Opvizor Blog

Reviving Legacy Systems and Solving CentOS 7 Challenges

Written by blog | Aug 14, 2024 9:33:42 AM

Despite advancements, some people continue using outdated operating systems. In the security industry, it's common to encounter clients who rely on legacy systems, making it essential to ensure software compatibility with these older environments. Recently, the need to test a Python script on CentOS 7 highlighted the challenges of working with discontinued systems.

Finding CentOS 7

Locating a CentOS 7 ISO should be straightforward, but with Red Hat discontinuing CentOS, official download links are no longer functional. Fortunately, an ISO was found on CentOS Buildlogs, allowing for the setup of a minimal CentOS 7 VM.

The Real Challenge

Once CentOS 7 is up and running, the task of installing Python 3 reveals more complex issues.

Missing Repositories

CentOS 7 is no longer supported, so the yum package manager cannot retrieve its mirror list: the site http://mirrorlist.centos.org is no longer available.

Although the required packages are still hosted at vault.centos.org, CentOS 7’s outdated SSL libraries are incompatible with the vault's TLS requirements, preventing a direct connection.

Setting Up a Reverse Proxy

To circumvent this issue, a reverse proxy was established using HAProxy on a separate machine to serve the packages over plain HTTP. The following HAProxy configuration was employed:

frontend centos-vault-front
  mode http
  bind *:8180
  default_backend centos-vault-back

backend centos-vault-back
  server vault vault.centos.org:443 ssl check verify none sni str(vault.centos.org)
  http-request set-header host vault.centos.org
  option tcp-check
  tcp-check connect

Key configuration points include:

  • verify none disables verification of the vault server's TLS certificate, so the proxy does not authenticate the upstream it connects to.
  • sni str(vault.centos.org) sets the correct hostname in the TLS handshake, which is necessary because the vault server hosts multiple sites on the same IP.
  • option tcp-check with tcp-check connect switches the health check to TCP, avoiding compatibility issues with the default HTTP check method.

Configuring YUM

With the proxy operational, yum was reconfigured on the CentOS 7 VM to utilize it. This required commenting out the mirrorlist and specifying the baseurl instead:

sed -i 's|^mirrorlist=|#mirrorlist=|' /etc/yum.repos.d/*.repo
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://192.168.100.1:8180|' /etc/yum.repos.d/*.repo

Note: The IP address 192.168.100.1 should be replaced with the actual IP of the HAProxy machine.
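
With packages now arriving over plain HTTP from a proxy that uses verify none, RPM signature checking (gpgcheck) is the integrity control remaining on the CentOS 7 side. The script below is an added example, not part of the original setup: it lists repo sections with an active http:// baseurl where gpgcheck is not explicitly enabled. The function names and the sample .repo content are constructed for illustration.

```bash
#!/bin/bash
# Added example: flag yum repo sections fetched over plain HTTP without
# explicit package signature checking. Names and sample data are constructed.

# audit_repos FILE... : prints "file:[section] gpgcheck=<value>" per finding
audit_repos() {
    awk '
    function report() {
        # "unset" inherits from [main] in /etc/yum.conf: listed for review.
        if (section != "" && plain_http && !(gpg ~ /^(1|yes|true)$/))
            printf "%s:[%s] gpgcheck=%s\n", file, section, gpg
    }
    FNR == 1 { report(); section = ""; file = FILENAME }
    /^[ \t]*[#;]/ { next }                       # skip commented-out lines
    /^[ \t]*\[.*\]/ {                            # new [section] header
        report()
        section = $0; gsub(/^[ \t]*\[|\].*$/, "", section)
        plain_http = 0; gpg = "unset"; next
    }
    /^[ \t]*baseurl[ \t]*=[ \t]*http:\/\// { plain_http = 1 }
    /^[ \t]*gpgcheck[ \t]*=/ {
        gpg = tolower($0); gsub(/^[^=]*=[ \t]*|[ \t\r]+$/, "", gpg)
    }
    END { report() }
    ' "$@"
}

# make_sample DIR : writes a constructed .repo file mirroring the page's setup
make_sample() {
    cat > "$1/sample.repo" <<'EOF'
[base]
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://192.168.100.1:8180/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
baseurl=http://192.168.100.1:8180/centos/$releasever/updates/$basearch/
gpgcheck=0

[extras]
baseurl=http://192.168.100.1:8180/centos/$releasever/extras/$basearch/
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_repos "$tmp"/*.repo
rm -rf "$tmp"
```

On the VM itself, call audit_repos /etc/yum.repos.d/*.repo after the sed edits; an empty result means every plain-HTTP repo has signature checking explicitly enabled.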

Upgrading Essential Packages

To ensure compatibility with secure web services, it's critical to upgrade ca-certificates, curl, openssl, and python. These updates address issues with outdated TLS protocols that would otherwise block access to many modern websites.

Conclusion

Navigating legacy systems like CentOS 7 can be challenging, but with the right strategies and tools, they can remain functional. The setup of a reverse proxy allowed continued access to essential packages, ensuring that software remains compatible across various environments.