Web-based management interface, sessions recording. RHEL 8 part III

In the third part of this article, we will go through further improvements in the RHEL8 system, such as:

  • more efficient and secure graphic environment (GNOME and Wayland),
  • recording of administrative sessions (terminal session recording),
  • web-based management interface (Cockpit and its integration with Red Hat Satellite),
  • simplified support for advanced disk system functions,
  • better use of disk space in XFS.

A more efficient and secure graphic environment

In version 8 of the RHEL system we will find only the GNOME desktop environment, which by default runs on Wayland.

Wayland and X11 are display servers that run between the Linux kernel and a user interface such as GNOME or KDE. Red Hat has withdrawn its support for KDE in RHEL8. The new GNOME handles multiple workspaces and monitors better and more conveniently. Although the user does not see the difference, using the Wayland server significantly improves the security and speed of the environment.

Wayland can isolate every application, which was not possible with X11. As a result, one application cannot read characters typed into another application's window or capture the contents of that window. This significantly hinders malicious software, which until now had it far too easy with the X11 server.

Wayland works closer to the kernel and hardware level and is adapted only to Linux-based systems. Thanks to this, it can perform graphics processing faster and more efficiently. X11 aims to be independent of the system, hence it works on many platforms, such as Linux, BSD, Plan9 and Solaris.

X11 has been on the market much longer than Wayland, so some applications may still require a graphical environment based on it. The RHEL8 system provides this option (the display server can be selected during login), but over time it should be needed less and less.

Terminal session recording

In the new version of the RHEL system, it is possible to start recording terminal sessions for all or only selected users and groups.

For privacy reasons, recording of entered passwords is turned off by default. Sessions are logged in a text format (JSON), which makes them convenient to search. You can also play a session back like a movie and see step by step what the user is doing. While watching a recording, you can also select and copy the text that appears in it.

Recording administrative sessions can now be used for regulatory and control purposes. While the recordings can be searched and played directly from the CLI, there is also a convenient web interface through which we can access the recordings. It is built into the RHEL web management interface called Cockpit.
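Because a session's output is split across many JSON messages, a string of interest can straddle two records. The following added example (not from the original article or the tlog project) rebuilds each recording before searching it. The field names rec, user, id and out_txt follow the recorder's JSON message format as assumed here, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict

def load_recordings(lines):
    """Group messages by recording and rebuild each session's full output."""
    chunks = defaultdict(list)
    users = {}
    for line in lines:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise mixed into the log source
        if not isinstance(msg, dict) or "rec" not in msg:
            continue
        chunks[msg["rec"]].append((msg.get("id", 0), msg.get("out_txt", "")))
        users[msg["rec"]] = msg.get("user", "?")
    # Messages may be stored out of order; 'id' is the sequence number.
    return {rec: (users[rec], "".join(text for _, text in sorted(parts)))
            for rec, parts in chunks.items()}

def search(lines, pattern):
    """Return sorted (user, recording) pairs whose output matches pattern."""
    rx = re.compile(pattern)
    return sorted((user, rec)
                  for rec, (user, text) in load_recordings(lines).items()
                  if rx.search(text))

# Constructed sample: rec-1 is stored out of order and the path
# /etc/sudoers is split across its two messages.
SAMPLE = [json.dumps(m) for m in (
    {"rec": "rec-1", "user": "alice", "id": 2, "out_txt": "doers\r\n"},
    {"rec": "rec-1", "user": "alice", "id": 1, "out_txt": "$ vi /etc/su"},
    {"rec": "rec-2", "user": "bob", "id": 1, "out_txt": "$ ls /tmp\r\n"},
)] + ["Jan 01 00:00:00 host sshd[1]: not a session record"]

if __name__ == "__main__":
    print(search(SAMPLE, r"/etc/sudoers"))
```

A per-line grep over the same records would miss the match in rec-1, which is why the output is reassembled first.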

Web-based management interface

Cockpit is a web-based management interface in which, among other things, you can manage services, users, network interfaces, hard drives and a firewall. It also supports the above-mentioned playback of terminal session recordings. It has built-in diagnostic tools, reports and charts showing the load on the system.

By nature, Wayland focuses only on the local system. It does not support the so-called “SSH Forwarding”, which was often used with X11 for remote management via the graphical interface. In RHEL8, Cockpit should be used for this purpose.

The change also applies to virtual machine management, which in the RHEL8 system is also done via Cockpit. While virt-manager is still available in the new system, it is marked as “deprecated”, so we can expect it to disappear quite soon.

Finally, it is worth mentioning the ability to manage multiple servers in one Cockpit interface (local and remote management) and the integration of Cockpit with Red Hat Satellite. Thanks to this, from one place, directly from the Red Hat Satellite interface, you can easily go to the WebUI or CLI of any of your managed servers. This is smooth and very convenient thanks to SSO (Single Sign On) support.

Simplified support for advanced disk system functions

Linux-based systems offer a very large number of advanced disk system functions, but integrating them across multiple layers and then operating them is not easy. That’s why Red Hat introduced Stratis!

Stratis is a VMF (Volume-Managing Filesystem) whose task is to simplify the operation of the advanced disk functions that the Linux kernel provides.

Disk space pools created by Stratis can contain block devices as well as LVM volumes. XFS file systems are created from these pools. All data is in the shared pool, and the created file systems can grow dynamically and cyclically return unused space to the pool (fstrim). This is just a general outline. It is worth adding that file system snapshots are also supported.

Stratis is to become a tool that will allow us to configure encryption, multipathing, tiering, compression, deduplication and many other advanced disk system functions in an easy and consistent way.

More details about the operation and development of subsequent versions of Stratis can be found in Stratis Software Design¹.

Better use of XFS disk space

COW (Copy-on-Write) in XFS saves time and disk space during file cloning. It works well even with large virtual machine files. New disk space is consumed only during data modification.

While this function is similar to hard links, it is very different from them. Hard links share a single inode, so all of the metadata, such as permissions or owner, is necessarily the same. Also, any modification affects all “copies” created with a hard link.

COW creates a so-called reflink, in which each clone of the original file has its own inode, hence it can have different metadata. Changes made to one of the files do not modify its other clones. Only modified areas are copied and take up disk space. Areas that are the same between clones are on the disk only once. This is why we can call it a file snapshot.
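The difference between a hard link and a reflink clone can be checked directly. This is an added example, not code from the original article: it uses the Linux FICLONE ioctl to request a reflink and, as an assumption for portability, falls back to an ordinary copy on file systems without reflink support (the fallback saves no space but shows the same inode and metadata behaviour).

```python
import fcntl
import os
import shutil
import tempfile

FICLONE = 0x40049409  # Linux ioctl: make dst share src's data blocks (reflink)

def clone(src, dst):
    """Reflink src to dst; plain copy where the file system cannot reflink."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        try:
            fcntl.ioctl(d.fileno(), FICLONE, s.fileno())
            return "reflink"
        except OSError:
            shutil.copyfileobj(s, d)
            return "copy"

def compare_links():
    """Report what a hard link shares with the original and a clone does not."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, hard, cow = (os.path.join(tmp, n) for n in ("orig", "hard", "clone"))
        with open(orig, "w") as f:
            f.write("original data\n")
        os.link(orig, hard)            # second name for the same inode
        method = clone(orig, cow)      # new inode, shared data blocks if reflinked
        result = {
            "method": method,
            "hard_same_inode": os.stat(orig).st_ino == os.stat(hard).st_ino,
            "clone_same_inode": os.stat(orig).st_ino == os.stat(cow).st_ino,
        }
        # Metadata: chmod through the hard link changes the original too,
        # chmod on the clone affects only the clone.
        os.chmod(hard, 0o600)
        os.chmod(cow, 0o644)
        result["orig_mode"] = oct(os.stat(orig).st_mode & 0o777)
        # Data: writing to the clone leaves the original untouched.
        with open(cow, "a") as f:
            f.write("changed in clone\n")
        with open(orig) as f:
            result["orig_data"] = f.read()
        return result

if __name__ == "__main__":
    print(compare_links())
```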

Features available in RHEL7 and RHEL8

While we’re writing here about the new RHEL8 capabilities, we should not forget about everything that was supported in RHEL7 and will still be supported in RHEL8. It is not possible to mention everything, but the most interesting features definitely include:

  • VDO (Virtual Data Optimizer), which provides very large data reduction through the use of deduplication, compression and Zero-Block Elimination. More about VDO can be found on the Red Hat blog².
  • LUKS2 (Linux Unified Key Setup v2), which gives the ability to encrypt hard disk data.
  • NBDE (Network Bound Disk Encryption), which makes LUKS2 scalable and convenient to use on a large number of servers. Thanks to NBDE, each server can download the key needed to decrypt a hard drive from one server or from one of several servers working in an HA (High Availability) group. This means that we do not have to enter the password for each drive manually when the operating system starts. If a system secured in this way is removed and loses access to the key server, the only way to access its data is to enter the password manually.
  • IEEE 802.1AE (MACSec), which can provide encryption between the network card of the RHEL system and the device to which it is connected. The new Cisco Catalyst 9000 access switch models support IEEE 802.1AE (MACSec), hence network integration in this area should not be a problem.

More about what’s new in RHEL8 available in:

 


¹ https://stratis-storage.github.io/StratisSoftwareDesign.pdf
² https://www.redhat.com/en/blog/look-vdo-new-linux-compression-layer

Marcin Ślęczek
Senior Network Engineer