This document outlines an agenda for a workshop on Red Hat Enterprise Linux 8. The workshop will cover an overview of RHEL 8, managing software from application streams, the future of infrastructure including container deployment with Podman, and other RHEL 8 features. It will run from 9:00-14:00 and include presentations and demos from two Red Hat solutions architects.
1. Learn, build, and deploy with
Red Hat Enterprise Linux 8:
An interactive workshop
Ahmed El-Rayess
Solutions Architect
Red Hat MEA
Mohamed Farag
Solutions Architect
Redington
3. EVENT PRESENTERS
Introductions
Name: Ahmed El-Rayess
Role/team: MEA Solutions Architect
Where you’re from: Egypt
Name: Mohamed Farag
Role/team: Redington
Where you’re from: Egypt
4. LINUX IS THE FUTURE
Only two operating systems remain.
Source: Worldwide Server Operating Environments Market Shares, 2015: Linux Continues to Shape the Future (IDC #US41360517, December 2016)
5. RED HAT LEADS PAID LINUX MARKET
WORLDWIDE LINUX SERVER OPERATING ENVIRONMENT NEW LICENSE PAID SHIPMENTS/SUBSCRIPTIONS AND NON-PAID DEPLOYMENTS BY VENDOR, 2012–2016 (000)
Source: Worldwide Server Operating Environments Market Shares, 2015: Linux Continues to Shape the Future (IDC #US41360517, December 2016)
9. RED HAT ENTERPRISE LINUX 8
To deliver business advantages today, organizations are shifting IT from traditional infrastructure operations and are focusing on service delivery.
10. RED HAT ENTERPRISE LINUX 8
Build your future on a stable, high-performing platform that can scale to meet the needs of your organization today and tomorrow.
11. WHAT’S NEW?
Red Hat Enterprise Linux 8
Easier adoption for staff new to Linux®
More subscription value with Red Hat Insights, now included in all Red Hat Enterprise Linux subscriptions
A consistent experience across bare-metal, virtual, and public and hybrid cloud environments
Eased transition to and adoption of containerized workloads with community-driven, new container management tools
Increased speed and ease of deployment
Security first: further enhanced to cover the latest industry requirements
12. RED HAT ENTERPRISE LINUX 8
Trusted partner
Focus on your business: we focus on support and engineering so you don’t have to
Speed integration with common platforms: ease management and integration of your business applications
Innovate faster: get to your next big thing without building ours
13. OPTIMIZED EXPERIENCES FOR MISSION-CRITICAL DATABASES
● Red Hat Enterprise Linux is the reference platform for SQL Server on Linux
● Benchmark-breaking performance
● Fast deployment and portability via containers
● Red Hat Enterprise Linux is 1 of only 2 certified Linux distributions
● More than 20 years of Red Hat and SAP joint engineering collaboration
● Exceptional performance and scalability: the largest SAP install in the world runs on Red Hat Enterprise Linux
17. WHAT YOU NEED: DevOps
How we deliver it
● Web console
● System roles
Why you need it
● Everyone, not just those comfortable with the command line, can participate in the process.
18. REMOTE SINGLE-SYSTEM VIEWS IN THE WEB CONSOLE
Browser-based interface: offers a remotely accessible user interface using host security mechanisms
Consolidated view: provides a single view of tasks to speed understanding and completion
Standard management tools: uses system tools to change state, not a separate workflow
19. NEW IN THE WEB CONSOLE
Virtual machines: create and manage virtual machines
Network-bound disk encryption: enroll disks with a Tang server and manage LUKS keys
Single sign-on configuration: automatically configure when joining a domain
20. SPEED AUTOMATION CREATION WITH SYSTEM ROLES
Common automation: manage multiple versions of Red Hat Enterprise Linux from a single role
Reduced rework: import provided roles to eliminate task creation in playbooks
Easy switching of providers: change between default and optional tools quickly and safely
Roles pictured: timesync, dbserver, SELinux, network, webserver
23. WHAT YOU NEED: Open source integration
How we deliver it
● Application stream
● Predictable release cadence
Why you need it
● You can’t wait for a new major release in order to access new userspace packages such as languages and frameworks
24. YOU CAN’T SATISFY ALL THE PEOPLE ALL THE TIME … OR CAN YOU?
Different people have different needs
Developer
I need a newer package than what is included in the distribution!*
-or-
This software was built 2 years ago, I need the 2 years ago package, not the package thing!*
Architect or Administrator
I need to support the efforts of developers, nay, plan for it!*
-and-
I need to manage the longevity of my application, platform, or product!*
Independent Software Vendor
I went through this certification program for my software. I can’t do that for every dot release, but need to be confident that I can continue to support customers on this version!*
* Source: Scenario based on conversations with Red Hat customers
25. RED HAT ENTERPRISE LINUX 8
Faster time to “Hello World”
Simpler deployment options: use standardized platforms for any environment
Ability to plan with confidence: remove uncertainty from your platforms
Latest stable tools: combine open source innovation with enterprise reliability
26. PREDICTABLE UPDATES
6 months: minor updates
3 years: major releases
2 phases: support life cycle
27. APPLICATION STREAMS
Diagram: PostgreSQL 9.6, 10, and 12 streams over the time of support of Red Hat Enterprise Linux 8, compared with Red Hat Enterprise Linux 7
More choice: offers versions of the open source tools and frameworks developers need
Newer versions: provides access to newer versions as they stabilize
Simpler access: maintains standard locations for tools and libraries
28. SIMPLIFIED ACCESS TO SOFTWARE
Red Hat Enterprise Linux 7 repositories: server, optional, supplementary, extras, rhscl, dotnet, devtools
Red Hat Enterprise Linux 8 repositories: baseos, appstream, supplementary, codeready-builder
29. GRAPHICAL EXAMPLE OF DIFFERENT WAYS AN APPLICATION STREAM COULD BE MANAGED
An Example Application Stream
Diagram: timeline from May 2019 through May 2020, May 2021, May 2022, May 2023 and beyond, showing SoftwareA 9.6 and 10 streams and SoftwareB 7.2 and 7.3 streams
30. THE NEWEST YUM PACKAGE MANAGER: VERSION 4
New technology: maintains the same experience while adding new tools
Better dependency management: offers faster resolution and easier minimization of what's installed
Stable API: provides a new application programming interface (API) for extending yum that will progress into the future
Diagram: a repository of rpms plus metadata, consumed by yum on the system
33. Frequently Asked Questions
In the example on the earlier slide, postgresql 9.6 and 10 were shown as simultaneously available versions. Can I have them both installed?
No.
36. Rules of the Road
Application stream rules of the road:
An application stream may offer multiple versions of a package, but only one may be installed on the system
Each application stream will have one version set as the default
Generally, you will want to use the module subcommand of yum when working with an application stream
Recommended practice when changing to a different version of software in the application stream: remove the installed version, then install the preferred version
37. Instructor Demonstration
Listing available application streams:
# yum module list
Name Stream Profiles Summary
ruby 2.5 [d] common [d] An interpreter of object-oriented scripting language
The resulting output will contain all the available packages managed as application streams.
40. WHAT YOU NEED: Open hybrid cloud and multi-cloud
How we deliver it
● Amazon Web Services
● Microsoft Azure
● Google Cloud
● Bare metal
● Virtual
Why you need it
● You get to enjoy the same Red Hat Enterprise Linux experience regardless of the underlying infrastructure
41. WHAT YOU NEED: Faster and easier to deploy
How we deliver it
● Image builder
● Single variant for multiple use cases
● In-place upgrades
Why you need it
● Your digital journey requires fast adoption and deployment
42. CREATE IMAGES FOR ALL YOUR ENVIRONMENTS WITH IMAGE BUILDER
Single source: lets you create gold images for any environment from the same blueprint, increasing stability and consistency
Any footprint: supports public cloud, private cloud, enterprise hypervisors, and bare metal
Simple interface: provides a web-based view within the web console for selecting packages and creating blueprints
Diagram: one blueprint producing images for bare metal, hypervisors, public clouds, and private clouds
43. Faster and more consistent delivery in any deployment
Maintain standards: simple common machine images for any environment
Improve automation: automation expertise from the engineers who wrote the platform
Gain rapid intelligence: information that helps you focus on business initiatives, not fighting fires
44. IN-PLACE UPGRADES FOR YOUR SYSTEMS
Reduced migrations: analyze systems to determine if upgrading in place can avoid a costly migration
Easy rollback options: combine with bootable LVM snapshots for safety
Improved framework: get better analysis and a simplified process with a more extensible framework
Diagram: the upgrade framework carries applications from Red Hat Enterprise Linux 7 to 8
45. CAN I UPGRADE THIS HOST?
Upgrade flow diagram, steps shown: pick candidate server, run Leapp, analyze, check output, create bootable LVM snapshot, upgrade, reboot to finish upgrade, upgrade complete
46. Flow for actioning on issues & vulnerabilities
Analyze, Identify, Prioritize, Resolve
47. DETECT AND FIX ISSUES WITH RED HAT INSIGHTS
Proactive advice: identification of issues before they become problems
Continuous assessment: real-world results to help find new risks
Simpler remediations: tailored results at the host level
48. RED HAT INSIGHTS
Included with your Red Hat Enterprise Linux subscription
Assesses customer’s Red Hat environments
Remediates findings with prescriptive remediation steps or an Ansible playbook
Insights rule contributions directly from Red Hat subject matter experts
Identifying risks for availability, performance, stability and security
49. Quick Value in 15 Minutes or Less
No infrastructure cost, quick setup, planned response, tailored resolution, real-time risk assessment, proactive alerts, SaaS
Insights installs in minutes
● Registers to Satellite or Customer Portal
● Automation-enabled
● Simple registration (one command)
● Reporting available instantly
● Client runs at customer defined interval
Security is built in. Insights customers have control via blacklist and obfuscation of any metadata collected.
50. ENTERPRISE INFRASTRUCTURE MONITORING
Value for Customers
PROACTIVE GUIDANCE: risks are identified before they ever impact infrastructure or business operations
CONTINUOUS INSIGHTS: new checks added continuously as new threats to enterprise workloads are identified
REMEDIATION PLAN: issues identified should be accompanied by tailored step-by-step instructions for their remediation
INTEGRATED MANAGEMENT: Insights integrates with Red Hat’s management portfolio, providing streamlined operations workflow capabilities with automation
57. WHAT YOU NEED: Containers
How we deliver it
● New tools
● Red Hat Universal Base Image
Why you need it
● Building, running, and managing containers shouldn’t need root privileges or a daemon
● The foundation for building enterprise-ready containerized applications is more secure and reliable.
58. WHY DO I CARE ABOUT RED HAT’S CONTAINER TOOLS?
Different people have different needs
Developer
I need to make containers that are Open Container Initiative (OCI) compliant that I can deploy*
Architect or Administrator
I need to support the efforts of developers, but don’t want to have additional attack surface on my systems*
-or-
I don’t want to provide root access to non-administrators on my systems*
Independent Software Vendor
I need to build applications that I can provide to customers*
* Source: Scenario based on conversations with Red Hat customers
59. CONTAINERS ARE LINUX
Diagram: containers (application binaries and application dependencies) are built and run on Linux kernel features: namespaces and cgroups (CPU, memory, storage, network), seccomp, and SELinux
60. POWERING THE ADOPTION OF CONTAINERIZED WORKLOADS
Diagram: traditional development (find, run, build, share) on Red Hat Enterprise Linux with Podman/Buildah/Skopeo; cloud-native (integrate, deploy) with Quay and Red Hat OpenShift® (Kubernetes)
61. Red Hat Container Tools
Meet the container tools
Deploy containers: familiar syntax, compared to other container flavors
Create new container images
Update/modify existing container images
Inspect, audit, and share container images
62. Why choose podman
Why podman?
● Open Container Initiative (OCI) compliant
● Daemonless
● Linux native technology stack
● Rootless deployments
● Compatible with other OCI compliant toolsets
63. MANAGE CONTAINERS WITH PODMAN
Fast and lightweight: no daemons required
Advanced namespace isolation: rootless operations for container run and build
Open standards compliant: creates and maintains any standard Open Containers Initiative (OCI)-compliant containers and pods
Diagram: Podman over RunC and the kernel, working with images
64. CREATE IMAGES WITH BUILDAH
More control: scriptable tooling for fine-grained image control, and maximum control starting from base or scratch images
Minimization of images: elimination of unneeded dependencies by using host-based tools
Diagram: from base, multilayer (base Red Hat Enterprise Linux, OS update layer, Java™ runtime layer, application layer) versus from scratch, single layer (Java runtime and dependencies, and application)
65. INSPECT AND TRANSPORT IMAGES WITH SKOPEO
Inspect images remotely: examine image metadata without needing to download
Publish and transfer images: copy images from registries to hosts or directly between registries
Sign and verify images: supports GPG key signing on publish
Diagram: Skopeo moving an image repository, its metadata, and signature between image registries and a host
67. Frequently Asked Questions
Does RHEL8 ship Docker?
No. But if you really, really need a command called docker on your system, try installing the podman-docker package. (This isn’t actually docker, though)
68. Frequently Asked Questions
Does Red Hat provide any supported container images?
Yes! We distribute the Universal Base Image (UBI). This container image is supported by Red Hat when deployed on a supported Red Hat platform (RHEL/OpenShift).
69. Frequently Asked Questions
Why should I use this instead of Docker?
With the compatibility built into the Red Hat Container tools, you can use a combination of both. Red Hat has two seats on the Technical Oversight Board of the Open Container Initiative [a project of the Linux Foundation], which is a commitment to delivering tools that use open standards. Included as part of Red Hat Enterprise Linux, no additional subscriptions required.
71. Instructor Demonstration
Inspect available container images:
# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.access.redhat.com/ubi8/ubi-init latest cda12d4c316c 6 weeks ago 255MB
72. Instructor Demonstration
Deploy a container:
Interactive, with a bash shell
# podman run -it ubi-init /bin/bash
Detached mode, with an exposed port
# podman run -dt -p 8080:80/tcp ubi-init
More options in the podman-run(1) manpage
73. Instructor Demonstration
Viewing deployed containers:
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9df2431bf9b0 ...redhat.com/ubi8/ubi-init:latest /sbin/init 36 seconds Up 36 seconds romantic_feynman
Note: each container is assigned a unique ID and NAME to use with other actions.
78. RECORDING USER TERMINAL SESSIONS
Audit activities: create a record of actions taken for review against security policies
Create visual guides: build run books and training materials with demonstrations
Record and play back: logged via standard channels with multiple playback options
79. WHAT ARE SOME SITUATIONS WHERE TERMINAL SESSION RECORDING MIGHT BE USEFUL?
Different people have different needs
Architect
How do I know that we are capturing audit information for users and administrators across our infrastructure?*
-and-
When there is a problem, outage, or issue, it would be great if we could know what was happening on that system!*
Administrator
It would be really nice to know what the administrators on my team are doing!
-and-
I just got a reported problem on a system, I wonder what has been going on there lately!*
* Source: Scenario based on conversations with Red Hat customers
80. Quick facts for terminal session recording
Quick Facts:
● Based on tlog
● Official Red Hat guide available: https://red.ht/2pWcvni
● Other modes of session recording can still be used (auditd, script, sudo, etc.)
● Integrated into the web console
● Multiple players available for playback
81. Why choose terminal session recording
Why terminal session recording?
● Data integrated into existing system logging
● Ability to disable capture of input (e.g. keylogging)
● Web console player includes searchability of the session transcript and accelerated playback
● Easily configure which users or groups should be recorded
83. Frequently Asked Questions
How is this different than capturing session information with auditd?
Configuring session recording with pam_tty_audit captures the data entered by the audited user on the command-line. Output and error messages are missing from this method of collecting session data.
96. WHAT YOU NEED: SECURITY
How we deliver it
● Systemwide encryption policy
● Nftables/firewalld
● Terminal session recording
Why you need it
● You spend less effort and time managing and configuring services for security needs, without compromising core security needs
● Activity auditing available
97. A HIGHLY SECURE PLATFORM
Latest protocol support: including TLS 1.3 via OpenSSL 1.1.1
Hardened code: including PIE and RELRO binaries and code analysis in our pipelines
Integrated identity management: as a stand-alone provider or trusted member of an Active Directory, with expanded integrations to tools like the web console
Updated tools: including the LUKS v2 on-disk format for encryption
Diagram: security policy, process, and procedures across design, build, run, manage, and adapt
98. CONFIGURING SYSTEMWIDE CRYPTOGRAPHIC POLICIES
Central configuration: set acceptable algorithms from a single tool
Improved consistency: covers multiple cryptographic providers and consumers like TLS, Kerberos, and Java
Built-in policies: including legacy systems requiring 64-bit security and FIPS allowed or approved algorithms
Diagram: the selected policy (Default, Legacy, Client, Future) sets the encryption algorithms used by OpenSSL and httpd for secured communications
99. IMPROVED FIREWALL MANAGEMENT WITH NFTABLES
Consolidated filtering: supports IPv4, IPv6, ARP, and Bridge filtering in a single tool
Simpler rule creation: multiple matches and actions reduce the number of rules required
Improved tracing: provides easier debugging and verification of actions taken on any packet
100. HOW DOES IT BENEFIT ME?
Different people have different needs
Developer
How can I test and adapt my applications against current state-of-the-art and future cryptographic libraries?*
Architect or Administrator
How can I use a consistent way to enforce security standards and best practices across different applications running on RHEL?*
Independent Software Vendor
How can I ensure that my software stack is FIPS compliant?*
* Source: Scenario based on conversations with Red Hat customers
101. THE ISSUE: COMPLEXITY
Each crypto provider used its own configuration
● Difficult, and entirely manual, process to change the defaults
● No consistent means to enforce standard configurations or best practices
● Auditing is more difficult or relies on manual examination of each crypto library
● Configuring a system for FIPS compliance was more error prone
○ Though FIPS does force a standard across all cryptographic providers!
102. CONSISTENT AND STRONG CRYPTO POLICY
4 policies: LEGACY, DEFAULT, FIPS 140, FUTURE
● Solves the problem of ensuring systemwide consistent cryptography
settings for addressing compliance requirements
● Easy to use and easy to automate - far less error prone
# update-crypto-policies --set <<Crypto Policy>>
# update-crypto-policies --show
● Sets allowed key lengths, hashes, parameters, protocols, and algorithms
● Crypto policies can be found in man pages
# man crypto-policies
103. SYSTEMWIDE EFFECTS OF CRYPTO POLICY
Applications and groups that follow the crypto policies: libkrb5, OpenSSL, GnuTLS, Libreswan, NSS, BIND, OpenJDK, OpenSSH, Python
Guidance
● Use the Red Hat Enterprise Linux-provided crypto libraries and Red Hat Enterprise Linux-provided utilities
● Test with DEFAULT and FUTURE policies
● Consider using SHA256 hashes
● Libssh, Golang and more coming!
107. Frequently Asked Questions
Does setting FIPS 140 crypto policy mean that my instance is FIPS compliant?
No. It only means that the system is using FIPS 140 compliant ciphers, which is not the only thing necessary for FIPS compliance.
109. Instructor Demonstration
Getting the currently set system-wide crypto policy:
# update-crypto-policies --show
DEFAULT
The resulting output will contain the crypto policy that is currently in effect. In this case, it is DEFAULT.
110. Instructor Demonstration
Setting system-wide crypto policies:
# update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change to policies to fully take place.
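The two demonstrations above (reading the policy with `--show` and setting it with `--set`, which only takes effect as applications restart) can be turned into a compliance check. The bash script below is an added example, not part of the deck: it reads the policy name from a config file (on a RHEL 8 host that is /etc/crypto-policies/config, written by update-crypto-policies), rejects a policy outside an allow list, and reports a pending restart when the file changed after boot. The allow list, the function names and the constructed config files are this example's own assumptions; DEFAULT, FUTURE and FIPS are the policy names the tool uses, with FIPS being the FIPS 140 policy named on slide 102.

```bash
#!/usr/bin/env bash
# Added example: audit the system-wide crypto policy set with update-crypto-policies.
# On RHEL 8 the active policy name lives in /etc/crypto-policies/config; the
# path is a parameter here so the check also runs against constructed files.

# Policies this check accepts (an assumption for the example; LEGACY is rejected).
ALLOWED_POLICIES="DEFAULT FUTURE FIPS"

# read_policy FILE: print the policy name, ignoring comments and blank lines.
read_policy() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1 | tr -d '[:space:]'
}

# policy_allowed NAME: succeed if NAME is in ALLOWED_POLICIES.
policy_allowed() {
    for p in $ALLOWED_POLICIES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# boot_epoch: seconds since the epoch at which this Linux host booted.
boot_epoch() {
    local up; read -r up _ < /proc/uptime
    echo $(( $(date +%s) - ${up%%.*} ))
}

# changed_since_boot FILE BOOT_EPOCH: succeed if FILE was modified after boot.
# Policies apply at application start-up (slide 110), so a change after boot
# means long-running services may still be using the previous policy.
changed_since_boot() {
    [ "$(stat -c %Y "$1")" -gt "$2" ]
}

# audit_policy FILE BOOT_EPOCH: print WEAK:<name>, PENDING_RESTART:<name> or
# OK:<name>; return 1 for WEAK, 2 for PENDING_RESTART, 0 for OK.
audit_policy() {
    local policy
    policy=$(read_policy "$1")
    if ! policy_allowed "$policy"; then
        echo "WEAK:${policy:-unset}"; return 1
    fi
    if changed_since_boot "$1" "$2"; then
        echo "PENDING_RESTART:$policy"; return 2
    fi
    echo "OK:$policy"; return 0
}

# Demo over constructed config files; the pretend boot time (1000000050)
# lies between the two file modification times.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'LEGACY\n' > "$dir/legacy";              touch -d @1000000000 "$dir/legacy"
    printf 'FUTURE\n' > "$dir/future";              touch -d @1000000000 "$dir/future"
    printf '# set today\nDEFAULT\n' > "$dir/today"; touch -d @1000000100 "$dir/today"
    for f in legacy future today; do
        audit_policy "$dir/$f" 1000000050 || true
    done
    rm -rf "$dir"
}
demo
# On a real host: audit_policy /etc/crypto-policies/config "$(boot_epoch)"
```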
112. WHAT’S NEW?
Red Hat Enterprise Linux 8
Easier adoption for staff new to Linux®
More subscription value with Red Hat Insights, now included in all Red Hat Enterprise Linux subscriptions
A consistent experience across bare-metal, virtual, and public and hybrid cloud environments
Eased transition to and adoption of containerized workloads with community-driven, new container management tools
Increased speed and ease of deployment
Security first: further enhanced to cover the latest industry requirements
113. CUSTOMER CHALLENGES
Red Hat portfolio
IT optimization: transform your existing IT infrastructure
Agile integration: integrate your applications & services
Hybrid cloud infrastructure: improve & accelerate IT service delivery
Cloud-native development: build innovative applications faster
Automation: automate infrastructure & applications
114. TRANSFORM YOUR EXISTING IT INFRASTRUCTURE
Red Hat portfolio
Diagram: infrastructure software, container platforms, middleware & application services, developer tools, automation & management, security & services, and applications & business processes on physical hardware & cloud infrastructure
115. IMPROVE & ACCELERATE IT SERVICE DELIVERY
Red Hat portfolio
Diagram: infrastructure software, container platforms, middleware & application services, developer tools, automation & management, security & services, and applications & business processes on physical hardware & cloud infrastructure
121. Demos
● Managing Software from an Application Stream
● Managing System Updates Using the Web Console
● Red Hat Insights
● Using Web console to build Virtual Images
● Creating Images with Buildah
● Deploying Containers Using Podman
● Configuring Terminal Session Recording
● Configuring the system-wide cryptographic policy