
3. Changes in Fedora for System Administrators

3.1. Kernel

Fedora 21 features the 3.16.3 kernel.

3.1.1. Modular Kernel Packaging

The kernel package is now a meta package that pulls in kernel-core and kernel-modules. The kernel-core package is much smaller than the usual full kernel package and is suitable for virtualized environments. Optionally uninstalling kernel-modules reduces the size of cloud images.
The kernel-modules package should be included when Fedora is installed on real hardware.

Initramfs Changes

Please note: a new initramfs is generated automatically only by the kernel-core package, not by kernel-modules. If you initially install only kernel-core and later install kernel-modules, and the newly installed modules are critical for booting the system, you need to create a new initramfs manually with dracut.
dracut is used to create the initramfs on Fedora. To regenerate the initramfs for all installed kernels, use the following command:
        # dracut --regenerate-all

3.2. Installation

3.2.1. Built-in Help in the Graphical Installer

Each screen in the installer's graphical interface and in the Initial Setup utility now has a Help button in the top right corner. Clicking this button opens the section of the Fedora Installation Guide relevant to the current screen using the Yelp help browser.
The help is only available in the English language.

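3.2.2. zRAM Swap Support

The Anaconda installer now supports setting up swap on zRAM during installation.
zRAM is a standard block device with compressed contents. Placing swap on such a device during installation lets the installer keep more data in memory instead of on the hard drive. This is especially helpful on machines with little memory. On such machines, enabling this feature makes the installation progress faster.
The feature is enabled automatically if Anaconda detects less than 2 GB of memory, and disabled above 2 GB. To force zRAM swap on or off, use the inst.zram=on or inst.zram=off boot option in the boot menu.
The specific limits, numbers, and implementation may change in the future.

3.2.3. Changes in Boot Options

Boot options are used to modify the installer's behavior from the boot command line. The following boot options have been added in Fedora 21:
  • inst.zram=: Use this option to force zRAM swap on (inst.zram=on) or off (inst.zram=off).
  • inst.dnf: Use the still-experimental DNF instead of YUM as the backend for package installation.
  • inst.memcheck: Perform a memory size check at the start of the installation to determine whether enough memory is available. If insufficient memory is detected, the installer stops with an error. This option is enabled by default; use inst.memcheck=0 to disable it.

3.2.4. Changes in Anaconda Command Line Options

Anaconda command line options are used when running the installer from a terminal on an already installed system, for example when installing into a disk image.
  • The built-in help, available through the anaconda -h command, now describes all available commands.
  • --memcheck: Check whether the system has enough memory to complete the installation, and abort the installation if it does not. This check is approximate. Memory usage during installation depends on the package selection, the user interface (graphical or text), and other factors.
  • --nomemcheck: Do not check whether the system has enough memory to complete the installation.
  • --leavebootorder: Boot the drives in their existing order; used to override the default behavior on IBM Power servers and EFI systems of booting into the newly installed drive. This option is useful for systems that need to network boot before booting locally.
  • --extlinux: Use extlinux as the boot loader. Note that no check is performed on whether this option will work on your system, which means that if you use it, you may be unable to boot your system after the installation completes. (Translator's note: because no check is performed, extlinux is installed even if it cannot work correctly as the boot loader.)
  • --dnf: Use the still-experimental DNF package management backend instead of the default YUM package manager. For details about the DNF project, see http://dnf.baseurl.org.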

3.2.5. Changes in Kickstart Syntax

This section describes changes to Kickstart commands and options. The changes can also be viewed on a Fedora system with the following command:
        $ ksverdiff -f F20 -t F21
This command only works on Fedora 21 with pykickstart installed.

3.2.5.1. New Commands and Options

  • fcoe --autovlan: Enable automatic discovery of VLANs.
  • bootloader --disabled: Do not attempt to install a boot loader. This option overrides all other boot loader configuration; all other boot loader options are ignored and no boot loader packages are installed.
  • network --interfacename=: Specify a custom interface name for a VLAN device. Use this option when the default name generated by the --vlanid= option is not desirable. It must be used together with the --vlanid= option.
  • ostreesetup: New optional command, used for OSTree installations. Available options are:
    • --osname= (required): Management root for the OS installation.
    • --remote= (optional): Name of the remote repository.
    • --url= (required): Repository URL.
    • --ref= (required): Name of the branch inside the repository.
    • --nogpgcheck (optional): Disable GPG key verification.
    More information about OSTree is available at https://wiki.gnome.org/action/show/Projects/OSTree.
  • clearpart --disklabel=: Create a custom disk label when relabeling disks.
  • autopart --fstype=: Specify a file system type (such as ext4 or xfs) to replace the default file system type used during automatic partitioning.
  • repo --install: Write the repository information to the /etc/yum.repos.d/ directory. This makes the repositories configured in Kickstart available on the installed system as well.
  • Changes in the %packages section:
    • An environment to install can be specified in the %packages section by adding an environment name prefixed with @^. For example:
      %packages
      @core
      @^Infrastructure Server
      %end
      
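    • %packages --nocore can now be used to disable installation of the Core package group.
    • You can exclude the kernel package from installation. This works the same way as excluding any other package, by prefixing the package name with -: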
      %packages
      @core
      -kernel
      %end
      
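3.2.5.2. Changes in Existing Commands and Options

  • volgroup --pesize=: This option has no default value in Kickstart. The default physical extent size for new volume groups is determined by the installer in both manual and Kickstart installations, so the behavior is the same in both cases. Previously, the default value for Kickstart installations was 32768.

3.2.6. Additional Changes

  • Software RAID configuration in the graphical interface is now implemented as toggles.
  • In the Manual Partitioning screen of the graphical interface, + and - can be used as keyboard shortcuts.
  • The ksverdiff utility (part of the pykickstart package) has a new option: --listversions. This option lists all available operating system versions that can be used as arguments to the --from= and --to= options.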

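3.3. Security

3.3.1. SSSD GPO-Based Access Control

SSSD now supports centrally managed, host-based access control in an Active Directory (AD) environment through Group Policy Objects (GPOs).
GPO policy settings are widely used to manage host-based access control in AD environments. SSSD supports local logons, remote logons, service logons, and more. Each of these standard GPO security options can be mapped to any PAM service, allowing administrators to configure their systems comprehensively.
This enhancement to SSSD is related only to the retrieval and enforcement of AD policy settings. Administrators can continue to use the existing AD tool set to specify policy settings.
The new functionality affects only SSSD's Active Directory provider and has no effect on other SSSD providers (such as the IPA provider). By default, SSSD's AD provider is installed in "permissive" mode, so it does not affect upgrades. Administrators need to switch it to "enforcing" mode manually (see sssd-ad(5)).
For more information about this change, see: https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration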

3.3.2. MD5 signed certificates are rejected

OpenSSL was patched to disallow verification of certificates that are signed with the MD5 algorithm. The use of the MD5 hash algorithm for certificate signatures is now considered insecure, and all the main crypto libraries in Fedora were therefore patched to reject such certificates.
Certificates signed with the MD5 algorithm are no longer present on public HTTPS web sites, but they may still be in use on private networks or used for authentication on OpenVPN-based VPNs. It is highly recommended to replace such certificates with new ones signed with SHA256 or at least SHA1. As a temporary measure, the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with the MD5 algorithm.

3.4. File Systems

3.4.1. Autofs Learns amd Maps

The autofs package has gained support for amd-format automount maps. In the past, amd maps were handled by am-utils, but its upstream development has declined. Users of amd-format automount maps are encouraged to test the autofs functionality and report any issues or feature requests at https://bugzilla.redhat.com
Usage information can be found in /usr/share/doc/autofs/README.amd-maps.

3.5. Database Servers

3.5.1. Apache Accumulo

The Apache Accumulo sorted, distributed key/value store is a robust, scalable, high performance data storage and retrieval system. Apache Accumulo is based on Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift. Apache Accumulo features a few novel improvements on the BigTable design in the form of cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.
Note that Accumulo's optional monitor service is not provided in the initial F21 release. It will be made available as soon as all of its dependencies are resolved.
For more information, visit https://accumulo.apache.org.

3.5.2. Apache HBase

Apache HBase is used when you need random, real-time read/write access to your Big Data. Apache HBase hosts very large tables -- billions of rows X millions of columns -- atop clusters of commodity hardware. Apache HBase is a distributed, versioned, non-relational database modeled after Google's Bigtable: A Distributed Storage System for Structured Data by Chang et al. Just as Bigtable leverages the distributed data storage provided by the Google File System, Apache HBase provides Bigtable-like capabilities on top of Hadoop and HDFS.
For more information, see http://hbase.apache.org/.

3.5.3. Apache Hive

The Apache Hive data warehouse software facilitates querying and managing large data sets residing in distributed storage. Hive provides a mechanism to project structure onto this data and query the data using a SQL-like language called HiveQL. At the same time this language also allows traditional map/reduce programmers to plug in their custom mappers and reducers when it is inconvenient or inefficient to express this logic in HiveQL.
For more information, see http://hive.apache.org/.

3.5.4. MariaDB 10.0

In Fedora 21, MariaDB has been updated to the upstream version 10.0, which provides various bug fixes and enhancements. Among others, support for parallel and multi-source replication has been added, as well as support for global transaction IDs. In addition, several new storage engines have been implemented.
For information about all changes, see the MariaDB Knowledge Base at https://mariadb.com/kb/en/mariadb/what-is-mariadb-100/.

3.6. Samba

3.7. Systemd

3.7.1. Journald

  • The systemd-journal-remote and systemd-journal-upload packages provide receiver and sender daemons. Journal messages can be forwarded to a remote system without using a syslog daemon. Communication takes place over HTTPS.
  • The cupsd service now logs to the journal. For details, see Section 4.5.1, “CUPS Journal Logging”.

3.7.2. systemd 215

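In Fedora 21, systemd has been updated to version 215. This release includes substantial enhancements, including improved resource management, service isolation and other security improvements, as well as network management from systemd-networkd.
Many of these improvements are aimed at making services running in containers more manageable, and at managing the containers themselves. systemd-nspawn creates securely isolated containers, and tools such as machinectl can be used to manage them. systemd-networkd provides network services for the containers, while systemd itself handles resource allocation.
To learn more about the improvements in systemd, read: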

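3.7.3. Systemd PrivateDevices and PrivateNetwork

Two new security-related options are available in systemd for long-running services that do not need access to physical devices or to the network:
  • The PrivateDevices setting, when set to "yes", provides a private, minimal /dev that does not contain any physical devices. This allows the access of long-running services to be restricted, which improves security.
  • The PrivateNetwork setting, when set to "yes", provides a private network containing only a loopback device. This allows long-running services that do not need network access to be isolated from the network.
For details about this change, see the PrivateDevices and PrivateNetwork wiki page.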
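The following checker is an added example, not part of the Fedora release notes. It computes the effective PrivateDevices and PrivateNetwork values for a service from its unit file plus any drop-ins, applied in order, and reports which of the two options are still off. The unit and drop-in contents are constructed samples, and exampled is a hypothetical daemon.

```python
# Boolean spellings systemd accepts as "true" (compared case-insensitively).
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}
OPTIONS = ("PrivateDevices", "PrivateNetwork")

# Constructed sample: packaged unit file for a hypothetical daemon.
UNIT = """\
[Unit]
Description=Example long-running daemon (constructed sample)

[Service]
ExecStart=/usr/bin/exampled
PrivateDevices=no
"""

# Constructed sample: administrator drop-in that enables both options.
DROP_IN = """\
[Service]
PrivateDevices=yes
PrivateNetwork=true
"""


def sandbox_settings(*unit_texts):
    """Effective option values after reading the unit file and its drop-ins
    in order; a later assignment overrides an earlier one."""
    state = dict.fromkeys(OPTIONS, False)  # both options default to off
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":  # blank line or comment
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section == "Service" and sep and key.strip() in OPTIONS:
                state[key.strip()] = value.strip().lower() in TRUE_VALUES
    return state


def missing_hardening(*unit_texts):
    """Names of the two options that are not enabled for this service."""
    return [name for name, on in sandbox_settings(*unit_texts).items() if not on]


if __name__ == "__main__":
    print("unit only:   ", missing_hardening(UNIT))
    print("with drop-in:", missing_hardening(UNIT, DROP_IN))
```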

3.8. Server Configuration Tools

3.8.1. Cockpit Management Console

The Cockpit management console is now available in Fedora Documentation. For details, see Section 2.2.2, “Cockpit Management Console”.

3.9. Monitoring and Management Solutions

3.9.1. Monitorix

The lightweight system monitoring tool Monitorix has been updated to 3.6. This release adds and improves support in many areas, including libvirt, apcupsd, and process statistics.
For the project's changelog, see http://www.monitorix.org/changelog.html.

3.9.2. SystemTap

The systemtap data collection suite in Fedora 21 has been updated to version 2.6. The new version adds many new features, which are detailed in /usr/share/doc/systemtap-runtime/NEWS. The systemtap documentation can be found at https://sourceware.org/systemtap/documentation.html.

3.9.3. Zabbix

Zabbix in Fedora 21 has been updated to 2.2.x. The Zabbix project team improves and extends the tool with every new release.
For a complete overview of the changes in Zabbix, visit https://www.zabbix.com/documentation/2.2/manual/introduction.

3.10. Cluster

3.10.1. Apache Ambari

The Apache Ambari project aims to simplify Hadoop management by developing software for configuring, managing, and monitoring Apache Hadoop clusters. Ambari provides an intuitive, easy-to-use Hadoop management web UI backed by its RESTful APIs.
For details, see http://ambari.apache.org/.

3.10.2. Apache Mesos

Apache Mesos is a cluster manager that provides efficient resource isolation and sharing across distributed applications, or frameworks. It abstracts CPU, memory, storage, and other compute resources away from machines (physical or virtual), enabling fault-tolerant and elastic distributed systems to easily be built and run effectively. Apache Mesos is built using the same principles as the Linux kernel, only at a different level of abstraction. The Mesos kernel runs on every machine and provides applications (e.g., Hadoop, Spark, Kafka, Elastic Search) with APIs for resource management and scheduling across entire data center and cloud environments.
For more information, see http://mesos.apache.org/.

3.10.3. Apache Oozie

Apache Oozie is a workflow scheduler to manage Hadoop jobs. It is integrated with the rest of the Hadoop stack and supports several types of Hadoop jobs out of the box (such as Java map-reduce, Streaming map-reduce, Pig, Hive, Sqoop and Distcp) as well as system specific jobs (such as Java programs and shell scripts).
For more information, see http://oozie.apache.org/.

3.10.4. Apache Pig

Apache Pig is a platform for analyzing large data sets that consists of a high-level language for expressing data analysis programs, coupled with infrastructure for evaluating these programs. The salient property of Pig programs is that their structure is amenable to substantial parallelization, which, in turn, enables them to handle very large data sets. At the present time, Pig's infrastructure layer consists of a compiler that produces sequences of Map-Reduce programs, for which large-scale parallel implementations already exist (e.g., the Hadoop sub-project).
For more information, see http://pig.apache.org/.

3.10.5. Apache Spark

Apache Spark is a fast and general engine for large-scale data processing. It supports developing custom analytic processing applications over large data sets or streaming data. Because it has the capability to cache intermediate results in cluster memory and schedule DAGs of computations, Spark programs can run up to 100x faster than equivalent Hadoop MapReduce jobs. Spark applications are easy to develop, parallel, fast, and resilient to failure, and they can operate on data from in-memory collections, local files, a Hadoop-compatible filesystem, or from a variety of streaming sources. Spark also includes libraries for distributed machine learning and graph algorithms.
For more information, see http://spark.apache.org/.