
3. Changes in Fedora for System Administrators

3.1. Kernel

Fedora 15 features version 2.6.38 of the Linux kernel. Among other improvements, this version includes the "patch that does wonders" which improves responsiveness under heavy loads.
Refer to http://kernelnewbies.org/LinuxChanges for details of this and all the changes.

3.2. Boot

3.2.1. systemd

systemd is a system and service manager that replaces SysVinit and Upstart. After a six-month postponement, during which it received more thorough testing, Fedora 15 ships this new system daemon by default. Its code was designed from scratch to take maximum advantage of the features offered by modern Linux kernels.
With systemd, Fedora 15 boots up faster, particularly on SSDs. Native systemd service configuration files (units) are much easier to understand and configure than SysVinit scripts, since systemd uses .service files instead of bash scripts. All daemons are sorted into their own Linux cgroups, which you can explore beneath /cgroup/systemd in the file system hierarchy, and the administrative features of the init system are considerably extended.
Powering down the system
In earlier versions, the halt command could be used to power off the system. This no longer works with systemd. The following alternatives, however, do work:

  poweroff
  halt -p
  init 0
  shutdown -P now

There are numerous other changes in the way runlevels and services are handled with systemd. Refer to https://fedoraproject.org/wiki/Systemd for more complete information on systemd in Fedora.

3.2.2. /run directory

Fedora 15 has a /run directory for storing runtime data. /run is now a tmpfs, and /var/run is bind mounted to it; /var/lock is bind mounted to /run/lock. Applications can use /run in the same way as /var/run. Several programs, including udev, dracut, mdadm, mount and initscripts, used hidden directories under /dev for runtime data during early boot, before /var is mounted. However, /dev is intended only for device nodes, and there is consensus among the major distributions to move to /run instead. Fedora 15 is leading this change.
This change is compliant with the Filesystem Hierarchy Standard, which allows distributions to create new directories in the root hierarchy as long as the consequences are carefully considered. A co-author of the latest FHS specification has expressed support for this change, and Lennart Poettering has filed a request to update the FHS to include it.

3.2.3. /var/run and /var/lock

/var/run and /var/lock are now bind mounted to /run and /run/lock on tmpfs, and hence are emptied on reboot. Applications must recreate their own files and directories on startup and cannot rely on having created them at package installation time. If necessary, systemd's tmpfiles.d mechanism can recreate directories and files beneath /var/run and /var/lock at boot. See tmpfiles.d(5) (http://0pointer.de/public/systemd-man/tmpfiles.d.html) for details and the configuration files in /etc/tmpfiles.d for examples. The Fedora packaging guidelines for tmpfiles.d are at http://fedoraproject.org/wiki/Packaging:Tmpfiles.d.

3.2.4. 4kB Sector disk boot support

Booting 4kB sector disks in UEFI environments is now supported.

3.3. Security

This section describes the security changes and enhancements available in Fedora 15.

3.3.1. Dynamic Firewall

Fedora 15 adds support for the optional firewall daemon (FirewallD), providing dynamic firewall management with a D-Bus interface.
The previous firewall model, based on system-config-firewall, was static and required a full firewall restart for every change, even simple ones. This terminated filtered connections. FirewallD can modify the firewall dynamically, so the firewall does not need to be recreated. At this stage it supports iptables, ip6tables and ebtables. In Fedora 15 a simple tray applet shows the firewall state and allows firewall services to be enabled and disabled.

3.3.2. FreeIPA 2.0

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 (formerly known as Fedora Directory Server), MIT Kerberos, NTP and DNS. It consists of a web interface and command-line administration tools.
Features of FreeIPA v2.0 include:
  • Centralized authentication via Kerberos or LDAP
  • Identity management for users, groups, hosts and services
  • Pluggable and extensible framework for UI/CLI
  • Rich CLI
  • Web-based User Interface
  • Server X.509 v3 certificate provisioning capabilities
  • Managing host identities including grouping hosts
  • Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD
  • Serving netgroups based on user and host objects stored in IPA
  • Serving sets of automount maps to different clients
  • Finer-grained management delegation
  • Group-based password policies
  • Centrally-managed SUDO
  • Automatic management of private groups
  • Compatibility with a broad set of clients
  • Painless password migration
  • Optional integrated DNS server managed by IPA
  • Optional integrated Certificate Authority to manage server certificates managed by IPA
  • Can act as NIS server for legacy systems
  • Supports multi-server deployment based on multi-master replication
  • User and group replication with MS Active Directory
For all details please refer to http://www.freeipa.org/.

3.3.3. OpenSCAP

First introduced in Fedora 14, OpenSCAP is a set of open source libraries providing an easier path for integration of the SCAP line of standards. SCAP is managed by NIST and was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
In Fedora 15, openscap has been upgraded from version 0.6.3 to 0.6.8. Between these versions, full support for Perl regular expressions by default, OVAL float type support, XSL transformation improvements, Dublin Core support, OVAL schemas version 5.6 and improved XCCDF reporting were added.
secstate, the Security State Configuration Tool, has been rebuilt in Fedora 15 against version 0.4.1.
firstaidkit, the System Rescue Tool that automates simple and common system recovery tasks, has been upgraded from 0.2.17 to version 0.2.18.
For more information visit http://www.open-scap.org/page/Main_Page.

3.3.4. authconfig ecryptfs

Fedora 15 brings in improved support for eCryptfs, a stacked cryptographic filesystem for Linux. Now, when an eCryptfs user logs in, authconfig automatically mounts the private encrypted part of their home directory.
For details please refer to the wiki page https://fedoraproject.org/wiki/Features/EcryptfsAuthConfig.

3.3.5. setroubleshoot

The user interface of setroubleshoot has been redesigned to make it easier to diagnose SELinux problems. The current setroubleshoot returns only the "best" matching solution to the user. The redesign returns all matches. For example, if samba tried to read content that it is not allowed to read, the admin is told that they could label the content samba_share_t, or set up SELinux to allow samba to share all content read-only or read-write, or that samba should not be trying to read this content at all, which could indicate a bug or an attack.
The interface has also been simplified with easier-to-explain definitions, such as:

  If you want samba to share the entire system read-only, then
  you need to tell the SELinux system about this by setting the
  samba_export_all_ro boolean.

  Execute the following command as root.

  setsebool -P samba_export_all_ro=1

3.3.6. Remove setuid

Fedora 15 removes setuid applications and instead specifically assigns the capabilities an application requires. The spec files of most packages that include a setuid application have been modified to remove the setuid flag and to use file capabilities instead.
Please refer to https://fedoraproject.org/wiki/Features/RemoveSETUID for all details.
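An added example, not from the release notes or the feature page: a POSIX shell audit that lists the setuid binaries remaining under a tree and the file capabilities each carries, plus the root-only conversion step the change describes; the getcap and setcap tools from libcap are assumed to be installed.

```shell
#!/bin/sh
# Added example: find binaries that still carry the setuid bit and report
# whether they also carry file capabilities. getcap/setcap come from libcap
# and are assumed to be installed; the audit still lists setuid files when
# getcap is missing.

# audit_setuid DIR
# Prints one line per setuid regular file under DIR: "<path> caps=<caps|none>".
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while read -r f; do
        caps=none
        if command -v getcap >/dev/null 2>&1; then
            c=$(getcap "$f" 2>/dev/null)
            c=${c#"$f"}                 # drop the leading path
            c=${c#" = "}; c=${c#" "}    # accept "path = caps" and "path caps" layouts
            [ -n "$c" ] && caps=$c
        fi
        printf '%s caps=%s\n' "$f" "$caps"
    done
}

# count_setuid DIR
# Number of setuid files under DIR; 0 is the goal once every package has
# moved to file capabilities.
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# drop_setuid FILE CAPS (root only)
# Replace the setuid bit on FILE with the listed capabilities, the same
# transformation the packaging change applies, e.g.
#   drop_setuid /usr/bin/ping cap_net_raw+ep
drop_setuid() {
    chmod u-s "$1" && setcap "$2" "$1"
}
```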

3.4. Virtualization

3.4.1. Boxgrinder

BoxGrinder Build is an easy-to-use command line tool to create appliances (virtual images) from simple plaintext appliance definition files. BoxGrinder can produce appliances for a variety of virtual and cloud platforms using plugins that support technologies such as VMware or EC2.
See the Quick Start page (http://boxgrinder.org/tutorials/boxgrinder-build-quick-start/) for an overview of how to use BoxGrinder.

3.4.2. Spice support in virt-manager

With Fedora 15, virt-manager has been updated to support Spice, the complete open source solution for interaction with virtualized desktops. It is now possible to create a virtual machine with Spice support without touching the command line, and to benefit from all the Spice enhancements directly from virt-manager. Thanks to the spice-gtk library, you can also develop a client in Python or C, or with gobject-introspection bindings.

3.4.3. Numerous libvirt improvements

With Fedora 15, libvirt has been updated to support a number of new APIs for interacting with various virtual machines. There is now support for graphics using SPICE, using smartcards with KVM guests, managing SMBIOS fields seen in guests, managing memory and blkio cgroup parameters to limit guest resource usage, support for IPv6 networking to guests, improved auditing, and better debugging of qemu-kvm guests via arbitrary monitor commands.

3.5. Web Servers and Web Applications

3.5.1. Apache

httpd was updated from 2.2.16 to 2.2.17. This version includes module fixes as well as core fixes and changes.
Core fixes and changes:
  • (re)-introduce -T commandline option to suppress documentroot check at startup.
  • check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set.
  • fix origin checking in SymlinksIfOwnerMatch.

3.5.2. Drupal renamed to Drupal6

Starting with Fedora 15, the drupal package and all module packages have been renamed from drupal* to drupal6*. In addition, all filesystem locations will reflect this change. Simply copying your old content to the new locations should work, as the versions should be the same.
This change was made to facilitate easier maintenance of parallel drupal versions across Fedora/EPEL releases with the release of drupal7.

3.6. Database Servers

3.6.1. mysql

mysql has been updated to version 5.5.10. Included are improved scalability and performance. From the release announcement: "Higher availability: New semi-synchronous replication and Replication Heart Beat improve failover speed and reliability."
This update includes increasing the shared library version number of libmysqlclient, so applications using that library will need to be recompiled.

3.6.2. postgresql

postgresql has been updated from 8.4.7 to 9.0.3. In addition to numerous security and other bugfixes, this release contains a number of new features:
  • Built-in replication, based on log shipping, supports multiple read-only slave servers
  • Easier database object permissions management
  • Broadly enhanced stored procedure support
  • More advanced reporting queries
  • New trigger features
  • Deferrable unique constraints
  • Mass updates to unique keys are now possible without trickery
  • Exclusion constraints
  • New and enhanced security features
  • New high-performance implementation of the LISTEN/NOTIFY feature
  • New implementation of VACUUM FULL
  • Multiple performance enhancements for specific types of queries, including elimination of unnecessary joins
  • EXPLAIN enhancements
  • hstore improvements
In addition, there is a new contrib module pg_upgrade to support in-place upgrades from 8.4 to 9.0. This means that you can upgrade from a Fedora 12 or later database without a database dump and restore. To do that, install the postgresql-upgrade package and run service postgresql upgrade as root. It's advisable to have a separate backup in case of trouble, but the actual database conversion requires only a few minutes with this approach.

3.7. System Daemons

3.7.1. Administrative User

Fedora 15 introduces the concept of an administrator group. Users who are in this group are able to:
  • sudo, using their password
  • authorize for various administrative tasks using PolicyKit with their own password
  • authorize for various administrative tools using consolehelper/userhelper with their own password
This is implemented via the 'wheel' group. Users can be added to the administrative group in the GNOME User Accounts panel, in the Users and Groups configuration utility (system-config-users) or in firstboot. For adding a new user as an administrator in GNOME, click on the user menu on the top right, click on "My Account", unlock by providing the root user password and click on the "+" button to add a new user. Select "Account Type" as "Administrator" instead of "Standard".
If you are using KDE, run "Administration / Users and Groups" from the menu, enter the root password to unlock system-config-users, go to the "Groups" tab, select "wheel", click "Properties" in the toolbar, go to the "Group Users" tab of the dialog, check your user name in the resulting list and click OK.

3.7.2. Bacula

The Bacula director and storage daemons now run as the bacula user by default. The director's log file has moved to the /var/log/bacula directory.
The default user can be changed in the /etc/sysconfig/bacula-* files.
When upgrading, please make sure that the bacula user has permission to access the configuration files, log files and database.

3.8. File Systems

3.8.1. squashfs

The kernel and squashfs-tools now support xz compression. The default is still gzip. You can request xz compression when using mksquashfs using the -comp xz option.

3.9. Xorg

3.9.1. Xorg server

Xorg server has been updated to the 1.10.x stream. Feature highlights and major bug fixes include:
  • For RANDR-based drivers with an asymmetric multi-head setup (two non-overlapping monitors with different sizes), previously there was a "dead space" in which the mouse cursor would appear to go off the screen. For example, 1280x800 + 1600x1200 horizontally adjacent with top edges aligned would have a 1280x400 dead area below the left monitor. This is now fixed, and the cursor will stop at all exterior output edges.
  • The XFixes extension has been updated to version 5, which adds a new "pointer barrier" feature. Similar to the above, this allows applications to put invisible walls on the display that the cursor cannot cross, or that it can only cross in one direction. A typical use is gnome-shell's "Activities" mouseover in multi-head setups; when it's not in the actual top-left of the screen (say, because the rightmost head is primary), the barrier makes it possible to stop the cursor on the Activities mouseover and not slide through to the next output.
  • XI2 now supports per-axis valuator modes on input devices, for example, relative events on the X axis but absolute events on the Y axis.
  • The XFixes and Composite extensions now work in Xinerama multi-GPU setups.

3.9.2. Intel

The Intel graphics driver has been updated from 2.12.0 to 2.14.0. Highlights include:
  • Adds support for Sandybridge GPUs.
  • Adds support for interlaced video modes.

3.9.3. Radeon

The Radeon graphics driver has been updated from 6.13.0 to 6.14.0. Highlights include:
  • Adds support for media sync counters in OpenGL.
  • Adds page flipping support for KMS.
  • Adds accelerated 2D, video, and 3D for Evergreen GPUs.
  • Adds accelerated 2D and video for Northern Islands GPUs.

3.9.4. Nouveau

The Nouveau driver has been updated to the latest snapshot. Highlights include:
  • Adds accelerated 2D, video, and 3D for Fermi.
  • Adds support for media sync counters in OpenGL.

3.9.5. Mesa

Mesa has been updated from version 7.9 to a development snapshot of 7.11. In addition to the driver-specific 3D support added, it includes the following highlights:
  • Adds support for the OpenGL embedded subset via new packages mesa-libEGL and mesa-libGLES.
  • The software GL renderer has switched to the gallium llvm backend for a greatly enhanced feature set and performance.
  • Radeon 3D support for R600 and above is now gallium based.
  • Nouveau 3D driver is now installed by default.
  • DRI1-based drivers (everything but intel/nouveau/radeon/software) are split to mesa-dri-drivers-dri1 subpackage, and not installed by default.