AlmaLinux 2026: The Complete Guide to Enterprise Linux Without the Enterprise Price Tag

When Red Hat announced the end of CentOS Linux in December 2020, the enterprise Linux world faced a crisis. Thousands of organizations running CentOS needed a replacement - fast. AlmaLinux OS emerged as the answer: a free, community-governed, 1:1 binary-compatible replacement for RHEL that launched in March 2021 and quickly became the most popular CentOS successor.

Today, AlmaLinux powers servers at CERN, the European Space Agency, and thousands of enterprises worldwide. Backed by CloudLinux Inc. with over $1 million in annual funding and governed by a non-profit foundation, it delivers enterprise-grade stability without the enterprise price tag.

This guide covers everything you need to know about AlmaLinux - from initial installation to production-ready server hardening - organized into 15 practical sections that you can reference daily.

1. Why AlmaLinux? Understanding the Landscape

Before diving into technical details, it is important to understand why AlmaLinux exists and how it compares to alternatives.

The CentOS Shift

CentOS Linux was the go-to free enterprise Linux for nearly two decades. When Red Hat converted it to CentOS Stream (a rolling-release upstream of RHEL rather than a downstream rebuild), the community needed alternatives that maintained the traditional model: take RHEL source code, remove branding, rebuild, and distribute freely.

AlmaLinux vs Rocky Linux vs CentOS Stream

All three serve different purposes:

  • AlmaLinux - 1:1 binary-compatible with RHEL. Non-profit foundation governance. First to market (March 2021). Backed by CloudLinux.
  • Rocky Linux - Also 1:1 RHEL-compatible. Founded by CentOS co-founder Gregory Kurtzer. Non-profit CIQ backing.
  • CentOS Stream - Rolling release that sits upstream of RHEL. Gets packages before RHEL, not after. Best for RHEL development/testing.

AlmaLinux stands out for its rapid release cadence (typically first to release point updates after RHEL), comprehensive cloud images on all major providers, and the AlmaLinux Migration Tool that converts existing CentOS, RHEL, Rocky, or Oracle Linux installations in-place.

2. Installation and First Boot

AlmaLinux supports multiple installation methods to fit any environment:

Installation Methods

  • ISO Install - Download the DVD (full offline), Boot (network install), or Minimal ISO from almalinux.org
  • Cloud Images - Pre-built images on AWS Marketplace, Azure Gallery, Google Cloud Platform, and Oracle Cloud
  • Containers - Official Docker/Podman images: docker pull almalinux:9
  • Kickstart - Automated unattended installations for provisioning server fleets
  • Migration - Convert existing systems in-place with the almalinux-deploy tool

Post-Installation Essentials

After installation, these are your first commands:

dnf update -y                                    # Update all packages
hostnamectl set-hostname server01.example.com     # Set hostname
timedatectl set-timezone Europe/Budapest          # Set timezone
timedatectl set-ntp true                          # Enable NTP sync
dnf install -y epel-release                       # Enable EPEL repo
dnf install -y vim wget curl htop tar git         # Install essentials
useradd -m -s /bin/bash admin                     # Create admin user
usermod -aG wheel admin                           # Add to sudo group
systemctl enable --now cockpit.socket             # Enable web management

Cockpit provides a web-based management interface on port 9090 that lets you manage the server through a browser - perfect for those transitioning from GUI-based administration.

3. Package Management with DNF

DNF (Dandified YUM) is the default package manager on AlmaLinux. It handles dependency resolution, repository management, and transactional operations.

Essential DNF Commands

dnf search nginx                  # Search for packages
dnf info nginx                    # Show package details
dnf install nginx -y              # Install a package
dnf remove nginx -y               # Remove a package
dnf update -y                     # Update all packages
dnf list installed                # List installed packages
dnf provides /usr/bin/dig         # Find which package provides a file
dnf history                       # View transaction history
dnf history undo 15               # Undo a specific transaction
dnf autoremove                    # Remove unused dependencies
dnf group install "Development Tools"  # Install package groups

AppStream Modules

One of AlmaLinux's most powerful features is AppStream modules, which allow multiple versions of software to coexist in the same repository. Need PHP 8.2 instead of the default version? Just switch the stream:

dnf module list php               # Show available PHP streams
dnf module enable php:8.2         # Enable PHP 8.2
dnf module install php:8.2        # Install PHP 8.2 with default profile
dnf module reset php              # Reset to switch streams later

This is invaluable for running specific application versions without third-party repositories.

Repository Management

Two repositories you will almost certainly need:

  • EPEL (Extra Packages for Enterprise Linux) - Adds 5000+ packages not in base AlmaLinux: dnf install epel-release
  • CRB (CodeReady Builder) - Development headers and libraries: dnf config-manager --set-enabled crb

4. Systemd Service Management

Every service on AlmaLinux is managed through systemd. Understanding systemctl and journalctl is fundamental to Linux administration.

systemctl Essentials

systemctl start nginx             # Start a service
systemctl stop nginx              # Stop a service
systemctl restart nginx           # Restart a service
systemctl reload nginx            # Reload config without restart
systemctl enable --now nginx      # Enable at boot AND start now
systemctl status nginx            # Show status and recent logs
systemctl list-units --failed     # List failed services
systemctl mask nginx              # Completely prevent from starting
systemctl daemon-reload           # Reload after editing unit files

journalctl Log Analysis

journalctl -u nginx               # Logs for specific service
journalctl -u nginx --since "1 hour ago"  # Recent logs
journalctl -u nginx -f            # Follow in real-time
journalctl -p err                 # Error-level messages only
journalctl -b                     # Current boot only
journalctl --vacuum-size=500M     # Limit log storage

For custom applications, create a systemd unit file at /etc/systemd/system/myapp.service with [Unit], [Service], and [Install] sections. Set Restart=on-failure for automatic crash recovery.

5. User Management and Permissions

Proper user management is the foundation of system security. Every process runs as a user, and file access is controlled through the permission system.

User and Group Commands

useradd -m -s /bin/bash john       # Create user with home directory
useradd -r -s /sbin/nologin svc   # Create service account (no login)
usermod -aG wheel john             # Add to sudo group
passwd john                        # Set password
chage -M 90 john                   # Max password age: 90 days
id john                            # Show UID, GID, groups

File Permission Model

Linux permissions follow the Owner | Group | Others model with Read (4), Write (2), and Execute (1) bits:

chmod 755 script.sh    # rwxr-xr-x (owner full, others read+execute)
chmod 644 config.conf  # rw-r--r-- (owner read/write, others read)
chmod 600 id_rsa       # rw------- (owner only - private keys)
chown john:devs file   # Change owner and group

For more granular control, Access Control Lists (ACLs) allow per-user permissions: setfacl -m u:john:rwx /project.

6. Storage and LVM

AlmaLinux uses XFS as the default filesystem (same as RHEL). For flexible disk management, LVM (Logical Volume Manager) is essential.

LVM Workflow

pvcreate /dev/sdb                  # Initialize physical volume
vgcreate datavg /dev/sdb           # Create volume group
lvcreate -L 50G -n datalv datavg   # Create logical volume
mkfs.xfs /dev/datavg/datalv        # Format with XFS
mount /dev/datavg/datalv /data     # Mount it

The power of LVM is live resizing. Need more space? Add a disk and extend:

vgextend datavg /dev/sdc           # Add new disk to volume group
lvextend -L +20G /dev/datavg/datalv  # Extend the volume
xfs_growfs /data                   # Grow the filesystem (online!)

Always use UUID in /etc/fstab for persistent mounts - device names like /dev/sdb can change between reboots.

7. Firewall Configuration with firewalld

AlmaLinux uses firewalld, a dynamic zone-based firewall. Unlike raw iptables, firewalld organizes rules into zones based on trust levels.

Essential firewalld Commands

firewall-cmd --get-active-zones         # Show active zones
firewall-cmd --list-all                 # List all rules
firewall-cmd --add-service=http --permanent   # Allow HTTP
firewall-cmd --add-service=https --permanent  # Allow HTTPS
firewall-cmd --add-port=8080/tcp --permanent  # Custom port
firewall-cmd --add-rich-rule='rule family="ipv4" source address="1.2.3.4" drop' --permanent   # Block an IP
firewall-cmd --reload                   # Apply changes

Key zones: drop (reject everything), public (default, selective access), trusted (allow everything). Always use the --permanent flag plus --reload to persist rules across reboots.
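
To spot rules that were added without --permanent, or with --permanent but never reloaded, the following added example (not part of the original article) compares saved output of firewall-cmd --list-all and firewall-cmd --permanent --list-all. The helper name fw_drift and both sample listings are constructed for illustration.

```bash
#!/bin/bash
# Added example: report firewalld rules that exist only at runtime or only
# in the permanent configuration. fw_drift is a hypothetical helper name.

# fw_drift RUNTIME_FILE PERMANENT_FILE
# Each file holds saved `firewall-cmd --list-all` output for the same zone.
fw_drift() {
    awk '
        # Record every token after the label, tagged with the side it came from.
        function load(kind, side,   i) {
            for (i = 2; i <= NF; i++) seen[kind ":" $i] = seen[kind ":" $i] side
        }
        { side = (FILENAME == ARGV[1]) ? "R" : "P" }
        $1 == "services:" { load("service", side) }
        $1 == "ports:"    { load("port", side) }
        $1 == "rule" {                      # rich rules: one per indented line
            line = $0; sub(/^[ \t]+/, "", line)
            seen["rich:" line] = seen["rich:" line] side
        }
        END {
            for (k in seen) {
                if (seen[k] == "R") print "runtime-only (lost on reload or reboot): " k
                else if (seen[k] == "P") print "permanent-only (needs --reload): " k
            }
        }' "$1" "$2" | sort
}

# Constructed sample listings, shaped like firewall-cmd --list-all output.
RT=$(mktemp); PERM=$(mktemp)
trap 'rm -f "$RT" "$PERM"' EXIT
cat > "$RT" <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: cockpit http ssh
  ports: 8080/tcp
  rich rules:
EOF
cat > "$PERM" <<'EOF'
public
  target: default
  interfaces: eth0
  services: cockpit https ssh
  ports:
  rich rules:
    rule family="ipv4" source address="1.2.3.4" drop
EOF

fw_drift "$RT" "$PERM"
```

On a host, save the two listings with firewall-cmd --list-all and firewall-cmd --permanent --list-all and pass the files in that order.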

For brute-force protection, install fail2ban from EPEL: dnf install -y epel-release && dnf install -y fail2ban. It monitors log files and automatically bans IPs that show malicious patterns.

8. SELinux - Your Mandatory Access Control Layer

SELinux is arguably the most misunderstood component of RHEL-based systems. Many administrators disable it at the first sign of trouble - this is a critical mistake. SELinux provides an essential security layer that standard permissions cannot offer.

How SELinux Works

Every file, process, and port has a security context in the format user:role:type:level. SELinux policies define which types can interact. If a web server process (type httpd_t) tries to read a file labeled user_home_t, SELinux blocks it - even if standard file permissions would allow it.

Practical SELinux Management

getenforce                           # Check current mode
sestatus                             # Detailed status
ls -lZ /var/www/html                 # View file contexts
ps auxZ | grep nginx                 # View process contexts

# Fix context for custom web directory
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -Rv /web

# Common booleans
setsebool -P httpd_can_network_connect on    # Allow web server outbound connections
setsebool -P httpd_can_sendmail on           # Allow sending email

# Allow custom port
semanage port -a -t http_port_t -p tcp 8080  # Add port for httpd

When something is blocked: check ausearch -m avc -ts recent, fix file contexts with restorecon, check booleans with getsebool, and add ports with semanage port. Only use audit2allow as an absolute last resort.
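
The triage order above can be applied to raw denial records. The following added example (not part of the original article) groups AVC denials by process, source type, target type and class, and names which of the fixes above to look at first. The helper name avc_triage is hypothetical, the hints are a heuristic, and the sample records are constructed.

```bash
#!/bin/bash
# Added example: summarise SELinux AVC denials and point at the matching fix.
# avc_triage is a hypothetical helper; the hints are a heuristic only.

# avc_triage [FILE...]   (reads stdin when no file is given)
avc_triage() {
    awk '
    /avc:/ && /denied/ {
        # Permissions sit between the braces, e.g. "{ read open }"
        perm = $0; sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
        comm = stype = ttype = cls = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (!eq) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "comm") { gsub(/"/, "", v); comm = v }
            else if (k == "scontext") { split(v, c, ":"); stype = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
            else if (k == "tclass") cls = v
        }
        if (cls == "tcp_socket" && perm ~ /name_bind/)         hint = "port label (semanage port)"
        else if (cls == "tcp_socket" && perm ~ /name_connect/) hint = "boolean (getsebool)"
        else if (cls == "file" || cls == "dir")                hint = "file context (restorecon)"
        else                                                   hint = "review manually"
        key = comm " " stype " -> " ttype " [" cls " {" perm "}] " hint
        if (!(key in count)) order[++n] = key      # keep first-seen order
        count[key]++
    }
    END { for (i = 1; i <= n; i++) print count[order[i]] "x " order[i] }
    ' "$@"
}

# Constructed sample records in audit.log format (not from a real host).
AVC_LOG=$(mktemp)
trap 'rm -f "$AVC_LOG"' EXIT
cat > "$AVC_LOG" <<'EOF'
type=AVC msg=audit(1767225600.101:501): avc:  denied  { read } for  pid=2101 comm="nginx" name="index.html" dev="dm-0" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1767225601.220:502): avc:  denied  { read } for  pid=2101 comm="nginx" name="index.html" dev="dm-0" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1767225610.007:507): avc:  denied  { name_bind } for  pid=2140 comm="nginx" src=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1767225622.450:512): avc:  denied  { name_connect } for  pid=2188 comm="php-fpm" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
EOF

avc_triage "$AVC_LOG"
```

On a host, the same function can read the records directly: ausearch -m avc -ts recent | avc_triage.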

9. Web Server Setup

AlmaLinux supports both Nginx and Apache (httpd) as web servers, with PHP-FPM for PHP processing.

Nginx + PHP-FPM Stack

# Install and start Nginx
dnf install nginx -y
systemctl enable --now nginx

# Install PHP 8.2
dnf module enable php:8.2 -y
dnf install php-fpm php-mysqlnd php-pgsql php-cli php-mbstring php-xml php-gd -y
systemctl enable --now php-fpm

# Firewall
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

SSL/TLS with Let's Encrypt

dnf install -y epel-release                       # Enable EPEL first
dnf install -y certbot python3-certbot-nginx      # Then install certbot from it
certbot --nginx -d example.com -d www.example.com
certbot renew --dry-run   # Test auto-renewal

Set up a cron job for automatic renewal: 0 3 * * * certbot renew --quiet

For SELinux, remember to set proper contexts on custom web directories and enable the necessary booleans for your application requirements.

10. Database Servers

AlmaLinux supports both PostgreSQL and MariaDB through AppStream modules.

PostgreSQL Setup

dnf module enable postgresql:16 -y
dnf install postgresql-server -y
postgresql-setup --initdb
systemctl enable --now postgresql

sudo -u postgres psql
CREATE USER app WITH PASSWORD 'securepass';
CREATE DATABASE mydb OWNER app;
GRANT ALL ON DATABASE mydb TO app;

Tuning essentials: Set shared_buffers to 25% of RAM, effective_cache_size to 75%, work_mem to 4-16MB, and enable scram-sha-256 authentication in pg_hba.conf.

MariaDB Setup

dnf install mariadb-server -y
systemctl enable --now mariadb
mysql_secure_installation        # Secure the initial setup

For both databases: bind to localhost only, use strong authentication, open database ports only to application servers (never public), and set up automated daily backups with tested restore procedures.

11. Containers with Podman

AlmaLinux ships with Podman by default - a daemonless, rootless container engine that is fully compatible with Docker CLI commands. Podman is the RHEL-recommended container runtime.

Why Podman over Docker?

  • No daemon - Podman uses a fork-exec model, no background service required
  • Rootless by default - Run containers without root privileges (major security advantage)
  • CLI compatible - alias docker=podman and most Docker commands work identically
  • Systemd integration - Generate systemd units directly from containers
  • Pod support - Native Kubernetes-like pods for grouping containers

Essential Podman Commands

podman pull docker.io/library/nginx           # Pull image
podman run -d -p 8080:80 --name web nginx     # Run container
podman ps                                      # List running containers
podman logs -f web                             # Follow logs
podman exec -it web /bin/bash                  # Shell into container
podman stop web && podman rm web               # Stop and remove
podman volume create mydata                    # Create persistent volume
podman system prune -a                         # Clean up everything

For rootless containers that start at boot, use podman generate systemd --name web to create a systemd unit, then loginctl enable-linger username to allow the user services to run without an active login session.

12. Security Hardening

A production AlmaLinux server needs hardening beyond the default configuration. Here is a systematic approach:

SSH Hardening

Edit /etc/ssh/sshd_config:

# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Key-only authentication
PasswordAuthentication no
# Limit attempts
MaxAuthTries 3
# 5-minute timeout
ClientAliveInterval 300
# Whitelist users
AllowUsers admin deploy

After changes: sshd -t (test syntax), update SELinux port (semanage port -a -t ssh_port_t -p tcp 2222), update firewalld, then systemctl restart sshd.
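
A syntax test does not tell you whether the hardened values are the ones in effect. The following added example (not part of the original article) checks a config file against the settings listed above and shows a common trap: an earlier PasswordAuthentication yes line wins over a later no. The helper names effective_value, check and sshd_audit are hypothetical and the sample config is constructed; the script reads one file and does not follow Include lines.

```bash
#!/bin/bash
# Added example: check an sshd_config-style file against the values above.
# effective_value, check and sshd_audit are hypothetical helper names.

# effective_value FILE KEYWORD
# Keywords are case-insensitive and, for most keywords, sshd keeps the first
# value it reads, so the scan stops at the first hit. Lines after the first
# Match are conditional and are not treated as global settings.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }       # comment or blank line
        tolower($1) == "match" { exit }       # conditional blocks start here
        tolower($1) == key {
            sub(/[ \t]+#.*$/, "")             # drop a trailing comment
            $1 = ""; sub(/^[ \t]+/, "")       # keep only the value
            print; exit
        }' "$1"
}

# check FILE KEYWORD EXPECTED -> prints one PASS or FAIL line
check() {
    got=$(effective_value "$1" "$2")
    [ -n "$got" ] || got="(unset globally)"
    if [ "$got" = "$3" ]; then echo "PASS $2 = $got"
    else echo "FAIL $2 = $got (want $3)"; fi
}

# sshd_audit FILE -> one line per setting from the hardening list
sshd_audit() {
    check "$1" Port 2222
    check "$1" PermitRootLogin no
    check "$1" PasswordAuthentication no
    check "$1" MaxAuthTries 3
    check "$1" ClientAliveInterval 300
    check "$1" AllowUsers "admin deploy"
}

# Constructed sample config (not from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample
Port 2222
PasswordAuthentication yes
permitrootlogin no
MaxAuthTries 3
PasswordAuthentication no
AllowUsers admin deploy
Match Address 10.0.0.0/8
    ClientAliveInterval 300
EOF

sshd_audit "$SAMPLE"
```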

Security Scanning

  • Lynis - Comprehensive system security audit: lynis audit system
  • OpenSCAP - CIS benchmark and DISA STIG compliance scanning
  • rkhunter / chkrootkit - Rootkit detection
  • AIDE - File integrity monitoring (detect unauthorized changes)
  • ClamAV - Antivirus scanning for shared hosting environments

Enable the Linux Audit System (auditd) to track security-relevant events: file modifications, authentication attempts, privilege escalation, and command execution.

Automatic Security Updates

dnf install dnf-automatic -y
# Configure /etc/dnf/automatic.conf
systemctl enable --now dnf-automatic-install.timer

13. Monitoring and Performance Tuning

Production servers need continuous monitoring. AlmaLinux provides built-in tools and supports enterprise monitoring stacks.

Quick Diagnostic Commands

top                       # Real-time process monitoring (or htop)
vmstat 1 5                # Memory and CPU statistics
iostat -xz 1              # Disk I/O performance
sar -u 1 10               # CPU usage over time
free -h                   # Memory summary
ss -tulnp                 # Listening ports and processes
dmesg -T | tail -50       # Recent kernel messages

Performance Tuning Quick Wins

  • Swap: Set vm.swappiness=10 for server workloads (reduces unnecessary swapping)
  • Filesystem: Mount with noatime to skip access time updates
  • Network: Increase net.core.somaxconn and net.ipv4.tcp_max_syn_backlog for busy web servers

Monitoring Stack Options

For single servers, Cockpit is pre-installed (just enable the socket). For multi-server environments, consider Prometheus + Grafana (metrics and dashboards), Zabbix (enterprise monitoring), or Netdata (per-server real-time metrics with easy installation).

14. Backup and Disaster Recovery

Follow the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 copy offsite.

Backup Tools

# rsync (incremental file backup)
rsync -avz /data/ /backup/data/                    # Local
rsync -avz -e ssh /data/ user@backup:/backup/      # Remote

# tar (compressed archives)
tar czf /backup/data-20260306.tar.gz /data  # Dated archive

# Database backups
pg_dump mydb | gzip > /backup/db-20260306.sql.gz
mysqldump --single-transaction mydb > backup.sql

Automate with cron: 0 2 * * * /opt/scripts/daily-backup.sh. Set up retention policies (keep 30 daily, 12 monthly, 2 yearly). Most importantly: test your restores monthly. An untested backup is not a backup.

15. Troubleshooting Quick Reference

When things go wrong, a systematic approach saves time:

Common Issues and Solutions

  • Web server 403 Forbidden - Almost always SELinux context: restorecon -Rv /var/www
  • Service won't start - Check logs: journalctl -u service -n 50, check port conflicts: ss -tulnp
  • Disk full - Find largest directories: du -sh /* | sort -rh | head -10
  • Cannot SSH - Check firewalld rules, sshd_config, SELinux port policy, and fail2ban status
  • Slow performance - Check for swap thrashing (free -h), I/O wait (iostat), and high load (uptime)
  • Package conflicts - Reset AppStream module: dnf module reset package

Emergency Server Recovery

  1. Check if SSH is accessible. If not, use an out-of-band console (IPMI, iLO, cloud console)
  2. Check system load: uptime, top, dmesg -T
  3. Check disk space: df -h (full /var or /tmp causes cascading failures)
  4. Check memory: free -h (OOM killer messages in dmesg)
  5. Check failed services: systemctl list-units --failed


AlmaLinux proves that enterprise-grade Linux does not require an enterprise budget. With 10-year support cycles, 1:1 RHEL compatibility, and a thriving community, it is the ideal choice for production servers, development environments, and everything in between. Install it, harden it, and build on a foundation that will be supported through 2032 and beyond.

Dargslan Editorial Team (Dargslan)