CentOS 8.1 Released With New Security Tools For Servers And Containers
CentOS 8.1 (1911) is a free rebuild of the commercial GNU/Linux distribution Red Hat Enterprise Linux 8.1. The latest version supports live kernel patching and live conversion of LUKS1 images to LUKS2. Most of the improvements in this release are for containers and hybrid cloud deployments. Commonly used server packages like Node.js, PHP, nginx and Ruby have been updated to newer versions.
CentOS is essentially a free version of IBM's commercial Red Hat Enterprise Linux distribution without the branding; they are functionally the same GNU/Linux distribution. There are some minor changes to a handful of core packages, so CentOS releases tend to lag behind RHEL releases. RHEL 8.1 was released back in November. The CentOS equivalent is now available for those who want the latest RHEL version without having to pay a Red Hat subscription fee.
Desktop users will be disappointed to learn that there is virtually nothing new on the desktop side. The workspace switcher in the GNOME Classic desktop environment is changed and the kernel's direct rendering manager sub-system has been rebased to Linux kernel 5.1. That's all there is on the desktop side.
The CentOS-8 (1911) Release Notes are limited to listing the RHEL packages which were modified by CentOS. They refer to Red Hat's RHEL 8.1 release announcement for a list of the changes to the actual OS. Those are all in the container, cloud and server areas.
CentOS 8.1 includes PHP 7.3, Ruby 2.6, Node.js 12 and nginx 1.16 for those running web servers. The developer tools are also updated with GCC 9, LLVM 8.0.1, Rust 1.38 and Go Toolset 1.12.8.
Support for live patching is a welcome feature for those who absolutely do not want to reboot their server to get the latest kernel security patches.
The good old Quagga routing daemon has been replaced with FRR. Those using CentOS advanced routing with BGP or other routing protocols should pay attention to this point. FRRouting is more modern and advanced with support for BGP, OSPFv2, OSPFv3, IS-IS, BFD, PBR and several other routing protocols.
chrony NTP time synchronization has been updated to version 3.5. RHEL and Fedora have had chrony enabled by default for some time. Version 3.5 supports hardware timestamping.
RHEL 8.1 introduced a new SELinux tool for generating policies for containers called udica. It makes it easy to configure restrictive security policies for containers that restrict their access to storage devices, network ports and interfaces and other resources.
A new policy framework called fapolicyd lets you whitelist and blacklist applications based on a user-defined policy. This is useful for servers where you may want to deploy and allow one or two applications and prevent anything else from running.
The disk format for full disk encryption has been updated to LUKS2. CentOS 8.1 supports on-the-fly re-encryption of LUKS2 containers while the file system is in use. Do note that you cannot re-encrypt LUKS1 containers to LUKS2 or encrypt unencrypted filesystems while they are in use.
cryptsetup reencrypt is for changing the encryption algorithm and/or volume keys on LUKS2 file systems.
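Whether a volume falls on the LUKS1 or LUKS2 side of the restriction above can be read from its on-disk header. The following is an added example, not taken from the CentOS or Red Hat documentation: it checks the LUKS magic and version field, and the function names and sample headers are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of both LUKS1 and LUKS2 headers


def luks_version(header: bytes):
    """Return the LUKS format version, or None if the magic is absent."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])  # big-endian uint16
    return version


def luks1_cipher(header: bytes) -> str:
    """LUKS1 stores cipher name and mode as NUL-padded 32-byte fields."""
    if len(header) < 72:
        return "unknown"
    name = header[8:40].split(b"\0", 1)[0].decode("ascii", "replace")
    mode = header[40:72].split(b"\0", 1)[0].decode("ascii", "replace")
    return f"{name}-{mode}"


def reencrypt_preflight(header: bytes) -> str:
    """Map a header to the cases the article distinguishes."""
    version = luks_version(header)
    if version == 2:
        return "LUKS2: re-encryption while the file system is in use is supported"
    if version == 1:
        return f"LUKS1 ({luks1_cipher(header)}): not while the file system is in use"
    if version is None:
        return "no LUKS header: cannot be encrypted while in use"
    return f"unsupported LUKS version {version}"


def read_header(path: str) -> bytes:
    """Read the first 72 bytes of a device or image (needs read access)."""
    with open(path, "rb") as fh:
        return fh.read(72)


def _sample(version: int, cipher: bytes = b"", mode: bytes = b"") -> bytes:
    """Constructed header prefix for the demo; not a real volume."""
    return (LUKS_MAGIC + struct.pack(">H", version)
            + cipher.ljust(32, b"\0") + mode.ljust(32, b"\0"))


if __name__ == "__main__":
    for hdr in (_sample(2), _sample(1, b"aes", b"xts-plain64"), b"\0" * 512):
        print(reencrypt_preflight(hdr))
```

On a real system, pass `read_header("/dev/...")` with the device of interest to `reencrypt_preflight`.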
The full CentOS 8.1 distribution can be downloaded from a long list of mirrors, with several local mirrors in most countries. The link isoredirect.centos.org/centos/8/isos/x86_64/ will present a limited subset of those mirrors near your guesstimated location. The likely fastest way to download CentOS 8.1 is to use a BitTorrent client to download the 7.1 GiB ISO installation image (which goes directly to the installer; it does not provide any live environment). There are also smaller, more specialized cloud and container images available. These are much smaller: the container images are just 35 MiB and the "Generic Cloud" image is 683 MiB.