Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

3. Feature Updates

Block Device Encryption
Red Hat Enterprise Linux 5.3 includes support for block device encryption using the Linux Unified Key Setup (LUKS) specification. Encrypting a device protects all data on a block device against unauthorized access, even if the device has been physically removed from a system. To access the contents of an encrypted device, a user must provide a passphrase or key as authentication.
For information on setting up disk encryption, refer to Chapter 28 of the Red Hat Enterprise Linux Installation Guide at: http://redhat.com/docs/
mac80211 802.11a/b/g WiFi protocol stack (mac80211)
The mac80211 stack (formerly known as the devicescape/d80211 stack) is now a supported feature in Red Hat Enterprise Linux 5.3. It enables the iwlwifi 4965GN wireless driver for Intel® WiFi Link 4965 hardware which allows certain wireless devices to connect to any WiFi network.
Although the mac80211 component is supported in Red Hat Enterprise Linux 5.3, the symbols are not included in the symbol whitelist for the kernel.
Global File System 2 (GFS2)
GFS2 is an incremental advancement of GFS. This update applies several significant improvements that require a change to the on-disk file system format. GFS file systems can be converted to GFS2 using the utility gfs2_convert, which updates the metadata of a GFS file system accordingly.
In Red Hat Enterprise Linux 5.2, GFS2 was provided as a kernel module for evaluation purposes. In Red Hat Enterprise Linux 5.3, GFS2 is now part of the kernel package. If the Red Hat Enterprise Linux 5.2 GFS2 kernel modules have been installed they must be removed to use GFS2 in Red Hat Enterprise Linux 5.3.
Improvements in Driver Disk Support
A driver disk, supplied by an OEM, is a single image file (*.img), containing potentially multiple driver RPMs and kernel modules. These drivers are used during installation to support hardware that otherwise would not be recognized. The RPMs are installed on the system and placed into the initrd so that they are supported when the machine reboots.
With Red Hat Enterprise Linux 5.3, installation can automatically detect the presence of a driver disk based on its file system label, and use the content of that disk during installation. This behavior is controlled by the installation command line option dlabel=on, which enables the automatic search. All block devices with the file system label OEMDRV are examined and drivers are loaded from these devices in the order in which they are encountered.
iSCSI Boot Firmware Table
Red Hat Enterprise Linux 5.3 now fully supports the iSCSI Boot Firmware Table (iBFT) which allows for booting from iSCSI devices. This support required that iSCSI disks (nodes) are no longer marked to start up automatically; the installed system will no longer automatically connect and login to iSCSI disks when entering runlevel 3 or 5.
iSCSI is usually used for the root filesystem, in which case this change does does not make a difference as the initrd will connect and login to the needed iSCSI disks even before the runlevel is entered.
However if iSCSI disks need to be mounted on non root directories, for example /home or /srv, then this change will impact you, since the installed system will no longer automatically connect and login to iSCSI disks that are not used for the root filesystem.
Using iSCSI disks mounted on non root directories is still possible, but requires the use of one of the following workarounds:
  1. Install the system without use of iSCSI disks mounted on non root directories and later configure the relevant disks and mount points manually
  2. Boot the installed system into runlevel 1, and mark any iSCSI disks that are not used for the root filesystem for automatic startup by using the following command once per disk:
    iscsiadm -m node -T target-name -p ip:port -o update -n node.startup -v automatic
rhythmbox
the rhythmbox audio player has been updated to version 0.11.6. This update provides the option to use proprietary GStreamer plugins.
lftp Rebase
lftp has now been rebased to version 3.7.1. This applies several upstream feature updates and bug fixes, including:
  • A security flaw in the way lftp quoted scripts generated by mirror --script (which could cause unauthorized privilege escalation) is now fixed.
  • Using lftp with the option -c no longer causes lftp to hang.
  • lftp no longer corrupts files during a transfer when using sftp.
For more information on lftp updates applied in this release, refer to http://lftp.yar.ru/news.html.
TTY Input Auditing
TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY.
You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY.
The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.
SystemTap Re-base
SystemTap has been re-based to version 0.7.2. This update of SystemTap introduces several minor improvements, along with a few major features. These new features include:
  • SystemTap now supports symbolic probing on x86, x86-64 and PowerPC architectures. This enables SystemTap scripts to place probes into user-space applications and shared libraries. As a result, SystemTap can now provide the same level of debugger probing on some user-space applications as kernel probing.
    For example, if coreutils-debuginfo is installed, you can print a callgraph of the ls command using /usr/share/doc/systemtap-version/examples/general/callgraph.stp, as in:
    stap para-callgraph.stp 'process("ls").function("*")' -c 'ls -l'
    In order to reduce the likelihood of an undetected version mismatch between the binary and its debuginfo RPMs, Red Hat advises that you set the SYSTEMTAP_DEBUGINFO_PATH environment variable to the value +:.debug:/usr/lib/debug:build.
    SystemTap's support for symbolic probes also extends to markers placed into the kernel of this release. To use these markers, load the kernel-trace kernel module in /etc/rc.local (using modprobe kernel-trace).
  • SystemTap also supports remote compilation services. This enables a single computer on the network to act as a debuginfo/compiler server for local SystemTap clients. The clients auto-locate the server using mDNS (avahi), and only need the systemtap-client and systemtap-runtime packages to work.
    At present, this feature does not use security mechanisms like encryption. As such, it is advisable to use remote compilation services only within trusted networks. For more information, refer to man stap-server.
  • The kernel update for this release includes a kernel API extension that significantly improves shutdown of SystemTap scripts. This added kernel API extension eliminates unnecessary synchronization between individual probe removal operations. As a result, SystemTap scripts that have hundreds of kernel probes are processed much faster.
    This is especially useful for administrators that use scripts with probes containing wildcards that capture numerous kernel events, such as probe syscall.* {}.
For a complete list of SystemTap updates included in this release, refer to the following URL:
http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git;a=blob_plain;f=NEWS;hb=rhel53
Cluster Manager Update
The Cluster Manager utility (cman) has been updated to version 2.0.97. This applies several bug fixes and enhancements, most notably:
  • cman now uses the following firmware versions: APC AOS v3.5.7 and APC rpdu v3.5.6. This fixes a bug that prevented the APC 7901 from using simple network management protocol (SNMP) properly.
  • fence_drac, fence_ilo, fence_egenera, and fence_bladecenter agents now support ssh.
  • fence_xvmd key files can now be reloaded without restarting.
  • A single fence method can now support up to 8 fence devices.
RPM Re-Base
The RedHat Package Manager (RPM) is now re-based to the Fedora 9 upstream version. rpm now adds secondary architecture-specific macro files on multi-arch systems. In addition, rpm now meets all certification criteria for inclusion in Red Hat Enterprise Linux 5.
This update also applies several upstream enhancements and bug fixes to rpm, including:
  • rpm no longer generates unnecessary .rpmnew and .rpmsave files on multi-arch systems.
  • A bug in the rpmgiNext() function of rpm prevented proper error reporting. This update applies the proper semantics for error reporting, thereby ensuring that rpm returns the correct exit code in all instances.
Open Fabrics Enterprise Distribution (OFED) / opensm
opensm has been updated to the upstream version 3.2, including a minor change to the opensm library API.
  • The format of the opensm.conf file has changed. If you have made custom modifications to your existing opensm.conf, rpm will automatically install the new opensm.conf file as /etc/ofed/opensm.conf.rpmnew. You will need to migrate your modifications to this file and then replace the existing opensm.conf file with the result.
  • Red Hat closely tracks the upstream Open Fabrics Enterprise Distribution (OFED) code base in order to provide a maximal level of enablement for this still evolving technology. As a consequence, Red Hat can only preserve API/ABI compatibility across minor releases to the degree that the upstream project does. This is an exception from the general practice in the development of Red Hat Enterprise Linux.
    Because of this, applications build on top of the OFED stack (listed below), might require recompilation or even source-level code changes when moving from one minor release of Red Hat Enterprise Linux to a newer one.
    This generally is not required for other applications, built on the Red Hat Enterprise Linux software stack. The components affected are:
    • dapl
    • compat-dapl
    • ibsim
    • ibutils
    • infiniband-diags
    • libcxgb3
    • libehca
    • libibcm
    • libibcommon
    • libibmad
    • libibumad
    • libibverbs
    • libipathverbs
    • libmlx4
    • libmthca
    • libnes
    • librmdacm
    • libsdp
    • mpi-selector
    • mpitests
    • mstflint
    • mvapich
    • mvapich2
    • ofed-docs
    • openib
    • openib-mstflint
    • openib-perftest
    • openib-tvflash
    • openmpi
    • opensm
    • perftest
    • qlvnictools
    • qperf
    • rds-tools (future)
    • srptools
    • tvflash
Net-SNMP Re-Base
Net-SNMP has been re-based to upstream version 5.3.2.2. This update adds Stream Control Transmission Protocol (SCTP) support (as per RFC 3873, http://www.ietf.org/rfc/rfc3873.txt) and introduces two new configuration options (to be used in /etc/snmpd.conf):
  • dontLogTCPWrappersConnects — suppresses logging of connection attempts.
  • v1trapaddress — enables administrators to set an agent's IP address inside outgoing SNMP traps.
This update also features several bug fixes from upstream, including:
  • The snmpd daemon now functions properly on systems with more than 255 network interfaces. In addition, snmpd also reports an error now when it is configured to listen on any port higher than 65535.
  • A race condition that caused the snmpd daemon to leak file descriptors when reading from /proc is now fixed.
  • The snmpd daemon now correctly reports hrProcessorLoad object IDs (OID), even on multi-CPU hardware. Note, however, that it takes approximately one minute from daemon startup to calculate the value of the OID.
  • The net-snmp-devel package is now dependent on the lm_sensors-devel package.
OpenSSL Re-Base for FIPS Certification
The openssl packages upgrade the OpenSSL library to a newer upstream version, which is currently undergoing the Federal Information Processing Standards validation process (FIPS-140-2). The FIPS mode is disabled by default, to ensure that the OpenSSL library maintains feature parity and ABI compatibility with the previous releases of the openssl packages in Red Hat Enterprise Linux 5.
This update also applies the following upstream fixes:
  • By default, zlib compression is used for SSL and TLS connections. On IBM System z architectures with Central Processor Assist for Cryptographic Function (CPACF), compression became the main part of the CPU load, and total performance was determined by the speed of the compression (not the speed of the encryption). When compression is disabled, the total performance is much higher. In these updated packages, zlib compression for SSL and TLS connections can be disabled with the OPENSSL_NO_DEFAULT_ZLIB environment variable. For TLS connections over a slow network, it is better to leave compression on, so that the amount of data to be transferred is lower.
  • When using the openssl command with the s_client and s_server options, the default CA certificates file (/etc/pki/tls/certs/ca-bundle.crt), was not read. This resulted in certificates failing verification. In order for certificates to pass verification, the -CAfile /etc/pki/tls/certs/ca-bundle.crt option had to be used. In these updated packages, the default CA certificates file is read, and no longer needs to be specified with the -CAfile option.
yum Re-Base
yum has been re-based to upstream version 3.2.18. This update improves the speed at which yum operates, thereby alleviating the problem posed by the ever-growing number of packages included with each minor release. In addition, this update also introduces the reinstall command, improves the interface for several commands, and applies several bug fixes, including:
  • Any yum commands would fail if the -c option was used to specify a configuration file residing on a web address (http). This bug is now fixed.
  • A checkSignal() function in yum called an incorrect exit function; as such, exiting yum would result in a traceback instead. With this release, yum now exits properly.
flash-plugin Re-Base
The flash-plugin package has been re-based to version 10.0.12.36. This update applies several security fixes that were included in a previous flash-plugin ASYNC update. Further, this updated plugin also contains Adobe Flash Player 10, which includes the following bug fixes and feature enhancements:
  • Improved stability on the Linux platform by fixing a race condition issue in sound output.
  • New support for custom filters and effects, native 3D transformation and animation, advanced audio processing, a new, more flexible text engine, and GPU hardware acceleration.
For more information about this update, refer to the Adobe Flash Player 10 release notes at the following link:
http://www.adobe.com/support/documentation/en/flashplayer/10/Flash_Player_10_Release_Notes.pdf
gdb Rebase
gdb has now been rebased to version 6.8. This applies several upstream feature updates and bug fixes, most notably: support for breakpoints inside C++ templates, constructors and inline functions.
For more information on gdb updates applied in this release, refer to http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/NEWS?rev=1.259.2.1&cvsroot=src.
Instruction Based Sampling on AMD Family10h processors
New hardware profiling support for the AMD Family10h processors has been added for Red Hat Enterprise Linux 5.3. These new AMD CPUs support Instruction Based Sampling (IBS). IBS support requires changes to the oProfile driver to gather this information and initialize the new Model Specific Registers (MSRs) associated with these new features.
This update adds the new IBS_FETCH and IBS_OP profiling samples to the per CPU buffers and the event buffers of the oProfile driver. New control entries have also been added to /dev/oprofile to control IBS sampling. These changes are backward compatible with the previous PMC only version of the driver, and a separate patch is available to oProfile 0.9.3 to use this new data.
For more information on IBS refer to the paper: Instruction-Based Sampling: A New Performance Analysis Technique for AMD Family 10h Processors, November 19, 2007
Squid Re-base
Squid has been re-based to the latest stable upstream version (STABLE21). This update addresses several bugs, including:
  • The squid init script always incorrectly returned an exit code of 0. This bug is now fixed, making squid compliant now with Linux Standard Base.
  • Using the refresh_stale_hit directive causes error message Clock going backwards to appear in the squid log file.
  • The squid installation process did not set up correct ownership of the /usr/local/squid directory. With this release, the user squid is now the default owner of /usr/local/squid.
  • Whenever squid attempts to use the function hash_lookup(), it could abort with signal 6.
  • Using squid_unix_group could cause squid to crash.
Event Multi-Processing Model in Apache
httpd, the Apache HTTP Server package, now includes the experimental event Multi-Processing Model (MPM). This MPM improves performance by using dedicated threads to handle keepalive connections.
libgomp re-base
libgomp has been re-based to version 4.3.2-7.el5. The re-base improves OpenMP performance and adds support for OpenMP version 3.0 when used with the gcc43 compiler.
iSCSI target capability
The iSCSI target capability, delivered as part of the Linux Target (tgt) framework, moves from Technology Preview to full support in Red Hat Enterprise Linux 5.3. The linux target framework allows a system to serve block-level SCSI storage to other systems that have a SCSI initiator. This capability is being initially deployed as a Linux iSCSI target, serving storage over a network to any iSCSI initiator.
To set up the iSCSI target, install the scsi-target-utils RPM and refer to the instructions in: /usr/share/doc/scsi-target-utils-[version]/README and /usr/share/doc/scsi-target-utils-[version]/README.iscsi