Could Oracle Linux be the Logical Enterprise-Ready CentOS Replacement?
Red Hat’s recent decision to discontinue CentOS 8 has left a critical void in the enterprise Linux market, shifting the spotlight onto other enterprise-ready Linux distributions. One distro that stands out as a viable CentOS 8 replacement among respected enterprise Linux distributions such as Ubuntu, Red Hat Enterprise Linux (RHEL), AlmaLinux and SUSE is Oracle Linux, an OS compiled from the same open-source code as RHEL. Oracle Linux provides a secure open-source platform for the enterprise and is ideal for database environments. LinuxSecurity researchers worked with Honglin Su from the Oracle Linux and Virtualization product management team along with the Kernel development team to answer our questions regarding why Oracle Linux is an excellent OS for the security-conscious enterprise, what makes the distro a logical enterprise-ready CentOS replacement, what the future holds for Oracle Linux, and more!
Oracle Linux: A Comprehensive Open-Source OS with an Emphasis on Security
Since its inception in 2006, Oracle Linux has been completely free to download and use without any license fee. Support contracts are available from Oracle for a complete operating environment that delivers an integrated suite of virtualization, management and cloud native computing tools, along with the Linux OS. Oracle Linux is optimized out of the box for all Oracle software workloads and enables enterprises to run Oracle Database on the same OS it was developed on.
With security breaches on the rise, the ability to apply security fixes quickly and seamlessly is becoming increasingly critical - especially as more businesses adopt container technology to build cloud-based applications. Oracle Linux mitigates the risk of attacks exploiting unpatched vulnerabilities with Ksplice automated patching without reboot, making it the only Linux distro that provides zero-downtime automated patching for kernel, hypervisor, and critical user-space libraries. By eliminating the trade-off between security and availability, Oracle Linux saves customers 500 hours each month, or about $375,000 each year.
What Makes Oracle Linux More Secure and Optimized?
Oracle Linux ships with secure defaults and brings top-notch security features like zero-downtime updates via Ksplice patching for kernel, hypervisor and userspace, known exploit detection, and modern Linux kernels to the enterprise. More importantly, Oracle has "bet the farm" on Oracle Linux. As a leading database vendor and premier Cloud provider, everything Oracle does is built on and runs on Oracle Linux.
Oracle is a member of the industry’s Linux pre-embargo security response team, working with others on industry-wide security issues, enabling secure hardware technologies, addressing and removing security issues proactively, delivering innovative open source technologies such as SELinux, Kata containers, multiprocess QEMU, etc. FIPS validation and Common Criteria (CC) certification demonstrate Oracle’s commitment to security. In addition, Oracle performs routine auditing and has an internal “ethical hacking team”. They use fuzzing tools in their internal development workflow, and run multiple static analysis tools (parfait, etc.) as a normal part of the build process.
Many Linux distributions, especially in the enterprise space, tend to stick with the same kernel for five to 10 years and provide fixes and feature backports to that kernel. Oracle Linux comes with a choice of two kernels, the Unbreakable Enterprise Kernel (UEK), which is installed and enabled by default, and the Red Hat Compatible Kernel. UEK for Oracle Linux allows customers to take advantage of the latest developments in upstream Linux.
UEK closely follows the Linux Kernel's Long Term Stable (LTS) release, releasing a monthly update which is a KABI-stabilized version of those updates. The kernel LTS maintainer, Greg Kroah-Hartman, has observed that nearly half of all security vulnerabilities reported against the kernel are "retroactive", i.e. they are filed for patches that are already included in upstream Linux, and often already included in the Long Term Stable branches. Oracle’s strategy of tracking modern Linux kernels means that customers can be running with the latest security fixes even before the CVE identifier is assigned to those patches. And if they aren't, that's where Oracle Ksplice comes in. Oracle Linux with UEK is well-tested and used to run Oracle’s Engineered Systems (Exadata, Private Cloud Appliance, and so on), Oracle Cloud Infrastructure, and large enterprise deployments for Oracle customers.
For example, UEK Release 6, based on the mainline Linux kernel 5.4.17, is available with Oracle Linux 7 and 8 and supports Intel/AMD (x86-64) as well as Arm (aarch64) platforms. It provides the latest open source innovations, key optimizations, and security to cloud and on-premises workloads. Customers can run the same modern Linux kernel across major Linux releases, while the corresponding RHEL 7 and 8 kernels are still based on the mainline kernels 3.10 and 4.18.
Running Oracle Linux can also enhance the security and performance of critical applications by implementing Oracle Linux KVM with Oracle Real Application Clusters (RAC), which helps create a virtualized data center for highly available applications. The DTrace feature provides comprehensive kernel and application tracing, enabling admins and developers to efficiently and concisely answer questions about the behavior of the OS and user programs in real-time.
The latest open-standards–based cloud native tools, along with KVM server virtualization and oVirt-based virtualization manager, are included at no extra cost with Oracle Linux Premier Support. Based on the Open Container Initiative (OCI) and Cloud Native Computing Foundation (CNCF) standards, Oracle Cloud Native Environment delivers a simplified framework for installations, updates, upgrades and configuration of key open source technologies for orchestrating microservices. Using a curated set of open source components that are tested and supported, such as Kubernetes and Kata Containers, Oracle Cloud Native Environment with Oracle Linux is ideal for Hybrid Cloud.
Need A Stable, RHEL-Compatible CentOS Replacement? Oracle Linux Has You Covered.
Red Hat’s decision to discontinue CentOS 8 has left many users scrambling to find a cost-efficient, secure and RHEL-compatible replacement. If you are currently faced with this important decision and are in the process of researching a viable CentOS replacement, don’t overlook Oracle Linux.
Oracle Linux could potentially be a better alternative to CentOS. The OS is reliable, affordable, and 100% RHEL-compatible. But there’s more - the distro gives you access to some of the most cutting-edge innovations in Linux such as Ksplice and DTrace. In addition, Oracle Linux releases consistently track Red Hat Enterprise Linux with errata typically released within 24 hours, update releases usually available within five business days and major version releases within three months, ensuring that by switching to Oracle Linux you don’t risk another inconvenient CentOS delay!
Now the question you’re likely asking yourself: “But is it free like CentOS?” The answer is “Yes, with an optional support offering.” You can decide which of your Oracle Linux systems should be under support. There is no all or nothing clause. However, non-paying users get the same kernel releases and rock-solid code quality as paying customers. A pretty good deal if you ask me, especially given Oracle develops and runs its business on Oracle Linux. Oracle Linux offers the same operating system on-premises in the data center and in the cloud for paying customers and non-paying users alike. All applications developed on Oracle Linux will also run—without modification—on Oracle Engineered Systems and Oracle Cloud Infrastructure. This consistency is essential for agility. To put the point into a real-world context, Oracle Linux provides customers/developers with the confidence they need to “develop once and run everywhere.”
Making the Switch from CentOS to Oracle Linux is Seamless & Easy!
The Oracle Linux team has created a simple script with instructions that you can use to switch your CentOS 8, 7 and 6 systems to Oracle Linux. The script has two main functions: it switches your yum configuration to use the Oracle Linux yum server to update some core packages, and it installs Oracle Linux’s latest Unbreakable Enterprise Kernel. It is not necessary to restart after switching, but we recommend you do to take advantage of UEK. Yes - it really is that easy!
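A post-switch check, as an added example that is not part of the original article or of Oracle's script: it confirms that the system identifies as Oracle Linux, that no repository file still points at CentOS mirrors, and that the running kernel is UEK, which requires the recommended reboot. The function names are hypothetical; the assumptions are that /etc/os-release reports ID="ol" on Oracle Linux and that UEK kernel release strings contain "uek".

```shell
#!/bin/sh
# Post-switch audit for a CentOS -> Oracle Linux conversion (added example).
# Assumptions: function names are hypothetical; /etc/os-release reports
# ID="ol" on Oracle Linux; UEK kernel release strings contain "uek".

# Print the distro ID from an os-release style file, quotes stripped.
os_id() {
    sed -n 's/^ID=//p' "$1" 2>/dev/null | tr -d '"' | head -n 1
}

# Succeed if the given kernel release string is a UEK build.
is_uek() {
    case "$1" in
        *uek*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print .repo files in a directory that still reference CentOS hosts
# on an uncommented baseurl or mirrorlist line.
stale_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(baseurl|mirrorlist)[[:space:]]*=.*centos\.org' "$f"; then
            echo "$f"
        fi
    done
}

# Summarise the state of the host.
# Args: os-release file, repo directory, running kernel release.
# Prints one of: not-switched | stale-repos | reboot-pending | switched
switch_status() {
    [ "$(os_id "$1")" = "ol" ] || { echo "not-switched"; return; }
    [ -z "$(stale_repos "$2")" ] || { echo "stale-repos"; return; }
    # Not running UEK: the reboot has not happened yet, or the Red Hat
    # Compatible Kernel was selected deliberately.
    is_uek "$3" || { echo "reboot-pending"; return; }
    echo "switched"
}

# Audit the live system.
switch_status /etc/os-release /etc/yum.repos.d "$(uname -r)"
```

A host that reports reboot-pending is still running its old kernel, so it does not yet benefit from the UEK fixes described above.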