CentOS 3 Update 3 Release Notes Copyright (c) 2004 Red Hat, Inc. Copyright (c) 2004 CentOS Project. ---------------------------------------------------------------------- Note: Update 3 was relased as CentOS 3.4 Introduction The following topics are covered in this document: o Changes to the CentOS installation program (Anaconda) o General information o Kernel-related information o Changes to drivers and hardware support o Changes to packages Changes to the CentOS Installation Program (Anaconda) The following section includes information specific to the CentOS installation program, Anaconda. Note In order to upgrade an already-installed CentOS 3 system to Update 3, you must use yum to update those packages that have changed. The use of Anaconda to upgrade to Update 3 is not supported. Use Anaconda only to perform a fresh install of CentOS 3 Update 3. o If you are copying the contents of the CentOS 3 Update 3 CD-ROMs (in preparation for a network-based installation, for example) be sure you copy the CD-ROMs for the operating system only. Do not copy the Extras CD-ROM, or any of the layered product CD-ROMs, as this will overwrite files necessary for Anaconda's proper operation. These CD-ROMs must be installed after CentOS has been installed. General Information This section contains general information not specific to any other section of this document. o CentOS 3 Update 3 adds the most recent version of the KornShell (ksh) to the CentOS Extras CD. KornShell is a shell programming language for both interactive and shell script use, and is upward compatible with the Bourne Shell (sh). The new ksh package is an optional alternative to pdksh, which is already included in the core distribution. It is useful in circumstances where precise compatibility with AT&T ksh semantics is required. o The autofs package, which controls the operation of the automount daemons running on CentOS, has been updated to version 4. This update provides full backward compatibility with version 3. Additionally, it adds the following features: o Browsable mounts (ghosting) -- Ghosting of map directories allows you to see the directories in the autofs map without mounting them. When they are accessed (such as when a directory listing is requested) the map entry is mounted so that it is seen. o Replicated Server support -- Replicated server functionality allows the administrator to specify map entries that point to multiple, replicated servers. The automount daemon attempts to determine the best server to use for mounts by testing the latency of an rpc_ping to each available server. Weights may also be assigned to the servers, allowing for more administrator control. Refer to the /usr/share/doc/autofs-4.1.3/README.replicated-server file for additional map format information. o Executable maps -- A map can now be marked as executable. The initscript that parses the auto.master map passes this as a program map to the auto-mounter. A program map is called as a script with the key as an argument. It may return no lines of output if there is an error, or one or more lines containing a map (with \ quoting line breaks). This feature is useful for implementing /net functionality. o Multi-mounts -- This feature allows the automount daemon to seek multiple lookup methods in succession. For example, a lookup could query NIS and file maps. o CentOS 3 Update 2 is currently "in evaluation" for Evaluated Assurance Level (EAL) 3+/Controlled Access Protection Profile (CAPP) on the following platforms: o CentOS WS on the x86 architecture o CentOS AS on the x86, AMD64, IBM zSeries, iSeries, and pSeries architectures To get the latest Common Criteria evaluation status, refer to the following Web page: http://www.redhat.com/solutions/industries/government/commoncriteria/ All the patches that were applied to the CentOS 3 Update 2 code base to achieve EAL3 certification have been mirrored in the CentOS 3 Update 3 release. For additional information regarding the auditing subsystem, refer to the laus(7) man page. Since its initial deployment in the CentOS 3 Update 2 kernel, the kernel for Update 3 contains additional modifications that enable system-call auditing on additional architectures. When auditing is not in use, these modifications are performance-neutral. The kernel component provides access to the auditing facilities through the character-special device /dev/audit. Through this device, a user-space daemon (auditd) can enable or disable auditing and can provide the kernel with the rulesets to be used to determine when a system-call invocation must be logged. This device is also used by auditd to retrieve audit records from the kernel for transfer to the audit log. Refer to the audit(4) man page for information concerning supported ioctl calls and /proc/ interfaces for managing and tuning auditing behavior. o The version of the httpd Web server included as part of CentOS 3 Update 3 includes several significant changes: o The mod_cgi module has been enhanced to correctly handle concurrent output on stderr and stdout o SSL environment variables defined by mod_ssl can be used directly from mod_rewrite using the %{SSL:...} syntax. For example, "%{SSL:SSL_CIPHER_USEKEYSIZE}" may expand to "128". Similarly, SSL environment variables can be used directly from mod_headers using the %{...}s syntax. o The mod_ext_filter module is now included o The minimal acceptable group id that will be used by suexec has been lowered from 500 to 100. This allows the use of suexec with users belonging to the "users" group. Kernel-Related Information This section contains information related to the CentOS 3 Update 3 kernel. o CentOS 3 Update 3 includes a new kernel feature that can ease the process of diagnosing system hangs. It uses the hardware's NMI (Non-Maskable Interrupt) capability to force a kernel panic. To enable this feature, set the following system control parameter as follows: kernel.unknown_nmi_panic = 1 This can be done using the sysctl command (sysctl -w kernel.unknown_nmi_panic=1) or by adding the above line to /etc/sysctl.conf. Once this feature is enabled (and the system is rebooted), a panic can be forced by pressing the system's NMI button. Systems that lack a button capable of generating a NMI can continue to use the NMI watchdog, which will generate a NMI if the system should lock up. Note This feature is not compatible with OProfile; should OProfile be active, pressing the NMI button (or the use of the NMI watchdog) will not result in a panic. o Hardware IRQ balancing is enabled for Lindenhurst (Intel(R) E7520 and Intel(R) E7320) and Tumwater (Intel(R) E7525) based chipset platforms. Therefore, software IRQ balancing is disabled for these platforms in the CentOS 3 Update 3 kernel. o The CentOS 3 Update 3 kernel includes a new security feature known as Exec-shield. Exec-shield is a security-enhancing modification to the Linux kernel that makes large parts of specially-marked programs -- including their stack -- not executable. This can reduce the potential damage of some security holes, such as buffer overflow exploits. Exec-shield can also randomize the virtual memory addresses at which certain binaries are loaded. This randomized VM mapping makes it more difficult for a malicious application to improperly access code or data based on knowledge of the code or data's virtual address. Exec-shield's behavior can be controlled via the proc file system. Two files are used: o /proc/sys/kernel/exec-shield o /proc/sys/kernel/exec-shield-randomize The /proc/sys/kernel/exec-shield file controls overall Exec-shield functionality, and can be manipulated using the following command: echo > /proc/sys/kernel/exec-shield Where is one of the following: o 0 -- Exec-shield (including randomized VM mapping) is disabled for all binaries, marked or not o 1 -- Exec-shield is enabled for all marked binaries o 2 -- Exec-shield is enabled for all binaries, regardless of marking (To be used for testing purposes ONLY) The default value for /proc/sys/kernel/exec-shield is 1. The /proc/sys/kernel/exec-shield-randomize file controls whether Exec-shield randomizes VM mapping, and can be manipulated using the following command: echo > /proc/sys/kernel/exec-shield-randomize Where is one of the following: o 0 -- Randomized VM mapping is disabled o 1 -- Randomized VM mapping is enabled The default value for /proc/sys/kernel/exec-shield-randomize is 1. It is also possible to configure Exec-shield by including one (or both) of the following lines in the /etc/sysctl.conf file: kernel.exec-shield= kernel.exec-shield-randomize= (Where is as previously described.) Exec-shield can also be disabled at a system level by means of a kernel boot option. Appending the following parameter to the "kernel" line(s) in the /etc/grub.conf file will disable Exec-shield: exec-shield=0 Note Exec-shield functionality is available only to binaries that have been built (and marked) using the toolchain (compiler, assembler, linker) available with CentOS 3 Update 3. Binaries that have been built using a different version of the toolchain can still be used, but since they will not be marked, they will not take advantage of Exec-shield. Application developers should keep in mind that, in the majority of cases, GCC correctly marks its generated code as being capable of using Exec-shield. In the few instances (usually caused by inline assembler or other nonportable code) where GCC non-optimally (or, more rarely, incorrectly) marks generated code, it is possible to pass GCC options to obtain the desired result. The options controlling binary marking at the assembler level are: -Wa,--execstack -Wa,--noexecstack The options controlling binary marking at the linker level are: -Wl,-z,execstack -Wl,-z,noexecstack It is also possible to exert more fine-grained control by explicitly disabling Exec-shield for a specific binary at run time. This is done using the setarch command: setarch i386 (Where represents the binary to be run.) The binary is then run without Exec-shield functionality. The proc file /proc/self/maps can be used to observe Exec-shield's effects. By using cat to display the current process's VM mapping, you can see Exec-shield at work. Similarly, you can use setarch in conjunction with cat to see how normal VM mapping differs from Exec-shield's mapping. o CentOS 3 Update 3 includes a new security-related feature -- kernel support for certain new Intel CPUs that include the NX (No eXecute) capability. NX technology restricts execution of program code, making it significantly more difficult for hackers to insert malicious code into the system by means of a buffer overrun. When specific pages are marked as nonexecutable, the CPU is prevented from executing code in those pages. This can be used to mark areas of memory such as the stack or the heap (typical places where buffers are stored.) Note CentOS 3 (originally available 22-October-2003) included NX support for the AMD64 platform. Changes to Drivers and Hardware Support This update includes bug fixes for a number of drivers. The more significant driver updates are listed below. In some cases, the original driver has been preserved under a different name, and is available as a non-default alternative for organizations that wish to migrate their driver configuration to the latest versions at a later time. Note The migration to the latest drivers should be completed before the next CentOS update is applied, because in most cases only one older-revision driver will be preserved for each update. These release notes also indicate which older-revision drivers have been removed from this kernel update. These drivers have the base driver name with the revision digits appended; for example, megaraid_2002.o. You must remove these drivers from /etc/modules.conf before installing this kernel update. Keep in mind that the only definitive way to determine what drivers are being used is to review the contents of /etc/modules.conf. Use of the lsmod command is not a substitute for examining this file. Adaptec RAID (aacraid driver) o The aacraid driver has been updated from 1.1.2 to 1.1.5-2339 o The new driver is scsi/aacraid/aacraid.o o The older driver has been preserved as addon/aacraid_10102/aacraid_10102.o LSI Logic RAID (megaraid driver) Note The megaraid2 driver includes support for a number of new host bus adapters (certain PERC4 and Serial ATA products) that are not supported by the megaraid driver. If your system contains these newer products exclusively, the megaraid2 driver is loaded by default. If you have the older products exclusively, the megaraid driver will continue to be the default. However, if you have a mix of old and new MegaRAID adapters, then the driver that is selected depends on the order in which the adapters are scanned. (Note that you cannot have both the megaraid and megaraid2 drivers loaded at the same time.) If the default driver on your system is not the desired one, take one of the following actions: o If you are installing the system, type the following command at the boot prompt: expert noprobe Next, select the desired driver from the subsequent menu. o If the system is already installed, edit /etc/modules.conf and change the "alias scsi_hostadapter" lines referring to the megaraid or the megaraid2 driver to the desired driver. Note that after making any changes to /etc/modules.conf you must rebuild the initrd image; refer to the mkinitrd man page for further details. o The megaraid2 driver has been updated from v2.10.1.1 to v2.10.6-RH1 o The new driver is scsi/megaraid2.o o The older driver has been preserved as addon/megaraid_2101/megaraid2101.o o The v2.00.9 driver has been removed o The default driver remains the v1.18k driver (megaraid.o) IBM ServeRAID (ips driver) o The ips driver has been updated from 6.11.07 to 7.00.15 o The new driver is scsi/ips.o o The older driver has been preserved as addon/ips_61107/ips_61107.o o The ips 6.10.52 driver (ips_61052.o) has been removed LSI Logic MPT Fusion (mpt* drivers) o These drivers have been updated from 2.05.11.03 to 2.05.16 o The new drivers are located in message/fusion/ o The older drivers have been preserved in addon/fusion_20511 o The 2.05.05+ drivers (mpt*_20505.o) have been removed Compaq SA53xx Controllers (cciss driver) o The cciss driver has been updated from 2.4.50.RH1 to v2.4.52.RH1 QLogic Fibre Channel (qla2xxx driver) o These drivers have been updated from 6.07.02-RH2 to 7.00.03-RH1 o The new drivers are located in addon/qla2200 o The older driver has been preserved in addon/qla2200_60702RH2 o The 6.06.00b11 drivers (qla2*00_60600b11.o) have been removed Note The QLA2100 adapter has been retired by QLogic. This adapter is no longer supported by QLogic. Therefore, the driver is located in the kernel-unsupported package. Emulex Fibre Channel (lpfc driver) o This driver has been added to the distribution. The version is 7.0.3 o The driver is located in addon/lpfc Intel PRO/1000 (e1000 driver) o This driver has been updated from 5.2.30.1-k1 to 5.2.52-k3 Intel PRO/100 (e100 driver) o This driver has been updated from version 2.3.30-k1 to 2.3.43-k1 Broadcom Tigon3 (tg3 driver) o This driver has been updated from v3.1 to v3.6RH Changes to Packages This section contains listings of packages that have been updated, added, or removed from CentOS 3 as part of Update 3. Packages that have been built for multiple architectures are listed with the target architecture in parentheses. Note These package lists include packages from all variants of CentOS 3. Your system may not include every one of the packages listed here. The following packages have been updated from CentOS 3 Update 2: o ImageMagick o ImageMagick-c++ o ImageMagick-c++-devel o ImageMagick-devel o ImageMagick-perl o MAKEDEV o XFree86 o XFree86-100dpi-fonts o XFree86-75dpi-fonts o XFree86-ISO8859-14-100dpi-fonts o XFree86-ISO8859-14-75dpi-fonts o XFree86-ISO8859-15-100dpi-fonts o XFree86-ISO8859-15-75dpi-fonts o XFree86-ISO8859-2-100dpi-fonts o XFree86-ISO8859-2-75dpi-fonts o XFree86-ISO8859-9-100dpi-fonts o XFree86-ISO8859-9-75dpi-fonts o XFree86-Mesa-libGL o XFree86-Mesa-libGLU o XFree86-Xnest o XFree86-Xvfb o XFree86-base-fonts o XFree86-cyrillic-fonts o XFree86-devel o XFree86-doc o XFree86-font-utils o XFree86-libs o XFree86-libs-data o XFree86-sdk o XFree86-syriac-fonts o XFree86-tools o XFree86-truetype-fonts o XFree86-twm o XFree86-xauth o XFree86-xdm o XFree86-xfs o anaconda o anaconda-runtime o arpwatch o at o autofs o bash o bind o bind-chroot o bind-devel o bind-utils o bison o cdda2wav o cdrecord o cdrecord-devel o chkconfig o comps o control-center o cpp o crash o cups o cups-devel o cups-libs o cvs o dev o dhclient o dhcp o dhcp-devel o eclipse o eclipse-lomboz o elfutils o elfutils-devel o elfutils-libelf o elfutils-libelf-devel o ethereal o ethereal-gnome o ethtool o expect o expect-devel o expectk o file-roller o gcc o gcc-c++ o gcc-g77 o gcc-gnat o gcc-java o gcc-objc o gdb o glibc (i386) o glibc (i686) o glibc-common o glibc-debug o glibc-devel o glibc-headers o glibc-kernheaders o glibc-profile o glibc-utils o gnome-panel o grep o grub o gtk+ o gtk+-devel o gtkhtml3 o gtkhtml3-devel o httpd o httpd-devel o hwdata o imap o imap-devel o imap-utils o initscripts o itcl o jpackage-utils o kdelibs o kdelibs-devel o kernel (athlon) o kernel (i686) o kernel-BOOT o kernel-doc o kernel-hugemem o kernel-hugemem-unsupported o kernel-smp (athlon) o kernel-smp (i686) o kernel-smp-unsupported (athlon) o kernel-smp-unsupported (i686) o kernel-source o kernel-unsupported (athlon) o kernel-unsupported (i686) o kernel-utils o krb5-devel o krb5-libs o krb5-server o krb5-workstation o laus o laus-devel o lha o libcap o libcap-devel o libf2c o libgcc o libgcj o libgcj-devel o libgnat o libgtop2 o libgtop2-devel o libobjc o libpcap o libpng o libpng-devel o libpng10 o libpng10-devel o libstdc++ o libstdc++-devel o ltrace o lvm o mdadm o metacity o mkisofs o mod_auth_pgsql o mod_authz_ldap o mod_ssl o modutils o modutils-devel o ncompress o net-snmp o net-snmp-devel o net-snmp-perl o net-snmp-utils o nfs-utils o nptl-devel o nscd o nss_ldap o ntp o ntsysv o openldap o openldap-clients o openldap-devel o openldap-servers o openmotif o openmotif-devel o openoffice.org o openoffice.org-i18n o openoffice.org-libs o openssl (i386) o openssl (i686) o openssl-devel o openssl-perl o pam o pam-devel o parted o parted-devel o passwd o perl o perl-CGI o perl-CPAN o perl-DB_File o perl-suidperl o php o php-devel o php-imap o php-ldap o php-mysql o php-odbc o php-pgsql o popt o postfix o ppp o prelink o procps o pvm o pvm-gui o qt o qt-MySQL o qt-ODBC o qt-PostgreSQL o qt-designer o qt-devel o rdist o readline o readline-devel o redhat-config-bind o redhat-config-kickstart o redhat-config-network o redhat-config-network-tui o redhat-config-proc o redhat-config-securitylevel o redhat-config-securitylevel-tui o rh-postgresql o rh-postgresql-contrib o rh-postgresql-devel o rh-postgresql-docs o rh-postgresql-jdbc o rh-postgresql-libs o rh-postgresql-pl o rh-postgresql-python o rh-postgresql-server o rh-postgresql-tcl o rh-postgresql-test o rhnlib o rhpl o rp-pppoe o rpm o rpm-build o rpm-devel o rpm-python o rpmdb-redhat o rsync o rusers o rusers-server o samba o samba-client o samba-common o samba-swat o schedutils o sendmail o sendmail-cf o sendmail-devel o sendmail-doc o shadow-utils o squid o squirrelmail o strace o sysklogd o sysstat o tcl o tcl-devel o tcl-html o tcllib o tclx o tcpdump o tix o tk o tk-devel o tux o unixODBC o unixODBC-devel o unixODBC-kde o up2date o up2date-gnome o utempter o vixie-cron o xemacs o xemacs-el o xemacs-info o xinetd o xscreensaver o ypserv The following packages have been added to CentOS 3 Update 3: o amtu o anacron o authd o bind-libs o bootparamd o diskdumputils o eal3-certification o eal3-certification-doc o eclipse-rhaps-develserver o evolution-connector o laus-libs o nss_db o nss_db-compat o qt-config The following packages have been removed from CentOS 3 Update 3: o java-javadoc ( x86 )