How to Migrate from CentOS: Ubuntu 22.04 & Anolis 8.6 Configuration Guide

Background

With CentOS being discontinued, operations teams are looking for replacements. Considerations include compatibility, licensing, and support for the full open‑source stack.

Compatibility with CentOS to avoid major differences.

Whether the new OS is part of the “Xinchuang” ecosystem and its licensing.

Support for the full set of open‑source tools, middleware, and databases.

CentOS 7.9 is no longer maintained; new features such as cgroups v2 and rootless containers are unavailable, so preparation for a new OS is required.

This article summarizes the major configuration differences between Ubuntu 22.04, Anolis 8.6, and CentOS 7.9.

Ubuntu 22.04

DNS Settings

https://learnubuntu.com/change-dns-server/

1. View current DNS configuration

In systemd 239, systemd-resolve has been renamed to resolvectl.

$ resolvectl status
Global (global configuration)
    Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub

Link 2 (enp1s0) (interface specific)
    Current Scopes: DNS
    Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 8.8.8.8
    DNS Servers: 8.8.8.8 8.4.4.8

2. Temporary DNS setting

# vim /etc/resolv.conf
nameserver 1.1.1.2
nameserver 1.0.0.2

3. Permanent DNS setting

Method 1 – simplest

Use resolvconf to set DNS permanently.

# apt install resolvconf

# vim /etc/resolvconf/resolv.conf.d/head
nameserver 1.1.1.2
nameserver 1.0.0.2

# resolvconf -u
# systemctl enable --now resolvconf.service

Note: After editing, run resolvconf -u to apply. The configuration appears in /etc/resolv.conf but is not shown by resolvectl status; use netplan apply to see it globally.

4. Non‑simple method

Edit the Netplan YAML file.

# vim /etc/netplan/xxx.yml
network:
  ethernets:
    enp1s0:
      dhcp4: true
      nameservers:
        addresses: [8.8.8.8, 8.4.4.8]
  version: 2

# netplan apply

Note: This config applies only to the enp1s0 interface; the DNS entries are not written to /etc/resolv.conf after netplan apply.

Time Synchronization

Ubuntu 22.04 uses timedatectl instead of ntpdate, and systemd-timesyncd replaces the client part of ntpd. timedatectl syncs at boot and after network activation; timesyncd syncs periodically and stores the last offset.

Difference: ntpd adjusts time gradually, while timesyncd jumps to the new time, which may affect services in production.

# vi /etc/systemd/timesyncd.conf
[Time]
# NTP=...
# FallbackNTP=ntp.ubuntu.com
# RootDistanceMaxSec=5
# PollIntervalMinSec=32
# PollIntervalMaxSec=2048

# timedatectl

Security Baseline

1. Password expiration

# vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 10

Password length is set via PAM modules.

2. Password complexity and retry limits

# apt install libpam-pwquality
# vim /etc/security/pwquality.conf
minlen = 8
dcredit = -1
lcredit = -1
ocredit = -1
ucredit = -1

# vim /etc/pam.d/common-password
password requisite pam_pwquality.so try_first_pass retry=3
password [success=1 default=ignore] pam_unix.so obsecure use_authtok yescrypt remember=5

3. Brute‑force protection

Replace removed pam_tally2 with pam_faillock.

# faillock is included in libpam-modules
# grep -v '#' /etc/security/faillock.conf
dir = /var/run/faillock
audit
silent
deny = 3
fail_interval = 900
unlock_time = 120

Configure in /etc/pam.d/common-auth and /etc/pam.d/common-account:

# vim /etc/pam.d/common-auth
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

# vim /etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_faillock.so

SELinux

Ubuntu 22.04 does not ship SELinux by default. To install and enable:

# apt update
# apt install policycoreutils selinux-utils selinux-basics
# selinux-activate
# selinux-config-enforcing   # then reboot
# setstatus   # shows status
# vim /etc/selinux/config
SELINUX=enforcing   # or SELINUX=disabled
# setenforce 0   # temporary disable
# setenforce 1   # enable

Firewall

Ubuntu uses ufw as the default firewall, which is disabled by default.

# apt install ufw
# ufw status verbose

Kernel Parameters

When tuning kernel parameters, note that tcp_tw_recycle was removed after kernel 4.10, tcp_tw_reuse remains usable, and changing TCP_TIMEWAIT_LEN is strongly discouraged.

Anolis 8.6

Although Anolis 8.6 is binary compatible with CentOS 7.9, its time‑synchronization mechanism differs.

Time Synchronization

Anolis no longer provides the ntp package; it uses chrony instead.

# vim /etc/chrony.conf
server 192.168.20.17 iburst

# systemctl restart chronyd.service
# chronyc tracking
# chronyc sources -v
# chronyc activity
# chronyc add server XXXX
# chronyc -a makestep

Summary

Ubuntu 22.04 and Anolis 8.6 are two of many possible replacements for CentOS 7.9; other options include Oracle Linux, OpenEuler, UnionTech UOS, Kylin, Galaxy Kylin, and Rocky Linux.