Friday, December 11, 2009

Problems I have with CentOS

Let me start off by saying that I like CentOS. Don't get me wrong. It is basically a free version of RedHat Enterprise Linux. Having said that though, I have encountered a couple of annoyances with the distrobution that I would like to address.

I have not had any first hand experience dealing with RHEL. My complaints about Cent could very likely hold true within RHEL, I do not know for certain. If this happens to be the case please feel free to comment on this article and let me know.

CentOS is your basic rpm based distrobution which is another RedHat spinoff. I have installed Cent on a few different machines and have been maintaining system updates. Yum, which is a very handy tool, is extremely easy to use for system packages. However, one thing I cannot comprehend is the way CentOS package versioning works. This in itself is my main complaint.

For example, you have installed the httpd apache package onto your system. A security update has been released and a new version of apache is available. Yum check-update will inform you that a new version is out and you should update. Using yum update you can easily download the new package and install it on your server. Here is where the problem begins.

The Cent Apache version reports that it is version 2.2.3. However, 2.2.3 is an extremely outdated version of Apache. The latest version acording to the Apache website is 2.2.14. This is definitely a reason for concern. The problem is that the Cent version of Apache 2.2.3 is really equivalent to 2.2.14. The CentOS moderators have applied all the patches needed to step version 2.2.3 up to version 2.2.14. If this is the case why do you still see 2.2.3 you might wonder.

The 2.2.3 package contains all the fixes associated with the new version, they (Cent) merely apply the fixes to the older package and leave the version number. I had a hard time understanding this at first but after working with it for a while I am beginning to comprehend. Even though remotely I detect 2.2.3 it is truly 2.2.14. The problem I have with this has to do with compliance.

For example, say you are an e-commerce site that gets PCI audits. The PCI compliance auditor scans your server and reports that the version of Apache you are running is old, outdated, and contains security problems. We know that this is not true due to the CentOS versioning strategy, however it still pops up on the report and we have to deal with the problem. The same goes for other packages such as kernel files or ssl versions.

Why does Cent feel they should patch and release the old version as opposed to releasing a new updated package which contains the appropriate version number. These type of problems can cause much greif for administrators. Would someone please give me a logical explaination as to why they would update packages in this fashion? It just does not make sense to me at all.

The rpm file might give more detail about the package / version combination that you have installed on your system but that does not really matter. I say it doesn't matter because the security scanners will be coming from external sources and will not have any knowledge of the actual system packages. Only the version reported by the daemon itself will be used for testing.

Another complaint I have regarding Cent has to do with yum. I really like the yum tool for installing packages and system updates. However I have found a few problems using the automated yum installer/updater.

First, I have a system which I had installed apache/php through the yum repositories. A few weeks pass and there are updates for those 2 packages. After applying the updates I find myself looking at 3 php modules that now fail to load. Sure, this is my fault I guess. However, the point of a tool such as yum is to make things as easy as possible. If those packages get updated yum should be intuitive enough to fetch updates for the other packages that are built based on php or Apache. I now receive a size mismatch module load error from php which I have fixed for now by disabling the three modules in question. Why would yum not have knocked this out the box to begin with? The automated tool I am relying on doesn't seem to keep my system packages aligned.

Second, I had to install the rpmforge packages to get anything useful outside the base distro packages. I do not have a problem with that, it is helpful that something such as rpmforge exists. However, I have ran into problems with other packages that I typically use. RKHunter is a very useful tool that I like to install on my linux systems. After installing rpmforge it was very easy to install. yum install rkhunter. boom, just like that after answering y to the prompt I have rkhunter installed. When I attempt to run rkhunter --update it fails miserably based on a null variable error. The script doesn't seem to locate the version number and throws an exception when it hits an if statement that evaluates version numbers.

This is kind of annoying. It spits out some xml code blurps and dies off. When running the rkhunter -c command it works and runs through the system checklist. It finds a few typical CentOS directories and has a fit about them /dev/.udev as I remember and a few others. If this package has been configured for CentOS then why would you not fix these common problems? It's little things such as these that are a turn off for other people. I have been using Linux for long enough that I can most likely identify and fix the issue, but your average newbie admin would be hitting the wall here and thinking about another solution.

Cent seems to be rock solid, it has some Unix like features such as the sysctl configurations. I think it is a great alternative to paying for RedHat Linux and I will continue to use it. I just have a few problems... that's all.

No comments:

Post a Comment