues discovered by cups-browsed are now created based on the device ID of the printer, not on the name of the remote print queue. |
cups-filters | Default configuration change | |
cyrus-imapd | Data format change | Cyrus-imapd 3.0.7 has a different data format. |
dhcp | Behavior change | |
dhcp | Options incompatibility | The |
dosfstools | Behavior change | Data structures are now automatically aligned to cluster size. To disable the alignment, use the |
finger | Functionality removal | |
GeoIP | Functionality removal | |
grep | Behavior change | |
grep | Behavior change | |
grep | Behavior change | |
grep | Behavior change | |
grep | Behavior change | When searching binary data, |
grep | Behavior change | |
grep | Behavior change | Context no longer excludes selected lines omitted because of |
irssi | Behavior change | |
lftp | Change of options | |
ntp | Functionality removal | ntp has been removed; use chrony instead. |
postfix | Configuration change | The 3.x versions have a compatibility safety net that runs Postfix programs with backwards-compatible default settings after an upgrade. |
postfix | Configuration change | In the Postfix MySQL database client, the default option_group value has changed to |
postfix | Configuration change | The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set |
postfix | Configuration change | ECDHE - |
postfix | Configuration change | Changed defaults for |
postfix | Configuration change | Changed defaults for |
postfix | Configuration change | The |
powertop | Option removal | |
powertop | Option change | |
powertop | Option removal | |
quagga | Functionality removal | |
sendmail | Configuration change | sendmail uses uncompressed IPv6 addresses by default, which permits a zero subnet to have a more specific match. Configuration data must use the same format, so make sure patterns such as |
spamassassin | Command line option removal | Removed |
spamassassin | Command line option change | In spamc, the command line option |
spamassassin | Change in supported SSL versions | In spamc and spamd, SSLv3 is no longer supported. |
spamassassin | Functionality removal | |
vim | Default settings change | Vim runs the default.vim script if no ~/.vimrc file is available. |
vim | Default settings change | Vim now supports bracketed paste from the terminal. Include 'set t_BE=' in vimrc for the previous behavior. |
vsftpd | Default configuration change | |
vsftpd | Default configuration change | |
vsftpd | Functionality removal | |
vsftpd | Default configuration change | TLSv1 and TLSv1.1 are disabled by default. |
wireshark | Python bindings removal | Dissectors can no longer be written in Python; use C instead. |
wireshark | Option removal | |
wireshark | Output change | With the |
wvdial | Functionality removal | |