Although Sunday will be the last day that CentOS 7 will be officially supported, you don’t have to move to something else right away. There are plenty of support services you can use to keep your workloads safe and secure until you’re ready to migrate.
Let’s face it. With less than a week remaining on the clock, if you’re still running CentOS 7 you’re not going to get it changed to something else by the time it reaches end-of-life — especially if you have thousands of servers to swap out.
That’s OK though, because in spite of all the doomsday advice you’ve been seeing online to the contrary, you absolutely don’t have to be in any sort of hurry to shut down your instances of CentOS 7. What you do have to do in a hurry, if you haven’t done it already, is find affordable support, and that’s easily done — but more on that later. First we’ll talk about the mess that CentOS users currently find themselves in, and how we got here.
“A large organization, if it has a few hundred systems, or thousands or dozens of thousands for the very large deployments, is already out of time to do the migration,” Tux Care’s Joao Correia told me in an interview in early April, back when CentOS 7 still had two-and-a-half months before it reached its “expires on” date. “There’s no way that they can plan and migrate and operate and get stuff back in working order before the end-of-life date.”
Even in normal times, a mass migration such as this would not be doable, and these aren’t normal times for CentOS by any stretch of the imagination.
For starters, there is no CentOS 8 to which to migrate. Red Hat quit supporting it a little more than two years after its release, at the end of 2021, even though it was initially supposed to be supported until 2029. This short life with a quick end meant that most large enterprises were unable to make the move to CentOS 8, which was fairly necessary for any kind of easy path away from CentOS to another Red Hat Enterprise Linux clone.
What’s left of CentOS, which is CentOS Stream, certainly doesn’t offer a solution. As a development distro that’s meant to be a line-by-line copy of what the next version of RHEL will be (or what Red Hat devs are right now thinking the next version of RHEL will be), it’s not even a close relative to what traditional CentOS had been since its first release in 2004, which was a line-by-line copy of what the current version of RHEL already is.
This means it’s not a jumping off place to get anywhere and it’s not a place to end your migration, even though these days Red Hat is trying to sell it as a viable CentOS replacement. (Red Hat knows better, by the way. Back in 2020, before Chris Wright became Red Hat’s CTO he wrote in a blog that as a platform “to more quickly and easily see what’s coming next in RHEL,” that “CentOS Stream isn’t a replacement for CentOS Linux.”)
Speaking of Stream’s shortcomings as a CentOS’s replacement, Correia explained, “You anticipate that with CentOS you’ll get updates, for example, every couple of weeks, or you’ll get critical updates like once a month, or something like that. With Stream you’re likely to get updates every other day, and that just doesn’t fall into the right schedule for what you’re used to doing at your operational level.
“Your vulnerability managers are going to start flagging systems that are lacking updates because they just dropped today. You don’t have maintenance windows to deploy those updates because it’s going to be disruptive, so your compliance reports are going to be all full of red flags. It’s just not a feasible alternative. It’s really difficult to get companies to accept CentOS Stream as the alternative when it breaks everything and all the processes that they’re used to doing.”
Correia knows what he’s talking about. For nearly four years he’s been a technical evangelist for TuxCare, which supplies third-party support for many enterprise Linux distributions that are no longer officially supported. During the same period he’s had the same role at CloudLinux, TuxCare’s parent organization, which develops and maintains a commercial Linux distribution that’s been security hardened and tweaked to meet the needs of web hosting companies.
Oh, and because CloudLinux is a RHEL-based distribution that was originally built using CentOS (meaning it lost its build method with CentOS’s demise), it’s also the founding entity behind AlmaLinux, one of the two major Linux distributions that have been picking up and reassembling the pieces left behind by CentOS.
CentOS Linux Still Dominates Data Centers
Considering that CentOS was “only” a downstream clone of Red Hat’s flagship distro, you might be excused for thinking that CentOS 7’s upcoming EOL is only going to affect very small percentage of the servers running in the world’s data centers.
That’s not the case. While it’s true that few desktop Linux users are likely to be affected, the distro’s death will have a huge impact on data centers.
“The evidence we have shows us that a few years back the majority of web servers on the internet were running CentOS,” Correia answered when I asked him about the impact. “It’s difficult to imagine that all of those servers moved away to something else, so there is still a significant portion of the internet running on top of CentOS.”
“It’s very likely that the majority of the RHEL ecosystem is actually running CentOS and not RHEL,” he added. “The portion of systems that are actually running RHEL on the RHEL ecosystem is the minority. That’s why CentOS was so successful and that’s why all the alternatives that have popped up since are so successful. It’s because people want to remain on the same ecosystem, but they don’t want to to go through the hassle and the cost of licensing the systems with with Red Hat.”
He said the notion that the space was dominated by RHEL is “actually a misconception that I believe even Red Hat started believing at some point.”
“The reason I’m not sure if they understand this or not is because with the initial slashing of the support for CentOS 8, and essentially killing it before CentOS 7, and now the move with restricting access to the sources, they are acting in a way that hurts the ecosystem more than I think they are expecting it to.
“They might be in a position where application developers no longer see the ecosystem as appealing as it once was because of all the the hurdles that Red hat is putting in front of anybody trying to create something in that space. At some point, if the ecosystem shrinks so that it only affects and includes the the RHEL systems, it might be that it becomes insignificant for the application developers, and they start looking elsewhere, say Debian for example.”
The Natural Inclination to Avoid Migration
Even if Red Hat hadn’t turned CentOS into a dead-end by removing the upgrade path and there was still a CentOS 8 (with by now a CentOS 9, and a CentOS 10 in the works), it’s likely there would still be a lot of servers and workstations still running CentOS 7 with no plans to move in the foreseeable future. That’s just the nature of software deployments, and the reason why TuxCare still has customers receiving support for CentOS 6 nearly four years after it went EOL.
When I asked why an an enterprise would still be running production workloads on operating systems that are no longer officially supported, Correia spat out a long list of reasons:
“First, there’s the obvious: the time efforts and the cost associated with moving a bunch of systems to a different distribution, and all the breaking changes that has, not just for the systems but for your tooling, for your applications, for your certifications, and for the stuff that you’re running.
“Then there’s the compliance aspect. When you’ve already certified the solution and you already went through all the the administrative hurdles that come along with having a compliance certified system — you did all the checks and you have the applications running on the system just as you want them — all the costs that you put on top of that just to move the system to something different, and then to get everything else back into the same state as it was before, is like burning money. You’re paying just to be in the same position as you were in before, but now with at different OS.
“At some point, people just start to realize that they’re willing to take the risk and just stick with what they have. Everything is working fine, just as we want it, so why would we actually want to move?
“If your whole fleet is running on Centos 6, for example, and you have 10,000 systems, it’s going to be disruptive, it’s going to be very costly, and it’s going to take a lot of time. You’re going to have to do a lot of preparation work, you’re going to have to do a lot of testing, and you’ll need to make sure that not only the operating systems are running correctly, but also your applications and your workloads. Simple stuff like libraries being renamed — and we know that happens — files not being in the same place as the scripts expected, and different directories being in play can all break your your existing tooling and break your existing workloads, so that’s the practical reason.
“At the end of the day you might just not want to move your your infrastructure. You might not want to work and go through all that hassle, when five or six years down the line you’ll have to repeat the same process again.”
At that point he paused to explain that those are the reasons you’ll get from trained IT people who understand the risks. He said that just as often, or perhaps even more often, the decision is being made by bean counters and C-suite executives who aren’t tech-savvy, and who don’t understand the risks involved nearly as much as they understand the expense.
“In the real world, most companies are not tech-savvy,” he said. “Most CEOs don’t see the value in changes like that. Most C-level people will not approve the expenditure that comes with something like that, simply because they don’t understand the benefits they might reap from it, and it’s hard for the IT people to justify, ‘OK, I need you guys to allocate $50,000 to buy new equipment or to allocate new people to this,’ just to stay in the same place. Everything is working, but we still need to spend the money to change something in the chain: that’s very difficult to grasp.
“That’s where some of our customers come from. Different industries, not IT related, that have their systems running just fine, whether in industry, in agriculture, or automation.”
“Factory equipment, for example,” he suddenly added after a brief pause, almost as an afterthought. “There are factories out there that are running the same pieces of equipment that build the products that they sell that they were using 20 years ago and it’s running perfectly fine. There’s no way you can tell that manufacturer that they have to update their systems just because some breaking change there affect security. Nobody along the chain is going to have the power to enforce that change, and it’s very difficult to make them realize that.”
I’ve heard similar stories from IBM, about airlines running their businesses on the same software they’ve been using since the 1960s.
Avoid the Rush by Remaining on CentOS 7
Which brings us back to point of all of this, which is that in spite of what you might have heard you don’t have to be making plans to migrate away from CentOS 7 in the next six days. Sure, after June 30 you’re not going to be receiving any more security patches directly from CentOS, but just because a distro is no longer officially supported doesn’t mean that support isn’t available. There are plenty of outfits such as TuxCare that will be happy to support your fleet of CentOS 7 machines.
If you’re thinking that aftermarket support won’t help you because you’re in a highly regulated business with compliance requirements, that’s likely not the case. Regulatory agencies generally don’t require that your software be supported by the vendor, just that it’s being adequately supported and that known vulnerabilities are being patched in a timely matter.
“You will obviously not be able to meet most compliance requirements if you’re running a system without any support, because any compliance that has any requirements that touch in any way on how long it should take to plug a gap or to address a vulnerability is impossible to meet by default without support for your software,” Correia said. “If you don’t receive updates, you will fail. But if you’re still getting security updates from somewhere, even if not the official vendor, then you can continue to run the system, and you can still meet the compliance requirements.”
Companies Offering CentOS 7 Support
TuxCare, where Correia works, is just one of many companies that are vying for the opportunity to keep you supported until you can move to a more modern distribution. As it does with CentOS 6 and CentOS 8 (and similar to what it does with some no longer supported versions of Oracle Linux and Ubuntu), TuxCare is promising to support CentOS 7 for the next four years on a per system basis for $4.25 a month or $42.50 a year.
There is also no minimum order with TuxCare’s service. If you’re running a single server, TuxCare will happily keep you supplied with patches for that $4.25 monthly fee.
“We will provide you with the same security updates that you would be getting if it came from the official vendor,” Correia said. “We backport the fixes from the upstream projects just like the original vendor did, we package them in exactly the same way, and it’s delivered the same way. You receive the updates and you just do your regular patching operations.”
In fact, according to Correia, with TuxCare you’re likely to find that more vulnerabilities are being patched than previously.
“One thing that we noticed when we were doing our research around the the patching times that Red Hat was doing with CentOS and how long it takes them to deploy patches and all that, we identified 60 or 70 vulnerabilities that Red Hat avoided having to create and release patches for by scoring the vulnerabilities differently,” he said. “So, if you get extended life cycle support from us, you will already receive more updates than you were receiving from Red Hat, and that’s going to continue.”
And because TuxCare’s support of CentOS 7 only buys you four additional years of security patches, for an additional fee, the company also offers to help hold the reins and assist you as you migrate from CentOS 7 to something that’s still under active development.
“We will gladly provide advice and recommendations to help you find the right distribution fit, or combination of platform/distro for the specific workloads,” Correia said. “We will gladly engage in more detail in each specific circumstance, since no two environments are alike, and the level of the actual involvement will definitely depend on the environment. I doubt anyone would let a third party go into their infrastructure and start making changes, so this will always be a collaborative effort.”
Similar extended support services, including migration support, are offered by other companies as well. I’ve listed three that are closely associated with the RHEL ecosystem.
CIQ
The company behind the RHEL clone Rocky Linux offers to similarly extend support of CentOS 7, in this case for three years, through its CIQ Bridge offering. In addition, it also offers a migration service to help organizations migrate from CentOS 7 to Rocky Linux. Although information about these services is available on the company’s website, pricing is not. I’ve reached out to CIQ for additional information and have been promised that will be coming soon. An update will be published as soon as I hear something.
In the meantime, if you’re interested you can inquire about pricing yourself by filling out an online form.
OpenLogic
Another company offering continued support for CentOS 7 is OpenLogic, which has been owned by the software development company Perforce since 2019. The company has been around since 1998, however, and has always been seen as primarily an open-source company.
It also has plenty of experience working with CentOS. In 2012, for example, it partnered with Microsoft Azure to provide a platform as a service version of CentOS, and in 2016 it provided a security hardened CentOS PaaS offering on Amazon Web Services.
It’s also currently offering to support CentOS 7 for five years, until 2029. Like CIQ, it’s not making its pricing public (when I asked in a chat on its website I was offered a Zoom meeting with an account manager for a quote, which I declined), and like TuxCare and CIQ, it’s also offering help with migration.
SUSE Liberty Linux Lite
In the last several years, SUSE has become something of a major player in the RHEL clone arena. It started in 2021 when SUSE introduced Liberty Linux, it’s own RHEL-based distro, as an off ramp for stranded CentOS users. Last year, it made big news when it partnered with Oracle and CIQ to form the Open Enterprise Linux Association for “the development of distributions compatible with Red Hat Enterprise Linux (RHEL) by providing open and free enterprise Linux source code.”
On June 18, SUSE became a latecomer to CentOS 7 extended support when it announced Liberty Linux Lite, a clone of CentOS 7 that it will keep patched at least through June 30, 2028. This means that CentOS 7 users only need to point to SUSE’s Liberty Lite repositories for patches once they sign up for Liberty Linux Lite support.
For deployments of 100 servers or more, the cost per server for this solution is pretty low, at $25 per year, which drops even further — to $20 — if you license 1,000 or more servers. Small companies with 10-20 servers are pretty much SOL, however, since the program requires a minimum spend of $2,500 yearly.
Advice for Support Hunters
So, what should you look for if you let your fingers to the walking and you begin sending emails or texts as inquiries to companies offering to support CentOS 7 until you make arrangements to move to another platform?
“You should be looking for a comprehensive list of supported packages because you don’t use just a single package on your system, there are hundreds deployed there,” Correia said. “You want to make sure that you get updates for all of them, or at least the vast majority of the ones that you depend on, the ones that directly impact your workload — and not only those, but the ones that keep your system running.
“I mean OpenSSL. I mean all the the tool sets, Apache — mod_ssl — all the the main packages on your system. Then the the day-to-day stuff like Bash and tar, and all of those smaller packages.Get the the support option that provides the most comprehensive list of of packages.”
“We have a very comprehensive list of packages,” he added, “but those are some of the things you should look for.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Be First to Comment