Legal Notice
		Copyright © 2010 Red Hat, Inc.
	
		The text of and illustrations in this document are licensed by Red Hat
 under a Creative Commons Attribution–Share Alike 3.0 Unported license 
("CC-BY-SA"). An explanation of CC-BY-SA is available at 
http://creativecommons.org/licenses/by-sa/3.0/.
 In accordance with CC-BY-SA, if you distribute this document or an 
adaptation of it, you must provide the URL for the original version.
	
		Red Hat, as the licensor of this document, waives the right to 
enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest
 extent permitted by applicable law.
	
		Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, 
MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red 
Hat, Inc., registered in the United States and other countries.
	
		Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
	
		Java® is a registered trademark of Oracle and/or its affiliates.
	
		XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
	
		MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
	
		All other trademarks are the property of their respective owners.
	
		
			1801 Varsity Drive
			 Raleigh, NC 27606-2072 USA
			 Phone: +1 919 754 3700
			 Phone: 888 733 4281
			 Fax: +1 919 754 3701
		
 
	 
		The Migration Planning Guide documents the migration of any minor 
version of a Red Hat Enterprise Linux 5 installation to Red Hat 
Enterprise Linux 6 by highlighting key behavioral changes worthy of note
 when migrating.
	
		This guide is intended to increase ease of use of Red Hat Enterprise 
Linux 6 by providing guidelines for changes in the product between Red 
Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. This guide is 
however not designed to explain all new features: it is focused on changes to the behavior
 of applications or components which were part of Red Hat Enterprise 
Linux 5 and have changed in Red Hat Enterprise Linux 6 or whose 
functionality has been superseded by another package.
	
1.1. Red Hat Enterprise Linux 6
			Red Hat Enterprise Linux is the leading platform for open source 
computing. It is sold by subscription, delivers continuous value and is 
certified by top enterprise hardware and software vendors. From the 
desktop to the datacenter, Enterprise Linux couples the innovation of 
open source technology and the stability of a true enterprise-class 
platform.
		
			Red Hat Enterprise Linux 6 is the next generation of Red Hat's 
comprehensive suite of operating systems, designed for mission-critical 
enterprise computing and certified by top enterprise software and 
hardware vendors. This release is available as a single kit on the 
following architectures: 
			
						i386
					
						AMD64/Intel64
					
						System z
					
						IBM Power (64-bit)
					
 
		
			In this release, Red Hat brings together improvements across the 
server, systems and the overall Red Hat open source experience. The 
following are some of the many improvements and new features that are 
included in this release:
		
				Tickless kernel and improvements through the application stack to 
reduce wakeups, power consumption measurement by PowerTOP, Power 
Management (ASPM, ALPM), and adaptive system tuning by Tuned.
			
				Comprehensive IPv6 support (NFS 4, CIFS, mobile support [RFC 3775], 
ISATAP support), FCoE, iSCSI, and a new and improved mac80211 wireless 
stack.
			
				System level enhancements from industry collaborations to make the most of hardware RAS capabilities and NUMA architectures.
			
				Improved scheduler and better resource management in the kernel via Completely Fair Scheduler (CFS) and Control Groups (CG).
			
				ext4 is the default filesystem, and xfs offers robustness, scalability, and high-performance.
			
				KVM includes performance improvements and new features, sVirt 
protects the host, VMs, and data from a guest breach, SRIOV and NPIV 
deliver high performance virtual use of physical devices, and libvirt 
leverages kernel CG controller functionality.
			
				SELinux includes improved ease of use, application sandboxing, and 
significantly increased coverage of system services, while SSSD provides
 unified access to identity and authentication services as well as 
caching for off-line use.
			
				SystemTap (allows instrumentation of a running kernel without 
recompilation), ABRT (simple collection of bug information), and 
improvements to GCC (version 4.4.3), glibc (version 2.11.1), and GDB 
(version 7.0.1).
			
1.2. Application Compatibility
			This release of Red Hat Enterprise Linux provides dependencies so 
applications designed to run on earlier versions of the operating system
 continue to run with minimum disruption. To that end, older versions of
 key libraries are included to preserve legacy interfaces that might 
have changed between this release and prior versions. These libraries 
serve as dependencies primarily for applications written in C/C++.
		
			Please note that it is not necessary to re-test or re-certify 
applications between minor releases of Red Hat Enterprise Linux. Red Hat
 Enterprise Linux compatibility policies ensure that applications 
running on a version of the release will continue to run throughout the 
life of the release. For example, applications certified on Red Hat 
Enterprise Linux 6.0 will be fully compatible on Red Hat Enterprise 
Linux 6.1 and so on.
		
			Refer to the following table for details on these compatibility packages:
		
Table 1.1. Compatibility Libraries
| Package | Description |
|---|---|
| compat-db | The Berkeley DB database compatibility library. The Berkeley Database (Berkeley DB) is a programmatic toolkit that provides embedded database support for both traditional and client/server applications. This package contains various versions of Berkeley DB which were included in previous releases. |
| compat-expat1 | Expat is a stream-oriented XML parser. This package provides library compatibility with previous versions. |
| compat-glibc | glibc is the C library used for system calls and other basic facilities. This package provides compatibility (and runtime libraries) for the compiling of binaries that require older glibc versions, and allows them to run on this release of Red Hat Enterprise Linux. |
| compat-libf2c-34 | This package provides older versions of Fortran 77 shared libraries, which are needed to run dynamically-linked Fortran 77 programs. |
| compat-libgcc-296 | Contains the 2.96 libgcc.a library and support object files to retain compatibility with older versions of GCC. |
| compat-libgfortran-41 | This package includes a Fortran 95 runtime library for compatibility with GCC 4.1.x compiled Fortran applications. |
| compat-libstdc++-295 | Provides compatibility with the GNU standard C++ library version 2.95. |
| compat-libstdc++-296 | Provides compatibility with the GNU standard C++ library version 2.96. |
| compat-libstdc++-33 | Provides compatibility with the GNU standard C++ library version 3.3. |
| compat-libtermcap | This package provides compatibility for older termcap-based programs. |
| compat-openldap | OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The compat-openldap package includes older versions of the OpenLDAP shared libraries which may be required by some applications. |
| openssl098e | This package provides OpenSSL 0.98e, which may be required for some SSL applications. |
Chapter 3. Storage and File Systems
				Performing an upgrade from a dmraid set to an mdraid set is not supported. A warning will be displayed when an upgrade of this type is attempted. Upgrades from existing mdraid sets and creation of new mdraid sets are possible.
			
			The new default superblock can cause problems when upgrading sets. 
This new superblock format (used on all devices except when creating a 
RAID1 /boot partition) is now at the beginning of the array, and any 
file system or LVM data is offset from the beginning of the partition. 
When the array is not running, LVM and file system mount
 commands may not detect the device as having a valid volume or file 
system data. This is intentional, and means that if you want to mount a 
single disk in a RAID1 array, you need to start the array having only 
that single disk in it, then mount the array. You can not mount the bare
 disk directly. This change has been made as mounting a bare disk 
directly can silently corrupt the array if a resync is not forced.
		
			On subsequent reboots, the RAID system may then consider the disk 
that was not included in the array as being incompatible, and will 
disconnect that device from the array. This is also normal. When you are
 ready to re-add the other disk back into the array, use the mdadm
 command to hot add the disk into the array, at which point a resync of 
the changed parts of the disk (if you have write intent bitmaps) or the 
whole disk (if you have no bitmap) will be performed, and the array will
 once again be synchronized. From this point, devices will not be 
disconnected from the array, as the array is considered to be properly 
assembled.
		
			The new superblock supports the concept of named mdraid arrays. Dependency on the old method of array enumeration (for instance, /dev/md0 then /dev/md1, etc.) for distinguishing between arrays has been dropped. You can now choose an arbitrary name for the array (such as home, data, or opt). Create the array with your chosen name using the --name=opt option. Whatever name is given to the array, that name will be created in /dev/md/
 (unless a full path is given as a name, in which case that path will be
 created; or unless you specify a single number, such as 0, and mdadm will start the array using the old /dev/mdx
 scheme). The Anaconda installer does not currently allow for the 
selection of array names, and instead uses the simple number scheme as a
 way to emulate how arrays were created in the past.
		
			The new mdraid arrays support the use of
 write intent bitmaps. These help the system identify problematic parts 
of an array, so that in the event of an unclean shutdown, only the 
problematic parts need to be resynchronized, and not the entire disk. 
This drastically reduces the time required to resynchronize. Newly 
created arrays will automatically have a write intent bitmap added when 
suitable. For instance, arrays used for swap and very small arrays (such
 as /boot arrays) do not benefit from 
having write intent bitmaps. It is possible to add a write intent bitmap
 to your previously existing arrays after the upgrade is complete via 
the mdadm --grow command on the device, 
however write intent bitmaps do incur a modest performance hit (about 
3-5% at a bitmap chunk size of 65536, but can increase to 10% or more at
 small bitmap chunk sizes such as 8192). This means that if a write 
intent bitmap is added to an array, it is best to keep the chunk size 
reasonably large. The recommended size is 65536.
		
				It is recommended that those wishing to make use of ext4 start with a
 freshly formatted partition. However, you may install Red Hat 
Enterprise Linux 6 with the ext4migrate 
boot option if you wish to convert your legacy ext3 partitions to ext4. 
It is important to note that by doing this you will not receive all of 
the benefits ext4 offers, since the data currently residing on the 
partition will not make use of the extents features and other changes. 
New data will however make use of extents. Passing this boot option to 
migrate to ext4 is not recommended and it is strongly recommended that 
you back up file systems before attempting this migration.
			
				Red Hat Enterprise Linux 6 provides full support for ext4 and it is 
the default file system for new installations. This section explains the
 major changes in behaviour that this new file system introduces.
			
					The included version of the GRUB bootloader provides full support for ext4 partitions. The installer also allows you to place any /boot file system on an ext4 partition.
				
					The included version of the e2fsprogs package is fully compatible with ext4.
				
					In some cases, ext4 file systems created under Red Hat Enterprise Linux 5.3 with the e4fsprogs package created an ext4dev file system type. The test_fs feature flag identifying these file systems as a development version can be removed with the following command: tune2fs -E ^test_fs. This is done so that these file systems will be recognized as regular ext4 file systems.
				
				Fusecompress is a compressing filesystem mountable by unprivileged 
users. Red Hat Enterprise Linux 6 includes an updated version that fixes
 several bugs but changes the on-disk format. Users with existing 
fusecompress filesystems will need to migrate their data to the new 
format. Unless decompression is performed before upgrading, the fusecompress_offline1 package is required.
			
				The blockdev --rmpart command option is no longer supported. The partx(8) and delpart(8) commands now provide this functionality.
			
Chapter 4. Networking and Services
4.1. Interfaces and Configuration
				Red Hat Enterprise Linux 6 uses NetworkManager by default when configuring network interfaces.
			
				Infiniband support (specifically the openib start script and the openib.conf file) was provided by the openib
 package in Red Hat Enterprise Linux 5. The package name has changed in 
Red Hat Enterprise Linux 6 to reflect its functionality more accurately.
 The Infiniband functionality is now distributed in the rdma package. The service is now called rdma, and the configuration file is located at /etc/rdma/rdma.conf.
			
4.2. Service Initialization
				Xinetd is a daemon used to start network services on demand. The 
changes in xinetd are related to the allowed limit of open file 
descriptors:
			
					The listening mechanism has changed from select() to poll(). With this change, the limit of open file descriptors used by xinetd can be changed.
				
					File descriptor limit can also now be changed on a per-service 
basis. This can be done in the configuration file for the service via 
the rlimit_files directive. The value can be a positive integer or UNLIMITED.
				
				In Red Hat Enterprise Linux 6, the custom runlevels 7, 8 and 9 are no longer supported and can not be used.
			
				In Red Hat Enterprise Linux 6, init from the sysvinit package has been replaced with Upstart,
 an event-based init system. This system handles the starting of tasks 
and services during boot, stopping them during shutdown and supervising 
them while the system is running. For more information on Upstart 
itself, refer to the init(8) man page.
			
			Processes are known to Upstart as jobs and are defined by files in the /etc/init directory. Upstart is very well documented via man pages. Command overview is in init(8) and job syntax is described in init(5).
		
			Upstart provides the following behavioral changes in Red Hat Enterprise Linux 6:
		
					The /etc/inittab file is deprecated, and is now used only for setting up the default runlevel via the initdefault line. Other configuration is done via upstart jobs in the /etc/init directory.
				
					The number of active tty consoles is now set by the ACTIVE_CONSOLES variable in /etc/sysconfig/init, which is read by the /etc/init/start-ttys.conf job. The default value is ACTIVE_CONSOLES=/dev/tty[1-6], which starts a getty on tty1 through tty6.
				
					A serial getty is still automatically configured if the serial 
console is the primary system console. In prior releases, this was done 
by kudzu, which would edit /etc/inittab. In Red Hat Enterprise Linux 6, configuration of the primary serial console is handled by /etc/init/serial.conf.
				
					To configure a getty running on a non-default serial console, you must now write an Upstart job instead of editing /etc/inittab. For example, if a getty on ttyS1 is desired, the following job file (/etc/init/serial-ttyS1.conf) would work:
				
# This service maintains a getty on /dev/ttyS1.
start on stopped rc RUNLEVEL=[2345]
stop on starting runlevel [016]
respawn
exec /sbin/agetty /dev/ttyS1 115200 vt100-nav
			As in prior releases, you should still make sure that ttyS1 is in /etc/securetty if you wish to allow root logins on this getty.
		
			Because of the move to Upstart, using /etc/shutdown.allow for defining who can shut the machine down is no longer supported.
		
			IPTables includes a SECMARK target module. This is used to set the security mark value associated with the packet for use by security subsystems such as SELinux. It is only valid in the mangle table. Refer to the following for example usage:
iptables -t mangle -A INPUT -p tcp --dport 80 -j SECMARK --selctx system_u:object_r:httpd_packet_t:s0
		
			There are several major changes in BIND configuration:
		
					Default ACL configuration - in Red Hat Enterprise Linux 5, the 
default ACL configuration allowed queries and offered recursion for all 
hosts. By default in Red Hat Enterprise Linux 6, all hosts can make 
queries for authoritative data but only hosts from the local network can
 make recursive queries.
				
					New allow-query-cache option - the allow-recursion
 option has been deprecated in favor of this option. It is used to 
control access to server caches, which include all non-authoritative 
data (like recursive lookups and root nameserver hints).
				
					Chroot environment management - the bind-chroot-admin
 script, which was used to create symlinks from a non-chroot environment
 to a chroot environment, is deprecated and no longer exists. Instead, 
configuration can be managed directly in a non-chroot environment and 
init scripts automatically mount needed files to the chroot environment 
during named startup in the case that files are not already present in the chroot.
				
					/var/named directory permissions - The /var/named
 directory is no longer writable. All zone files that need to be 
writable (such as dynamic DNS zones, DDNS) should be placed in the new 
writable directory: /var/named/dynamic.
				
					The dnssec [yes|no] option no longer exists - The global dnssec [yes|no] options have been split into two new options: dnssec-enable and dnssec-validation. The dnssec-enable option enables DNSSEC support. The dnssec-validation option enables DNSSEC validation. Note that setting dnssec-enable
 to "no" on a recursive server means that it cannot be used as a forwarder
 by another server that performs DNSSEC validation. Both options are set
 to yes by default.
				
					You no longer need to specify the controls statement in /etc/named.conf if you use the rndc management utility. The named service automatically allows control connections via the loopback device and both named and rndc use the same secret key generated during installation (located in /etc/rndc.key).
				
			In a default installation, BIND is installed with DNSSEC validation 
enabled, and uses the ISC DLV register. This means all signed domains 
(such as gov., se., cz.), that have their key in the ISC DLV register, 
are cryptographically validated on the recursive server. If validation 
fails due to attempts at cache poisoning, then the end user will not be 
given this forged/spoofed data. DNSSEC deployment is now a 
widely-implemented feature, is an important step in making the Internet 
more secure for end users, and is fully supported in Red Hat Enterprise 
Linux 6. As previously mentioned, DNSSEC validation is controlled with 
the dnssec-validation option in /etc/named.conf.
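
A pre-migration check for the BIND changes listed above, as an added example that is not part of the original guide: it scans named.conf text for the removed dnssec option, allow-recursion, an explicit controls statement, and zones that accept updates but keep their file outside the dynamic directory. The function name, tags and sample configuration are constructed for illustration, and /* ... */ comments are not handled.

```shell
#!/bin/sh
# Added example (not from the guide): flag named.conf constructs affected by
# the RHEL 6 BIND changes. Reads named.conf text on stdin.

# lint_named_conf: prints "<line>:<TAG>:<message>" for each finding.
lint_named_conf() {
    awk '
        function report(n, tag, msg) { printf "%d:%s:%s\n", n, tag, msg }
        {
            line = $0
            sub(/\/\/.*/, "", line)      # strip // comments
            sub(/#.*/, "", line)         # strip # comments
        }
        line ~ /^[ \t]*dnssec[ \t]+(yes|no)[ \t]*;/ {
            report(NR, "REMOVED", "dnssec yes|no is split into dnssec-enable and dnssec-validation")
        }
        line ~ /allow-recursion[ \t]*[{]/ {
            report(NR, "DEPRECATED", "allow-recursion; the guide names allow-query-cache as its replacement")
        }
        line ~ /^[ \t]*controls[ \t]*[{]/ {
            report(NR, "UNNEEDED", "controls statement is not required for rndc over loopback")
        }
        # Start of a zone statement: remember its name and reset per-zone state.
        line ~ /^[ \t]*zone[ \t]+"/ {
            split(line, q, "\"")
            zone = q[2]; zline = NR; file = ""; dynamic = 0; depth = 0; in_zone = 1
        }
        in_zone {
            padded = " " line
            if (match(padded, /[ \t;{]file[ \t]+"[^"]+"/)) {
                split(substr(padded, RSTART, RLENGTH), q, "\"")
                file = q[2]
            }
            # A zone is treated as dynamic if it has an update-policy or an
            # allow-update list other than "none".
            if (line ~ /update-policy/) { dynamic = 1 }
            if (line ~ /allow-update[ \t]*[{]/ && line !~ /allow-update[ \t]*[{][ \t]*none[ \t]*;/) { dynamic = 1 }
            depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
            if (depth <= 0 && line ~ /[}]/) {
                if (dynamic && file !~ /^(\/var\/named\/)?dynamic\//) {
                    report(zline, "MOVE", "zone " zone " accepts updates; file " file " must live under /var/named/dynamic")
                }
                in_zone = 0
            }
        }'
}

# Constructed RHEL 5 style configuration used as sample input.
sample_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    dnssec yes;
    allow-recursion { 192.0.2.0/24; };
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "static.example.com" IN {
    type master;
    file "static.example.com.db";
    allow-update { none; };
};
zone "ddns.example.com" IN {
    type master;
    file "ddns.example.com.db";
    allow-update { key "ddns-key"; };
};
zone "ok.example.com" IN {
    type master;
    file "dynamic/ok.example.com.db";
    allow-update { key "ddns-key"; };
};
EOF
}

sample_named_conf | lint_named_conf
```

On a real system the input would be `lint_named_conf < /etc/named.conf`, run against the Red Hat Enterprise Linux 5 configuration before it is carried over.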
		
			NTP (Network Time Protocol) is used to synchronize the clocks of 
computer systems over the network. In Red Hat Enterprise Linux 6, the 
default configuration file, /etc/ntp.conf, now has the following lines commented:
		
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
			This configuration means that ntpd 
will only distribute time information to network clients if it is 
specifically synchronized to an NTP server or a reference clock. To get ntpd to offer this information even when not synchronized, the two lines should be uncommented.
		
			Also, when ntpd is started with the -x option (in OPTIONS in the /etc/sysconfig/ntpd file), or if there are servers specified in /etc/ntp/step-tickers, the service no longer runs the ntpdate command before starting. There is now a separate ntpdate service which can be enabled independently from the ntpd service. This ntpdate
 service is disabled by default, and should be used only when other 
services require the correct time before starting, or do not function 
properly when time modifications occur later by ntpd.
		
			You may encounter problems running this service with the default NetworkManager configuration. It may be necessary to add NETWORKWAIT=1 to /etc/sysconfig/network, as described in the Red Hat Enterprise Linux Deployment Guide.
		
			In Red Hat Enterprise Linux 6, Kerberos clients and servers (including KDCs) will default to not using keys for the ciphers des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw, des-hmac-sha1, and arcfour-hmac-exp. By default, clients will not be able to authenticate to services which have keys of these types.
		
			Most services can have a new set of keys (including keys for use with
 stronger ciphers) added to their keytabs and experience no downtime, 
and the ticket granting service's keys can likewise be updated to a set 
which includes keys for use with stronger ciphers, using kadmin's cpw -keepold command.
		
			As a temporary workaround, systems that need to continue to use the weaker ciphers require the 
allow_weak_crypto option in the 
libdefaults section of the 
/etc/krb5.conf file. This variable is set to 
false by default, and authentication will fail without having this option enabled: 
[libdefaults]
allow_weak_crypto = yes
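
An added example (not part of the original guide) for finding the services the paragraphs above describe: it reads a key listing and reports which principals hold only keys of the disabled types, and so need new keys before clients can authenticate without allow_weak_crypto. The `<kvno> <principal> (<enctype>)` line format with short enctype names is an assumption, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): classify keytab principals by whether
# they still hold keys for enctypes RHEL 6 Kerberos disables by default.

# Enctypes the guide lists as no longer used by default.
WEAK_ENCTYPES="des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des3-cbc-raw des-hmac-sha1 arcfour-hmac-exp"

# audit_keytab_listing: reads a key listing on stdin, one key per line in the
# assumed form "<kvno> <principal> (<enctype>)"; other lines are ignored.
# Prints "<principal> <STATUS> weak=<n> strong=<n>" per principal:
#   WEAK_ONLY  every key uses a disabled enctype (authentication will fail)
#   MIXED      usable keys exist, weak ones can be retired
#   OK         no weak keys
audit_keytab_listing() {
    awk -v weak="$WEAK_ENCTYPES" '
        BEGIN {
            n = split(weak, names, " ")
            for (i = 1; i <= n; i++) is_weak[names[i]] = 1
        }
        # Key entries start with a numeric KVNO; headers and rulers do not.
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2
            enc = $NF
            gsub(/[()]/, "", enc)
            if (!(princ in seen)) { seen[princ] = 1; order[++count] = princ }
            if (enc in is_weak) { weakn[princ]++ } else { strongn[princ]++ }
        }
        END {
            for (i = 1; i <= count; i++) {
                p = order[i]
                w = weakn[p] + 0
                s = strongn[p] + 0
                status = (s == 0) ? "WEAK_ONLY" : ((w > 0) ? "MIXED" : "OK")
                printf "%s %s weak=%d strong=%d\n", p, status, w, s
            }
        }'
}

# weak_only_principals: just the principals that must be re-keyed first.
weak_only_principals() {
    audit_keytab_listing | awk '$2 == "WEAK_ONLY" { print $1 }'
}

# Constructed sample listing (hypothetical hosts and realm).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/app1.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/app1.example.com@EXAMPLE.COM (des-cbc-md5)
   3 HTTP/web1.example.com@EXAMPLE.COM (des-cbc-md5)
   3 HTTP/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/files1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

sample_listing | audit_keytab_listing
```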
		
			Additionally, support for Kerberos IV, both as an available shared 
library and as a supported authentication mechanism in applications, has
 been removed. Newly-added support for lockout policies requires a 
change to the database dump format. Master KDCs which need to dump 
databases in a format which older KDCs can consume should run 
kdb5_util's dump command with the -r13 option.
		
				In some releases of Red Hat Enterprise Linux 5, the sendmail Mail Transport Agent (MTA) accepted network connections from external hosts by default. In Red Hat Enterprise Linux 6, sendmail by default only accepts connections from the local system (localhost). To grant sendmail the ability to act as a server for remote hosts, perform one of the following steps:
			
						Edit /etc/mail/sendmail.mc and change the DAEMON_OPTIONS line to also listen on network devices
					
						Comment out the DAEMON_OPTIONS line in /etc/mail/sendmail.mc. Then install the sendmail-cf package and regenerate /etc/mail/sendmail.cf by running the following commands:
					
su -c 'yum install sendmail-cf'
su -c 'make -C /etc/mail'
				Exim has been removed from Red Hat Enterprise Linux 6. Postfix is the default and recommended MTA.
			
					The configuration for Dovecot 2.x has changed. The master configuration file /etc/dovecot.conf has moved to /etc/dovecot/dovecot.conf and other parts of Dovecot configuration have moved to /etc/dovecot/conf.d/*.conf.
 The majority of the configuration is the same and is compatible with 
this new version; however, you can test your configuration and list 
which options have been renamed, removed, or otherwise changed in this 
new version with the following command:
				
				
doveconf [-n] -c /old/dovecot.conf
			 
				The MySQL DBD driver has been dual-licensed and the related licensing issues have been resolved. The resulting apr-util-mysql package is now included in the Red Hat Enterprise Linux 6 software repositories.
			
			Drupal has been updated from the 5.x series to 6.x. For details, refer to: 
http://drupal.org/
 Remember to log in to your site as the admin user, and disable any 
third-party modules before upgrading this package. After upgrading the 
package:
		
					Copy /etc/drupal/default/settings.php.rpmsave to /etc/drupal/default/settings.php, and repeat for any additional sites' settings.php files.
				
					To run the upgrade script, browse to its location using the web interface of your installed host. For example, http://hostname.example.com/drupal/update.php.
				
			Squid has been updated to 3.1, and now provides native IPv6 support. The configuration file 
/etc/squid/squid.conf
 has been significantly shortened; the configuration options for Squid 
3.1 have changed and are not entirely backwards compatible with some 
older versions. For complete details on configuration and other changes,
 please refer to the Squid 3.1 release notes: 
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html.
		
			Squid provides the ability to authenticate users via the ncsa_auth and pam_auth helpers. The permissions of these helpers have changed in Red Hat Enterprise Linux 6. Previous releases enabled the setuid flag for ncsa_auth and pam_auth, as elevated privileges were needed to access system files needed for authentication. Now, in Red Hat Enterprise Linux 6, Squid does not require the setuid flag to be set for these helpers. This change has been made because of the security risks of running helpers with the setuid flag set. Normal functionality has been maintained without setting these flags.
		
				In order to support Bluetooth devices, the Bluetooth background 
service was started by default in previous versions of Red Hat 
Enterprise Linux. In this release, the Bluetooth service is started on 
demand when needed and automatically stops 30 seconds after the use of 
the device has stopped. This reduces overall initial startup time and 
resource consumption.
			
				Red Hat Enterprise Linux 6 includes the cronie package as a replacement for vixie-cron. The main difference between these packages is how the regular jobs (daily, weekly, monthly) are done. Cronie uses the /etc/anacrontab file, which by default looks like the following:
			
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
# period in days   delay in minutes   job-identifier   			command
1			5		cron.daily	nice run-parts	/etc/cron.daily
7			25		cron.weekly	nice run-parts	/etc/cron.weekly
@monthly		45		cron.monthly	nice run-parts	/etc/cron.monthly
			These regular jobs will be executed once a day in the 03:00-22:00 time interval, including a random delay. For example, cron.daily will have a 5 minute forced delay plus a random delay of 0-45 minutes. You could also run jobs with no delays, between 4 and 5:
		
RANDOM_DELAY=0 # or don't use this option at all
START_HOURS_RANGE=4-5
# period in days   delay in minutes   job-identifier   			command
1			0		cron.daily	nice run-parts	/etc/cron.daily
7			0		cron.weekly	nice run-parts	/etc/cron.weekly
@monthly		0		cron.monthly	nice run-parts	/etc/cron.monthly
			Features of cronie include:
		
					Random delay for starting the job in /etc/anacrontab.
				
					Time range of regular jobs can be defined in /etc/anacrontab.
				
					Each cron table can have its own defined time zone with the CRON_TZ variable.
				
					By default, the cron daemon checks for changes in tables with inotify.
				
			For further details about cronie and cronie-anacron, please refer to the Red Hat Enterprise Linux Deployment Guide.
		
			The dateext option is now enabled by default in /etc/logrotate.conf.
 This option archives old versions of log files by adding an extension 
representing the date (in YYYYMMDD format). Previously, a number was 
appended to files.
		
Chapter 7. Security and Authentication
		This chapter covers behavioral changes for security and authentication, including SELinux, SSSD, LDAP, Checksums, and PAM.
	
			The sshd daemon is now a confined service.
		
			SSSD (System Security Services Daemon) offers access to remote identity and authentication mechanisms, referred to as providers.
 It allows those providers to be plugged in as SSSD back-ends, 
abstracting the local and network identity and authentication sources 
and allowing any kind of identity data provider to be plugged in. A domain
 is a database containing user information, which may serve as the 
source of a provider’s identity information. Multiple identity providers
 are supported, allowing two or more identity servers to act as separate
 user namespaces. Collected information is available to applications on 
the front-end through standard PAM and NSS interfaces.
		
			SSSD runs as a suite of services, independent of the applications 
that use it. Those applications therefore no longer need to make their 
own connections to remote domains, or even be aware of which is being 
used. Robust local caching of identity and group membership information 
allows operations regardless of where identity comes from (e.g., LDAP, 
NIS, IPA, DB, Samba, etc.), offers improved performance, and allows 
authentication to be performed even when operating offline and online 
authentication is unavailable. SSSD also allows the use of multiple 
providers of the same type (e.g., multiple LDAP providers) and allows 
domain-qualified identity requests to be resolved by those different 
providers. Further details can be found in the Red Hat Enterprise Linux 6 
Deployment Guide.
		
7.3.1. Converting slapd configuration
				This example assumes that the file to convert from the old slapd configuration is located at /etc/openldap/slapd.conf and the new directory for OpenLDAP configuration is located at /etc/openldap/slapd.d/.
			
						Remove the contents of the new /etc/openldap/slapd.d/ directory:
					
 rm -rf /etc/openldap/slapd.d/* 
						Run slaptest to check the validity of the configuration file and specify the new configuration directory:
					
 slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d 
						Configure permissions on the new directory:
					
 chown -R ldap:ldap /etc/openldap/slapd.d 
 chmod -R 000 /etc/openldap/slapd.d 
 chmod -R u+rwX /etc/openldap/slapd.d 
						Once the service is confirmed to be working in the new configuration directory, remove the old configuration file:
					
 rm -rf /etc/openldap/slapd.conf 
			Red Hat Enterprise Linux now uses the SHA-256 digest algorithm for 
data verification and authentication in more places than before, 
upgrading from the cryptographically weaker SHA-1 and MD5 algorithms.
		
7.5. Pluggable Authentication Modules (PAM)
			Common configuration for PAM services is located in the /etc/pam.d/system-auth-ac file.
		
			Authentication modules are now also written into additional PAM configuration files: /etc/pam.d/password-auth-ac, /etc/pam.d/smartcard-auth-ac and /etc/pam.d/fingerprint-auth-ac.
		
			The PAM configuration for sshd and other remote services such as ftpd now includes the /etc/pam.d/password-auth file in Red Hat Enterprise Linux 6 instead of /etc/pam.d/system-auth.
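
Because sshd now reads password-auth, hardening that was applied only to system-auth no longer reaches remote logins. The following added example (not part of the original guide) compares the two stacks and lists rules present in system-auth that are missing or have different arguments in password-auth; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): report PAM rules that exist in
# system-auth but are absent or configured differently in password-auth.

# pam_rules: reads a PAM service file on stdin and prints one normalized
# "type module args..." line per rule. The control field is dropped, and
# include/substack lines are skipped.
pam_rules() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF < 3 { next }                    # blank or incomplete line
        {
            type = $1; sub(/^-/, "", type)
            i = 2                          # control may be "[a=b c=d]" with spaces
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            if ($2 == "include" || $2 == "substack") next
            mod = $(i + 1); sub(/.*\//, "", mod)
            args = ""
            for (j = i + 2; j <= NF; j++) args = args " " $j
            printf "%s %s%s\n", type, mod, args
        }'
}

# pam_drift SYSTEM_AUTH_FILE PASSWORD_AUTH_FILE
# Prints "MISSING <rule>" when password-auth lacks the module for that type,
# and "DIFFERS <rule>" when the module is present with other arguments.
pam_drift() {
    remote=$(pam_rules < "$2")
    pam_rules < "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        key=$(printf '%s\n' "$rule" | awk '{ print $1, $2 }')
        if printf '%s\n' "$remote" | grep -Fqx -- "$rule"; then
            continue
        elif printf '%s\n' "$remote" |
             awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }'; then
            printf 'DIFFERS %s\n' "$rule"
        else
            printf 'MISSING %s\n' "$rule"
        fi
    done
}

# write_samples DIR: constructed sample files, with lockout and password
# length hardening applied to system-auth only.
write_samples() {
    cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
    cat > "$1/password-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
pam_drift "$demo_dir/system-auth" "$demo_dir/password-auth"
rm -rf "$demo_dir"
```

On a migrated host the call is `pam_drift /etc/pam.d/system-auth /etc/pam.d/password-auth`.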
		
			The threshold for statically assigned UID/GID numbers (defined by the setup package in the /usr/share/doc/setup-*/uidgid
 file) has increased from 100 (in Red Hat Enterprise Linux 3, 4, and 5) 
to 200 in Red Hat Enterprise Linux 6. This change can affect systems 
that have 100-200 dynamically or statically assigned UID/GIDs, and cause
 failure in the installation and running of some applications.
		
			Dynamic UID/GID allocation now ranges from 499 downward in Red Hat 
Enterprise Linux 6. For static system user creation without reservations
 enforced by the setup package, it is recommended to use the UID/GID area of 300 and above.
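A pre-migration check for the UID/GID change described above, as an added example that is not part of the original guide: it lists users and groups whose IDs fall in a given band. The function name and sample data are constructed, and the 100 to 199 band is this example's reading of the "100-200" range.

```bash
#!/bin/bash
# Added example: ids_in_band is a hypothetical helper, not a Red Hat tool.
# Real use:  ids_in_band passwd 100 199 < /etc/passwd
#            ids_in_band group  100 199 < /etc/group

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
appsvc:x:101:101:App service:/opt/app:/sbin/nologin
backup:x:150:600:Backup agent:/var/backup:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash'

SAMPLE_GROUP='root:x:0:
appsvc:x:101:
staff:x:199:alice
users:x:200:'

# ids_in_band KIND LOW HIGH
# Reads passwd- or group-format lines on stdin (KIND is "passwd" or "group")
# and prints one line per ID that lies in LOW..HIGH inclusive.
ids_in_band() {
    awk -F: -v kind="$1" -v lo="$2" -v hi="$3" '
        /^#/ || NF < 3 { next }                 # skip comments, short lines
        $3 !~ /^[0-9]+$/ { next }               # skip NIS "+" style entries
        kind == "passwd" {
            if ($3 >= lo && $3 <= hi) print "user " $1 " uid=" $3
            if ($4 ~ /^[0-9]+$/ && $4 >= lo && $4 <= hi)
                print "user " $1 " primary-gid=" $4
        }
        kind == "group" && $3 >= lo && $3 <= hi {
            print "group " $1 " gid=" $3
        }
    '
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | ids_in_band passwd 100 199
printf '%s\n' "$SAMPLE_GROUP"  | ids_in_band group  100 199
```

Any entry reported here should be checked against the uidgid file shipped by the setup package before migrating.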
		
Chapter 9. Package And Driver Changes
		The list of included packages and system drivers undergoes regular 
changes in Red Hat Enterprise Linux releases. This is done for a number 
of reasons: packages and drivers are added or updated in the operating 
system to provide new functionality, or the packages and drivers may 
represent out-of-date hardware and are removed. The upstream project for
 the packages and drivers might no longer be maintained, or 
hardware-specific packages and drivers are no longer supported by a 
hardware vendor and are removed.
	
		This chapter lists the new and updated packages and drivers in Red Hat
 Enterprise Linux 6, as well as those that have been deprecated and 
discontinued (removed).
	
				The system-config-bind tool has been deprecated and removed without replacement. Editing the name server configuration manually via the named.conf file is recommended in Red Hat Enterprise Linux 6. Comprehensive BIND documentation is installed as part of the bind package in /usr/share/doc/bind-x.y.z. Also, sample configurations can be found in the /usr/share/doc/bind-x.y.z/sample directory. The system-config-bind
 tool from previous versions does, however, generate standard BIND 
configuration, so depending on your environment it is possible to 
migrate to the version of BIND found in Red Hat Enterprise Linux 6 by 
moving old configuration files to the correct location and performing 
sufficient testing.
			
				The system-config-cluster tool has been deprecated and removed without replacement. Using ricci and luci (from the Conga project) is recommended.
			
				The system-config-display tool has been replaced by XRandr configuration tools as found in both supported desktops: GNOME and KDE. There is no explicit configuration file (xorg.conf) in the default X server installation as display management is now done dynamically via one of the following menu options:
			
GNOME: System -> Preferences -> Display
KDE: System Settings -> Computer Administration -> Display
			Note: The command line utility (xrandr) can also be used for display configuration. See the xrandr --help command or the manual page via the man xrandr command for further details.
		
				The system-config-httpd tool has been 
deprecated and removed without replacement. Users should configure web 
servers manually. Configuration can be done in the /etc/httpd directory. The main configuration file is located at /etc/httpd/conf/httpd.conf.
 This file is well documented with detailed comments in the file for 
most server configurations; however if required, the complete Apache web
 server documentation is shipped in the httpd-manual package.
			
				The system-config-lvm tool has been deprecated. Users should perform management of logical volumes via the gnome-disk-util or the lvm tools.
			
				The system-config-netboot tool has been deprecated and removed without replacement. Using Red Hat Satellite is recommended.
			
				The system-config-nfs tool has been deprecated and removed without replacement. Users should set up NFS server configuration manually.
			
				The system-config-rootpassword tool has been replaced by the system-config-users tool - a powerful user management and configuration tool. The root password can be set in the system-config-users tool by unchecking the "Hide system users and groups"
 option in the Preferences dialog. The root user will now be shown in 
the main listing, and the password can be modified like any other user.
			
				The system-config-samba tool has been deprecated and removed without replacement. Users should set up SMB server configuration manually.
			
				The system-config-securitylevel tool has been obsoleted by the system-config-firewall tool.
			
				The system-config-soundcard tool has been removed. Sound card detection and configuration is done automatically.
			
				The system-config-switchmail tool has 
been deprecated and removed without replacement. Postfix is the 
preferred and default MTA (Mail Transfer Agent) in Red Hat Enterprise 
Linux 6. If you are using another MTA, it should be configured manually 
according to its specific configuration files and techniques.
			
9.2. Bash (Bourne-Again Shell)
			Red Hat Enterprise Linux 6 includes version 4.1 of Bash as its 
default shell. This section describes the compatibility issues that this
 version introduces over previous versions.
		
					Bash-4.0 and later now allows process substitution constructs to pass unchanged through brace expansion, so any expansion of the contents will have to be separately specified, and each process substitution will have to be separately entered.
				
					Bash-4.0 and later now allows SIGCHLD to interrupt the wait 
builtin, as Posix specifies, so the SIGCHLD trap is no longer always 
invoked once per exiting child if you are using `wait' to wait for all 
children.
				
					Since Bash-4.0 and later now follows Posix rules for finding the 
closing delimiter of a $() command substitution, it will not behave as 
previous versions did, but will catch more syntax and parsing errors 
before spawning a subshell to evaluate the command substitution.
				
					The programmable completion code uses the same set of delimiting 
characters as readline when breaking the command line into words, rather
 than the set of shell metacharacters, so programmable completion and 
readline should be more consistent.
				
					When the read builtin times out, it attempts to assign any input 
read to specified variables, which also causes variables to be set to 
the empty string if there is not enough input. Previous versions 
discarded the characters read.
				
					In Bash-4.0 and later, when one of the commands in a pipeline is 
killed by a SIGINT while executing a command list, the shell acts as if 
it received the interrupt.
				
					Bash-4.0 and later versions change the handling of the set -e
 option so that the shell exits if a pipeline fails (and not just if the
 last command in the failing pipeline is a simple command). This is not 
as Posix specifies. There is work underway to update this portion of the
 standard; the Bash-4.0 behavior attempts to capture the consensus at 
the time of release.
				
					Bash-4.0 and later fixes a Posix mode bug that caused the . (source) builtin to search the current directory for its filename argument, even if "." is not in the system PATH. Posix says that the shell shouldn't look in the PWD variable in this case.
				
					Bash-4.1 uses the current locale when comparing strings using operators to the [[ command. This can be reverted to the previous behavior by setting one of the compatNN shopt options.
				
				Further to the points already listed, quoting the pattern argument to the regular expression matching conditional operator =~ may cause regexp matching to stop working. This occurs on all architectures. In versions of bash prior to 3.2, the effect of quoting the regular expression argument to the [[ command's =~
 operator was not specified. The practical effect was that 
double-quoting the pattern argument required backslashes to quote 
special pattern characters, which interfered with the backslash 
processing performed by double-quoted word expansion and was 
inconsistent with how the == shell pattern matching operator treated quoted characters.
			
			In bash version 3.2, the shell was changed to internally quote characters in single- and double-quoted string arguments to the =~ operator, which suppresses the special meaning of the characters that are important to regular expression processing (`.', `[', `\', `(', `)', `*', `+', `?', `{', `|', `^', and `$') and forces them to be matched literally. This is consistent with how the == pattern matching operator treats quoted portions of its pattern argument.
		
			Since the treatment of quoted string arguments was changed, several 
issues have arisen, chief among them the problem of white space in 
pattern arguments and the differing treatment of quoted strings between bash 3.1 and bash
 3.2. Both problems may be solved by using a shell variable to hold the 
pattern. Since word splitting is not performed when expanding shell 
variables in all operands of the [[
 command, this provides the ability to quote patterns as you wish when 
assigning the variable, then expand the values to a single string that 
may contain whitespace. The first problem may be solved by using 
backslashes or any other quoting mechanism to escape the white space in 
the patterns.
		
			Bash 4.0 introduces the concept of a compatibility level, controlled by several options to the shopt builtin. If the compat31 option is enabled, bash will revert to the 3.1 behavior with respect to quoting the right-hand side of the =~ operator.
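The quoting change described above matters most in input-validation code, where a quoted pattern silently turns a regular expression into a literal string. The following is an added example, not part of the original guide; the function names and patterns are hypothetical, and it assumes bash 3.2 or later with the compat31 shopt option available.

```bash
#!/bin/bash
# Added example: function names and patterns are hypothetical.

# Allow-list with a QUOTED pattern: in bash 3.2 and later the regex
# metacharacters are matched literally, so ordinary user names are rejected.
valid_user_quoted() { [[ $1 =~ "^[a-z_][a-z0-9_-]*$" ]]; }

# Same pattern held in a variable and expanded unquoted: a real regex.
valid_user_var() {
    local re='^[a-z_][a-z0-9_-]*$'
    [[ $1 =~ $re ]]
}

# Deny-list with a QUOTED pattern: it looks for the literal text "[;|&]",
# so input containing a shell metacharacter is NOT flagged (fails open).
has_meta_quoted() { [[ $1 =~ "[;|&]" ]]; }

# Variable form: flags any of ; | & as intended.
has_meta_var() {
    local re='[;|&]'
    [[ $1 =~ $re ]]
}

# White space in the pattern needs no escaping when a variable holds it.
is_backup_cmd() {
    local re='^backup (full|incr)$'
    [[ $1 =~ $re ]]
}

# compat31 restores the 3.1 treatment of a quoted right-hand side; the
# subshell keeps the option from leaking into the rest of the script.
valid_user_compat31() {
    ( shopt -s compat31; [[ $1 =~ "^[a-z_][a-z0-9_-]*$" ]] )
}

# Demonstration: the same input against the three allow-list variants.
for fn in valid_user_quoted valid_user_var valid_user_compat31; do
    if "$fn" alice; then echo "$fn alice: match"; else echo "$fn alice: no match"; fi
done
```

Scripts migrated from Red Hat Enterprise Linux 5 that validate input with a quoted =~ pattern are worth auditing for both failure directions shown here.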
		
9.3. Other Package Changes
				The following table lists updated packages in Red Hat Enterprise Linux 6 and a description of noteworthy changes.
			
Table 9.1. Updated Package
| Updated Packages | Description |
|---|---|
| OProfile | OProfile has been updated to 0.9.5. This newer version includes support for Intel Atom and i7 processors, AMD Family 11h processors, and the Instruction Based Sampling (IBS) feature in AMD Family 10h. |
| module-init-tools | /etc/modprobe.conf does not exist by default. Can still be used if manually created. |
				The following table lists discontinued (removed) packages in Red Hat Enterprise Linux 6 and their replacements.
			
Table 9.2. Discontinued Packages
| Discontinued Package | Replaced By |
|---|---|
| aspell | hunspell. aspell is only provided as a build dependency. Applications that want to use spell-checking must use hunspell. |
| beecrypt | NSS/OpenSSL |
| crash-spu-commands | None. Cell-specific packages no longer included. |
| dhcpv6/dhcpv6-client | dhcp/dhclient binaries now have IPv6 capability built in. |
| elfspe2 | None. Cell-specific packages no longer included. |
| exim | Postfix |
| gnbd | iSCSI recommended for use instead. |
| gnome-vfs | gvfs |
| ipsec-tools | Openswan |
| kmod-gnbd | iSCSI recommended for use instead. |
| lam | openmpi |
| libspe2 | None. Cell-specific packages no longer included. |
| libspe2-devel | None. Cell-specific packages no longer included. |
| linuxwacom | xorg-x11-drv-wacom |
| mkinitrd | dracut |
| nss_ldap | nss_pam_ldapd, pam_ldap |
| openmotif-2.2 | openmotif-2.3 |
| pidgin | empathy |
| spu-tools | None. Cell-specific packages no longer included. |
| switchdesk | The session management performed by both supported session managers: GDM and KDM. |
| syslog | rsyslog |
| SysVinit | upstart |
| vixie-cron | cronie |
			This section describes the driver changes in Red Hat Enterprise Linux
 6. Please note that all drivers are now loaded to initramfs by default.
		
			32-bit libraries are not installed by default on Red Hat Enterprise Linux 6. You can change this behavior by setting multilib_policy=all in /etc/yum.conf, which will enable multilib policy as a system-wide policy.