How to Migrate from CentOS: Ubuntu 22.04 & Anolis 8.6 Configuration Guide

Background

With CentOS being discontinued, operations teams are looking for replacements. Considerations include compatibility, licensing, and support for the full open‑source stack.

Compatibility with CentOS to avoid major differences.

Whether the new OS is part of the “Xinchuang” ecosystem and its licensing.

Support for the full set of open‑source tools, middleware, and databases.

CentOS 7.9 is no longer maintained; new features such as cgroups v2 and rootless containers are unavailable, so preparation for a new OS is required.

This article summarizes the major configuration differences between Ubuntu 22.04, Anolis 8.6, and CentOS 7.9.

Ubuntu 22.04

DNS Settings

https://learnubuntu.com/change-dns-server/

1. View current DNS configuration

In systemd 239,

systemd-resolve

has been renamed to

resolvectl

.

<code>$ resolvectl status
Global (global configuration)
    Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub

Link 2 (enp1s0) (interface specific)
    Current Scopes: DNS
    Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 8.8.8.8
    DNS Servers: 8.8.8.8 8.4.4.8
</code>

2. Temporary DNS setting

<code># vim /etc/resolv.conf
nameserver 1.1.1.2
nameserver 1.0.0.2
</code>

3. Permanent DNS setting

Method 1 – simplest

Use

resolvconf

to set DNS permanently.

<code># apt install resolvconf

# vim /etc/resolvconf/resolv.conf.d/head
nameserver 1.1.1.2
nameserver 1.0.0.2

# resolvconf -u
# systemctl enable --now resolvconf.service
</code>

Note: After editing, run

resolvconf -u

to apply. The configuration appears in

/etc/resolv.conf

but is not shown by

resolvectl status

; use

netplan apply

to see it globally.

4. Non‑simple method

Edit the Netplan YAML file.

<code># vim /etc/netplan/xxx.yml
network:
  ethernets:
    enp1s0:
      dhcp4: true
      nameservers:
        addresses: [8.8.8.8, 8.4.4.8]
  version: 2

# netplan apply
</code>

Note: This config applies only to the

enp1s0

interface; the DNS entries are not written to

/etc/resolv.conf

after

netplan apply

.

Time Synchronization

Ubuntu 22.04 uses

timedatectl

instead of

ntpdate

, and

systemd-timesyncd

replaces the client part of

ntpd

.

timedatectl

syncs at boot and after network activation;

timesyncd

syncs periodically and stores the last offset.

Difference:

ntpd

adjusts time gradually, while

timesyncd

jumps to the new time, which may affect services in production.

<code># vi /etc/systemd/timesyncd.conf
[Time]
# NTP=...
# FallbackNTP=ntp.ubuntu.com
# RootDistanceMaxSec=5
# PollIntervalMinSec=32
# PollIntervalMaxSec=2048

# timedatectl
</code>

Security Baseline

1. Password expiration

<code># vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 10
</code>

Password length is set via PAM modules.

2. Password complexity and retry limits

<code># apt install libpam-pwquality
# vim /etc/security/pwquality.conf
minlen = 8
dcredit = -1
lcredit = -1
ocredit = -1
ucredit = -1

# vim /etc/pam.d/common-password
password requisite pam_pwquality.so try_first_pass retry=3
password [success=1 default=ignore] pam_unix.so obsecure use_authtok yescrypt remember=5
</code>

3. Brute‑force protection

Replace removed

pam_tally2

with

pam_faillock

.

<code># faillock is included in libpam-modules
# grep -v '#' /etc/security/faillock.conf
dir = /var/run/faillock
audit
silent
deny = 3
fail_interval = 900
unlock_time = 120
</code>

Configure in

/etc/pam.d/common-auth

and

/etc/pam.d/common-account

:

<code># vim /etc/pam.d/common-auth
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

# vim /etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_faillock.so
</code>

SELinux

Ubuntu 22.04 does not ship SELinux by default. To install and enable:

<code># apt update
# apt install policycoreutils selinux-utils selinux-basics
# selinux-activate
# selinux-config-enforcing   # then reboot
# setstatus   # shows status
# vim /etc/selinux/config
SELINUX=enforcing   # or SELINUX=disabled
# setenforce 0   # temporary disable
# setenforce 1   # enable
</code>

Firewall

Ubuntu uses

ufw

as the default firewall, which is disabled by default.

<code># apt install ufw
# ufw status verbose
</code>

Kernel Parameters

When tuning kernel parameters, note that

tcp_tw_recycle

was removed after kernel 4.10,

tcp_tw_reuse

remains usable, and changing

TCP_TIMEWAIT_LEN

is strongly discouraged.

Anolis 8.6

Although Anolis 8.6 is binary compatible with CentOS 7.9, its time‑synchronization mechanism differs.

Time Synchronization

Anolis no longer provides the

ntp

package; it uses

chrony

instead.

<code># vim /etc/chrony.conf
server 192.168.20.17 iburst

# systemctl restart chronyd.service
# chronyc tracking
# chronyc sources -v
# chronyc activity
# chronyc add server XXXX
# chronyc -a makestep
</code>

Summary

Ubuntu 22.04 and Anolis 8.6 are two of many possible replacements for CentOS 7.9; other options include Oracle Linux, OpenEuler, UnionTech UOS, Kylin, Galaxy Kylin, and Rocky Linux.