Annvix:Release Notes/1.1

From linsec.ca

This page contains content from the old Annvix.org wiki and has been moved here to preserve content. These pages have been retained for historical and nostalgic purposes only.
Please be aware that Annvix is no longer in development!


Annvix 1.1-RELEASE Release Notes

WARNING: Upgrading from 1.0-RELEASE to 1.1-RELEASE incorporates a great number of changes and while every care has been taken to ensure a smooth upgrade, there are no guarantees. Before proceeding with a full system upgrade, BE SURE TO HAVE A CURRENT AND WORKING BACKUP OF YOUR EXISTING SYSTEM!


Introduction

Thank you for your interest in Annvix! Whether you are currently using Annvix or are looking at evaluating it for the first time, we hope you find something about Annvix interesting and appealing.

Annvix started out as a "proof of concept" Linux project with a few specific goals: Security, speed, stability, and a different way of looking at things. Annvix isn't your typical Linux distribution "clone". Granted, various different Linux distributions have different features, different ways of doing things, but Annvix takes this to an extreme. If you're not prepared to re-learn a few assumptions you have about Linux and system administration, Annvix may not be for you.

Annvix has been in development since late 2003 with the first 1.0-RELEASE made generally available on March 28th, 2005. This release marks the second public release and next evolution in Annvix.

Annvix is the result of an investment of thousands of dollars in equipment, man-hours, and resources largely provided by the lead developer. If you find Annvix useful, consider donating a few dollars to help pay back the developers for the huge investment of time and effort. We hope you find Annvix useful or, if nothing else, at least an interesting diversion from your "typical" Linux distribution!

Features

A number of changes have been made to Annvix that change the feature-set from what it was for 1.0-RELEASE:

  • srv has been enhanced to manage system daemons better
  • execlineb is used as a run script parser wherever possible to increase speed and security and reduce overhead
  • new versions of software are available
  • the installer has been updated:
    • net-setup now probes for network devices and sets them up (including /etc/modules.conf)
    • dhcp now works
    • install-pkgs probes for scsi devices and sets up /etc/modules.conf
  • an upgrade script is provided for a smooth urpmi-based "in-place" upgrade mechanism
  • SSP support was removed due to severe problems between the new gcc and glibc
  • RSBAC support was removed due to the lack of default policies and good documentation

Losing SSP support is a significant step back that we aim to rectify quickly in 1.2-RELEASE. RSBAC support will return to the kernel when there is sufficient time to document it and create default policies to make it easy to setup and use.

New Versions of Software

Annvix 1.1-RELEASE comes with several new versions of software. Not all of it can possibly be listed, but the important ones to watch out for are noted here. We highly recommend doing whatever backup you deem necessary in case anything goes wrong with the upgrade or your data isn't compatible with a new version of the software. Backup guidelines are noted where applicable for particular pieces of software. The afterboot manpage also contains useful information on backing up databases, etc.

The following table lists the major software components that have been upgraded. You may wish to read up on the changes in the software on the individual vendors' websites.

Annvix 1.0-RELEASE     Annvix 1.1-RELEASE
MySQL 4.1.11           MySQL 4.1.14
OpenLDAP 2.1.29        OpenLDAP 2.3.9
OpenSSH 4.0p1          OpenSSH 4.2p1
Kerberos 1.3.6         Kerberos 1.4.2
PostgreSQL 8.0.1       PostgreSQL 8.0.4
OpenSWAN 1.0.9         OpenSWAN 2.3.1
Samba 3.0.11           Samba 3.0.20
Glibc 2.3.2            Glibc 2.3.5
GCC 3.3.1              GCC 3.4.4
chkrootkit 0.43        rkhunter 1.2.7

Configuration File Changes

A number of configuration changes have occurred since 1.0-RELEASE. The first is the introduction of the /etc/sysconfig/env directory structure. It is used by various run scripts to set options for services, etc. rather than sourcing traditional /etc/sysconfig/foo scripts. This adds enhanced security to the system, as well as making values easier to parse and set. Services, particularly those run via tcpsvd, have global values in the /etc/sysconfig/env/tcpsvd directory that can be overridden on a per-service basis.

Run scripts are now flagged as configuration files, so they will never be overwritten if you have made changes to them. As well, a number of run scripts now use the execlineb program rather than a bash shell to execute, resulting in faster and more secure service execution. This also saves about 10MB of running memory on the system compared to similar services running under /bin/sh (as was the case with 1.0-RELEASE).

Kernel Changes

The Annvix kernel is still 2.4-based. However, it is more vanilla in 1.1-RELEASE than it was in 1.0-RELEASE. A number of patches have been removed; essentially the kernel is very similar to the Openwall kernel now, with the Openwall Linux kernel patch. RSBAC is no longer included due to the lack of default policies and adequate documentation; we hope to bring it back in the future.

Overall Changes

One significant change from 1.0-RELEASE to 1.1-RELEASE is the removal of the SSP compiler and glibc patches due to numerous problems with the patches and compilation. We hope to re-integrate SSP support for 1.2-RELEASE.

Logging Changes

The default location of service logs has changed from /var/log/supervise to /var/log/service. All logs will be relocated there on upgrade if they exist. As well, the default log directory is created on-the-fly the first time the service is started rather than at install-time.

1.1-RELEASE includes a new system logger, socklog. socklog is a minimalist syslog-like logging system that uses svlogd to handle logging and log rotation. syslogd and klogd are still provided if you wish to use them; however, socklog provides greater security and reliability.

Log files should only be readable by root; if an administrator needs to read a log file they should be granted privileges explicitly via sudo. All service logs are mode 0640 by default and owned by user logger, group logger. socklog-generated logs are owned by the user and group socklog.

Upgrading Notes

There is a 1.0-to-1.1-upgrade.sh script in CVS (tools/installer/tools) that attempts to perform a sane and clean upgrade of 1.0-RELEASE to 1.1-RELEASE. Unfortunately, due to the large number of changes, the script cannot accommodate everything, but it does its best to do as much as possible. As a result, you may have to do some manual cleanup once the script is done.

First, you need to ensure that your Annvix urpmi medium is named "annvix". In some early cases, it may be named "updates" depending on how you installed 1.0-RELEASE. To rename it, simply use urpmi.removemedia updates and then urpmi.addmedia annvix ftp://[host] with media_info/hdlist.cz; this will create the medium that the upgrade script is looking for. Once that is done, have one console open to run the script and another to tail the file /tmp/upgrade.XXXXXX, where XXXXXX is a random string (from mktemp). This will allow you to see what is going on as the upgrade script progresses.

Due to the removal of SSP, there will be some segfaults and core dumps. There is nothing that can be done about this, and it is not an indication of problems; all it means is that some symbols that some applications are looking for are missing. This is also why we recommend using the script rather than adding the 1.1-RELEASE medium and doing a urpmi --auto-select: the script uses a few passes to ensure things are upgraded in the correct order to minimize problems.

You may notice some errors when packages are removed; these will have to be cleaned up manually. For instance, you may find that libopenssl0.9.7 and libldap2 cannot be removed because exim requires those libraries, and a urpmi --auto-select (done manually when the script is done) doesn't pull in the new exim (you may have 4.50-1avx installed when 4.54-4avx is available). Simply execute urpmi exim to grab the new version. Then you can do rpm -e libldap2; rpm -e libopenssl0.9.7 to remove those libraries, provided you have no ports packages that rely on them (if you do, you will need to rebuild those packages prior to removing the libraries). This is only an example; this particular problem may not hit you, or you may see other similar errors.

Once the install is done, you have installed the new kernel, and you have checked things over to your satisfaction, you will need to reboot the system. NOTE: currently, when you issue reboot after the upgrade the system performs a halt rather than a reboot, so be sure that you are either at the computer or can get to it easily to physically start it up again; subsequent "reboot" commands will work properly.

NOTE: Be sure you use a DNS resolver external to your server when you upgrade. If you are using named (or another DNS resolver that may be upgraded), it will be shut down during the upgrade, and if it is shut down before urpmi has fetched the new package to install, you will not be able to resolve the URL you are downloading from. If you normally run your own DNS server or cache on the system, you may wish to temporarily point the system at another DNS server for the duration of the upgrade (this can be done by editing /etc/resolv.conf).

WARNING: BE SURE YOU HAVE A COMPLETE BACKUP OF ALL DATA PRIOR TO UPGRADING! Annvix comes with absolutely no warranties, expressed or implied, and if the upgrade destroys your data or system, it is entirely your responsibility. Be sure you have a full and working backup of your data prior to performing the upgrade (a good idea would be to dump all databases and to tar up the /etc/ directory as well as any other pertinent directories). See below for specific issues.

OpenLDAP Migration

If you currently use OpenLDAP in 1.0-RELEASE, you will need to take a few steps to ensure a clean upgrade of your database. For some reason, the old OpenLDAP samba schema doesn't seem to be compatible with the new schema, so if you have any accounts with samba attributes, you will need to remove those attributes. You should also use slapcat to create a backup and use this to set up the new database. For instance:

# srv stop slapd
# /usr/sbin/slapcat >~/ldap-backup.ldif
[ do the 1.0 to 1.1 upgrade, reboot, etc.]
# srv --down slapd
# cd /var/lib/ldap
# mkdir backup
# mv -f {*db*,alock,log.*} backup/
# srv --up slapd
# srv --down slapd
# slapadd -cv -l ~/ldap-backup.ldif
# srv --up slapd

This will get your OpenLDAP database back to the state it was in prior to the upgrade. HOWEVER, if you did use samba attributes, you will need to manually edit your ldif file to remove the following attributes from any accounts that have them: objectClass: sambaAccount, pwdLastSet, logonTime, logoffTime, kickoffTime, pwdCanChange, pwdMustChange, displayName, rid, primaryGroupID, lmPassword, ntPassword, and acctFlags. If you require the use of LDAP for samba authentication, you will need to set this up again after the import. If you're using LDAP for PAM/NIS, this will be sufficient to get you back up and running.
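An added example (not part of the Annvix notes or the Annvix tools): a small POSIX shell/awk filter that strips the samba attributes listed above from the slapcat dump before it is handed to slapadd, so the edit does not have to be done by hand. It handles base64 (`attr::`) values and folded continuation lines that belong to a dropped attribute; the attribute list comes from the notes, and the sample record is constructed.

```shell
#!/bin/sh
# Added example, not part of the Annvix release notes: filter a slapcat LDIF dump
# so the samba attributes the notes say must go are removed before slapadd.
# The attribute list is taken from the notes; the sample record is constructed.
# Attribute names to drop, lower-cased (LDAP attribute names are case-insensitive).
SAMBA_ATTRS='pwdlastset logontime logofftime kickofftime pwdcanchange pwdmustchange displayname rid primarygroupid lmpassword ntpassword acctflags'

# Read LDIF on stdin, write the filtered LDIF on stdout. Handles "attr: value",
# base64 "attr:: value", the objectClass: sambaAccount line, and folded
# continuation lines (leading space) that belong to a dropped attribute.
strip_samba_attrs() {
    awk -v attrs="$SAMBA_ATTRS" '
    BEGIN { n = split(attrs, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
    /^ / { if (!skip) print; next }   # continuation line follows its attribute line
    {
        skip = 0
        idx = index($0, ":")
        if (idx > 1) {
            name = tolower(substr($0, 1, idx - 1))
            val = substr($0, idx + 1)
            sub(/^:? */, "", val)   # drop the optional second colon and spaces
            if (name in drop) skip = 1
            else if (name == "objectclass" && tolower(val) == "sambaaccount") skip = 1
        }
        if (!skip) print
    }'
}

# Constructed sample standing in for ~/ldap-backup.ldif (hash values are placeholders).
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: alice
uidNumber: 1001
displayName: Alice
 Example
rid: 3002
lmPassword: PLACEHOLDER-LM-HASH
ntPassword:: UExBQ0VIT0xERVItTlQtSEFTSA==
acctFlags: [U          ]
loginShell: /bin/sh
EOF
}

# Demo on the constructed record. On a real 1.0 box, run instead:
#   strip_samba_attrs < ~/ldap-backup.ldif > ~/ldap-backup-nosamba.ldif
sample_ldif | strip_samba_attrs
```

Feed the filtered file to the slapadd step above (slapadd -cv -l ~/ldap-backup-nosamba.ldif) and then re-create the samba attributes under the new schema if you need LDAP-backed samba authentication.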

srv Changes

The srv tool, which controls supervised services, has been largely re-written for 1.1-RELEASE. As a result, the syntax has completely changed; old commands will no longer work. Please refer to the srv manpage or the srv --help output to see the new syntax.
