One Year after EOL: CentOS is Still a Force

June 26, 2025

Contributors

The CIQ Team

One year ago this month, CentOS 7 reached End of Life (EOL), and hundreds of thousands of deployments that used the beloved OS were left to decide how to continue.

CentOS was popular as a “free” and functionally equivalent alternative to Red Hat Enterprise Linux (RHEL) and was widely deployed as the OS for web servers, databases, and countless applications. For a while it was THE choice for anyone who needed a durable and low-maintenance server platform.

The EOL of CentOS 7 was announced by Red Hat in December of 2020 as they detailed a shift in the project's focus from CentOS Linux (the direct RHEL clone) to CentOS Stream, which is an upstream development platform for future RHEL releases.

Three and a half years later, on June 30, 2024, CentOS was officially EOL. Since then many have migrated to an alternative like Rocky Linux, but over 300,000 companies still use the OS and approximately 700,000 live websites still have it in production. However, continuing to use it without updates presents a significant risk to you and your business, as you could be exposed to serious security threats and instability.

Security Vulnerabilities and CentOS 7

With EOL, new vulnerabilities discovered in the Linux kernel, system libraries (like glibc and OpenSSL), or other bundled software packages that were part of CentOS 7 do not receive official patches from the project. So those still using CentOS are becoming an increasingly easy target for cybercriminals who actively exploit known weaknesses.

And while there might not be a single "biggest" CVE hitting CentOS 7 specifically after its EOL (as it won't be getting specific patches from the project to attribute them to), the fundamental and most significant vulnerability is the lack of ongoing official security support itself.

Over time, the stability of CentOS 7 will be a risk, as outdated packages and dependencies might create unexpected crashes and performance degradation. Without fixes, these concerns will only grow, and you’ll also miss out on new features, performance enhancements, and the essential hardware support found in current Linux distributions.

How to move on from the CentOS 7 EOL

There are a few options to choose from if you want to deal with EOL. You can do nothing, manually patch, get patches from a vendor, or migrate to another Linux distribution. Each has its benefits.

  • Do nothing

    The only positive with doing nothing is that you’ll avoid tasks and have time to focus on other things. However, your security and stability risk will exponentially increase over time.

  • Manually mitigate CVEs and apply updates

    While possible, you will need significant Linux expertise in both the kernel and the userspace to pull this off, so it is unlikely for most.

  • Buy time: Use CIQ Bridge

    Ultimately, migration will become a reality, but there is a way to “bridge” yourself to that future so you can prep or possibly sunset an application or server. It supports the default 3.10 kernel and mission-critical API/ABI compatible userspace packages and offers remediations for critical and important CVEs. With CIQ Bridge, we do all the work to evaluate CVEs and push the necessary patches so you can remain secure, stable, and operational.

  • Migrate to Rocky Linux

    As noted, a migration will eventually be necessary and Rocky Linux was created to be the target for a CentOS 7 migration. While you will still need to manage patches for CVEs, it is the logical choice and many have done so already. We are obviously fans and community members so we would love to have you join us.

  • Migrate to Rocky Linux from CIQ (RLC)

    The final option is to migrate to RLC. This will not only get you migrated to Rocky Linux, but will also give you options for a more secure version of the OS or for an optimized version for AI. Further, you get ongoing support for issues and your packages, and image delivery will be automated and secure. You can learn more about RLC here.

Unfortunately, the EOL decision put those who loved the OS in a precarious position, and at some point the options to mitigate the risk of running it will narrow to only two: sunset your application or migrate. If you are still using CentOS 7, it’s likely time for you to make a move.

Webinar: One Year After EOL: The State of CentOS

Monday June 30, 11am PT

Want to delve into the current state of CentOS? Join us for our upcoming webinar, "One Year After EOL: The State of CentOS," on Monday, June 30th. Join our hosts Gregory Kurtzer, Chris Short, and Jim Walker as they explore the enduring CentOS community, what EOL means for users, a walkthrough of CVEs since EOL, and your options for moving forward. Register here.
