RHEL/CentOS, Debian, Fedora, Ubuntu & FreeBSD Comparison

Over the years I’ve used a number of Linux distributions (and FreeBSD); these are my top 5 and how I rank them:

[Image: score chart for CentOS, Debian, Fedora, Ubuntu and FreeBSD]

Desktop

I’m not a big fan of Ubuntu’s Unity, so Ubuntu-Gnome, Kubuntu, Debian and Fedora are my top distros for desktop choices. If you want the latest Gnome features Fedora gets them first. For KDE I think Kubuntu does a great job at reasonable default settings (like say, having the Start button open the KDE menu, why is it KDE programmers think that shouldn’t be default behavior?) where I have to do quite a bit more tweaking on other distros. Ubuntu-Gnome also provides an optional PPA which tracks the latest version of Gnome bringing it almost as up to date as Fedora is.

Ugly fonts – for some reason, on FreeBSD, Fedora, CentOS, and Debian the fonts look ugly… I don’t know if they can’t detect my video card properly or if there’s something wrong with the fonts themselves but on every system I’ve tried the fonts look much better on Ubuntu based distributions.

If you’re interested in FreeBSD for a desktop, PC-BSD is worth a look, but in my experience Linux runs a lot better on the desktop than FreeBSD.

Server

FreeBSD is historically my favorite server OS, but they tend to lag behind on some things and I have trouble getting some software working on it so for the most part I use Ubuntu for servers as it seems to have the best out of the box setup.  90% of the time I’m deploying in virtual environments and open-vm-tools is now enabled by default in 16.04.

With perhaps the exception of Fedora all the distros make decent servers.

Packages

All the package management systems are pretty decent, I do prefer apt just because I never have any problems with it and it’s faster.  Debian and Ubuntu have the most packages available, and Ubuntu has PPA support which makes it easy to manage 3rd party repositories.

One thing I don’t like about Debian: while it does have a lot of packages, a lot of them are out of date. A few months ago I tried to install Redmine from the repository and even though the repository had it at version 3.0 the actual version that was installed was 2.6. Someone needs to do some clean up.

CentOS hardly offers any packages so you have to enable the EPEL just to make it functional and even then it’s limited.   My main issue with CentOS is it seems if you want to do anything other than a very basic install you’re dealing with not finding packages (like rdiff-backup, why isn’t that in the repos?) or needing packages from conflicting repositories and sometimes having to download them manually.  It’s a nightmare.

One other thing I like about apt is the philosophy of Debian and Ubuntu of setting up some sensible default configurations and enabling the service. After installing packages on Fedora, CentOS, or FreeBSD I’m often left manually creating configuration files. CentOS is the most annoying–maybe it’s just me but if I install a service I want SELinux to not block me from running that service… and when I make a change in SELinux it should take effect immediately instead of arbitrarily taking a few minutes to come to its senses.

Free Software

Richard Stallman
By – Thesupermat – CC BY-SA 3.0

While Richard Stallman wouldn’t endorse any of the distributions I’m comparing, if he had to choose from these Debian would likely be his choice.

All the OSes include or provide ways of obtaining non-free software, but Debian is at the forefront of making it a goal to move to Free Software. Fortunately I think they do this in a smart way where they’re still including ways to install non-free drivers so you can at least make a system usable. I think Debian does the best job of making it clear what’s free and what isn’t, and allowing the user to make the choice.

 

Evilness

I used to be a big RedHat fan back in the RH 6 and 7 days. Then one day my loyalty was rewarded when out of the blue RedHat decided to start charging for updates for their “Free” OS… RedHat’s new free alternative was Fedora which was so unstable it was unusable. I was suddenly going to need to buy lots of licenses… this left me scrambling for a solution and I eventually switched over to Ubuntu. Since then I’m wary about anything related to RedHat. CentOS is now the free version of RedHat while Fedora is where all the new features are available and it’s not so unstable these days. And, yes, RedHat, I’m still bitter.

Ubuntu introduced Amazon ad supported searches and, even worse, was by default sending search keywords from the Unity lens to Canonical. I’d consider this an invasion of privacy and really the first time I started looking for Ubuntu alternatives after I switched from RedHat. Fortunately the feature was easy to disable, and Ubuntu has since disabled it.

Out of Box Hardware Support

Ubuntu has the best out of box hardware support. Dell’s XPS 13 even comes in a developer edition that ships with Ubuntu 14.04 LTS. It works out of the box on just about every laptop I’ve tried it on. Also it was the first distro to support VMware’s VMXNET3 and SCSI Paravirtual driver in the default install and now I believe it’s the only distro that has open-vm-tools pre-installed. All this cuts down on the amount of time and effort it takes to deploy.

I wish Debian did better here. Debian excludes some non-free drivers which is good for the FSF philosophy but it also means I had no WiFi on a fresh Debian install. Apparently you’re supposed to download the drivers separately. This is particularly bad when your laptop doesn’t have an Ethernet port so you have no way to download the WiFi drivers. I suppose I could have re-installed Ubuntu, then downloaded the Debian WiFi drivers, saved them off to a USB drive, re-installed Debian and side-loaded the WiFi drivers… but what a hassle.

Automatic Security Updates

Ubuntu and Debian give the option of enabling automatic security updates at install time.  The other systems have ways of enabling automatic updates but there isn’t an option to enable it by default at install time.  My opinion is all operating systems should automatically install security updates by default.

Init System

FreeBSD avoids the nonsense for the win here. I do not like systemd. I’d rather spend time not fighting systemd. Maybe I can figure it out someday. Why didn’t we all switch to upstart? I liked upstart.

Cutting Edge vs Stability

For cutting edge, Fedora or Ubuntu standard (every 6 months) releases keep you up to date, great for wanting to stay cutting edge on a Desktop Environment.

FreeBSD is the most stable OS I’ve ever used. If I was told I was building a solution that would still be around in 30 years I’d probably choose FreeBSD. Changes to the base system are rare and well thought out. If you wrote a program or script on FreeBSD 10 years ago it would probably still work today on the latest version. In the Linux world, Debian stable, Ubuntu’s LTS (after the first point release) and CentOS (also after the first point release) are great options.

Ubuntu provides the best of both worlds, getting cutting edge with LTS releases, which I find very beneficial for having a stable environment but still having relevant development tools and up to date server environments. If you need something newer you have PPAs, but most of the time the standard packages are new enough. Right now for example Ubuntu 16.04 LTS is the only distribution that ships with a version of OpenSSL and NGINX that supports an http/2 implementation that works with Google Chrome. To top it off both OpenSSL and NGINX packages fall under Ubuntu’s 5-year support. You don’t have to add 3rd party repos or solve dependency issues. Just one command: “apt install nginx” and you’re good for 5 years.

Ubuntu 16.04 LTS is the only distro that supports http/2

(above screenshot from: https://www.nginx.com/blog/supporting-http2-google-chrome-users/)

Upgrading

FreeBSD is the best OS I’ve ever used at upgrading to a newer release. You could probably start at FreeBSD 4, and upgrade all the way to 11 and have no issues. Debian and Ubuntu also have pretty good upgrade support… in all cases I test upgrading before doing it on a production system.

Long Term Support (LTS)

CentOS has the longest support offering at 10-years! Combined with the EPEL repository (which also has the same goal) I’d say RedHat/CentOS is the best distribution for a “deploy and forget” application that gets thrown in /opt if you don’t want to worry about changes or upgrades breaking the app for the next 10-years. This is probably why enterprise applications like this distribution.

Debian is just starting a 5-year LTS program through a volunteer effort.  I’m looking forward to seeing how this goes.  I’m glad to see this change as lack of LTS was one of the main reasons I decided on Ubuntu over Debian.

Ubuntu offers 5-year LTS.  Ubuntu’s LTS not only covers the base system but also the Ubuntu team supports many packages (use “apt-cache show packagename”) and if you see 5y you’re good.

Predictable Release Cadence

[Image: Ubuntu desktop release chart]

Ubuntu has the most predictable release cadence.  They release every 6 months with a 5-year LTS release every 2-years.  Having been a sysadmin and a developer I like knowing exactly how long systems are supported.  I plan out development, deployments, and upgrades years in advance based on Ubuntu’s release cadence.

My Thoughts

When I was younger it was fun to build my entire system from scratch using Gentoo and compile FreeBSD packages from ports (I also compiled the kernel).  Linux wasn’t as easy back then.  I remember just trying to get my scroll wheel working in RedHat 7.

Screenshot of how to get the scroll wheel working
I found this old note.  I finally got the scroll wheel working in RedHat 7.1!

Linux distributions are tools.  At some point you have to stop trying to build the perfect hammer and start using it to put nails in things.

Nowadays I don’t have time to compile from scratch, solve RPM dependency issues, or find out why packages aren’t the right version. In the year 2000 I could understand having to fix ugly font issues and messing around with wifi-drivers. But we should be beyond that now. That was the past.

Calvin and Hobbes Comic Strip
By Bill Watterson, 1995-08-27, Fair Use – 17 U.S.C. § 107

Onward

Ben wearing RedHat
I used to wear the official RedHat Fedora

Fonts, automatic updates, scroll wheel, touchpad, bluetooth, wifi, printers, and hardware in general should be working out of the box by now–if it isn’t I’m not going to put a lot of effort into getting the distro working.  It’s time to move forward and focus work on things beyond the distribution–while I love all sorts of distros, I don’t want to be like Calvin fighting the computer the whole way.  I actually do work on them and need something stable and up to date out of the box with sane default settings.  Having predictable release cycles also helps.  If I could combine the philosophy of Debian with the few extras that Ubuntu provides I’d have the perfect distro.  But for the time being Ubuntu is close enough to what I want–I’ve been using it probably since 5.04 (Hoary Hedgehog) and standardized on it when they started doing LTS releases.  That doesn’t mean it’s for everyone, not everyone likes it, some people prefer the more vanilla feel from Debian, others might want something easier like Mint.  If you prefer CentOS, Fedora, Arch, etc. and they work well for you, use them.

Actually I don’t use Ubuntu for everything.  For my production environment I’ve standardized on Windows 10 for desktops, ESXi for virtualization, FreeNAS for storage, pfSense for firewalls, and Ubuntu for servers.  Honestly, none of the above systems were my first choice… but I’m at where I am because my first choices let me down.  It will likely evolve in the future, but for the time being that’s my setup and it works pretty well.

The great thing about modern day Linux distributions (and FreeBSD) is they’re all pretty good.  I haven’t had to hack an Xorg file to get the scroll wheel working in a long time.

 

 

Free SSL Certificates from StartCom

Here’s a quick tutorial on how to obtain and set up a certificate from StartCom.


StartCom offers free personal certificates. These aren’t the fake certs where you have to set up your own CA and it only works when people have your CA cert installed. These are real certs that work out of the box in just about every OS / browser I’ve tried (OSX, XP SP3 to Windows 8, IE, Firefox, Safari, Chrome, iOS, Android, Windows 8 Phone, etc.).

Validate Your Ownership of the Domain

1. Select Domain Name Validation


2. Enter the domain name you want to validate.


3. Select an address you can receive email at; the final address comes from your whois record, which should be the domain owner’s email address. StartCom will send you a validation code; once entered, you have verified domain ownership and can create certificates for 30 days.


4. Generate Certificate Request. SSH into your server and create a new key and CSR. It is extremely important that the “Common Name” be your fully qualified domain name. StartCom won’t let you enter a naked domain (e.g. b3n.org) here; you must enter a sub-domain (such as www.b3n.org); in the example below I used reader. The cert will also be good for your naked domain.

[Screenshot: generating the key and CSR]

Skip the generate cert option (since you’ve already generated it) and paste the contents of the CSR file you created into the certificate request form.


5. Here you select the domain the certificate will fall under, then the subdomain for your certificate (must be the same as your certificate request).


6. StartCom will give you your certificate, paste it into a .crt file.  Also BE SURE to download the intermediate and root certs.


7. Now you have an SSL Certificate (.crt) and Key (.key)


8. Configure Apache2. …this goes below the directory directive in your site config (e.g. /etc/apache2/sites-available/reader.gondolin.us). Be sure to reference your certificate and key as well as StartCom’s root certificate and chain (this will help out older browsers). Note that the certificate can be used for just about any purpose, including IMAP, SMTPS, Mumble server, etc.
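
Steps 4 through 8 as shell functions, added here as an example and not the commands from the original screenshots: `make_csr` creates the key and a CSR whose Common Name is the FQDN, and `check_issued_cert` confirms, before Apache is pointed at the files, that the issued certificate carries the same public key as your private key and chains to the CA root through the intermediate. The function names, the 2048-bit RSA key size and every file name are assumptions.

```shell
#!/bin/sh
# Added example; function names, key size and file names are assumptions.

# Step 4: create a private key (readable by its owner only) and a CSR
# whose Common Name is the fully qualified host name.
make_csr() {  # usage: make_csr <fqdn> <outdir>
    fqdn=$1; dir=$2
    ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$dir/$fqdn.key" \
        -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
}

# SHA-256 of the public key held in a private key, a CSR or a certificate.
# Equal hashes mean the files belong to the same key pair.
pubkey_hash() {  # usage: pubkey_hash key|csr|crt <file>
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Steps 6-8: the certificate must match the private key and must verify
# against the CA root with the intermediate supplied as an untrusted helper.
check_issued_cert() {  # usage: check_issued_cert <key> <crt> <intermediate> <root>
    if [ "$(pubkey_hash key "$1")" != "$(pubkey_hash crt "$2")" ]; then
        echo "certificate does not match private key"; return 1
    fi
    if ! openssl verify -CAfile "$4" -untrusted "$3" "$2" >/dev/null 2>&1; then
        echo "certificate does not chain to the root"; return 1
    fi
    echo ok
}
```

Run `make_csr reader.example.org .` (a placeholder host name) and paste the resulting `.csr` into the request form; once the certificate and the CA files are saved, `check_issued_cert` prints `ok` or the reason the files should not be deployed.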

 

403 Forbidden on Ubuntu LAMP

Over the last few days some of you noticed a 403 forbidden error from time to time. So I’d log in, check the Apache error logs and see this entry “(13)Permission denied: /home/benjamin/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable.” Well the permissions were set, I had the executable +x bit for www-data set on all the parent folders. I would log in and restart apache2 or chmod 755 my /home/benjamin directory again and it seemed to work for a while…

This morning I saw the 403 error again. I log in, refresh the page and it works. So it appears to be an intermittent issue… wait a minute! It starts working when I log in! I log out, and the 403 error is back. Log in again, and it’s back to normal. Turns out I enabled home directory encryption on my account! I moved my WordPress folder to a location outside my home directory and now all should be good.
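
A check for the cause found above, added as an example and not part of the original post: it reports whether a web root sits in a home directory that is an eCryptfs mount right now (owner logged in) or has an encrypted store that is only mounted at login (owner logged out). It assumes Ubuntu's encrypted-home layout, with the store under `/home/.ecryptfs/<user>/.Private`; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Filesystem type backing <path>: the longest matching mount point in a
# /proc/mounts-style table (later entries win on ties).
fs_type_for_path() {  # usage: fs_type_for_path <path> [mounts-file]
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); type = $3 } }
        END { print type }
    ' "${2:-/proc/mounts}"
}

# Succeeds when <path> is inside a home directory that is an eCryptfs
# mount right now ("mounted") or has an encrypted store that is mounted
# only while the owner is logged in ("unmounted").
on_encrypted_home() {  # usage: on_encrypted_home <path> [mounts-file] [store-dir]
    path=$1; mounts=${2:-/proc/mounts}; store=${3:-/home/.ecryptfs}
    if [ "$(fs_type_for_path "$path" "$mounts")" = ecryptfs ]; then
        echo mounted; return 0
    fi
    case $path in
        /home/*)
            user=${path#/home/}; user=${user%%/*}
            # Assumed layout: the ciphertext lives in <store>/<user>/.Private
            if [ -d "$store/$user/.Private" ]; then
                echo unmounted; return 0
            fi ;;
    esac
    return 1
}

# Constructed sample of /proc/mounts while the owner is logged in.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/home/.ecryptfs/benjamin/.Private /home/benjamin ecryptfs rw,nosuid,nodev 0 0
EOF
}
```

On a live system, `on_encrypted_home /home/benjamin/wordpress` with no further arguments reads `/proc/mounts` and `/home/.ecryptfs` directly; either answer means the web server loses access whenever the owner's session ends.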