What is the problem with using Fedora for servers?

Saurabh Barjatiya asked:

I have used Fedora for hosting servers a lot of times. I have never faced any problem. Still all the new users come and tell Fedora is not secure. We should use Ubuntu / CentOS or some other distribution but not Fedora. I never understand what is the problem with Fedora. What makes other distributions more secure.

Few points:
1. Fedora comes with iptables configured to allow only SSH. Plus we can always configure iptables to even block SSH if we want too. So no short coming on firewall.

  1. Fedora releases updates regularly (both security and general patches).

  2. People say distro X releases new version once in 5 years and Fedora once in 6 months. How come releasing once in 5 years makes things secure. IF you feel 5 year old things are secure install five year old OS or dont upgrade for 5 years even if new version comes. Personally I feel not giving new version for 5 years does not adds to security. You would have to release patches for 5 years as and when bugs get detected. So using very old OS just means more patches. If we use recently released version then we have to apply less updates / patches. How releasing once in 5 years makes things secure I have never understood.

  3. All OS uses similar packages like Gnome, Open-Office, KDE, Open-SSH, Apache. Do other distribution developers spend time reading source code of these packages and correcting security errors, if any? Even if they do wont they publish those flaws and all other distributions would release patches for it including Fedora. Or would they secure their own distributions and not bother to notify others. This all assuming they do read all millions of lines of codes of packages as big as apache, gcc, Open-Office. If this things are same in every distribution, what makes Fedora more vulnerable.

  4. Fedora comes with seLinux preinstalled and nicely configured.

  5. Bind runs in chroot by default in fedora. Now with Fedora 11 DNSSEC support is also present by default. See question DNS Server on Fedora 11 where some one pointed Fedora in not good for hosting DNS. I do not know why.

In fact one of the new admins installed Cent-OS 5.3 on one of the test machines. I used it to ping one IP which was not there. I got ping replies. I was astonished since it was not possible. I tried to find out the location from where replies are coming but failed. At end after trying for more than a hour, I removed network cable from CentOS machine. I was still able to ping the IP. Then I tried to ping IP address of the machine. I could ping that too. So I was able to ping two IPs (not others, I tried them too) when machine was configured with one IP and no aliases (eth0:1, etc.) were present. I checked ifconfig output too. I lost complete trust in so called server distributions and installed Fedora 11 on all test machines. Now I do not face such strange problems for things as basic as ping.

I would really appreciate if I could get real life examples which indicate Fedora is unsecure and if in that case it were any other distribution things would have been fine. Do not give examples were admin made mistakes. We cant blame a distribution for that. Also do not give very old Fedora 1, 2 or Fedora 3 examples. Fedora project is very mature now especially last two versions 10, 11. If you have faced security issues which are particular to only them, please share your experiences.

My answer:

I thought I didn’t have anything to add to this, but after having run Fedora in production for nearly two years – for my very important Zabbix monitoring system! – it seems I do have a couple of things to say.

First, it was not my first choice. Typically for anything even vaguely important I will choose CentOS/RHEL for the long-term stability benefits that these distributions provide. However, for this particular deployment I absolutely required features in Zabbix 2.0, while the EPEL repo only provided 1.8. (EPEL now has Zabbix 2.0 and 2.2 packages in addition to 1.8, though it did not at the time. If it had, I would never have tried this.)

So the tradeoff here is: Fedora has the latest software, but its releases are on a very short 13-month lifecycle, with new releases made about every six months. This means I had to plan for a maintenance window to upgrade Fedora twice a year, in addition to the usual periodic installation of updates.

For a monitoring system which is supposed to be keeping track of everything else, it’s vital that such maintenance periods be as infrequent and as short as possible. With the requirement to upgrade so frequently, this would usually rule out such a distribution, but remember that I had more pressing concerns; it would be useless without the features I needed. So this is a tradeoff I made with (nearly) full knowledge of the consequences.

Not long ago, I did the Fedora 18-19 upgrade on this server, using Fedora’s new fedup upgrade tool. I planned for a two-hour outage, with another two hours to possibly deal with any of the monitored services that might have died and that fact missed since Zabbix was down.

The actual service downtime was 11 minutes. That’s from the time Zabbix stopped before reboot to the time it was back up and monitoring services after the completed upgrade. I did not realize that the downtime would be so short! I was expecting much more trouble, even though I know from experience that significant upgrade problems are uncommon with Fedora. (And it’s been improved further: When I did the Fedora 19-20 upgrade, the complete downtime was an amazing six minutes. The same time for 20-21.)

This service will almost certainly be moved onto RHEL 7 when it becomes available. After this experience I’m much more confident in Fedora as a server and now intend to keep it, even with a major upgrade every six months. Moving off to RHEL would be much more disruptive, and might limit me in the future, because of the following:

It’s unfortunate that Red Hat has such a long time between major releases; a similar delay between EL5 and EL6 led me to actually put an Ubuntu installation into production, something I am still kicking myself over to this day. (For that system, I considered Fedora, but strangely it did not have the software I needed packaged at all at the time, despite an older version being in EPEL.)

One “problem” no one mentioned about running Fedora is that you will see many new things, both large software projects and tiny enhancements, well in advance of their inclusion in RHEL. So when you go to manage your RHEL/CentOS systems you will miss them. For example, Fedora has a large number of bash completions which aren’t yet in RHEL by default; one notable one is tab completion for package names in the yum command line.

So, it’s certainly possible to use Fedora in production, so long as you can accept the tradeoffs:

  • There are no support contracts. You must have in-house expertise sufficient to manage the server and its services and deal with any issues that may arise; only community support is available, and there are no guarantees there. RHEL experience helps, as they are quite similar.
  • You must have a maintenance window to upgrade at least annually. Though every six months is better; if you upgrade annually you will have to upgrade two releases at once, which doubles the number of potential issues you will have to deal with at 3 am.
  • Updates may bring new versions of software, which you will have to deal with; however these will be point releases and not major versions. In rare cases significant new functionality might be added (e.g. BZ#319901). Typically, though, software remains on the same version number throughout the life of the release, with fixes backported; only some packages (such as PHP) track upstream point releases.
  • While there’s no significant difference in the pace of security updates, they may not always be isolated from bugfix updates (again, such as PHP). Whether this is a problem depends on the service you are planning to run.

All things considered, Fedora is still not my first choice for a server platform, and probably never will be. (Though I’ve been a happy Fedora desktop user for its entire existence.) In the case where you absolutely need more current versions of software not available in a more “enterprisey” distribution, and you can accept the tradeoffs, then there is nothing wrong with using Fedora.

Finally, since you asked specifically about security, a few words on that.

As previously noted, there’s no real difference in the pace of security updates between Fedora and any other distribution. Fedora packagers make special efforts to stay close to upstream and get these sorts of updates out as quickly as possible, sometimes even before the upstream project does.

Like its enterprisey big brother, Fedora also ships with a fairly locked down security configuration: services (except ssh) ship off by default; the default-deny firewall is enabled by default for both IPv4 and IPv6; SELinux is enforcing by default. In addition, Fedora is hardened in a number of other ways.

On the other hand, you get to see new security technology very early; one example is the recent introduction of FirewallD, which still isn’t quite ready for prime time, though switching back to the previous firewall is easy.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.