CentOS is end of life: Replacement options
CentOS (EL) is the operating system frequently used (as yet) by server administrators as a free alternative to the Red Hat Enterprise Linux (RHEL) distribution. In fact, CentOS was the most popular Linux operating system for web servers in 2010. CentOS is end of life (EOL) effectively as of 31 December 2021. However you could migrate an existing CentOS system to CentOS Stream.
CentOS Stream is being marketed as: Stable, Continuous Delivery and Always Ready RHEL. At the same time it seems, in many buzzwords, a Perpetual beta version of Red Hat Enterprise Linux on a continual improvement process. Since Red Hat's CTO has stated that CentOS Stream is not a RHEL replacement. And: "a rolling preview of what's next in RHEL".
Our biggest question mark with CentOS Stream can be expressed as. There is no guarantee of timely fixed (CVE) security vulnerabilities in the software:
"Security issues will be updated in CentOS Stream after they are solved in the current RHEL release".
Since security issues will be fixed in Red Hat Enterprise Linux first and only then in CentOS Stream. The reverse path is deployed compared with regular updates. In other words. If new (pre-released RHEL) software is allowed to be tested, you are the first as CentOS Stream 'Beta' user. If it is about security and for example a critical security vulnerability? Just close behind. Such an odd coincidence? In our opinion, this makes CentOS Stream absolutely unsuitable for business use. Or in fact, unsuitable for any use.
CentOS was a Linux distribution that offered a free and open-source operating system compatible with its upstream source, Red Hat Enterprise Linux. Or in short, CentOS developers simply used Red Hat's open-source code to rebuild RHEL and rebrand it as CentOS. More commonly known as a distribution clone.
Most CentOS based servers will continue to run without modification, but without new updates. Which is not recommended due to the risk of future security and stability issues. With just one simple migration script or another migration script here. The server will continue to run up-to-date where it left off.
Why is CentOS discontinued by Red Hat?
Top companies have their own expertise and are backed by large IT teams. Since the source code is freely available. They can debug a software problem (by any means) themselves in most cases. So Red Hat service is not always necessary either. Then the situation is quite simple if you're a company: Download the free bits and you're good to go! And Red Hat remains empty-handed.
CentOS drop-in replacements
Of course there are substitute options. These are the drop-in replacements. Which have binary compatibility and are compatible with CentOS, Red Hat Enterprise Linux and derivatives:
AlmaLinux, Circle Linux, EuroLinux, Navy Linux, Oracle Linux, Rocky Linux, SUSE Liberty Linux and VzLinux.
In which SUSE Liberty Linux should actually not be considered a "full" alternative. It cannot be licensed by default and is only available on demand. Probably 'only' for use at large customer infrastructures, who will eventually switch completely to SUSE own distribution. Within a fixed, predetermined and agreed upon date. And for now can continue to run their 'mixed Linux environment', without too many interchanges, until the final moment arrives.
Of the most popular alternatives we briefly outline the options, the advantages and disadvantages. Created from the user's perspective. Should you be looking for an alternative to a CentOS or Red Hat Enterprise Linux replacement? These are our findings so far, in alphabetical order.
AlmaLinux has a number of advantages and is recommended by several Red Hat (CentOS) contributors.
AlmaLinux works with a number of Red Hat developers. With a confirmation that the organisation behind AlmaLinux, get everything they need. To make a good clone of Red Hat Enterprise Linux. AlmaLinux is therefore 1:1 binary compatible with RHEL.
"If people want or need (or think they do) a 1:1 RHEL rebuild… we are working very closely with Alma to make sure that they have what they need".
Updates are made available on average within the same day. Looking at the changelogs, the packages and updates are partly provided by CloudLinux-related personnel.
AlmaLinux does not seem to rely entirely on volunteers and volunteering when desirable. But rotating in a shift. CloudLinux basically has exactly the same philosophy as AlmaLinux. Both of which can take a smart approach. By leveraging each other's knowledge and expertise. After all, Red Hat Enterprise Linux was already repackaged anyway, by the same CloudLinux staff to deliver the CloudLinux distribution.
The infrastructure is already there, the people and the knowledge were already there, and the repackaged RPMs more or less already too. Albeit in a slightly different form. A different branding with the standard RHEL compatible kernel and without additional web-related APPS that specifically serve Cloud Linux's CageFS encapsulating users (end-users can't bother each other with excessive use of system resources), distinguish CloudLinux from AlmaLinux.
Unfortunately, there are also disadvantages: There are users who feel that they aren't pioneers of free software. AlmaLinux main supporter Cloud Linux's owns software like CageFS, which isn't open source. Hopefully they keep the promise on their homepage:
"Always free, always open source", "AlmaLinux OS Foundation members, sponsors and partners back the AlmaLinux OS with investments and long support commitments to ensure the distribution is free of limitations, fees and charges".
And it doesn't degenerate into paid ad-dons (just like CloudLinux related software and services) that the 'parent company' forces on its free product. Another option could be that they will start offering ads in the future. Like Ubuntu did with Amazon Ads Pre-Installed and default Ubuntu Enterprise services (as can be observed by default at the: login-terminal-welcome-message). After all, there is no free meal. So there shoud be a cost benefit from somewhere?
CloudLinux associated personnel, has set up a foundation to ensure the independence of AlmaLinux. But as pointed out above. There are CloudLinux-related (probably paid) employees involved. CloudLinux has invested quite a lot of money in AlmaLinux ,annually. In both labour and finance.
"As a standalone, completely free OS, AlmaLinux OS enjoys $1M in annual sponsorship from CloudLinux Inc and support from other sponsors. Ongoing development efforts are governed by the members of the community".
Is this sponsorship still there with that same nice sponsorship amount? After lets say 8 of 9 years? Also during a crisis or what if CloudLinux is acquired? So will we perhaps get another CentOS/Red Hat episode? Also given the advertised support period of 10 years. That applies to every version. 10 years which is a very long time in IT land.
In other words what if CloudLinux pulls out of AlmaLinux due to whatever reason? AlmaLinux does not seem self-sufficient without the provision of staff by and investment from CloudLinux. Is there another company willing to immediately take over this sponsorship deal, under the same conditions, if needed?
The benefits we have found. Advantages: Oracle Linux, a clone of Red Hat Enterprise Linux that has been around since 2006. With 16 years (at the time of writing) of experience. It has a solid proven track record. Compatibility with other Oracle products is guaranteed: Oracle Linux thus has strong integration with Oracle's own hardware and software products. Including its own widely used database applications.
Updates released by upstream are available from Oracle Linux on average within the same day. Oracle is a large company with more than enough personnel. When needed: available 24/7. For example, in case of a critical CVE. Releasing bug fixes or security updates on time is generally no problem for Oracle Linux.
Johan Cruyff once said: Every disadvantage has its advantage. This also applies to Oracle Linux. Unfortunately every Oracle advantage. Has its Oracle disadvantage. Oracle Linux is binary compatibility with RHEL. Not always literally 1:1. Oracle adds its own code (non upstream), code (example) and bug fixes. Oracle seems to be focused on making money. Who's going to say: Oracle Linux will remain free!?
Several administrators heavily dislike Oracle to the infinite. And various programmers still feel that Oracle is notorious for its tactics and actions:
"A combination of assertive, short-term sales actions, limited expression of interest in customer success [with Oracle products]. Unexpected and substantially cost-driving LMS (License Management Service). And incomprehensible pricing structure revisions, has firmly antagonized many Oracle customers".
"The diminishing quality of the support organization at equal high costs and the extra cost of calling in (ACS) to get problems solved have also created a lot of bad blood. Oracle is perceived as rigid, blunt, abusing customer dependency and misplaced arrogance. You don't want to do business with a company that treats you that way. After all, those products are not that special. Loosely translated from Amis".
You might ask the question: Does this contribute to the positive atmosphere in the team (team importance). When choosing Oracle Linux to work with on the long term? If there are colleagues fiercely opposed to start using Oracle products. Because you obviously don't pick a new distribution every day.
Rocky Linux is fully community-based and 1:1 binary compatible with RHEL. Updates released on average within the same day or within a few days, cross-referencing after upstream releases them. On the face of it, this seems like the open source dream. But what about the rest? The organisation around and behind Rocky Linux could be considered "too activist".
"Rocky has been built mainly on a platform of: “Red Hat betrayed us and WE WILL HAVE OUR REVENGE”.
Is this good for the long-term stability? Will they stick around the project or is this only fun for the first few years and only a single statement: That Open Source Software should be free. The founder of Rocky, is the same founder of CentOS. And previously stepped down from CentOS. Because he has gone down this road before. If he has more experience now. Has he learned from the past?
With a team of volunteers. Can they release on updates on time? If you depend on volunteers and rely on volunteers. As with the founder's similar project: CentOS (pre Red Hat). Updates came out later, regularly much later with 200+ days delay. Which is also not surprising as a volunteer, on top of your job.
Volunteering is great. In the beginning, everything is new, fun and exciting in a pleasant way. The demand for a CentOS replacement was high at the beginning, following CentOS' announcement to discontinue its regular version of the operating system. But what about 9 and even 10 years later from now on? Are there still so many volunteers active for Rocky Linux? Active in the sense of active with lots of available volunteer hours per week, not just an hour a week.
After all, maintaining and publishing an operating system is secretly time-consuming. Since Rocky Linux advertises 10 years+ of general availability. This is a good-practice example. It all seems so nice at the beginning. Reality is for later.
Coming back to Rocky Linux. It seems Rocky Linux is owned by one person: Gregory Kurtzer and is a for-profit B-corp. How does this reflect from the owner, employees to the volunteers. Who voluntarily work in a for-profit company. Which could start giving a lopsided ratio between volunteers and paid staff? Performing exactly the same work.
Is it desirable that one person has or can take absolute power? Nice to see a group of volunteers being built up and supporting Rocky Linux. That one person can decide everything? The question is, can this be successful in an Open Source Software (OSS) project?
There is even a concrete example of a similar case. In the same landscape of RHEL and clones. And that is the case that CentOS almost went down in the past. Why would it be so much better anno 2023?
A few years later. Which CentOS replacement option should I choose?
It is circa 2023 still relatively early to conclude which CentOS fork is or will be the first choice, for the majority of users. Although quite a lot has changed anyway. It would appear that the first two CentOS replacements: VzLinux and Navy Linux, ceased its activity. For now a randomly selected analyses (Hyperion Research on the high performance computing (HPC) market) and state charts demonstrates that: Rocky Linux seems the current King of the Mountain, compared to, main opponents: AlmaLinux and Oracle Linux. Even more active Rocky Linux 8 and 9 servers than its own upstream source: Red Hat's Enterprise Linux.
Although we have not formally done any official research and the website in question seems to be affiliated with the organisation behind Rocky Linux. The statistics are freely downloadable and thus verifiable in one way or another. As always, in the case of a single source. This covers only the MCS 2022 visitors and servers that are connected to the Extra Packages for Enterprise Linux (EPEL) repository. Not every EL server administrator attended the MCS 2022. Including the fact that not every EL server uses EPEL. And/or mandatory updates from a public mirror. However, it does give a nice picture between all EL competitors.
Remarkable to see that there are still huge numbers of CentOS 8 (EOL) systems that are still updating EPEL packages. But are no longer able to obtain CentOS updates. Since CentOS 8 has gone end-of-life at the end of 2021.There are potential vulnerabilities, who are bound to appear in the future. Unless te server is using aftermarket services that still support CentOS 8 for an additional period of time.
For example an Extended Life Cycle Support (ELS) Add-on. It seems to us that those kinds of aftermarket services occur only in a unique case. And then almost exclusively at Red Hat Enterprise Linux-related systems, with mission-critical applications. Such as controlling a hospital, or other critical infrastructure. As this is sensitive. You didn't even start with CentOS anyway.
A few words of caution regarding the Hyperion and EPEL analysis and statistics:
- Only MCS 2022 respondents.
- Not every RHEL or EL based servers do have EPEL enabled. EPEL does not stand for Extra for nothing. Extra software which is not included with RHEL by default. And there's a reason for that, of course.
- Some servers use a local mirror of EPEL and are not counted in these charts.
- Oracle Linux does have its own active EPEL repository upon their own Oracle CDN network. As it is using its own infrastructure. It is not counted in these graphs. Unless the Oracle Linux based server administrator, conscious reconfigured the upstream EPEL mirror link.
- The most popular source does not necessarily mean it is the best option to choose.
- These statistics are easy to artificially inflate. Just look carefully at the data and make your own analysis if wanted.
Which CentOS alternative did others choose?
It is interesting to see what choice anyone else has made when looking for a CentOS alternative. And far more interesting: Why? To be used into your own moment of choice.
Rakuten Mobile is migrating from CentOS to Rocky Linux:
"It’ll take a year but then Rakuten Mobile will run on Rocky Linux".
The European Organization for Nuclear Research (CERN) and the Fermi National Accelerator Laboratory (Fermilab). Have opted for AlmaLinux as the standard distribution. As their CentOS 8 alternative. And GitLab has switched from CentOS 8 to AlmaLinux as a supported platform.
Since there are several top companies using CentOS. And/or have built their own product around CentOS like Disney, Toyota and Verizon. We are probably going to see more companies finding their own CentOS alternative in the near future.
Nevertheless, you should obviously choose what suits you best. Hopefully you were able to find a CentOS alternative. With a little bit of help based on the options we have investigated.