Red Hat Enterprise Linux 7 Security Guide, available from
http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
3.11.1.1. Migrating rules to firewalld
Red Hat Enterprise Linux 6 provided two methods of firewall configuration:
Use the graphical system-config-firewall tool to configure rules. This tool stored its configuration
details in the /etc/sysconfig/system-config-firewall file, and created configuration for the
iptables and ip6tables services in the /etc/sysconfig/iptables and
/etc/sysconfig/ip6tables files.
Manually edit the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files (either from
scratch, or editing an initial configuration created by system-config-firewall).
If you configured your Red Hat Enterprise Linux 6 firewall with system-config-firewall, after you upgrade
your system and install firewalld, you can use the firewall-offline-cmd tool to migrate the configuration
in /etc/sysconfig/system-config-firewall into the default zone of firewalld.
$ firewall-offline-cmd
Red Hat Enterprise Linux 7 Migration Planning Guide
However, if you manually created or edited /etc/sysconfig/iptables or
/etc/sysconfig/ip6tables, after you install firewalld, you must either create a new configuration
with firewall-cmd or firewall-config, or disable firewalld and continue to use the old iptables and
ip6tables services. For details about creating new configurations or disabling firewalld, see the
Red Hat Enterprise Linux 7 Security Guide, available from
http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
3.11.2. Changes to PolicyKit
Previously, PolicyKit used key-value pairs in .pkla files to define additional local authorizations. Red Hat
Enterprise Linux 7 introduces the ability to define local authorizations with JavaScript, allowing you to script
authorizations if necessary.
polkitd reads .rules files in lexicographic order from the /etc/polkit-1/rules.d and
/usr/share/polkit-1/rules.d directories. If two files share the same name, files in /etc are
processed before files in /usr. When the old .pkla files were processed, the last rule processed took
precedence. With the new .rules files, the first matching rule takes precedence.
After migration, your existing rules are applied by the
/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules file. They can therefore be overridden by .rules
files in either /usr or /etc with a name that comes before 49-polkit-pkla-compat in lexicographic
order. The simplest way to ensure that your old rules are not overridden is to begin the name of all
other .rules files with a number greater than 49.
For further information about this, see the Red Hat Enterprise Linux 7 Desktop Migration and
Administration Guide, available from
http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
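The ordering described above can be checked on a host before new .rules files are added. The following is an added example, not part of the guide: it lists .rules files in processing order and reports those that run before the compat file. It assumes file names compare by plain code-point order; the function names and every demo file name except 49-polkit-pkla-compat.rules are constructed.

```python
import os
import tempfile

ETC_DIR = "/etc/polkit-1/rules.d"
USR_DIR = "/usr/share/polkit-1/rules.d"
COMPAT = "49-polkit-pkla-compat.rules"


def processing_order(etc_dir=ETC_DIR, usr_dir=USR_DIR):
    """Return .rules paths sorted by file name, /etc before /usr on a tie."""
    entries = []
    for rank, directory in enumerate((etc_dir, usr_dir)):
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if name.endswith(".rules"):
                entries.append((name, rank, os.path.join(directory, name)))
    # Assumption: names compare by plain code-point order (C-locale style).
    return [path for _name, _rank, path in sorted(entries)]


def rules_before_compat(order, compat=COMPAT):
    """Paths processed before the compat file; first match wins, so a
    matching rule in any of them overrides the migrated .pkla rules."""
    names = [os.path.basename(path) for path in order]
    if compat not in names:
        return None  # no migrated rules on this host
    return order[:names.index(compat)]


def demo():
    """Build a constructed layout; every name except COMPAT is made up."""
    layout = [("etc", COMPAT), ("etc", "60-site.rules"), ("etc", "50-default.rules"),
              ("usr", "50-default.rules"), ("usr", "20-vendor.rules")]
    with tempfile.TemporaryDirectory() as root:
        for sub, name in layout:
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            open(os.path.join(root, sub, name), "w").close()
        order = processing_order(os.path.join(root, "etc"), os.path.join(root, "usr"))
        early = rules_before_compat(order)
        return ([os.path.relpath(p, root) for p in order],
                [os.path.relpath(p, root) for p in early])


if __name__ == "__main__":
    order, early = demo()
    print("processing order:", *order, sep="\n  ")
    print("processed before the migrated rules:", *early, sep="\n  ")
```

Called with no arguments, processing_order() reads the two real directories named in this section.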
3.11.3. Changes to user identifiers
In Red Hat Enterprise Linux 6, the base user identifier was 500. In Red Hat Enterprise Linux 7, the base
user identifier is now 1000. This change involves replacing the /etc/login.defs file during the
upgrade process.
If you have not modified the default /etc/login.defs file, the file is replaced during upgrade. The base
user identifier number is changed to 1000, and new users will be allocated user identifiers at and above
1000. User accounts created before this change retain their current user identifiers and continue to work
as expected.
If you have modified the default /etc/login.defs file, the file is not replaced during upgrade, and the
base user identifier number remains at 500.
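To see which of the two cases applies to an upgraded host, and which accounts kept identifiers from the old range, the two files can be read together. The following is an added example, not part of the guide: it assumes the base is stored under the UID_MIN key of /etc/login.defs in decimal, and the sample file contents and function names are constructed.

```python
OLD_BASE, NEW_BASE = 500, 1000  # base user identifiers in RHEL 6 and RHEL 7

# Constructed samples (not from a real host).
SAMPLE_LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:1000:1000::/home/carol:/bin/bash
"""


def uid_min(login_defs_text):
    """Return the UID_MIN value, or None if the key is not set."""
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "UID_MIN":
            return int(fields[1])  # assumption: written in decimal
    return None


def accounts_in_old_range(passwd_text, base):
    """Accounts allocated from the old base (500) that sit below `base`."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank or malformed entries
        uid = int(fields[2])
        if OLD_BASE <= uid < base:
            hits.append((fields[0], uid))
    return hits


def report(login_defs_text, passwd_text):
    """Summarise which upgrade case applies and who kept an old-range UID."""
    base = uid_min(login_defs_text)
    effective = NEW_BASE if base is None else base
    return {
        "base": base,
        "login_defs_replaced": base == NEW_BASE,
        "kept_old_uids": accounts_in_old_range(passwd_text, effective),
    }
```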
3.11.4. Changes to libuser
As of Red Hat Enterprise Linux 7, the libuser library no longer supports configurations that contain both
the ldap and files modules, or both the ldap and shadow modules. Combining these modules results
in ambiguity in password handling, and such configurations are now rejected during the initialization
process.
If you use libuser to manage users or groups in LDAP, you must remove the files and shadow
modules from the modules and create_modules directives in your configuration file
(/etc/libuser.conf by default).
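A configuration can be checked for the rejected combinations before the upgrade. The following is an added example, not part of the guide or of libuser: it follows the instruction above and flags files and shadow in either directive whenever ldap appears in either one. It assumes module names are separated by whitespace or commas and ignores section headers; the sample configuration and function names are constructed.

```python
import re

# Constructed sample in the layout of /etc/libuser.conf (not from the guide).
SAMPLE_CONF = """\
[defaults]
# modules = files shadow
modules = files shadow ldap
create_modules = ldap
crypt_style = sha512
"""

CONFLICTING = ("files", "shadow")
DIRECTIVE = re.compile(r"(modules|create_modules)\s*=\s*(.*)$")


def module_lists(conf_text):
    """Return {directive: [module, ...]} for modules and create_modules."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directive
        match = DIRECTIVE.match(line)
        if match:
            # Assumption: names are separated by whitespace or commas.
            names = re.split(r"[\s,]+", match.group(2))
            found[match.group(1)] = [n for n in names if n]
    return found


def modules_to_remove(conf_text):
    """Return {directive: [modules]} that must go when ldap is in use."""
    lists = module_lists(conf_text)
    if not any("ldap" in mods for mods in lists.values()):
        return {}  # no LDAP management: files/shadow stay as they are
    result = {}
    for directive, mods in lists.items():
        clash = [m for m in mods if m in CONFLICTING]
        if clash:
            result[directive] = clash
    return result


if __name__ == "__main__":
    for directive, mods in modules_to_remove(SAMPLE_CONF).items():
        print("remove from %s: %s" % (directive, " ".join(mods)))
```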
Chapter 4. Changes to packages, functionality, and support
Read this chapter for information about changes to the functionality or to packages provided in Red Hat
Enterprise Linux 7, and changes to the support of said packages.
4.1. New Packages
This section describes notable packages now available in Red Hat Enterprise Linux 7.
4.1.1. Chrony
Chrony is a new NTP client provided in the chrony package. It replaces the reference implementation
(ntp) as the default NTP implementation in Red Hat Enterprise Linux 7. However, it does not support all
features available in ntp, so ntp is still provided for compatibility reasons. If you require ntp, you must
explicitly remove chrony and install ntp instead.
Chrony's timekeeping algorithms have several advantages over the ntp implementation.
Faster, more accurate synchronization.
Larger range for frequency correction.
Better response to rapid changes in clock frequency.
No clock stepping after initial synchronization.
Works well with an intermittent network connection.
For more information about chrony, see the Red Hat Enterprise Linux 7 System Administrator's Guide or
System Administrator's Reference Guide, available from
http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
4.1.2. HAProxy
HAProxy is a TCP/HTTP reverse proxy that is well-suited to high availability environments. It requires few
resources, and its event-driven architecture allows it to easily handle thousands of simultaneous
connections on hundreds of instances without risking the stability of the system.
For more information about HAProxy, see the man page, or consult the documentation installed along with
the haproxy package in the /usr/share/doc/haproxy directory.
4.1.3. Kernel-tools
The kernel-tools package includes a number of tools for the Linux kernel. Some tools in this package
replace tools previously available in other packages. See Section 4.3, "Deprecated Packages" and
Section 4.2, "Package Replacements" for details.
4.2. Package Replacements
This section lists packages that have been removed from Red Hat Enterprise Linux between version 6 and
version 7 alongside functionally equivalent replacement packages or alternative packages available in
Red Hat Enterprise Linux 7.
Table 4.1. Replaced packages
| Removed package | Replacement/Alternative | Notes |
|---|---|---|
| vconfig | iproute (ip tool) | Not fully compatible. |
| module-init-tools | kmod | |
| openoffice.org | libreoffice | |
| man | man-db | |
| ext2 and ext3 filesystem driver | ext4 filesystem driver | |
| openais | corosync | Functionality wrapped by the Red Hat Enterprise Linux HA stack. |
| jwhois | whois | Output format differs. |
| libjpeg | libjpeg-turbo | |
| gpxe | ipxe | Fork of gpxe. |
| cpuspeed | kernel, kernel-tools (cpupower, cpupower.service) | Now configured in /etc/sysconfig/cpupower. No longer includes user-space scaling daemon; use kernel governors if necessary. |
| nc | nmap-ncat | |
| procps | procps-ng | |