Try For Free

X

Keeping Linux CentOS Patched, Even After EOL

Patch Management

December 2021 marked the end of an era—literally. That’s when one of the world’s most popular operating systems, Red Hat’s CentOS Linux 8, reached its end of life. If you’re even tangentially involved in the Linux world, you already know this means there will be no further support or updates for CentOS 8 from Red Hat.

First forked from Red Hat Enterprise Linux 2.1 AS (advance server) in 2004 as an open-source, community-supported downstream version of RHEL’s paid product, CentOS quickly became a favorite for its extreme customizability, security, and stability. Enterprises running CentOS at one time included Disney, GoDaddy, Rackspace, Toyota, and Verizon—along with much of China’s telco infrastructure.

This hasn’t come as a surprise. After IBM acquired Red Hat in 2019, it announced almost immediately in 2020 that CentOS would continue only as an upstream development distribution for RHEL. 

Many saw the CentOS EOL as a breach of trust. They weren’t just users; they were fans, spending their own time finding vulnerabilities, submitting bug reports, and creating patches. Indeed, its highly involved community was one of the biggest advantages of CentOS. And yet, with its growth, many non-devotees adopted CentOS as well, for mission-critical applications that demanded high-level SLAs, like in the healthcare sector.

So where does this leave you if you’re still running CentOS?

An Inopportune Moment

With so much advance notice, it’s tempting to think everybody would have chosen one of the four possible options:

  • Switch to CentOS Stream. Unfortunately, as a rolling-release distro, CentOS Stream’s potential instability rules it out for organizations running mission-critical servers. And it may also be less secure, as according to Red Hat, “security issues will be updated in CentOS Stream [only] after they are solved in the current RHEL release.”
  • Switch to paid RHEL. This option may come with a big price hike; plus, many CentOS fans are experienced Linux pros who don’t need the handholding that comes with the price tag. However, RHEL has upped its free offerings to 16 systems, so this may work for some smaller organizations.
  • Roll back to CentOS 7. Strangely, this version doesn’t reach EOL until June 2024. However, given the eventuality of having to switch again soon, this is an inefficient solution.
  • Choose another distribution. This could be another RHEL-based distro—AWS Linux, Rocky, Alma, or one of the many other flavors, including Debian-based favorites like Ubuntu. Yet, each comes with a number of challenges, especially for legacy systems without any Linux specialists on staff.

Overall, migration is not always easy or feasible, especially when you’re heavily invested in a particular OS, lack the expertise to migrate, or require a very specific infrastructure. Which means there are still many organizations that have been left in the lurch by the CentOS 8 EOL. 

Risks of Being Out of the Loop

So what should you do if you simply can’t prioritize migrating away from CentOS 8 just yet? 

First, you need to know that there are a few hazards of running out-of-date, EOL systems:

  • Problems go unreported because the vendor doesn’t care.
  • The community dissipates, wandering off to greener pastures.
  • Patches aren’t being released—leaving you more and more vulnerable over time.

Meanwhile, all this is happening at a time when security is ever more critical with Linux attacks on the rise, as we’ve seen recently with malware like SysJoker and AvosLocker. You can’t leave your organization vulnerable to hackers who are becoming savvier and evolving their strategies to be ever-more sophisticated.

While there are a few open-source tools to help you secure your servers, these don’t provide the peace of mind you need when it comes to a production business environment.

For most organizations, the ultimate choice is probably migration, but that doesn’t always take top priority. So until that happens, you need products that can give you the best security even for any legacy systems you happen to be running.

CentOS Patching Environment

When it came to keeping systems up to date, CentOS was never the most user-friendly OS. While Linux patching is always preferable at the advisory level, CentOS never offered advisory-level patches that could be directly deployed. Instead, CentOS would translate advisory announcements from RHEL to CentOS, then distribute these announcements via email lists.

That often caused headaches for system administrators, along with all the drudgery of tracking CentOS updates manually, given that most of the available patching tools couldn’t automatically harvest this information. Most CentOS users also handled updates through the command line, fetching updates as needed from CentOS and third-party repositories.

But what was once a complex process has become even more so now that the OS has reached EOL. 

Essentially, once an OS version reaches EOL, the repository is archived and ceases to exist. That means tools like yum are helpless to retrieve updates until you reconfigure them. This can be done manually or by running a script (using existing Linux tools, like Ansible) that changes the repositories’ configuration on the CentOS machine, pointing it to the permanent archive repositories.

Survival Strategies

While migration may be ideal, as we’ve seen, that’s not always possible right away. But the presence of vulnerable EOL and legacy systems in your environment means you must be more vigilant than ever. This includes remediating vulnerabilities in your other systems to reduce the odds of lateral movement.

Here are a few steps that will help you keep safe until it’s time to migrate:

  • Inventory your entire environment to pinpoint EOL systems and other potential problems.
  • Plan your migration path for any EOL and legacy systems.
  • Implement intelligent patching to keep all environments up to date from a single console.
  • Use automation and prediction to cut time to remediation and up the odds of success.

JetPatch is a modern patching solution that provides all these services, taking the headache out of managing today’s complex and distributed environments, on-premises and in the cloud, including Windows and all major Linux distributions. 

And with full support for up to one year following extended EOL, JetPatch lets you keep on running legacy CentOS servers with peace of mind while you take the time you need to plan a full migration.

When you’re responsible for mission-critical Linux servers, JetPatch has your back with…

  • Easy onboarding for your entire Linux environment
  • Zero-touch continuous patch automation—even after EOL
  • A single solution that works across all your OSes

If you’re running CentOS 8 or other EOL and legacy systems, you truly can’t afford to wait. Get in touch today to start your free JetPatch trial and see how easy vulnerability management can be.

Todd Kirkland
schedule demoORlearn more
Start Patching the Right Way
Free Trial
ipt>