Linux Distribution Comparison — Primer
Why This Matters
Choosing the right Linux distribution for a workload is an infrastructure decision with 5-10 year consequences. Migrations are painful, expensive, and risky. Knowing the trade-offs upfront saves your team from firefighting later.
The Major Families
Red Hat Family
Fedora (upstream) → RHEL (enterprise) → CentOS Stream (midstream)
→ AlmaLinux / Rocky Linux (rebuilds)
| Distro | Use Case | Support | Release Cycle |
|---|---|---|---|
| RHEL | Enterprise servers, regulated | 10+ years (paid) | Major every ~3 years |
| CentOS Stream | RHEL preview, development | Community | Rolling (ahead of RHEL) |
| AlmaLinux | Free RHEL binary compat | Community + sponsors | Follows RHEL |
| Rocky Linux | Free RHEL binary compat | Community (CIQ) | Follows RHEL |
| Fedora | Bleeding edge, workstations | ~13 months per release | Every 6 months |
- Package manager: dnf (rpm)
- Init: systemd
- MAC: SELinux
- Firewall: firewalld
- Networking: NetworkManager (nmcli)
Debian Family
| Distro | Use Case | Support | Release Cycle |
|---|---|---|---|
| Debian Stable | Servers, stability-critical | ~5 years (LTS team extends) | Every ~2 years |
| Ubuntu LTS | Cloud, general servers | 5yr + 5yr ESM | Every 2 years (April) |
| Ubuntu interim | Developers, desktop | 9 months | Every 6 months |
- Package manager: apt (dpkg)
- Init: systemd
- MAC: AppArmor
- Firewall: ufw (or raw nftables)
- Networking: Netplan (Ubuntu), ifupdown or NM (Debian)
SUSE Family
| Distro | Use Case | Support | Release Cycle |
|---|---|---|---|
| SLES | Enterprise (esp. SAP, mainframe) | 10+ years (paid) | Major every ~3-4 years |
| openSUSE Leap | Free enterprise-compatible | Community | Follows SLE |
| openSUSE Tumbleweed | Rolling release | Community | Continuous |
- Package manager: zypper (rpm)
- Init: systemd
- MAC: AppArmor
- Firewall: firewalld
- Notable: YaST configuration tool, Btrfs with snapshots by default
Independent Distros
| Distro | Use Case | Key Feature |
|---|---|---|
| Arch Linux | Power users, custom builds | Rolling release, AUR, minimal base |
| Alpine Linux | Containers, embedded | Tiny (~5MB base), musl libc, apk |
| NixOS | Reproducible infra | Declarative config, atomic upgrades |
| Fedora CoreOS | Container hosts | Immutable, auto-updating, ignition |
| Flatcar | Container hosts | Immutable, successor to CoreOS |
Decision Matrix: Which Distro for What?
Enterprise Servers (Regulated, Long-Lived)
Best: RHEL or SLES
- Vendor support contracts (required for compliance)
- 10+ year lifecycle
- Certified hardware and software
- FIPS, Common Criteria, STIG compliance
Runner-up: Ubuntu LTS with Ubuntu Pro (ESM)
Cloud / General-Purpose Servers
Best: Ubuntu LTS
- Default AMI on AWS, most popular on GCP/Azure
- Widest third-party software support
- Strong cloud-init integration
- Large community, easy hiring
Runner-up: Debian Stable (if you want more control, less Canonical influence)
Container Base Images
Best: Alpine (size), Debian-slim (compatibility), Distroless (security)
- See the Container Base Images topic for a deep dive
Container Host OS
Best: Fedora CoreOS, Flatcar, Bottlerocket (AWS)
- Immutable, auto-updating, minimal attack surface
- Designed to run containers and nothing else
Runner-up: Ubuntu LTS minimal (if you need a general-purpose host)
Developer Workstations
Best: Fedora, Ubuntu, or Arch
- Fedora: latest packages, RHEL-like for work compat
- Ubuntu: widest app support, snap/flatpak
- Arch: maximum control, rolling release
CI/CD Runners
Best: Ubuntu LTS
- GitHub Actions default runner
- Widest tool support
- Predictable lifecycle
Embedded / IoT / Appliances
Best: Alpine, Buildroot, or Yocto
- Minimal footprint
- Fast boot times
- Reduced attack surface
Lifecycle Comparison
RHEL 9: 2022 ────────────────────────────────────── 2032 (Full) ── 2035 (ELS)
Ubuntu 22.04: 2022 ────────── 2027 (Standard) ──────── 2032 (ESM)
Debian 12: 2023 ────── 2026 (Regular) ── 2028 (LTS) ── 2033 (ELTS)
SLES 15: 2018 ────────────────────────────────────── 2031 (LTSS)
Fedora 40: 2024 ── 2025 (EOL after ~13 months)
Arch: Rolling ──────────────────────────────── (no EOL, you maintain it)
Alpine 3.20: 2024 ── 2026 (2 year support)
Key insight: Enterprise distros (RHEL, SLES, Ubuntu LTS) give 10+ years. Community distros (Fedora, Arch, Alpine) give 0-2 years. Plan your upgrade cadence accordingly.
Package Management Cross-Reference
| Operation | Debian/Ubuntu | RHEL/Fedora | SUSE | Alpine | Arch |
|---|---|---|---|---|---|
| Update index | apt update | dnf check-update | zypper refresh | apk update | pacman -Sy |
| Upgrade all | apt upgrade | dnf upgrade | zypper update | apk upgrade | pacman -Su |
| Install | apt install X | dnf install X | zypper install X | apk add X | pacman -S X |
| Remove | apt remove X | dnf remove X | zypper remove X | apk del X | pacman -R X |
| Search | apt search X | dnf search X | zypper search X | apk search X | pacman -Ss X |
| File owner | dpkg -S /path | rpm -qf /path | rpm -qf /path | apk info -W /path | pacman -Qo /path |
| List files | dpkg -L pkg | rpm -ql pkg | rpm -ql pkg | apk info -L pkg | pacman -Ql pkg |
| Show info | apt show pkg | dnf info pkg | zypper info pkg | apk info pkg | pacman -Si pkg |
| Clean cache | apt clean | dnf clean all | zypper clean | apk cache clean | pacman -Sc |
Networking Stack Comparison
| Aspect | RHEL/Fedora | Ubuntu | Debian | SUSE |
|---|---|---|---|---|
| Default tool | nmcli | netplan | ifupdown/NM | wicked/NM |
| Config location | /etc/NetworkManager/ | /etc/netplan/ | /etc/network/interfaces | /etc/sysconfig/network/ |
| VLAN support | nmcli | netplan vlans: | vlan-raw-device | wicked |
| Bonding | nmcli | netplan bonds: | ifenslave | wicked |
| Firewall | firewalld | ufw | nftables (manual) | firewalld |
| DNS resolver | systemd-resolved | systemd-resolved | /etc/resolv.conf | netconfig |
MAC (Mandatory Access Control) Comparison
| Aspect | SELinux (RHEL) | AppArmor (Ubuntu/Debian/SUSE) |
|---|---|---|
| Model | Label-based (on inodes) | Path-based (on filenames) |
| Coverage | All processes by default | Only profiled processes |
| Learning | setenforce 0 (system-wide) | aa-complain (per-profile) |
| File labeling | semanage fcontext + restorecon | Edit profile paths |
| Booleans | setsebool -P | Tunables in /etc/apparmor.d/tunables/ |
| Debugging | ausearch, audit2why, audit2allow | aa-logprof, journalctl |
| Complexity | High (steep learning curve) | Medium (easier to start) |
| Strength | Stronger (covers everything) | Good (covers what you profile) |
Provisioning Comparison
| Method | Distro Family | Format |
|---|---|---|
| Kickstart | RHEL/Fedora | Custom scripting format |
| Preseed | Debian/Ubuntu | debconf key=value |
| AutoYaST | SUSE | XML profiles |
| cloud-init | All (universal) | YAML cloud-config |
| Ignition | Fedora CoreOS, Flatcar | JSON |
| Packer | All | HCL (builds any distro image) |
Modern approach: Use cloud-init for cloud VMs (works everywhere) and Packer for building golden images. Use Kickstart or Preseed for bare-metal installs.
Mixed-Fleet Considerations
Running multiple distros in the same fleet:
Challenges
- Different package managers need different Ansible modules or conditionals
- Different MAC systems (SELinux vs AppArmor) need different hardening playbooks
- Different networking stacks (nmcli vs netplan) need different config management
- Security patching cadence and tools differ
- Monitoring agents may have different package names
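The MAC comparison and the challenges above come down to a per-host question: which family is this, and is that family's default MAC actually on? The script below is an added example, not part of the original page; the function names and the ROOT path prefix are assumptions for illustration, while `/etc/os-release`, `/sys/fs/selinux/enforce` and `/sys/module/apparmor/parameters/enabled` are the standard locations.

```shell
# Added example (not from the original page). ROOT is a hypothetical path
# prefix: pass "" on a live host, or a directory holding a constructed tree.

# Read one os-release field without sourcing it; keep only ID-safe characters.
osr_get() {  # osr_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -cd 'a-z0-9 ._-'
}

# Map ID, then ID_LIKE, onto the families used on this page.
distro_family() {  # distro_family ROOT
    f="$1/etc/os-release"
    [ -r "$f" ] || { echo unknown; return 0; }
    for id in $(osr_get "$f" ID) $(osr_get "$f" ID_LIKE); do
        case "$id" in
            debian|ubuntu)       echo debian; return 0 ;;
            rhel|fedora|centos)  echo redhat; return 0 ;;
            suse|sles|opensuse*) echo suse;   return 0 ;;
            alpine)              echo alpine; return 0 ;;
            arch)                echo arch;   return 0 ;;
        esac
    done
    echo unknown
}

# Report the MAC state the kernel exposes under /sys.
mac_state() {  # mac_state ROOT
    se="$1/sys/fs/selinux/enforce"
    aa="$1/sys/module/apparmor/parameters/enabled"
    if [ -r "$se" ]; then
        [ "$(cat "$se")" = 1 ] && echo selinux:enforcing || echo selinux:permissive
    elif [ -r "$aa" ] && [ "$(cat "$aa")" = Y ]; then
        echo apparmor:enabled
    else
        echo none
    fi
}

# Flag hosts whose MAC state differs from the family default in the MAC table.
audit_host() {  # audit_host ROOT
    fam=$(distro_family "$1"); mac=$(mac_state "$1"); want=""
    case "$fam" in
        redhat)      want=selinux:enforcing ;;
        debian|suse) want=apparmor:enabled ;;
    esac
    if [ -z "$want" ] || [ "$mac" = "$want" ]; then
        echo "OK $fam $mac"
    else
        echo "DRIFT $fam expected=$want actual=$mac"; return 1
    fi
}
```

On an offline image only `distro_family` is meaningful, because `/sys` is populated by the running kernel.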
Ansible Pattern for Mixed Fleets
```yaml
# The generic package module picks apt, dnf, zypper, etc. from gathered facts
- name: Install web server (multi-distro)
  ansible.builtin.package:
    name: "{{ webserver_package }}"
    state: present

# In group_vars/
# debian.yml:
#   webserver_package: nginx
#   firewall_cmd: ufw allow 'Nginx Full'
#
# redhat.yml:
#   webserver_package: nginx
#   firewall_cmd: firewall-cmd --add-service=http --permanent

# Or use ansible_os_family fact
# Note: the 'Nginx Full' ufw profile opens 80 and 443, while the firewalld
# task below opens only the http service (80)
- name: Configure firewall (Debian)
  community.general.ufw:
    rule: allow
    name: 'Nginx Full'
  when: ansible_os_family == "Debian"

- name: Configure firewall (RedHat)
  ansible.posix.firewalld:
    service: http
    permanent: true
    immediate: true
    state: enabled
  when: ansible_os_family == "RedHat"
```
Best Practice
Standardize on ONE distro family per environment role. Example:
- Servers: Ubuntu LTS (or RHEL if enterprise)
- Container hosts: Fedora CoreOS
- Container images: Alpine or Debian-slim
- CI runners: Ubuntu LTS
- Developer workstations: flexible (Fedora or Ubuntu)