This release of RHEL comes with features that will make any sysadmin happy: SELinux for OverlayFS, LiveFS for updating systems without reboots, and automated workflows via Ansible automation…
I have been covering Red Hat for more than 12 years now and what impresses me the most about this company is that they continue to evolve with the market. Red Hat knows very well where the market is heading and what the market needs, and they refine their products to address those needs. That’s what makes them the most successful Linux company.
The newly released Red Hat Enterprise Linux (RHEL) 7.4 clearly shows how Red Hat sees the market. While the company continues to increase its footprint in the private cloud/container space with new products, services and acquisitions, Red Hat also continues to strengthen its position in the datacenter as the leading Linux vendor.
If you keep a close eye on the enterprise IT space, you are well aware that the common theme these days is security, or the lack of it. No surprise, then, that RHEL 7.4 puts heavy emphasis on all-round security.
Securing desktops and laptops
RHEL may be seen as a pure datacenter/cloud distribution, but the fact is it’s widely used on desktops and laptops. Hollywood Studios, for example, run RHEL on their systems. Red Hat needs to protect these systems.
There are exploits which can disguise USB devices as keyboards or mice to bypass system policy and steal sensitive data or compromise enterprise systems. To mitigate such attacks, RHEL 7.4 comes with a feature called USBGuard that allows sysadmins to set policies around both known and unknown USB devices. It limits the damage such USB devices can do by stopping them from leaking data out of the enterprise without correct approval, or by preventing something from coming in.
On the server side, RHEL comes with Security-Enhanced Linux (SELinux), which was developed by none other than the NSA. SELinux mitigates a lot of threats through policies, but an increasing number of customers are now experimenting with containers. Containers and microservices are the future, and Red Hat is bringing SELinux to its container platform, Atomic Host.
The latest version of Red Hat Enterprise Linux Atomic Host is based on RHEL 7.4 and comes with a heavy focus on security. It gives sysadmins the ability to turn on SELinux for OverlayFS, which is useful in the container space. In addition, this release also offers full support for the overlay2 storage graph driver.
Steve Almy, principal product manager, Red Hat Enterprise Linux, Red Hat, explained in an interview that it essentially allows root users in containers to be non-root users on a system overall. So these root users are collected into an unprivileged user in the underlying infrastructure. You need some root access in some environments and this allows for that without compromising the security of the system.
“It’s one thing to talk about containers and isolation, but making it work is a challenge. These features have made RHEL the most secure platform to run container workloads,” said Almy.
Atomic doesn’t use the traditional mechanism for updating and installing packages. It uses OSTree, which was developed by the GNOME project. For those who don’t know, rpm-ostree is a hybrid image/package system that offers many advantages over traditional package management systems. One big advantage is atomic upgrade/rollback. If the upgrade is not complete, it won’t run, and if something goes wrong you can roll back to the previous release. This release of Atomic Host comes with full support for package layering with rpm-ostree, providing a means of adding packages like monitoring agents and drivers to the host operating system.
Another piece of good news for sysadmins is the inclusion of a technology preview of LiveFS with this release. LiveFS allows users to install security updates and layer packages without a reboot.
Security is not the only focus of this release, though it’s the primary one. If there is one thing sysadmins love after security, it is automation. This release brings together the capabilities of Red Hat Satellite and automation via Ansible Tower to offer yet another preview of a new technology – Red Hat Enterprise Linux System Roles.
“System Roles provide a common management interface across all major versions of Red Hat Enterprise Linux, enabling an automated workflow via Ansible automation to be created once and used across large, heterogeneous Red Hat Enterprise Linux deployments without additional modifications,” Red Hat said in a press release.
Red Hat Enterprise Linux 7.4 is available across multiple architectures, including IBM Power, IBM System z and 64-bit ARM (as a Development Preview). With this release, the IBM Power Little Endian architecture gets support for the High Availability and Resilient Storage Add-Ons as well as the Open Container Initiative (OCI) runtime and image format.