
Red Hat Enterprise Linux 8 — Release Summary & Best Practices


Release Summary

Red Hat Enterprise Linux 8 (RHEL 8) was released in May 2019, based on Fedora 28 and the Linux kernel 4.18. It was the first RHEL release to ship with Application Streams (AppStream), which fundamentally changed how software versioning and lifecycle management work on Red Hat systems. RHEL 8 is currently in Maintenance Support 2 phase and remains widely deployed across enterprise environments.

⚠️ Lifecycle Note: RHEL 8 Full Support ended in May 2024. It entered Maintenance Support on June 1, 2024 (receiving critical/important security fixes only). New deployments should target RHEL 9. RHEL 8 reaches end of Extended Life Support in May 2029.

Key Highlights

| Area | Detail |
| --- | --- |
| Kernel | 4.18 base — updated per minor release through 8.10 |
| Python | Python 3.6 default (unversioned python removed — use python3 explicitly) |
| Security | System-wide crypto policy framework introduced; SHA-1 still enabled in DEFAULT |
| Networking | nftables introduced; iptables still available (nftables backend); NetworkManager primary |
| Storage | XFS default; VDO (Virtual Data Optimizer) included; Stratis 1.x tech preview |
| Init | systemd 239 |
| Containers | Podman 1.x/2.x + Buildah + Skopeo (Docker removed) |
| Package Management | DNF replaces Yum (yum is a symlink); AppStream + BaseOS repo split |
| Web Console | Cockpit introduced as the standard web management interface |
| Support Lifecycle | Full Support ended May 2024; Maintenance until May 2029 |

Major Changes from RHEL 7

  • Yum replaced by DNF: yum commands still work as aliases, but DNF is the engine
  • Python 2 deprecated: the python command is removed; use python2 or python3 explicitly
  • Docker removed — replaced by Podman, Buildah, and Skopeo
  • iptables backend replaced by nftables (iptables commands still work via compatibility layer)
  • AppStream introduced — allows multiple versions of software (e.g., PHP 7.2, 7.3, 7.4) to coexist
  • Modularity — applications packaged as streams with independent lifecycles from the OS
  • Cockpit replaces manual web administration
  • LDAP/Kerberos configuration via authselect replaces authconfig

Minor Release Timeline

| Release | Date | Kernel |
| --- | --- | --- |
| RHEL 8.0 | May 2019 | 4.18.0-80 |
| RHEL 8.1 | Nov 2019 | 4.18.0-147 |
| RHEL 8.2 | Apr 2020 | 4.18.0-193 |
| RHEL 8.3 | Nov 2020 | 4.18.0-240 |
| RHEL 8.4 | May 2021 | 4.18.0-305 |
| RHEL 8.5 | Nov 2021 | 4.18.0-348 |
| RHEL 8.6 | May 2022 | 4.18.0-372 |
| RHEL 8.7 | Nov 2022 | 4.18.0-425 |
| RHEL 8.8 | May 2023 | 4.18.0-477 |
| RHEL 8.9 | Nov 2023 | 4.18.0-513 |
| RHEL 8.10 | May 2024 | 4.18.0-553 |

Installation Best Practices

  • Use Kickstart for all automated installs — the RHEL 8 installer supports %pre and %post scripts natively
  • Choose the Minimal Install server profile — install only what you need via AppStream post-install
  • Partition with LVM: separate /, /boot, /var, /tmp, /home at minimum
  • Enable FIPS mode at install time if required — applying FIPS after install is more complex:
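    # Enable FIPS during install: pass fips=1 as a kernel boot parameter to the installer
    # (installer boot menu, or the PXE/boot entry that starts the Kickstart install).
    # A Kickstart %pre script runs after the installer kernel has booted, so it
    # cannot switch the installation into FIPS mode.
    # Verify after first boot:
    fips-mode-setup --check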
    
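  • Register with Red Hat immediately: subscription-manager register --username <user> --password <pass> --auto-attach (omit --password to be prompted interactively, which keeps the password out of shell history and the process list)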
  • Disable kdump on non-critical VMs to free reserved memory

AppStream & Package Management

AppStream is one of RHEL 8's biggest changes — understanding it is essential.

# List available module streams
dnf module list

# Enable a specific stream (e.g., PHP 7.4)
dnf module enable php:7.4
dnf module install php:7.4

# Switch streams (reset first)
dnf module reset php
dnf module enable php:8.0
dnf module install php

# View installed module info
dnf module info --installed

# Search across AppStream and BaseOS
dnf search nginx
dnf info nginx

  • BaseOS — core OS packages with traditional lifecycle
  • AppStream — application components with their own versioned lifecycles
  • Never mix streams without resetting — causes dependency conflicts
  • Pin your stream version in Kickstart or Ansible to ensure consistency across environments

Security Best Practices

System Crypto Policies

# Check current policy
update-crypto-policies --show

# Apply FIPS policy
update-crypto-policies --set FIPS
reboot

# Apply DEFAULT:NO-SHA1 subpolicy to disable SHA-1 without full FIPS
update-crypto-policies --set DEFAULT:NO-SHA1

# List available policies
ls /etc/crypto-policies/policies/

  • RHEL 8 DEFAULT still allows SHA-1 — apply NO-SHA1 subpolicy if your security posture requires it
  • FIPS mode requires a reboot and changes the kernel boot parameters — plan accordingly
  • OpenSSL 1.1.1 is the baseline in RHEL 8 (OpenSSL 3.0 comes in RHEL 9)

SSH Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups ssh-users
Banner /etc/issue.net
# "Protocol 2" is omitted: OpenSSH 8.0 in RHEL 8 supports only SSH protocol 2 and ignores the option

# Validate the file, then apply and verify the effective settings
sshd -t && systemctl restart sshd
sshd -T | grep -i 'permitroot\|passwordauth\|maxauthtries'
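
The grep above shows only a few settings. The following added example (not part of the original page) checks every directive of the sshd_config baseline against `sshd -T` output and reports drift or missing settings; the function name, variable names and sample output are assumptions made for illustration.

```bash
# Baseline from the sshd_config above, in the lowercase "key value" form printed by sshd -T.
SSHD_BASELINE='permitrootlogin no;passwordauthentication no;pubkeyauthentication yes;x11forwarding no;maxauthtries 3;clientaliveinterval 300;clientalivecountmax 2;allowgroups ssh-users;banner /etc/issue.net'

# Reads `sshd -T` output on stdin, prints one line per deviation,
# and returns 1 if any baseline setting is wrong or absent.
audit_sshd() {
  awk -v baseline="$SSHD_BASELINE" '
    BEGIN {
      n = split(baseline, pairs, ";")
      for (i = 1; i <= n; i++) {
        sp = index(pairs[i], " ")
        want[substr(pairs[i], 1, sp - 1)] = substr(pairs[i], sp + 1)
      }
    }
    {
      key = tolower($1)
      if (!(key in want)) next
      val = substr($0, length($1) + 2)
      seen[key] = 1
      if (val != want[key]) {
        printf "DRIFT %s: expected \"%s\", effective \"%s\"\n", key, want[key], val
        bad = 1
      }
    }
    END {
      for (k in want)
        if (!(k in seen)) { printf "MISSING %s: expected \"%s\"\n", k, want[k]; bad = 1 }
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
maxauthtries 6
clientaliveinterval 300
clientalivecountmax 2
banner /etc/issue.net'

printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "sshd deviates from baseline"
```

On a live host, run `sshd -T | audit_sshd` as root; unset list options such as AllowGroups do not appear in `sshd -T` output at all, which is why absent keys are reported separately.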

SELinux

# Always enforce — never disable
getenforce           # Must return: Enforcing
cat /etc/selinux/config  # SELINUX=enforcing

# Troubleshoot AVC denials
ausearch -m avc -ts recent | audit2why
ausearch -m avc -ts recent | audit2allow -M mycustom
# Review mycustom.te before loading: the module allows every denial that was piped in
semodule -i mycustom.pp

# Check file contexts
ls -lZ /var/www/html
restorecon -Rv /var/www/html   # Restore default contexts

# Boolean management
getsebool -a | grep httpd
setsebool -P httpd_can_network_connect on

Firewall (firewalld over nftables)

# Check status
firewall-cmd --state
firewall-cmd --list-all

# Add services and ports permanently
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload

# Rich rules for more granular control
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.0.0/16" service name="ssh" accept'
firewall-cmd --reload

# Use zones for network segmentation
firewall-cmd --get-active-zones
firewall-cmd --zone=internal --add-interface=eth1 --permanent
firewall-cmd --reload

User Authentication (authselect)

# Configure SSSD for AD integration
authselect select sssd with-mkhomedir --force

# Verify
authselect current

# Configure faillock (account lockout)
# enable-feature adds to the current profile; a second "authselect select" would drop with-mkhomedir
authselect enable-feature with-faillock
# Then edit /etc/security/faillock.conf:
# deny = 5
# unlock_time = 900

Kernel Hardening (sysctl)

# /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.core_uses_pid = 1

# Reload all sysctl files
sysctl --system

Networking Best Practices

RHEL 8 uses NetworkManager as the primary network management daemon — configure with nmcli or keyfiles:

# List connections
nmcli connection show

# Configure static IP using nmcli
nmcli connection add type ethernet con-name "prod-eth0" ifname eth0 \
  ip4 10.10.100.50/24 gw4 10.10.100.1

nmcli connection modify "prod-eth0" \
  ipv4.dns "10.10.100.10 10.10.100.11" \
  ipv4.dns-search "casino.local" \
  connection.autoconnect yes

nmcli connection up "prod-eth0"

# Check interface status
ip addr show
ip route show

Note: ifcfg files (/etc/sysconfig/network-scripts/) still work in RHEL 8 but are deprecated. Begin migrating to NetworkManager keyfiles now before RHEL 10 removes them entirely.

# Configure NTP with chrony
dnf install -y chrony
systemctl enable --now chronyd

# /etc/chrony.conf — add your NTP servers
server time.casino.local iburst

systemctl restart chronyd
chronyc tracking
chronyc sources -v

Storage Best Practices

# Filesystem usage
df -hT
du -sh /var/log/*

# LVM operations
pvdisplay; vgdisplay; lvdisplay

# Extend LV and filesystem online
lvextend -L +20G /dev/mapper/rhel-var
xfs_growfs /var    # For XFS (no unmount needed)
# resize2fs /dev/mapper/rhel-var   # For ext4

# Create a new LV, format it, and mount it
lvcreate -L 50G -n data rhel
mkfs.xfs /dev/rhel/data
mkdir -p /data                     # Mount point must exist before mount -a
echo "/dev/rhel/data /data xfs defaults,nodev,nosuid 0 2" >> /etc/fstab
mount -a

# fstrim for SSDs
systemctl enable --now fstrim.timer
systemctl status fstrim.timer

Mount Options for Security

# /etc/fstab — recommended options per mount
/dev/rhel/tmp  /tmp   xfs  defaults,nodev,nosuid,noexec  0 0
/dev/rhel/home /home  xfs  defaults,nodev,nosuid          0 0
/dev/rhel/var  /var   xfs  defaults,nodev                 0 0
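
To check existing hosts against these options, the following added example (not part of the original page) parses fstab-format text and reports any required option that is missing, as well as required mount points that have no separate entry; the function name, variable names and sample fstab are constructed for illustration.

```bash
# Required options per mount point, taken from the fstab lines above.
REQUIRED_OPTS='/tmp=nodev,nosuid,noexec;/home=nodev,nosuid;/var=nodev'

# Reads fstab-format text on stdin, prints one finding per gap,
# and returns 1 if any required option or mount point is missing.
audit_fstab() {
  awk -v required="$REQUIRED_OPTS" '
    BEGIN {
      n = split(required, items, ";")
      for (i = 1; i <= n; i++) { split(items[i], kv, "="); need[kv[1]] = kv[2] }
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    ($2 in need) {
      seen[$2] = 1
      split("", have)                       # clear the option set for this line
      m = split($4, opts, ",")
      for (j = 1; j <= m; j++) have[opts[j]] = 1
      k = split(need[$2], want, ",")
      for (j = 1; j <= k; j++)
        if (!(want[j] in have)) { printf "%s: missing %s\n", $2, want[j]; bad = 1 }
    }
    END {
      for (mp in need)
        if (!(mp in seen)) { printf "%s: no separate mount in fstab\n", mp; bad = 1 }
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample fstab (not taken from a real host).
SAMPLE_FSTAB='# /etc/fstab
/dev/mapper/rhel-root  /      xfs  defaults               0 0
/dev/mapper/rhel-tmp   /tmp   xfs  defaults,nodev,nosuid  0 0
/dev/mapper/rhel-home  /home  xfs  defaults,nodev,nosuid  0 0'

audit_fstab < /dev/null > /dev/null || true   # an empty fstab fails every requirement
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "fstab deviates from baseline"
```

On a live host, run `audit_fstab < /etc/fstab`; this checks the configured options, so a filesystem remounted by hand with different options will not show up here.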

System Management Best Practices

DNF Package Management

# Essential DNF operations
dnf check-update                    # Check for available updates
dnf update -y                       # Apply all updates
dnf update --security -y            # Security updates only
dnf install package-name -y         # Install a package
dnf remove package-name -y          # Remove a package
dnf autoremove -y                   # Remove unused dependencies
dnf clean all                       # Clear cache

# History and rollback
dnf history
dnf history info <ID>
dnf history undo <ID>

# List installed packages
dnf list installed
rpm -qa | grep httpd                # Check specific package

# Verify package integrity
rpm -V httpd                        # Verify files match RPM database

Subscription Management

# Check subscription status
subscription-manager status
subscription-manager list --consumed

# Refresh entitlements
subscription-manager refresh

# Enable/disable repos
subscription-manager repos --list
subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
subscription-manager repos --disable rhel-8-for-x86_64-supplementary-rpms

Logging

# journald — primary structured logging
journalctl -xe                      # Recent errors with context
journalctl -u httpd --since today   # Service-specific logs
journalctl -p err -b                # Errors since last boot
journalctl --disk-usage             # Check journal size

# rsyslog — still active in RHEL 8 alongside journald
# Forward to remote syslog server:
# /etc/rsyslog.d/01-remote.conf
# *.* @10.10.100.60:514         # UDP
# *.* @@10.10.100.60:514        # TCP

systemctl restart rsyslog

Performance & Tuning

# tuned profiles
tuned-adm list
tuned-adm recommend
tuned-adm profile virtual-guest     # For VMs
tuned-adm profile throughput-performance  # For DB/batch

# Performance tools
dnf install -y sysstat              # iostat, mpstat, sar
dnf install -y perf                 # Kernel performance analysis

# I/O stats
iostat -xz 5
sar -u 5 10     # CPU — 10 samples at 5 second intervals
sar -r 5 10     # Memory
sar -d 5 10     # Disk

Container Best Practices (Podman 2.x/3.x)

Docker is not available in RHEL 8 — Podman is the supported alternative:

# Basic Podman usage
podman pull registry.access.redhat.com/ubi8/ubi:latest
podman images
podman run -it --rm ubi8/ubi:latest bash
podman ps -a

# Build an image
podman build -t myapp:1.0 -f Dockerfile .

# Run as a systemd service
podman run -d --name myapp -p 8080:8080 --restart=always myapp:1.0
podman generate systemd --name myapp --files --new
podman rm -f myapp                  # --new units create their own container; remove the hand-started one
cp container-myapp.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now container-myapp

# Rootless Podman setup
loginctl enable-linger myuser   # Allow user services to run without login

  • Use UBI8 (Universal Base Image) as base for all custom images — fully supported and redistributable
  • Store images in a private registry — do not rely on Docker Hub in production
  • Apply --security-opt label=disable only when troubleshooting SELinux — not for persistent use
  • Use podman network create for custom container networking rather than relying on default bridge

RHEL 8 → RHEL 9 Migration Considerations

If you're planning a migration path from RHEL 8 to RHEL 9, be aware of these breaking changes:

| Area | RHEL 8 | RHEL 9 |
| --- | --- | --- |
| Python | 3.6 default | 3.9 default |
| OpenSSL | 1.1.1 | 3.0 (API changes) |
| iptables | Available (deprecated) | Removed (nftables only) |
| ifcfg scripts | Deprecated | Removed |
| SHA-1 | Allowed (DEFAULT) | Deprecated (DEFAULT) |
| SSH root | Configurable | Disabled by default |
| Podman | 2.x / 3.x | 4.x |

Use Leapp for in-place RHEL 8 → RHEL 9 upgrades:

dnf install leapp-upgrade
leapp preupgrade    # Run assessment — fix all inhibitors before proceeding
leapp upgrade       # Perform the upgrade
reboot

Compliance & Auditing

# OpenSCAP compliance scanning
dnf install openscap-scanner scap-security-guide

# Run CIS benchmark scan
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/scan-results.xml \
  --report /tmp/scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# View report
firefox /tmp/scan-report.html

# auditd — system call auditing
systemctl enable --now auditd
auditctl -l                         # List active rules
ausearch -k logins -ts recent       # Search audit log by key
aureport --summary                  # Summary report

RHEL 8 support lifecycle: Full Support ended May 2024 · Maintenance Support until May 2029
⚠️ Plan migration to RHEL 9 before May 2029 — new deployments should use RHEL 9.