CentOS-7 (1708) Release Notes

Last updated: March 21, 2018

Contents

Translations
Introduction
Install Media
Verifying Downloaded Installation Images
Major Changes
Deprecated Features
Known Issues
Fixed Issues
Packages and Applications
Sources
How to help and get help
Further Reading
Thanks

1. Translations

Translations of these release notes are available for the following languages:

English (en)

日本語 (ja) - Hajime Taira

한국어 (ko) - Inyong Hwang

2. Introduction

The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux. See this link if you plan to use Security Profiles.

Hello and welcome to the fifth CentOS-7 release. The CentOS Linux distribution is a stable, predictable, manageable and reproducible platform derived from the sources of Red Hat Enterprise Linux (RHEL)¹. You can read our official product announcement for this release here.

CentOS conforms fully with Red Hat's redistribution policy and aims to have full functional compatibility with the upstream product. CentOS mainly changes packages to remove Red Hat's branding and artwork.

We have decided not to follow Red Hat's usage of Installation Roles. In CentOS Linux all content from every distribution 'channel' is made available to the user at time of installation.

The continuous release (CR) repository makes generally available packages that will appear in the next point release of CentOS, on a testing and hotfix basis until formally released. Please read through the other sections before trying an install or reporting an issue.

3. Install Media

Various installation images are available for installing CentOS. Which image you need to download depends on your installation environment. All of these images can either be burned on a DVD or dd’ed to an USB memory stick.

If you are unsure which image to use, pick the DVD image. It allows selecting which components you want to install and contains all packages that can be selected from the GUI installer. The 'Everything' DVD is almost twice the size of the ordinary DVD and is not required for most common installs - it is intended for use by sysadmins who want to run their own local mirror.

Live media images are also available, both for Gnome and KDE desktop environments. These allow you to test out CentOS by booting from the DVD or USB stick. You can also install CentOS to your hard disk from the live media images, but please note that what gets installed on your hard disk is exactly the same as you see when using the live media. For more flexibility in selecting which packages you want to have installed, please use the DVD image.

The netinstall image can be used for doing installs over network. After booting the computer with the netinstall image, the installer will ask from where it should fetch the packages to be installed.

The everything image contains all the packages that are available for CentOS-7, including those that are not directly installable from the installer. If you want to install those other packages, you must mount the install media on your installed system after the installation, and copy or install the packages from there. For most users installing from the DVD image and then installing the other packages with ”yum install <packagename>” instead is probably easier.

Attention
At least 1024 MB RAM is required to install and use CentOS-7 (1708). When using the Live ISOs for install, 1024 MB RAM produces very slow results and even some install failures. At least 1536 MB RAM is recommended for LiveGNOME or LiveKDE installs.

4. Verifying Downloaded Installation Images

Before copying the image to your preferred installation media you should check the sha256sum of the downloaded installation images.

sha256sum x86_64:
ec7500d4b006702af6af023b1f8f1b890b6c7ee54400bb98cef968b883cd6546  CentOS-7-x86_64-DVD-1708.iso
8593f5a1631ebfb7581193a7b4ef96d44f500d3ceb49cc4cfbfd71d5698e4173  CentOS-7-x86_64-Everything-1708.iso
9941f5e1257d74e763652ceae5096ed73ddc94a9703ae116931d8713b801fec0  CentOS-7-x86_64-LiveGNOME-1708.iso
4ba63634a8430d134d8a9535c62ff1341c33c898fb1c768a0c6e54fbc92a9133  CentOS-7-x86_64-LiveKDE-1708.iso
bba314624956961a2ea31dd460cd860a77911c1e0a56e4820a12b9c5dad363f5  CentOS-7-x86_64-Minimal-1708.iso
fe3d960cce4d2c1c9f1b66817fe87cc0ee1a1c6c5dd126204cb5c33d51a45620  CentOS-7-x86_64-NetInstall-1708.iso

5. Major Changes

Since release 1503 (abrt>= 2.1.11-19.el7.centos.0.1) CentOS-7 can report bugs directly to bugs.centos.org. You can find information about that feature at this page.
Various new packages include among others: python-gssapi, python-netifaces, mod_auth_openidc, pidgin and Qt5.
SSH1-support has been removed from the SSH-server. Along with this move, all cryptographic protocols and algorithms which are considered insecure have been deprecated. More on this can be found here and here.
OpenSSL now supports DTLS (TLS via UDP) and ALPN.
NVMe Over Fabric is now supported in the NVM-Express kernel driver.
There have been various changes/enhancements to cryptographic abilities of various packages. I.e. sendmail now supports ECDHE, OpenSSH now using SHA2 for public key signatures, ... among others. All changes are too numerous to mention here, so please take a look at the upstream release notes.
Various packages have been rebased. Some of those are openLDAP, samba, clufter, ipmitool, tcpdump, shim, GNOME, NetworkManager, Kernel-GRE-module, openssh, openSSL, libreswan, chrony, rsyslog, sudo and libvirt. Users of openldap should see the note in the known issues section below.

Because of these rebases some 3rd party repositories (Like EPEL, nux!, etc.) may not have all their packages rebuilt to use the newer packages in this release. This may cause the inability to update to the new release until those repositories fix their dependencies. However, at this point in time, more than 1 month after the release of 7.4, all these issues should be sorted out.

ca-certificates and nss now meet the recommendations as published with the latest Mozilla Firefox ESR.
Amazon ENA drivers have been added to the kernel. For more information about ENA go to this page.
Lots of updated storage, network and graphics drivers.
Technology Preview: Among others support of ansible and System Roles, OverlayFS, Btrfs, CephFS kernel client, the Cisco VIC and usNIC kernel driver, nested virtualization with KVM and multi-threaded xz compression with rpm-builds.

More information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html.

If you plan to use Security Profiles in Anaconda, please see this link.

6. Deprecated Features

This release - as already mentioned - features various changes to cryptographic abilities of various packages. Some insecure cryptographic algorithms and protocols are removed from the distro. For a complete list of all removed functions and deprecated packages please take a look at this page.

7. Known Issues

A list of known upstream issues can be found here. Given that we build from the same sources, many if not all of those issues will likely also apply to CentOS Linux. You can also find information on notable updates here.

The version of libgpod in EPEL is newer than the version release in RHEL-7.4, and therefore in CentOS-7 (1708). This will lead to an update error in CentOS-7 if you have libgpod from EPEL installed. You can use yum downgrade libgpod to bring in the proper libgpod, and after it completes, then continue with your upgrade with a yum update.

Updating a system without checking the packages being installed as deps pulls in various i686 packages. This is due to rdma. More on this behaviour can be found here. As a workaround you can use this command yum update rdma-core.x86_64 && yum update. If you see transaction check conflicts when trying to install rdma-core, try yum update rdma-core.x86_64 ibacm instead.

If you are running CentOS-7 as a Xen domU in ParaVirtualization (PV) mode, an upgrade to CentOS-7 (1708) will cause the VM to not be able to boot. You must use HVM (full emulation) or PV-on-HVM mode to run this version of CentOS with the Xen hypervisor. Please see this mailing list thread for more details.

If you use network bonding then there is an upstream bug report about the 7.4 kernel and using non-zero values for updelay= and downdelay=. If either are specified and are non zero then the bond will fail and your logs will be spammed with messages about being unable to bring one of the component interfaces up. The workaround is to use updelay=0 and/or downdelay=0 as part of the BONDING_OPTS= line. Redhat have now released a new kernel with the fix for this - yum update to at least kernel-3.10.0-693.5.2.el7 to get that.

samba may fail with "symbol krb5_get_init_creds_opt_set_pac_request, not defined". This is because of a missing dependency for a newer version of krb5-libs. The issue is resolved by installing krb5-libs-1.15.1-8.el7. See BZ 1480310 for more details.

keepalived users should note that the 7.4 keepalived 1.3.5 packages have an unspecified requirement for the 7.4 selinux-policy packages >= 3.13.1-166 or you may experience segfaults. You must update selinux-policy as well as the keepalived package.

samba share with sssd authentication is broken. This is being worked on upstream. A workaround is to downgrade the samba packages to an earlier version.

Users of the openldap-servers package who use the ppolicy overlay need to take action before the upgrade as per the link in https://bugs.centos.org/view.php?id=13750 to https://lists.ltb-project.org/pipermail/ltb-users/2015-December/000653.html - there are also instructions in the second link on how to recover if you did the update without taking action first.

The first vte291 package that was released to the CR repo was built against incorrect libraries. The package has since then been rebuilt. If, for example, your GNOME Terminal has colours that are too dark, a yum reinstall vte291 should help. This does not affect those users who had not used the pre-release packages from the CR repo.

VirtualBox (5.1.26 or older) is not fully compatible with CentOS-7 (1708). Use 5.1.28 or later.

In VMware, building the vmnet.ko kernel module fails. There is a patch to fix this. See their post for details.

The initramfs files are now significantly bigger than in CentOS-7 (1503). You may want to consider lowering installonly_limit in /etc/yum.conf to reduce the number of installed kernels if your /boot partition is smaller than 400MB. New installations should consider using 1GB, which is now the upstream recommended, as the size of the /boot partition.

Users connecting to a Cisco Meraki VPN server using libreswan may find that the connection will no longer establish after the update from libreswan 3.15 to 3.20. To allow these connections to complete you will need to add the algorithms used by the VPN server to the libreswan list. You can check the output from ipsec status from prior to the update like ipsec status | grep "algorithm newest" and add those to the list. If using a manual setup then you need to edit /etc/ipsec.d/$connection.conf and add ike= and esp= lines to the connection. If using NetworkManager you can use the GUI to add them in the "IPSec Settings.../Advanced" window in the "Phase1 Algorithms" (the ike=) and "Phase2 Algorithms" (the esp=). For the Meraki I use, that means adding 3DES-SHA1;MODP1024 to ike= and 3DES-HMAC_SHA1 to the esp= list. Be aware that this may not be as secure as it should be and the issue should probably be reported to Meraki support.

As part of the sudo rebase, it now uses /var/db/sudo/lectured for keeping track of who has seen the sudo "lecture". Due to this change you can expect to see the lecture again for all users using sudo for the first time after the update.

Rhythmbox cover art placeholder visible when viewing disabled BZ 1396775

The GNOME version rebase will lead to icons with an increased size on the desktop or in nautilus. Changing the icon zoom factor in nautilus will also affect the size on the desktop. You can do this in nautilus itself, or through cli: gsettings set org.gnome.nautilus.icon-view default-zoom-level 'small' (where value can be small, standard, large, larger). See also bug 13768

Many people have complained that Ethernet interfaces are not started with the new default NetworkManager tool/have to be explicitly enabled during installation. See CentOS-7 FAQ#2. This has been the case since the initial release of CentOS 6.0 so is not new.

At least 1024 MB RAM is required and 1536MB+ is recommended to install and use CentOS-7 (1708). When using the Live ISOs for install, 1024 MB RAM produces very slow results and even some install failures. At least 1536 MB RAM is recommended for LiveGNOME or LiveKDE installs.

If your screen resolution is 800x600 or lower, parts of the images shown at the bottom during install are clipped. This has been the case for all CentOS 7 versions.

Old VMware Workstation/VMware ESXi versions allow to install two different virtual SCSI adapters: BusLogic and LsiLogic. However the default kernel from CentOS-7 does not include the corresponding driver for any of them thus resulting in an unbootable system if you install on a SCSI disk using the defaults for CentOS Linux. If you select 'Red Hat Enterprise Linux' as OS, the paravirtualized SCSI adapter is used, which works. This does not seem to be an issue with newer VMWare versions which select a newer model of controller.

Commonly used utilities such as ifconfig/netstat have been marked as deprecated for some considerable time and the 'net-tools' package is no longer part of the @core group so will not be installed by default. Use nmcli c up ifname <interfacename> to get your network up and running and use yum to install the package if you really need it. Kickstart users can pull in the net-tools package as part of the install.

The AlpsPS/2 'ALPS DualPoint TouchPad' edge scrolling does not work by default on CentOS-7. See bug 7403 for the command to make this feature work.

There is an issue with using iptables and ip6tables where the iptables service fails to start and affects systems where firewalld is disabled and BOTH iptables AND ip6tables are enabled: BZ1477413 has more on this issue. There should be a released fix soon. Note: This issue was fixed for CentOS with iptables-1.4.21-18.0.1.el7 which was included in the CR release and is also on the newly created install media. There is no CentOS package with this problem. This issue is not yet fixed in RHEL.

Some security profiles enable a global repo_gpgcheck option in /etc/yum.conf to cryptographically verify the repository metadata. While this works for CentOS repositories, some third party repositories (such as EPEL) do not support GPG signed metadata. You may need to either remove repo_gpgcheck from /etc/yum.conf or set repo_gpgcheck=0 for each individual repository that does not support GPG signed metadata.

8. Fixed Issues

For all the fixed issues it is best to look at the errata release page here and look for fixes dated starting August 1st 2017.

9. Packages and Applications

9.1. Packages modified by CentOS

abrt
anaconda
apache-commons-net
basesystem
chrony
cloud-init
compat-glibc
dhcp
firefox
glusterfs
grub2
httpd
initial-setup
ipa
iptables
kabi-yum-plugins
kde-settings
kernel
libreport
ntp
openssl098e
oscap-anaconda-addon
PackageKit
pcs
plymouth
redhat-lsb
redhat-rpm-config
scap-security-guide
shim
shim-signed
sos
subscription-manager
system-config-date
system-config-kdump
thunderbird
xulrunner
yum

9.2. Packages removed from CentOS that are included upstream

Red_Hat_Enterprise_Linux-Release_Notes-7-*
redhat-access-gui
redhat-bookmarks
redhat-indexhtml
redhat-logos
redhat-release-*
subscription-manager-firstboot
subscription-manager-migration
subscription-manager-migration-data

9.3. Packages added by CentOS that are not included upstream

centos-bookmarks
centos-indexhtml
centos-logos
centos-release

9.4. Packages released as 7.3.1611 updates with older packages on the 7.4.1708 install media

bind
graphite2
java-1.8.0-openjdk

10. Sources

All CentOS-7 sources are hosted at git.centos.org. All code released into the distribution originated from git.centos.org.

Source RPMs will also be published once the release is done, in the usual location at http://vault.centos.org/centos/7/

From a CentOS machine you can easily retrieve sources using the yumdownloader --source <packagename> command.

11. How to help and get help

As a CentOS user there are various ways you can help out with the CentOS community. Take a look at our Contribute page for further information on how to get involved.

11.1. Special Interest Groups

CentOS consists of different Special Interest Groups (SIGs) that bring together people with similar interests. The following SIGs already exist (among others):

Artwork - create and improve artwork for CentOS releases and promotion
Promotion - help promoting CentOS online or at events
Virtualization - unite people around virtualization in CentOS

And we encourage people to join any of these SIGs or start up a new SIG, e.g.

ARM, PPC and i386 port - help with porting CentOS to other architectures
Hardware compatibility - provide feedback about specific hardware
RPM Packaging - contribute new useful RPM packages
Translation - help translating the documentation, website and Wiki content

11.2. Mailing Lists and Forums

Another way you can help others in the community is by actively helping and resolving problems that users come up against in the mailing lists and the forums.

11.3. Wiki and Website

Even as an inexperienced CentOS user we can use your help. Because we like to know what problems you encountered, if you had problems finding specific information, how you would improve documentation so it becomes more accessible. This kind of feedback is as valuable to others as it would have been to you so your involvement is required to make CentOS better.

So if you want to help out and improve our documentation and Wiki, register on the Wiki or subscribe to the centos-docs mailing list.

11.4. IRC Presence

The CentOS project maintains a presence on the freenode IRC network as an additional venue for community support and interaction. Please see our IRC wiki article for more information.

12. Further Reading

The following websites contain large amounts of information to help people with their CentOS systems:

Upstream release notes and documentation : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
http://www.centos.org/
http://wiki.centos.org/
http://lists.centos.org/
CentOS-7 forums
http://bugs.centos.org/
http://planet.centos.org/
http://seven.centos.org/

13. Thanks

We thank everyone involved for helping us produce this product and would like to specifically acknowledge the extra effort made by the QA Team. Without them working lots and lots of hours in evenings, nights, weekends and holidays, we couldn't have released this Release in the time we did. A special thanks also goes to the CentOS-community. A more complete list of the contributors to this release can be found at /usr/share/doc/centos-release/Contributors of your new CentOS-7 installation.

Visit http://www.redhat.com/rhel/ (1)

This is a read-only archived version of wiki.centos.org