
UbuntuHelp:Server/TechSpecs/new

From Ubuntu Chinese



What's new in the latest release of Ubuntu Server Edition

For more details about past Ubuntu Server Edition releases please visit the technical specifications overview page.

Ubuntu Server Edition 10.04LTS (Lucid Lynx)

The Ubuntu 10.04 LTS release consolidates all the new features introduced in Ubuntu 8.10, 9.04 and 9.10, which are described in the relevant sections for those releases below. The following list covers the new features specific to the 10.04 LTS release.

Cloud computing

Ubuntu Enterprise Cloud

The Ubuntu Enterprise Cloud (UEC) installer has been improved to support a variety of installation topologies. UEC components are now automatically discovered and registered, even when the storage controller, cluster controller and walrus are installed on different servers. UEC in 10.04 is powered by Eucalyptus 1.6.2.

UEC and Amazon EC2

Ubuntu 10.04 LTS continues the tradition of providing official Ubuntu Server image releases for UEC and for Amazon's EC2, giving you everything you need for rapid deployment in public, private or hybrid environments. Ubuntu Server Edition and UEC images are available at: http://uec-images.ubuntu.com/releases/10.04/release/

Cloud-init

The cloud-init package provides "first boot" functionality for the Ubuntu UEC images. It is in charge of taking the generic filesystem image that is booting and customizing it for the UEC instance. This includes:

  • setting the hostname
  • putting the provided ssh public keys into ~ubuntu/.ssh/authorized_keys
  • running a user provided script or otherwise modifying the image

For more information see the blog post announcement.

Cloud-utils

The package cloud-utils brings a series of higher-level commands that simplify some commonly used actions on the cloud.

Configuration Management with Puppet

Puppet is now a core part of the server product and can be used for managing your server configuration. It has also been integrated with cloud computing tasks, as described in a series of blog posts.

Additionally, Puppet and etckeeper have been integrated so that changes are appropriately maintained.

Tomcat Improvements

Tomcat has been improved in many ways, as described in the following blog post.

Stability and security

Ubuntu 10.04 LTS brings many improvements over Ubuntu 8.04 LTS to keep your servers safe and secure for the next five years, including AppArmor profiles for many key services, kernel hardening, and an easy-to-configure firewall. See below for more details on improvements since 8.04LTS.

Ubuntu Server Edition 9.10 (Karmic Koala)

Ubuntu Enterprise Cloud

Set up an EC2-based private cloud in less than 60 minutes. Ubuntu is the only server OS with a built-in open source cloud. Learn more about Ubuntu Enterprise Cloud.

Power Management

You can now use the suspend/resume technology (when available) to make Ubuntu Servers more energy efficient by ensuring that a minimum number of servers are powered up at any given time. This includes 2 distinct parts: putting servers to sleep (powernap) and waking servers up (powerwake). This is also integrated in Ubuntu Enterprise Cloud.

Improved single sign on

Ubuntu now provides a centralized single-sign-on user login infrastructure that supports disconnected mode. The sssd package is now available, and OpenLDAP now offers a cache overlay. Both allow operation in disconnected mode.

WBEM support

CIM/WBEM infrastructure has been improved by updating the stack and allowing new CIM providers to be packaged.

New packages in main

The following packages are now officially maintained on Ubuntu: python-django, couchdb and rabbitmq-server.

Linux kernel 2.6.31

Ubuntu 9.10 includes the 2.6.31-14.48 kernel based on 2.6.31.1. The kernel ships with Kernel Mode Setting enabled for Intel graphics (see below). `linux-restricted-modules` is deprecated in favour of DKMS packages.

ext4 by default

The new "ext4" filesystem is used by default for new installations with Ubuntu 9.10; of course, other filesystems are still available via the manual partitioner. Existing filesystems will not be upgraded. If you have full backups and are confident, you can upgrade an existing ext3 filesystem to ext4 by following directions in the Ext4 Howto. (Note that the comments on that page at the time of writing about Ubuntu's use of vol_id vs. blkid are out of date and are not applicable to Ubuntu 9.10.) Maximum performance will typically only be achieved on new filesystems, not on filesystems that have been upgraded from ext3.

GRUB 2 by default

GRUB 2 is the default boot loader for new installations with Ubuntu 9.10, replacing the previous GRUB "Legacy" boot loader. Existing systems will not be upgraded to GRUB 2 at this time, as automatically reinstalling the boot loader is an inherently risky operation. If you wish to upgrade your system to GRUB 2, then see the GRUB 2 testing page for instructions. See also the upstream draft manual. Some features are still missing relative to GRUB Legacy. Notable among these are lock/password support, an equivalent of grub-reboot, and Xen handling.

iSCSI installation

The iSCSI installation process has been improved, and no longer requires `iscsi=true` as a boot parameter; the installer will offer you the option of logging into iSCSI targets if there are no local disks, or you can select "Configure iSCSI" in the manual partitioner. Putting the root filesystem on iSCSI is now supported.

AppArmor

AppArmor in Ubuntu 9.10 features an improved parser that uses cache files, greatly speeding up AppArmor initialisation on boot. AppArmor also now supports 'pux' which, when specified, means a process can transition to an existing profile if one exists or simply run unconfined if one does not. Please see the AppArmor documentation for information on using AppArmor in Ubuntu.

New profiles

In addition to the above changes to AppArmor itself, several profiles were added. Enforcing profiles for `ntpd` and `libvirt` are enabled by default. Complain-mode profiles for Dovecot are now available in the `apparmor-profiles` package. An AppArmor profile is now available for Apache in the libapache2-mod-apparmor package. When used in combination with the mod_apparmor Apache module, web applications can now be protected and isolated from each other. Instructions for enabling the profile are in the /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 file. Please see the SecurityTeam/KnowledgeBase for a full listing of readily available profiles in Ubuntu.

Libvirt

Libvirt now contains AppArmor integration when using KVM or QEMU. Libvirtd is configured to launch virtual machines that are each confined by a uniquely restrictive AppArmor profile. This feature significantly improves virtualisation in Ubuntu by providing user-space host protection as well as guest isolation. This is particularly important for multi-tenant usage of Ubuntu Enterprise Cloud.

Uncomplicated Firewall

The Uncomplicated Firewall now has support for filtering by interface and egress filtering when using the `ufw` command. Documentation for ufw is also improved to help users better utilise the ufw framework and take full advantage of Linux netfilter's power and flexibility. See UbuntuFirewall#Features for a full list of features.

Non-eXecutable Emulation

Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory.

Blocking Module Loading

To block the loading of any further modules after boot (generally for servers with unchanging hardware), the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protection against attackers loading kernel rootkits.

Position-Independent Executables

Building on the work done in Ubuntu 8.10 and 9.04 to proactively protect Ubuntu from unknown threats by using strict compiler flags, more applications have been built as Position-Independent Executables (PIE) to take advantage of the Address Space Layout Randomisation (ASLR) available in the Ubuntu kernel. In addition to the growing program list, PIE programs are now also built with the BIND_NOW linker flag to take full advantage of the existing RELRO linker flag. This results in PIE programs having fewer places in their memory that can be controlled to redirect program flow when an attacker attempts memory-corruption exploits.

Known issues

For a full list of errata for Ubuntu 9.10, please see the Ubuntu 9.10 release notes.

Ubuntu Server Edition 9.04 (Jaunty Jackalope)

Boot performance

A number of improvements to the Ubuntu start-up process bring significantly improved boot performance to Ubuntu 9.04.

Linux kernel 2.6.28

Ubuntu 9.04 RC includes the 2.6.28-11.37 kernel based on 2.6.28.8.

Ext4 filesystem support

Ubuntu 9.04 supports the option of installing the new ext4 file system. ext3 will remain the default filesystem for Jaunty, and we will consider ext4 as the default for the next release based on user feedback. There has been extensive discussion about the reliability of applications running on ext4 in the face of sudden system outages. Applications that use the conventional approach of writing data to a temporary file and renaming it to its final location will have their reliability expectations met in Ubuntu 9.04. Ext4 support in GRUB was provided by Colin King. If you choose to upgrade your / or /boot filesystem in place from ext2 or ext3 to ext4 (as documented on the ext4 wiki), then you must also use the grub-install command after upgrading to Ubuntu 9.04 to reinstall your boot loader. If you do not do this, then the version of GRUB installed in your boot sector will not be able to read the kernel from the ext4 filesystem and your system will fail to boot.

Cloud computing

Ubuntu 9.04 Server Edition makes it easy to experiment with cloud computing. Eucalyptus, an open source technology which is included in Ubuntu as a technology preview, enables you to use your own servers to deploy, experiment and test your own private cloud that matches the Amazon EC2 API, which is Ubuntu's first step at creating an Ubuntu Enterprise Cloud. You can dynamically create virtual machines, configure multiple clusters into a single Cloud and even provide an EBS (elastic block storage) equivalent and an S3 compatible storage manager. More on Ubuntu Enterprise Cloud >>

Turn-key mail servers

The dovecot-postfix package in Ubuntu 9.04 provides an easy-to-deploy mail server stack, with support for SMTP, POP3, and IMAP with TLS and SASL. dovecot-postfix was packaged by Ante Karamatić.

Power management

Suspend, resume, hibernate

Some features, previously available on the desktop edition, are now provided on Ubuntu Server. In addition to energy savings:

  • resuming from suspend provides a faster boot for some servers,
  • hibernate can allow some hardware maintenance and restoration of the previous state,
  • hibernate is useful for security forensics/research following a security breach.

See the blueprint for more details.

Power Capping

Through the pwrkap project, Ubuntu Server provides a set of utilities to monitor computer energy consumption and enforce an upper limit on the amount of power consumed by the computer at any given time.

Screen-profiles

screen-profiles is a new package that provides a colored text interface with tabbed windows, the ability to background processes, and dynamically updated status indicators for the distro, release, reboot-required, updates-available, ec2-cost, system load, num-cpus, cpu-frequency, total memory, memory used, date/time, etc.

Server virtualization

Modern, even more full-featured KVM (v84) with a number of stability and performance improvements, and early preview support for nested virtualization (virtual machines running virtual machines). KVM has supported live migration for well over a year already, but it now supports this all the way through the stack, from the hypervisor (KVM itself) through libvirt and all the way to virt-manager. KSM is a new technology within KVM which allows for memory aggregation: identical memory blocks across virtual machines are detected and merged, allowing for a much higher density of guests on a given host when running similar virtual machines. The PCI passthrough feature of KVM allows PCI devices to be assigned directly to a given guest (up to 8 guests per PCI with supporting PCI devices), bringing performance to an unprecedented level.

LVM by default

Default support of LVM in the installer allows for easier setup and maintenance of servers. Also, recognition of LVM storage in the LiveCD allows for a smoother migration from a system currently using LVM.

Microsoft Exchange Support

The openchange library is available in jaunty to enable Ubuntu systems to interact with Exchange servers: libraries, command-line tools and an evolution plugin.

Samba 3.3

Samba 3.3 now adds extended cluster support and even better behaviour with current Microsoft Windows(TM) clients and servers.

Support for OEM pre-installation

The oem-config tool now supports server pre-installation, allowing server hardware manufacturers to preload Ubuntu Server Edition on their servers. The tool also allows appliance and virtual appliance makers to define a set of questions that will be asked of the end users the first time the system is booted to finalize the configuration.

/etc under revision control

Modifications to server configuration files are now easily tracked, audited and reverted through the Bazaar revision control system using the updated etckeeper package.

Uncomplicated Firewall new features

Version 0.27 of ufw brings many easy to use new features:

  • ufw now has debconf support, which means that you can enable ufw and set up some basic rules via the installer and, most importantly for servers, via preseeding. Any "simple" rule can be preseeded (e.g. ufw allow 22/tcp) as well as application profiles (e.g. Cups, DNS, Imap (Secure), Pop3 (Secure), SSH, Samba, Smtp, WWW, WWW (Secure)), but not complex ones (e.g. ufw allow from 192.168.0.0/16 to any port 22 proto tcp).
  • ufw can now be used to add iptables REJECT directives, both for rules and as the default policy.
  • Rules can now be inserted at a given position, rather than just appended to the end.
  • ufw now has the concept of log levels (off, low, medium, high, full) and can log on a per-rule basis as well.

See the updated manpage for more details.

New apparmor profiles

Three new services are now apparmor protected by default when installed:

  • dhcpd3
  • dhclient3
  • tcpdump

Boot from multipath devices

Ubuntu systems can be booted from multipath devices to increase availability.

Ubuntu Server Edition 8.10 (Intrepid Ibex)

The following is a summary of the new features provided by Ubuntu Server Edition 8.10. In addition to this, you might be interested in looking at the Releases Notes.

Boot degraded raid setting

Traditionally, booting an Ubuntu installation with the root filesystem on a degraded RAID drops the system into a busybox prompt in the initramfs. This is the safest choice as it prevents any further possible harm to data and lets the administrator pick what to do, but it was causing issues with servers hosted in remote locations. A system administrator can now statically configure their machines to continue booting even if a disk in the array is bad by issuing the following command:

echo "BOOT_DEGRADED=true" | sudo tee -a /etc/initramfs-tools/conf.d/mdadm

Additionally, this can be specified on the kernel boot line with the

bootdegraded=[true|false]

parameter.

Compiler security-hardening features by default

The gcc compiler now defaults to enabling several security-hardening features and warnings. This mitigates many as-yet-undiscovered security vulnerabilities, rendering them unexploitable.

DKMS

DKMS (by Dell) is included in Ubuntu 8.10, allowing kernel drivers to be automatically rebuilt when new kernels are released. This makes it possible for kernel package updates to be made available immediately without waiting for rebuilds of driver packages, and without third-party driver packages becoming out of date when installing these kernel updates.

Encrypted private directory

The ecryptfs-utils package now provides support for a secret encrypted folder in your Home Folder (by Michael Halcrow, Dustin Kirkland, and Daniel Baumann). To enable this feature, either activate it during installation or type the following from any command prompt:

sudo aptitude install ecryptfs-utils
ecryptfs-setup-private

Free portion of Landscape client informs administrators

The open source client for Canonical's Landscape web systems management service now provides information to administrators when they log in to their servers regarding the server's current usage and potential problems.

Network services compiled as position-independent executables

To take advantage of the kernel's ability to randomize the in-memory location of executables, many network services were compiled as position-independent executables (PIE), including: apache2, bind9, openldap, postfix, cups, openssh, postgresql-8.3, samba, dovecot, dhcp3. This makes certain kinds of security vulnerabilities even harder to exploit.
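As an added example (not part of the original release notes or of any Ubuntu tool), the following C program is a small checksec-style inspector for the protections described in the PIE notes for 9.10 and 8.10 above: it parses an ELF64 image and reports whether the binary is position-independent (ET_DYN, so ASLR can relocate it), carries a PT_GNU_RELRO segment, and asks the loader for immediate binding (BIND_NOW). The sample image it builds is constructed for the example rather than a real binary, and the function and struct names are the example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { int pie, relro, bind_now; } hardening_t;

/* Inspect an ELF64 image held in memory: PIE (ET_DYN), PT_GNU_RELRO present, and
 * immediate binding requested via DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
 * Returns 0 on success, -1 if the buffer is not a well-formed ELF64 image.
 * Fields are copied with memcpy so an unaligned buffer is safe. */
int inspect_elf64(const uint8_t *img, size_t len, hardening_t *out) {
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, img, sizeof eh);
    memset(out, 0, sizeof *out);
    out->pie = (eh.e_type == ET_DYN);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph; size_t off = eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) out->relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        if (ph.p_offset + ph.p_filesz > len) return -1;
        for (size_t k = 0; (k + 1) * sizeof(Elf64_Dyn) <= ph.p_filesz; k++) { /* walk .dynamic */
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + k * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                out->bind_now = 1;
        }
    }
    return 0;
}

/* Build a minimal synthetic ELF64 image (constructed for this example, not a real
 * binary): header, PT_DYNAMIC plus optional PT_GNU_RELRO, and a two-entry dynamic
 * section. Returns the image size, or 0 if buf is too small. */
size_t build_sample(uint8_t *buf, size_t cap, int pie, int relro, int bind_now) {
    Elf64_Ehdr eh; Elf64_Phdr ph[2]; Elf64_Dyn dyn[2];
    size_t dynoff = sizeof eh + sizeof ph, total = dynoff + sizeof dyn;
    if (total > cap) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = relro ? 2 : 1;
    ph[0].p_type = PT_DYNAMIC; ph[0].p_offset = dynoff; ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = PT_GNU_RELRO;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

int main(void) {
    uint8_t buf[512]; hardening_t h;
    size_t n = build_sample(buf, sizeof buf, 1, 1, 1);
    if (n && inspect_elf64(buf, n, &h) == 0)
        printf("PIE=%d RELRO=%d BIND_NOW=%d\n", h.pie, h.relro, h.bind_now);
    return 0;
}
```

To audit a real service binary, read the file into a buffer and pass it to inspect_elf64; a fully hardened PIE as described above reports all three flags set.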

New installation profiles

Two new installation profiles have been added to the server software selection list (tasksel):

  • Tomcat Java Server: Tomcat 6 and Sun's Java OpenJDK 6
  • Virtualization Host: KVM and Libvirt

Notable inclusion in the main repository

The following packages have been included in the main repository and are now supported options that can be of particular interest for server administrators:

  • Sun's Java OpenJDK 6 - an open source implementation of the Java development kit
  • Apache's Tomcat 6 - A Java servlet container
  • ClamAV - a virus detection engine that can be coupled to mail servers. Note that ClamAV is protected by default by an AppArmor profile.
  • SpamAssassin - A spam detection engine that can be coupled to mail servers

OpenLDAP using cn=config

The default installation of the OpenLDAP server now uses the cn=config extension, which allows automatic synchronization between LDAP replicas of configuration changes made.

PAM authentication framework

Ubuntu 8.10 features a new pam-auth-update tool, which allows simple management of PAM authentication configuration for both desktops and servers (by Steve Langasek). Packages providing PAM modules will be configured automatically, and users can adjust their authentication preferences by running sudo pam-auth-update. More information can be found in the Ubuntu wiki.

Samba 3.2

A lot of new features have been added in Samba 3.2, including:

  • clustered file server support
  • encrypted network transport
  • IPv6
  • better integration with current Microsoft Windows™ clients and servers.

Select-editor command

Running the

sudo select-editor

command now allows you to pick which editor will be used by default to edit documents.

Server Virtualization

  • python-vm-builder

This is a complete rewrite of ubuntu-vm-builder featuring a better template system, a plugin architecture allowing support for other distributions, front-ends and additional functionality such as post-install tasks (--exec, --copy) or first-boot hooks (--first-boot, --first-login). It provides a compatibility mode with the previous command-line syntax and adds better reporting. Python-vm-builder allows you to create a new virtual machine in a few minutes without going through the interactive installation process. It can be very useful for developers, software vendors or system administrators. A tutorial is available at https://help.ubuntu.com/community/JeOSVMBuilder

  • Ubuntu as a Xen guest

Using Ubuntu as a Xen guest is now a supported option included in the standard server kernel and is a choice when building virtual machines with python-vm-builder.

  • JeOS is now an option in the server installer

In an effort to simplify our build process and avoid confusion when trying to install JeOS on real hardware, JeOS is no longer provided as a separate ISO. Instead, it is an option that is activated on the server installer by pressing F4 on the first screen and selecting the "Install a minimal virtual machine" option.

  • Simplified KVM virtualization environment setup

Two new meta packages have been added to setup a virtualization environment using KVM:

  • ubuntu-virt-server will install and configure the tools you need to run KVM guests on a server,
  • ubuntu-virt-mgmt will install and configure the tools you need to administer a KVM server from a client.

Service command now supported

Fedora or Red Hat administrators will now feel a bit more comfortable using Ubuntu, as the service command they had been using to manage daemons is now standard on Ubuntu. In addition to the traditional

sudo /etc/init.d/<service> [start|stop|restart]

way of managing a process, it is now also possible to use

sudo service <service> [start|stop|restart]

To complete this, numerous standard services now support the status option so that, e.g.,

sudo service postfix status

will now report if the service is running or not.

Service-aware Uncomplicated Firewall (ufw)

Common services now inform ufw of the ports they need to operate properly, so the administrator can open them with a single simple command:

ufw allow <service>