Why we have CentOS machines as well as Ubuntu ones

April 24, 2016

I'll start with the tweets that I ran across semi-recently (via @bridgetkromhout):

@alicegoldfuss: "If you're running Ubuntu and some guy comes in and says 'we should use Redhat'...fuck that guy." - @mipsytipsy #SREcon16
mipsytipsy: alright, ppl keep turning this into an OS war; it is not. supporting multiple things is costly so try to avoid it.

This is absolutely true. But, well, sometimes you wind up with exceptions despite how you may feel.

We're an Ubuntu shop; it's the Linux we run and almost all of our machines are Linux machines. Despite this we still have a few CentOS machines lurking around, so today I thought I'd explain why they persist despite their extra support burden.

The easiest machine to explain is the one machine running CentOS 6. It's running CentOS 6 for the simple reason that that's basically the last remaining supported Linux distribution that Sophos PureMessage officially runs on. If we want to keep running PureMessage in our anti-spam setup (and we do), CentOS 6 is it. We'd rather run this machine on Ubuntu, and we used to before Sophos's last supported Ubuntu version aged out of support.

Our current generation iSCSI backends run CentOS 7 because of the long support period it gives us. We treat these machines as appliances and freeze them once installed, but we still want at least the possibility of applying security updates if there's a sufficiently big issue (an OpenSSH exposure, for example). Because these machines are so crucial to our environment, we want to qualify them once and then never touch them again, and CentOS has a long enough support period to more than cover their expected five-year lifespan.

Finally, we have a couple of syslog servers and a console server that run CentOS 7. This is somewhat due to historical reasons, but in general we're happy with this choice; these are machines that are deliberately entirely isolated from our regular management infrastructure and that we want to just sit in a corner and keep working smoothly for as long as possible. Basing them on CentOS 7 gives us a very long support period and means we probably won't touch them again until the hardware is old enough to start worrying us (which will probably take a while).

The common feature here is the really long support period that RHEL and CentOS give us. If all we want is basic garden variety server functionality (possibly because we're running our own code on top, as with the iSCSI backends), we don't really care about using the latest and greatest software versions, and it's an advantage to not have to worry about big things like OS upgrades. (For us an OS upgrade is actually 'build a completely new instance of the server from scratch'; we don't attempt in-place upgrades of that degree and they probably wouldn't really work anyways for reasons out of the scope of this entry.)

Comments on this page:

By Dan Astoorian (Dan.Astoorian) at 2016-04-25 11:55:41:

According to https://www.sophos.com/en-us/support/knowledgebase/119019.aspx CentOS 7/RHEL7 is supported by Sophos PureMessage version 6.3.0 just as CentOS 6 is; so is Ubuntu 14.04.


By cks at 2016-04-25 12:18:04:

Well I'll be. That's a welcome surprise. I've been periodically checking Sophos's supported versions page when they put out PureMessage updates, but either I missed this or they updated their support page without updating the PMX version. That is good news, especially since it seems slightly less likely that PureMessage itself has been quietly abandoned.

(Previous versions of PMX definitely blew up on Ubuntu 12.04. At the time we had to replace our 10.04 PureMessage machine with something, CentOS 6 was definitely the only real option.)

Since we already have PureMessage running on a CentOS 6 machine, we probably won't bother changing the machine over to anything else. It's an appliance style machine and it works now, so we might as well leave it alone until the hardware gets too old. But at least we're going to have options when CentOS 6 starts to get too old.

Written on 24 April 2016.

Last modified: Sun Apr 24 02:20:04 2016