2. Changes in Fedora for System Administrators

2.1. Kernel

Fedora 17 features the 3.3.4 kernel.

2.2. Installation

Changes to Direct Kernel Boot

There are significant changes when installing via a direct kernel boot such as PXE. Normal installation from installation media is unaffected.
Advanced users may do any of a number of styles of network installation, generally involving setting up some minimal kernel environment to perform the installation. This operation has undergone significant changes in Fedora 17.
In F16, it was generally only necessary to specify the kernel and initrd location, and the install would work: the kernel/initrd gets stage1, and stage1 gets stage2.
With noloader, this is no longer the case: when doing a direct kernel boot, the location for stage2 must be specified. In other words: pass repo= or stage2= (or inst.repo= or inst.stage2=, as is now preferred), pointing to a repository. If the stage2 image is on one server but the installation packages are on some other server, stage2= must be used: repo= should only be used if the single server contains everything needed for the install (both the stage2 image and all the packages to install). Note that stage2= still expects to see a 'repository' tree; you cannot just pass the path directly to a squashfs.img file (which is how stage2= worked when it previously existed in F15 and earlier).
For example:
label linux
kernel vmlinuz
append initrd=initrd.img
is no longer valid. It is necessary to specify repo:
label linux
kernel vmlinuz
append initrd=initrd.img repo=
or stage2:
label linux
kernel vmlinuz
append initrd=initrd.img stage2=http://my.internal.server/17/x86_64/os/
(or any other valid mirror).

2.3. Security

2.3.1. Password Quality Checking

Fedora now has a single configurable library, libpwquality, for checking the quality of new passwords used for system accounts. The system wide password quality checks provided by this library are configured by modifying the /etc/security/pwquality.conf configuration file.
Developers wishing to call this API from their applications will find the API description in the pwquality.h file provided by the libpwquality-devel package. A python wrapper, python-pwquality, is also provided.

2.3.2. SELinux Deny Ptrace

A new SELinux boolean, deny_ptrace, has been added. It is recommended that users who do not plan to debug applications on their machine turn this boolean on. The boolean prevents rogue processes from being able to read the memory of, or otherwise attack, other processes using debugging tools including ptrace and gdb.
Such attacks are prevented even where the rogue process is running as the root user or attacking a process running with the same SELinux context and label. To permanently enable the protection provided by the deny_ptrace boolean, execute the following command as root:
# setsebool -P deny_ptrace 1
To disable the protection provided by the deny_ptrace boolean temporarily, execute the following command as root:
# setsebool deny_ptrace 0

2.3.3. Services Private /tmp

A number of services managed by systemd have been modified to make use of its ability to provide them with a private /tmp directory. Privileged services using /tmp and /var/tmp have previously been found to be open to being interfered with by unprivileged users, potentially leading to privilege escalation. Using private /tmp directories for services prevents this style of exploit.
The directive added to the systemd unit files for the modified services is:
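systemd's unit-file setting for a private /tmp is PrivateTmp=. As an added example (not part of the release notes), the script below reports which service units in a directory do not enable it; the function names and the sample unit files are constructed for illustration, and drop-in overrides are not read.

```shell
#!/bin/sh
# Added example (not from the release notes): report service units that do
# not enable PrivateTmp. Drop-in overrides (*.service.d/) are not read.

# Print the PrivateTmp value set in the [Service] section of one unit file,
# or "unset". As in systemd, the last assignment wins.
private_tmp_value() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            value = tolower($0)
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Print the file names of *.service units in DIR without PrivateTmp enabled.
audit_private_tmp() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        case "$(private_tmp_value "$unit")" in
            true|yes|on|1) ;;                       # systemd boolean "true" spellings
            *) basename "$unit" ;;
        esac
    done
}

# Constructed sample units, written to DIR for a dry run.
make_sample_units() {
    printf '[Service]\nExecStart=/usr/sbin/exampled\nPrivateTmp=true\n' > "$1/good.service"
    printf '[Service]\nExecStart=/usr/sbin/exampled\n' > "$1/missing.service"
    printf '[Service]\n#PrivateTmp=true\nPrivateTmp = false\n' > "$1/off.service"
    printf '[Unit]\nPrivateTmp=yes\n[Service]\nExecStart=/bin/true\n' > "$1/wrong-section.service"
}

# Run against a real directory when one is given, e.g. /usr/lib/systemd/system.
if [ "$#" -gt 0 ]; then audit_private_tmp "$1"; fi
```

On a running system, systemctl show -p PrivateTmp <unit> reports the value systemd actually applied, drop-ins included.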

2.3.4. Secure Containers

A new tool, sandbox, has been created to streamline creation of secure libvirt containers. When provided with an executable, sandbox determines the mount points and libvirt container information required to run the application in a container. The container is then launched by libvirt with an SELinux context that will prevent it interacting with other processes on the system, including other containers, while still being able to share system data.
This allows an administrator to run multiple instances of a service simultaneously, while preventing them from breaking the host machine or other processes on the system, even when run as root. To use sandbox, install the libvirt-sandbox package.

krb5-workstation

Fedora 17 upgrades the Kerberos authentication system to version 1.10. This adds support for changing passwords over a NAT and support for localization. The kswitch command is added to switch between credential caches. Additional cache support has been added to other commands. Credential choice can be controlled with the file $HOME/.k5identity.

2.4. File Systems

2.4.1. Large filesystems

Fedora 17 will support file systems larger than 16 terabytes on the default file system (ext4). With the latest version of e2fsprogs, ext4 file systems can now be up to 100 TB.

2.4.2. Encrypted filesystems

Fedora 17 uses version 1.4.1 of the cryptsetup package, which removes deprecated API calls. In addition, it supports placing LUKS headers on separate devices and the creation of shared, non-overlapping encrypted segments on a single device.

2.4.3. btrfs

btrfs is not available as a target file system during installation. This is a temporary situation and will be resolved in Fedora 18. btrfs is still available after installation.

2.5. Virtualization

2.5.1. QEMU

The QEMU open source machine emulator has been updated to version 1.0. Notable features include:
  • QEMU now supports live migration of running guests.
  • KVM users are now able to run standard performance profiling tools within KVM guests.
  • QEMU and libvirt now support image streaming. Image streaming lets an administrator start new virtual machines quickly based on existing images; virtual machines are then provisioned completely in the background as they run.
  • QEMU and KVM support a new advanced SCSI-based storage stack, virtio-scsi. Support for this new storage stack will be added to libvirt in a later release.
The full list of changes included in this release is available upstream at

2.5.2. libvirt

The libvirt toolkit for interacting with the virtualization capabilities of various hosts has been updated to version 0.9.10. The full list of changes included in this release is available upstream at

2.5.3. Virtual Machine Manager (virt-manager)

Virtual Machine Manager has been updated to version 0.9.1. As well as numerous bug fixes, this release adds:
  • Support for adding USB redirection devices.
  • An option to change the USB controller to support USB 2.0.
  • An option to specify the machine type for non-x86 guests.
The full list of changes included in this release is available upstream at

2.6. Cloud

2.6.1. OpenNebula

Also new to Fedora 17 is OpenNebula. OpenNebula provides an IaaS platform geared toward data center virtualization. Management of the environment can be done through command line or graphical interfaces. Compatibility with Amazon EC2 and the Open Cloud Computing Interface (OCCI) is included.

2.6.2. OpenStack

Fedora 17 includes the latest version of the OpenStack suite, code named "Essex". Included in this new release are the latest versions of the web management interface ("Horizon") and virtual networking ("Quantum"). The use of Qpid as an alternative to RabbitMQ for the AMQP backend is new in Fedora 17. In addition, the availability of libguestfs to support multiple virtual disk formats will make Fedora's OpenStack offering more flexible.

2.6.3. Open vSwitch

Fedora 17 includes Open vSwitch, a software-based network switch used to provide networking services to virtual machines. Open vSwitch supports OpenFlow for ease-of-management.

2.7. Database Servers

2.7.1. mysql

Fedora 17 includes mysql 5.5.20, updated from 5.5.14 in Fedora 16.

2.7.2. postgresql

postgresql has been upgraded to 9.1.2

Potentially Incompatible Change

If you rely on the information_schema.referential_constraints view, or if you have columns of type citext, you may need to take special action. Refer to
This is primarily a bugfix release.

2.7.3. sqlite

sqlite has been upgraded to 3.7.9

Potentially Incompatible Change

If a search token (on the right-hand side of the MATCH operator) in FTS4 begins with "^" then that token must be the first in its field of the document.
There are many changes and improvements:
  • Orders of magnitude performance improvement for CREATE INDEX on very large tables.
  • Improved the windows VFS to better defend against interference from anti-virus software.
  • Improved query plan optimization when the DISTINCT keyword is present.
  • Allow more system calls to be overridden in the unix VFS - to provide better support for chromium sandboxes.
  • Increase the default size of a lookahead cache line from 100 to 128 bytes.
  • Enhancements to the test_quota.c module so that it can track preexisting files.
  • Added options SQLITE_DBSTATUS_CACHE_HIT and SQLITE_DBSTATUS_CACHE_MISS to the sqlite3_db_status() interface.
  • Removed support for SQLITE_ENABLE_STAT2, replacing it with the much more capable SQLITE_ENABLE_STAT3 option.
  • Enhancements to the sqlite3_analyzer utility program, including the --pageinfo and --stats options and support for multiplexed databases.
  • Enhance the sqlite3_data_count() interface so that it can be used to determine if SQLITE_DONE has been seen on the prepared statement.
  • Added the SQLITE_FCNTL_OVERWRITE file-control by which the SQLite core indicates to the VFS that the current transaction will overwrite the entire database file.
  • Increase the default lookaside memory allocator allocation size from 100 to 128 bytes.
  • Enhanced the query planner so that it can factor terms in and out of OR expressions in the WHERE clause in an effort to find better indices.
  • Added the SQLITE_DIRECT_OVERFLOW_READ compile-time option, causing overflow pages to be read directly from the database file, bypassing the page cache.
  • Remove limits on the magnitude of precision and width value in the format specifiers of the sqlite3_mprintf() family of string rendering routines.

2.8. Release Notes Directory Change

Release Notes to Move

Beginning with the next release, the Fedora Release Notes will have a new location.
Traditionally, the Release Notes have been installed in /usr/share/doc/HTML/fedora-release-notes/. Over time, most of the documentation stored in the /usr/share/doc/HTML/ directory tree has moved out of that tree to application-specific directories.
For most users, this change will be invisible because the Release Notes are viewed by selecting the menu choice. However, some users go directly to the file, or may have their own internal links. For these users, changing the location without warning before the release could be a problem, so the Release Notes are not being moved this release.
Beginning with Fedora 18, the Release Notes will be stored in /usr/share/doc/fedora-release-notes-18.0/.

2.9. System Daemons

2.9.1. pciutils

The pciutils package, which provides tools for inspecting and configuring PCI devices, has been upgraded to version 3.1.9 in Fedora 17. This adds support for reading speed and link status fields for PCI Express Generation 3 hardware.

2.9.2. brltty

Fedora 17 includes version 4.3 of brltty, the Braille display daemon. Version 4.3 includes new logging and configuration options as well as support for additional devices.

2.10. Xorg

2.10.1. Software Rendering for GNOME Shell

The GNOME Shell experience is now available on all hardware, including devices that use software rendering. Users still wishing to use GNOME's fallback mode can enable it manually by accessing the System Info control panel applet, selecting Graphics, and setting the Forced Fallback Mode option to ON.

2.10.2. Multi-touch Support

The X server and libraries in Fedora 17 support version 2.2 of the XInput extension, which includes multi-touch support. Applications that choose to will now be able to take advantage of multi-touch support on Fedora.

2.10.3. Smooth Scrolling Support

The updated X server also provides smooth scrolling for drivers and devices that support it. Scroll data is now exported as axis values in addition to the legacy button press events. This allows applications to take velocity into account and provide a smoother scrolling experience. As with multi-touch, support for smooth scrolling must also be actively written into client applications themselves before they can take advantage of it.

2.10.4. DRI2 Drivers

The i810, mga, r128, savage, sis, tdfx, and unichrome DRI drivers are no longer supplied, as they are no longer included by Mesa. Impacted hardware includes variants of the following devices:
  • Intel i810 and i815 motherboard chipsets
  • Matrox MGA G200, G400, G450 and G550 cards
  • ATI Rage 128 cards
  • S3 Savage 3D and Savage 4 cards
  • SiS 300, 540, 630, and 730 chipsets
  • 3dfx Voodoo 3, Voodoo 4, and Voodoo 5 cards
  • VIA Unichrome and Unichrome Pro chipsets
This hardware is now supported by the llvmpipe software 3D driver which, unlike the older DRI drivers, exposes OpenGL 2.x functionality.