Mar 23, 2011

At the supercomputing site I work at, we have been using Red Hat Enterprise Linux on our compute nodes. But now the subscription to updates has expired, and it is extremely difficult to figure out how to renew the subscription. It is not clear which “flavor” of RHEL we need, and the fact that we started with RHEL 4, and RHEL 6 is current, only complicates matters. Pricing information I can find suggests this is going to be pretty expensive – assuming we can ever find out how to order a new subscription! Mind you, we are not against paying something to Red Hat. We very much depend on their product and want to see them remain in business!

Meanwhile, not updating our systems is not an option. Our users need to be able to SSH into our landing pads and submit their own programs as jobs to run on the compute nodes. So we cannot tolerate even vulnerabilities that can only be exploited by local users – our users are local.

So what else can we use? On many other systems I have managed, I have used the excellent CentOS distribution, a rebuild from RHEL source RPMs. The CentOS developers expend a great deal of effort making sure their rebuilt RPMs are binary-compatible with the corresponding RPMs in RHEL. CentOS is free, and there is only one “flavor” of CentOS. Moreover, CentOS offers the CentOS Extras repository, which provides useful additional packages such as DRBD. I have encouraged many others with limited budgets to choose CentOS instead of RHEL.

However, this absolute binary compatibility comes at the price of timeliness. It has been several months since Red Hat released RHEL 5.6, and at the time of this writing, we are still waiting for CentOS 5.6. Meanwhile, there are no errata, including security errata, being published for CentOS 5. The CentOS developers do promise that fixes for any remotely exploitable vulnerabilities will be published quickly, but as I noted, we need protection from even locally exploitable bugs. More disturbing is that there is no information from the developers. Offers to provide help are met with hostility. So while we have been happy with CentOS on our servers, it is increasingly obvious we need a different solution for our compute nodes and our landing pads. Given the ugly state of the CentOS community, we might want some other solution even for our servers.

Happily, there is an alternative in Scientific Linux. This is a Linux distribution produced by several scientific laboratories, including Fermilab and CERN, and is another rebuild of Red Hat Enterprise Linux, with some additional or changed packages. While binary compatibility with Red Hat is not as stringent as with CentOS, it is still very close. There is still no SL 5.6 release either, but we do see that security errata are published very quickly, including defenses for local exploits.

We are now testing compute node and landing pad images built with Scientific Linux. If our testing is successful, we may well put these images into production. As for our servers, that remains to be seen. Servers running CentOS will probably remain using CentOS for the long term.

