CentOS Linux 7 End of Life Guidance: How To Prepare
Updates and releases of CentOS Linux® 8 were discontinued on December 31, 2021, and will be discontinued for CentOS Linux 7 on June 30, 2024. In this article Rebecca Horton, Anglepoint’s Senior Director, Red Hat, explores the impact of CentOS reaching EOL and how your organization can prepare.
What is CentOS?
CentOS is the open-source project of Linux before it becomes Red Hat. This community project releases two distinct Linux distributions, CentOS Stream and CentOS Linux. CentOS Stream is the upstream development platform for upcoming Red Hat Enterprise Linux product releases. The developers that have written the code bring this together and harden that code to create a packaged product, resulting in CentOS. Software publishers like Red Hat, Oracle Linux, and SUSE take that same code and test it, harden it, secure it, and make it ready for the enterprise. So, CentOS is a package-ready version of Linux, and Red Hat Linux is an enterprise-ready version of Linux.
What is open-source software (OSS)?
It is software with source code that anyone can inspect, modify, and enhance. “Source code” is the technical backend piece of software that most computer users will never see, and this is where the programmers add code to make changes to how the software, program, or application works. They can improve it by fixing parts that aren’t functioning in the way they need them to. OSS is different from standard software in that it is not licensable – a more appropriate term would be a subscription, and this would include support, access to the updates, patches, and bug fixes.
As a general rule, OSS is not included in software asset management reconciliation results because it is not licensable and the cost is either internal development costs or third-party support costs. However, OSS systems are often some of the most critical systems to an organization. In fact, 100% of travel booking systems and airlines run on OSS, and about 80 to 90% of banking and trading systems run on OSS! Considering that OSS is so pervasive in every enterprise organization, operations focused on robust IT governance should certainly bring this in scope.
What is the Impact of End of Life (EOL)?
On June 30th, 2024, the support package for CentOS will stop providing support, patches, updates, and bug fixes. This will become a high risk and will require migrating all the versions of CentOS across your environment to Red Hat as a matter of priority.
OSS is pervasive within enterprise organizations, and quite often organizations don’t know exactly where it is and what it’s doing. Historically, OSS systems have not been very well managed and maintained within an enterprise environment, meaning that instances that are not migrated and continue to run without the updates will be open to attack. Finding all the versions of CentOS, and other community versions of Linux, and migrating them will be critical to ensure security risks are mitigated.
It’s worth noting that about 60% of security threats are targeted at OSS systems. What exactly does that risk look like? We can think back to one of the most noted security breaches in the last five years, which involved Equifax, a global finance and credit agency that was the victim of a targeted attack on a known OSS vulnerability. Due to failures in their discovery and ITAM practices, the vulnerability was not acted on in time to avoid the breach, which had global ramifications and led to a hefty fine of millions of pounds. This is why OSS should be part of robust SAM, ITAM, Governance, and IT visibility practices.
To achieve IT visibility, software must first be discovered. This means understanding what’s deployed, where, how, who’s using it, what system it is connected to, and what data it is running. This is especially important for OSS because it is difficult to discover. In the case of Equifax, it was documented that they were aware of the issues, which made the story a whole lot different. The takeaway here is to find it, but also make sure it is managed and (if necessary) migrated!
On June 30th, 2024, in addition to the CentOS Linux 7 EOL, Red Hat Enterprise Linux 7 reaches end of maintenance. This means that it can still be used but there will be no updates, patches, or bug fixes. Customers will need to either upgrade to RHEL 8 or higher or purchase extended life cycle support (ELS) to continue to receive support and have access to patches and fixes. If organizations wish to maintain RHEL 7 and purchase ELS, it is important to note that Red Hat is no longer creating improvements to the RHEL 7 version (adding new features and functionality). Phone support is still available, along with access to the legacy product documentation on the Red Hat customer portal and access to any newly released fixes and patches.
How can Anglepoint help?
Anglepoint’s expert team will work with your organization to provide the discovery data and visibility of your CentOS (and other OSS) versions to support the migration to Red Hat. This information will be used to create an ELP or can be part of a SAM managed service, to provide tracking, management, reporting, budget, renewal, and contract negotiation support. If you would like to discuss the implications of CentOS Linux 7 EOL for your organization and find out how Anglepoint can ensure you are ready for June 30, 2024, get in touch with us here.