I figured some friends would ask about this, so I'm pasting some material from Red Hat.
Chapter 1. Installation
FCoE Support in the Kickstart File
When using a kickstart file to install Red Hat Enterprise Linux 6.4, with the new fcoe kickstart option you can specify which Fibre Channel over Ethernet (FCoE) devices should be activated automatically in addition to those discovered by Enhanced Disk Drive (EDD) services. For more information, refer to the Kickstart Options section in the Red Hat Enterprise Linux 6 Installation Guide.
Installation over VLAN
In Red Hat Enterprise Linux 6.4, the vlanid= boot option and the --vlanid= kickstart option allow you to set a virtual LAN ID (802.1q tag) for a specified network device. By specifying either one of these options, installation of the system can be done over a VLAN.
Configuring Bonding
The bond boot option and the --bondslaves and --bondopts kickstart options can now be used to configure bonding as a part of the installation process. For more information on how to configure bonding, refer to the following parts of the Red Hat Enterprise Linux 6 Installation Guide: section Kickstart Options and chapter Boot Options.
LVM Reserved Free Space Default
When installing Red Hat Enterprise Linux 6.4 via the user interface, 50% of all LVM's volume group space is now reserved for future upgrades. The reserved space is displayed in the volume group dialog, but cannot be edited. When installing via a Kickstart file, the default is to not reserve any space; however, a commented out option is included in the default Kickstart file to set this limit.
Chapter 2. Kernel
2.1. Kernel General Features
Open vSwitch Kernel Module
Red Hat Enterprise Linux 6.4 includes the Open vSwitch kernel module as an enabler for Red Hat's layered product offerings. Open vSwitch is supported only in conjunction with those products containing the accompanying user space utilities. Please note that without these required user space utilities, Open vSwitch will not function and cannot be enabled for use. For more information, please refer to the following Knowledge Base article: https://access.redhat.com/knowlege/articles/270223.
Uncore and Load Latency PMU Support
The kernel shipped with Red Hat Enterprise Linux 6.4 adds "uncore" Performance Monitoring Unit (PMU) support to the perf event subsystem for Intel Xeon Processor X55xx and Intel Xeon Processor X56xx family of processors. The "uncore" refers to subsystems in the physical processor package that are shared by multiple processor cores, for example the L3 cache. With uncore PMU support, performance data can be easily collected on a package level.
Load latency is part of the PMU support. The load latency facility provides software with means to characterize the average load latency to different levels of cache/memory hierarchy. This facility measures latency from micro-operation (uop) dispatch up until data is globally observable (GO).
PMU events parsing has also been enabled to allow debugging via perf.
Reduced memcg Memory Overhead
Memory control groups maintain their own Least Recently Used (LRU) list to, for example, reclaim memory. This list was on top of the global per-zone LRU list. In Red Hat Enterprise Linux 6.4, the memory overhead for memcg was reduced by disabling the global per-zone LRU list and converting its users to operate on the per-memory cgroup lists instead.
Reclaim/Compaction
The kernel shipped with Red Hat Enterprise Linux 6.4 uses reclaim/compaction for high-order allocation requests or under memory pressure.
Fail-open Mode
Red Hat Enterprise Linux 6.4 adds support for a new fail-open mode when using netfilter's NFQUEUE target. This mode allows users to temporarily disable packet inspection and maintain connectivity under heavy network traffic.
kdump/kexec Kernel Dumping Mechanism for IBM System z Fully Supported
In Red Hat Enterprise Linux 6.4, the kdump/kexec kernel dumping mechanism is enabled for IBM System z systems as a fully supported feature, in addition to the IBM System z stand-alone and hypervisor dumping mechanism. The auto-reserve threshold is set at 4 GB; therefore, any IBM System z system with more than 4 GB of memory has the kdump/kexec mechanism enabled.
Sufficient memory must be available because kdump reserves approximately 128 MB by default. This is especially important when performing an upgrade to Red Hat Enterprise Linux 6.4. Sufficient disk space must also be available for storing the dump in case of a system crash.
The following warning message may appear when kdump is initialized:
..no such file or directory
This message does not impact the dump functionality and can be ignored. You can configure or disable kdump through /etc/kdump.conf, system-config-kdump, or firstboot.
TSC Deadline Support for KVM
TSC deadline timer is a new mode in the Local APIC (LAPIC) timer, which generates one-shot timer interrupts based on the TSC deadline, in place of the current APIC clock count interval. It provides more precise timer interrupts (less than 1 tick) to benefit the OS scheduler. KVM now exposes this feature to guests.
Persistent Device Naming
This feature stores the mapping of device names (for example, sda, sdb, and others) and persistent device names (provided by udev in /dev/disk/by-*/) to kernel messages. This allows users to identify a device from kernel messages. The kernel /dev/kmsg log, which can be displayed with the dmesg command, now shows the messages for the symbolic links, which udev has created for kernel devices. These messages are displayed in the following format:
udev-alias: <device_name> (<symbolic_link> <symbolic link> …)
Any log analyzer can display these messages, which are also saved in /var/log/messages via syslog.
New linuxptp Package
The linuxptp package, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.
Transparent Hugepages Documentation
Documentation for transparent hugepages has been added to the following file:
/usr/share/doc/kernel-doc-<version>/Documentation/vm/transhuge.txt
2.2. Important Changes to External Kernel Parameters
This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 6.4. These changes include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
TCP_USER_TIMEOUT
TCP_USER_TIMEOUT is a TCP level socket option that specifies the maximum amount of time (in milliseconds) that transmitted data may remain unacknowledged before TCP will forcefully close the corresponding connection and return ETIMEDOUT to the application. If the value 0 is specified, TCP will continue to use the system default.
IPPROTO_ICMP
The IPPROTO_ICMP socket option makes it possible to send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages without any special privileges.
Increased Default in ST_MAX_TAPES
In Red Hat Enterprise Linux 6.4, the number of supported tape drives has increased from 128 to 512.
Increased Number of Supported IOMMUs
The number of supported input/output memory management units (IOMMUs) has been increased to be the same as the number of I/O Advanced Programmable Interrupt Controllers (APICs; defined in MAX_IO_APICS).
Chapter 3. Device Drivers
Storage Drivers
The mtip32xx driver has been updated to add support for the latest PCIe SSD drives.
The lpfc driver for Emulex Fibre Channel Host Bus Adapters has been updated to version 8.3.5.82.1p.
The bnx2fc driver for the Broadcom NetXtreme II 57712 chip has been updated to version 1.0.12.
The qla2xxx driver for QLogic Fibre Channel HBAs has been updated to version 8.04.00.04.06.4-k, which adds support for QLogic's 83XX Converged Network Adapter (CNA), 16 GBps FC support for QLogic adapters, and new Form Factor CNA for HP ProLiant servers.
The qla4xxxx driver has been updated to version v5.03.00.00.06.04-k0, which adds change_queue_depth API support, fixes a number of bugs, and introduces various enhancements.
The ql2400-firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
The ql2500-firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
The ipr driver for IBM Power Linux RAID SCSI HBAs has been updated to version 2.5.4, which adds support for the Power7 6Gb SAS adapters and enables SAS VRAID capability on these adapters.
The hpsa driver has been updated to version 2.0.2-4-RH1 to add PCI-IDs for the HP Smart Array Generation 8 family of controllers.
The bnx2i driver for Broadcom NetXtreme II iSCSI has been updated to version 2.7.2.2 with general hardware support enablements.
The mpt2sas driver has been updated to version 13.101.00.00, which adds multi-segment mode support for the Linux BSG Driver.
The Brocade bfa Fibre Channel and FCoE driver has been updated to version 3.0.23.0 which includes Brocade 1860 16Gbps Fibre Channel Adapter support, new hardware support in Dell PowerEdge 12th Generation servers, and issue_lip support. The bfa firmware was updated to version 3.0.3.1.
The be2iscsi driver for ServerEngines BladeEngine 2 Open iSCSI devices has been updated to version 4.4.58.0r to add iSCSI netlink VLAN support.
The qib driver for TrueScale HCAs has been updated to the latest version with the following enhancements:
Enhanced NUMA awareness
Congestion Control Agent (CCA) for Performance Scale Messaging (PSM) fabrics
Dual Rail for PSM fabrics
Performance enhancements and bug fixes
The following drivers have been updated to include latest upstream features and bug fixes: ahci, md/bitmap, raid0, raid1, raid10, and raid456.
Network Drivers
The netxen_nic driver for NetXen Multi port (1/10) Gigabit Network has been updated to version 4.0.80, which adds miniDIMM support. The netxen_nic firmware has been updated to version 4.0.588.
The bnx2x driver has been updated to the latest upstream version to include support for Broadcom 57800/57810/57811/57840 chips as well as general bug fixes and updated firmware for Broadcom 57710/57711/57712 chips. This update also includes the following enhancements:
Support for iSCSI offload and Data Center Bridging/Fibre Channel over Ethernet (DCB/FCOE) on Broadcom 578xx chips.
SRIOV support for Broadcom 57712 and 578xx chips.
Additional PHY support (including EEE).
iSCSI offload enhancements
OEM-specific features
Additional debugging capabilities (firmware dump)
The be2net driver for ServerEngines BladeEngine2 10Gbps network devices has been updated to version 4.4.31.0r to add RDMA over Converged Ethernet (RoCE) support.
The ixgbevf driver has been updated to version 2.6.0-k to include the latest hardware support, enhancements, and bug fixes.
The cxgb4 driver for Chelsio Terminator4 10G Unified Wire Network Controllers has been updated to add support for Chelsio's T480-CR and T440-LP-CR adapters.
The cxgb3 driver for the Chelsio T3 Family of network devices has been updated to version 1.1.5-ko.
The ixgbe driver for Intel 10 Gigabit PCI Express network devices has been updated to version 3.9.15-k to include support for SR-IOV with Data Center Bridging (DCB) or Receive-Side Scaling (RSS), PTP support as a Technology Preview, latest hardware support, enhancements, and bug fixes.
The iw_cxgb3 driver has been updated.
The iw_cxgb4 driver has been updated.
The e1000e driver for Intel PRO/1000 network devices has been updated to add the latest HW support, features, and provide a number of bug fixes.
The enic driver for Cisco 10G Ethernet devices has been updated to version 2.1.1.39.
The igbvf driver (Intel Gigabit Virtual Function Network driver) has been updated to the latest upstream version.
The igb driver for Intel Gigabit Ethernet Adapters has been updated to version 4.0.1 to add the latest hardware support. Also, PTP support has been added to the igb driver as a Technology Preview.
The Solarflare driver (sfc) has been updated to add PTP support as a Technology Preview.
The tg3 driver for Broadcom Tigon3 Ethernet devices has been updated to version 3.123+ to add new hardware support. Also, PTP support has been added to the tg3 driver as a Technology Preview.
The qlcnic driver for the HP NC-Series QLogic 10 Gigabit Server Adapters has been updated to version 5.0.29.
The Brocade bna driver for Brocade 10Gb PCIe Ethernet controllers has been updated to version 3.0.23.0 to add new hardware support for Dell PowerEdge 12th Generation servers, and enable the use of non-Brocade Twinax Copper cables. The bna firmware was updated to version 3.0.3.1.
The Broadcom NetXtreme II cnic driver has been updated to version 2.5.13 to include new features, bug fixes, and support for new OEM platforms.
Miscellaneous Drivers
The intel_idle cpuidle driver for Intel processors has been updated to add support for Intel's Xeon E5-XXX V2 series of processors.
The wacom driver has been updated to add support for the CTL-460 Wacom Bamboo Pen, the Wacom Intuos5 Tablet, and the Wacom Cintiq 22HD Pen Display.
The ALSA HDA audio driver has been updated to enable or improve support for new hardware and fix a number of bugs.
The mlx4_en driver has been updated to the latest upstream version.
The mlx4_ib driver has been updated to the latest upstream version.
The mlx4_core driver has been updated to the latest upstream version.
Chapter 4. Networking
HAProxy
HAProxy is a stand-alone, layer-7, high-performance network load balancer for TCP and HTTP-based applications which can perform various types of scheduling based on the content of the HTTP requests. Red Hat Enterprise Linux 6.4 introduces the haproxy package as a Technology Preview.
Chapter 5. Authentication and Interoperability
SSSD Fully Supported Features
A number of features introduced in Red Hat Enterprise Linux 6.3 are now fully supported in Red Hat Enterprise Linux 6.4. Specifically:
support for central management of SSH keys,
SELinux user mapping,
and support for automount map caching.
New SSSD Cache Storage Type
Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
Adding AD-based Trusted Domains to external Groups
In Red Hat Enterprise Linux 6.4, the ipa group-add-member command allows you to add members of Active Directory-based trusted domains to groups marked as external in Identity Management. These members may be specified by their name using domain- or UPN-based syntax, for example AD\UserName or AD\GroupName, or User@AD.Domain. When specified in this form, members are resolved against the Active Directory-based trusted domain's Global Catalog to obtain their Security Identifier (SID) value.
Alternatively, an SID value could be specified directly. In this case, the ipa group-add-member command will only verify that the domain part of the SID value is one of the trusted Active Directory domains. No attempt will be made to verify the validity of the SID within the domain.
It is recommended to use user or group name syntax to specify external members rather than providing their SID values directly.
Auto-renew Identity Management Subsystem Certificates
The default validity period for a new Certificate Authority is 10 years. The CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for 2 years. If the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates. The subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
PKCS#12 Support for python-nss
The python-nss package, which provides Python bindings for Network Security Services (NSS) and the Netscape Portable Runtime (NSPR), has been updated to add PKCS#12 support.
Full Persistent Search for DNS
LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.
Chapter 6. Security
Treating Matches Authoritatively in Look Ups of sudoers Entries
The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or in LDAP. Previously, when a match was found in the first database of sudoers entries, the lookup operation still continued in other databases (including files). In Red Hat Enterprise Linux 5.9, an option was added to the /etc/nsswitch.conf file that allows users to specify a database after which a match of a sudoers entry is sufficient. This eliminates the need to query any other databases, thus improving the performance of sudoers entry lookups in large environments. This behavior is not enabled by default and must be configured by adding the [SUCCESS=return] string after a selected database. When a match is found in a database that directly precedes this string, no other databases are queried.
Additional Password Checks for pam_cracklib
The pam_cracklib module has been updated to add multiple new password strength checks:
Certain authentication policies do not allow passwords which contain long continuous sequences such as "abcd" or "98765". This update introduces the possibility to limit the maximum length of these sequences by using the new maxsequence option.
The pam_cracklib module can now check whether a new password contains words from the GECOS field of entries in the /etc/passwd file. The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker for an attempt to crack the password.
The pam_cracklib module now lets you specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number and special characters) in a password via the maxrepeatclass option.
The pam_cracklib module now supports the enforce_for_root option, which enforces complexity restrictions on new passwords for the root account.
Size Option for tmpfs Polyinstantiation
On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. PAM has been updated to allow users to specify the maximum size of the tmpfs file system mount when using tmpfs polyinstantiation by using the mntopts=size=<size> option in the /etc/namespace.conf configuration file.
Locking Inactive Accounts
Certain authentication policies require support for locking an account that is not used for a certain period of time. Red Hat Enterprise Linux 6.4 introduces an additional function to the pam_lastlog module, which allows users to lock accounts after a configurable number of days.
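For the udev-alias kernel messages described under Persistent Device Naming, the following is an added example (not part of the release notes) of a log analyzer that ties later kernel messages about a device name to the persistent links announced for it at that time. The sample log lines, host name and link names are constructed placeholders, and the function names are this example's own.

```python
import re

# Format from the release notes: udev-alias: <device_name> (<symbolic_link> ...)
UDEV_ALIAS = re.compile(r"udev-alias:\s+(?P<dev>\S+)\s+\((?P<links>[^)]*)\)")

# Constructed sample lines in syslog style; the link names are placeholders.
SAMPLE_LOG = """\
Feb 21 10:02:12 host1 kernel: udev-alias: sda (disk/by-id/scsi-EXAMPLE0001 disk/by-path/pci-EXAMPLE-scsi-0)
Feb 21 10:02:12 host1 kernel: udev-alias: sdb (disk/by-id/scsi-EXAMPLE0002)
Feb 21 10:05:40 host1 kernel: end_request: I/O error, dev sdb, sector 2048
Feb 22 08:15:01 host1 kernel: udev-alias: sdb (disk/by-id/scsi-EXAMPLE0003)
Feb 22 08:20:17 host1 kernel: end_request: I/O error, dev sdb, sector 4096
Feb 22 08:20:18 host1 kernel: EXT4-fs error (device sda1): example message
"""


def parse_alias(line):
    """Return (device_name, (links...)) for a udev-alias line, else None."""
    m = UDEV_ALIAS.search(line)
    if m is None:
        return None
    return m.group("dev"), tuple(m.group("links").split())


def annotate(log_text):
    """Attach to each kernel line that names a device the links valid at that time."""
    current = {}                      # kernel name -> most recently announced links
    events = []
    for line in log_text.splitlines():
        alias = parse_alias(line)
        if alias is not None:
            current[alias[0]] = alias[1]
            continue
        for dev, links in current.items():
            # \b keeps "sda" from matching the partition name "sda1".
            if re.search(r"\b" + re.escape(dev) + r"\b", line):
                events.append((line, dev, links))
    return events


def reassigned(log_text):
    """Kernel names that were announced with more than one distinct link set."""
    seen = {}
    for line in log_text.splitlines():
        alias = parse_alias(line)
        if alias is not None:
            seen.setdefault(alias[0], [])
            if alias[1] not in seen[alias[0]]:
                seen[alias[0]].append(alias[1])
    return sorted(dev for dev, sets in seen.items() if len(sets) > 1)


if __name__ == "__main__":
    for line, dev, links in annotate(SAMPLE_LOG):
        print(dev, "->", " ".join(links), "|", line)
    print("reassigned:", reassigned(SAMPLE_LOG))
```

In the sample, the two I/O errors both name sdb but resolve to different by-id links, which is the case where the kernel name alone would point an investigation at the wrong disk.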
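For the TCP_USER_TIMEOUT and IPPROTO_ICMP entries under Important Changes to External Kernel Parameters, the following added example (not from the release notes) sets the user timeout on a TCP socket and sends an ICMP_ECHO from an ordinary user account with no raw socket. The function names, payload and loopback target are this example's assumptions; on upstream Linux kernels the net.ipv4.ping_group_range sysctl decides which groups may open such a socket, so a refusal is reported as None.

```python
import socket
import struct

# Linux value of the option, used if this Python build lacks the constant.
TCP_USER_TIMEOUT = getattr(socket, "TCP_USER_TIMEOUT", 18)


def tcp_socket_with_user_timeout(timeout_ms):
    """TCP socket that gives up with ETIMEDOUT once data stays unacknowledged
    for timeout_ms milliseconds; 0 keeps the system default."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_TCP, TCP_USER_TIMEOUT, timeout_ms)
    return s


def build_echo_request(seq, payload=b"constructed-payload"):
    """ICMP_ECHO message: type 8, code 0, checksum, identifier, sequence."""
    # Checksum and identifier are left 0: on this socket type the kernel
    # computes the checksum and sets the identifier itself.
    return struct.pack("!BBHHH", 8, 0, 0, 0, seq) + payload


def unprivileged_ping(host="127.0.0.1", timeout=1.0):
    """True on ICMP_ECHOREPLY, False if none arrived, None if the kernel
    refused to create the socket for this user."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError:
        return None
    with s:
        s.settimeout(timeout)
        try:
            s.sendto(build_echo_request(1), (host, 0))
            reply, _addr = s.recvfrom(1024)
        except OSError:               # includes socket.timeout
            return False
    # The datagram starts at the ICMP header; type 0 is ICMP_ECHOREPLY.
    return len(reply) >= 8 and reply[0] == 0


if __name__ == "__main__":
    sock = tcp_socket_with_user_timeout(30000)
    print("user timeout (ms):", sock.getsockopt(socket.IPPROTO_TCP, TCP_USER_TIMEOUT))
    sock.close()
    print("unprivileged ping to loopback:", unprivileged_ping())
```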
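For the three password-content checks described under Additional Password Checks for pam_cracklib (sequences, GECOS words, same-class runs), the following is an added, simplified model of what such checks reject; it is an illustration written for this page, not pam_cracklib's code. The function and parameter names, the minimum GECOS word length of 4 and the sample passwd entry are assumptions of the example.

```python
import re

# Constructed /etc/passwd entry; the fifth field is the GECOS field.
SAMPLE_PASSWD = "jsmith:x:1001:1001:Jane Smith,Room 12,555-0100:/home/jsmith:/bin/bash"


def longest_sequence(password):
    """Longest run whose character codes step by +1 ("abcd") or -1 ("98765")."""
    best = up = down = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        step = ord(cur) - ord(prev)
        up = up + 1 if step == 1 else 1
        down = down + 1 if step == -1 else 1
        best = max(best, up, down)
    return best


def char_class(c):
    """Map a character to one of the four classes named in the release notes."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    return "special"


def longest_class_run(password):
    """Longest run of consecutive characters from one class."""
    best = run = 0
    prev = None
    for cls in map(char_class, password):
        run = run + 1 if cls == prev else 1
        prev = cls
        best = max(best, run)
    return best


def gecos_words_in(password, passwd_line, min_len=4):
    """GECOS words of at least min_len characters found in the password,
    forwards or reversed, ignoring case."""
    gecos = passwd_line.split(":")[4].lower()
    pw = password.lower()
    return [w for w in re.split(r"[\s,]+", gecos)
            if len(w) >= min_len and (w in pw or w[::-1] in pw)]


def reject_reasons(password, passwd_line, max_sequence=0, max_class_run=0):
    """Reasons this model would reject the password; a limit of 0 is off."""
    reasons = []
    if max_sequence and longest_sequence(password) > max_sequence:
        reasons.append("sequence")
    if max_class_run and longest_class_run(password) > max_class_run:
        reasons.append("class-run")
    if gecos_words_in(password, passwd_line):
        reasons.append("gecos")
    return reasons
```

Running candidate limits through a model like this against a sample of user entries shows how much a given policy would reject before it is rolled out in the PAM password stack.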