Review: Red Hat Enterprise Linux 4
Linux 4 adds Logical Volume Manager 2 and directory support for better stability and performance. But poor documentation and complicated SELinux policy management could spell trouble.
• CFQ (Complete Fair Queue) Scheduler. Manages I/O requests and bandwidth on a per-process basis; good for workloads requiring low latency and high throughput.
• Deadline scheduler. Gives I/O requests a deadline by which they must be served; best for applications like databases that require frequent disk access.
• Anticipatory scheduler. Extends the deadline scheduler by adding heuristics that reorder I/O access and increase throughput.
• No-op scheduler. Schedules I/O requests without any algorithmic preference for one request over another; optimal for a virtualized environment that takes advantage of an existing scheduler.
RHEL 4 uses the Ext3 file system and has added enhancements surrounding file access and synchronization. Also included in this release is LVM2 (Logical Volume Manager 2), which lets you manipulate files systems. I tested this feature using the CLI (command-line interface) and found it effective and easy to use. For example, I used lvreduce within LVM2 to decrease the size of LogVol01 from 1.94 GB to 1.84 GB with a single command. Next, I used lvextend to bring it back to its original size.
A full suite of command-line tools lets you manipulate each logical volume in a volume group, which surely beats symbolically linking directories to alternate file systems when you run out of room. But beware: The tools can be dangerous. Indeed, they'll warn you that decreasing the size of a volume may result in data loss.
Tight Security
The inclusion of the NSA (National Security Agency)'s SELinux (Security Enhanced Linux) is a boon, even if its initial integration with Red Hat's management tools is minimal. SELinux uses a flexible and fine-grained MAC (Mandatory Access Control) architecture, called Flask, that can be built into the Linux kernel. SELinux doesn't modify or impose restrictions on the existing Linux user-ID scheme, but instead maintains separate attributes, thus enforcing control without affecting compatibility with the existing system.
You can manipulate the SELinux policy with regard to specific Internet services over the Gnome 2.8 desktop included with RHEL 4. Supported services in this release include DHCP, DNS, HTTP, MySQL, NIS, NTP, Postgres, SNMP, Squid and Syslog. The GUI for the SELinux policy allows for minimal configuration of the policy regarding capabilities of each service, including settings, such as limiting file access and execution by the HTTP daemon, and allowing or disallowing master zone transfers through DNS.
Good • Easy integration with Active Directory servers• Supports 32- and 64-bit x86 architectures• Integration with SELinux provides fine-grained RBAC for services and files• Supports PCI Express Bad • SELinux policies are cumbersome to create• Difficult to manage some of the new features, such as SELinux and LVM2 Red Hat Enterprise Linux 4, starts at $179. Red Hat, (888) 733-4281, (919) 754-3700. www.redhat.com |
If you're brave, you can create SELinux policies manually using the included command-line tools. I poked around in the policy directories and read up on the language used, but decided that the complexity of the job was far beyond the scope of this review.
Policy Based Access ControlClick to Enlarge |
I hope Red Hat will improve RHEL's integration and management of SELinux and LVM2, perhaps through a more intuitive GUI. Although the inclusion of both LVM2 and SELinux is a step forward, the tools might be complicated for folks to use to their advantage. On the upside, I found the detailed logs hella-cool; they'll come in handy when it comes to compliance-based initiatives.
Authentication Control
Another advance in RHEL 4 is the upgrade to Samba 3.0 and easy integration with Active Directory (AD). Using the GUI, I selected Winbind as an authentication mechanism. A dialog box let me specify the use of an ADS or domain model; I chose the former. I configured Winbind to use our NWC Inc. AD 2000 server, then provided the proper credentials to let the system access AD. Next, I logged out and logged back in as an AD user who did not yet exist on the RHEL 4 system.
The Winbind support alone is reason enough to upgrade to RHEL 4. What's more, you get a wealth of productivity applications, including the first appearance of Mozilla Firefox and Thunderbird, as well as the standard Citrix, RDP and Terminal Service client options. The move to SELinux to provide fine-grained control over file and service access is positive, though it's difficult for the uninitiated to use. All in all, RHEL 4 is a step in the right direction.
Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].
About the Author
You May Also Like