TechnicalOverview

Differences between revisions 89 and 91 (spanning 2 versions)
Revision 89 as of 2009-09-29 20:31:23
Size: 16505
Editor: c-76-105-168-175
Comment: drop hardening section; makes no sense to separate it out
Revision 91 as of 2009-09-29 22:11:43
Size: 15913
Editor: minbar
Comment: update for beta
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:
The Ubuntu developers are moving quickly to bring you the absolute latest and greatest software the Open Source Community has to offer. The Karmic Koala Alpha 6 is the sixth alpha release of Ubuntu 9.10, bringing with it the earliest new features for the next version of Ubuntu. The Ubuntu developers are moving quickly to bring you the latest and greatest software the Open Source Community has to offer. This is the Ubuntu 9.10 beta release, which brings a host of exciting new features.
Line 8: Line 8:
'''This is an alpha release. Do not install it on production machines. The final stable version will be released on October 29th, 2009.''' '''Note: This is a beta release. Do not install it on production machines. The final stable version will be released on October 29th, 2009.'''
Line 16: Line 16:
= New features in Karmic = = Download =
Line 18: Line 18:
Feature development for Karmic is happening with full speed. Please see the [[https://blueprints.launchpad.net/ubuntu/karmic/+specs|Karmic blueprint list]] for details. Get it while it's hot. ISOs and torrents are available at:
Line 20: Line 20:
Please test and report any bugs you find:  http://releases.ubuntu.com/releases/9.10/ (Ubuntu Desktop, Server, and Netbook Remix) <<BR>>
 http://uec-images.ubuntu.com/releases/9.10/ (Ubuntu Server for UEC and EC2) <<BR>>
 http://releases.ubuntu.com/kubuntu/9.10/ (Kubuntu Desktop and Netbook) <<BR>>
 http://cdimage.ubuntu.com/xubuntu/releases/9.04/beta/ (Xubuntu) <<BR>>
 http://cdimage.ubuntu.com/ubuntustudio/releases/9.04/beta/ (Ubuntu``Studio) <<BR>>
 http://cdimage.ubuntu.com/mythbuntu/releases/9.04/beta/ (Mythbuntu) <<BR>>
 http://cdimage.ubuntu.com/edubuntu/releases/9.04/beta/ (Edubuntu) <<BR>>

Local mirrors are also available:

 '''FIXME: import mirror list automatically'''

= New features since Ubuntu 9.04 =

These features are showcased for your attention. Please test them and report any bugs you find:
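Review bot: in the added download list, the Xubuntu, Ubuntu Studio, Mythbuntu and Edubuntu URLs still point at "releases/9.04/beta/" while the Ubuntu, UEC and Kubuntu entries above them use "9.10/" and the page now describes the 9.10 beta; those four paths look like leftovers from the previous release and should be checked before this revision is published. The "FIXME: import mirror list automatically" placeholder under "Local mirrors" also reaches readers as-is.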
Line 34: Line 48:
Ubuntu Karmic Alpha 6 includes the [[https://wiki.ubuntu.com/SoftwareCenter|Ubuntu Software Store]]. It is temporarily located under `System`, with a plan to replace `Add\Remove` in the Beta release. We kindly request users to try it out, and [[https://bugs.launchpad.net/ubuntu/+source/software-center|report any bugs]] they find. Ubuntu 9.10 Beta includes the [[https://wiki.ubuntu.com/SoftwareCenter|Ubuntu Software Center]], replacing 'Add/Remove' in the '''Applications''' menu. We kindly request users to try it out, and [[https://bugs.launchpad.net/ubuntu/+source/software-center|report any bugs]] they find.
Line 38: Line 52:
Ubuntu Karmic Alpha 6 includes the latest [[http://live.gnome.org/TwoPointTwentyseven/|GNOME 2.27.91]] development release. Ubuntu 9.10 Beta includes the latest [[http://live.gnome.org/TwoPointTwentyseven/|GNOME 2.28]] desktop environment with a number of great new features:
Line 40: Line 54:
[[http://live.gnome.org/Empathy|Empathy]] has replaced Pidgin as the default instant messaging client, introducing the [[http://telepathy.freedesktop.org/wiki/|Telepathy framework]].  * [[http://live.gnome.org/Empathy|Empathy]] has replaced Pidgin as the default instant messaging client, introducing the [[http://telepathy.freedesktop.org/wiki/|Telepathy framework]].
Line 42: Line 56:
The gdm 2.27.91 login manager is a complete rewrite compared to the version in earlier Ubuntu releases.  * The gdm 2.28 login manager is a complete rewrite compared to the version in earlier Ubuntu releases, permitting a more integrated login experience.
Line 46: Line 60:
Kubuntu includes its first Netbook release, Social from the Start and the latest [[http://www.kde.org|KDE]] packages. See [[KarmicKoala/Alpha6/Kubuntu|the Kubuntu technical overview]] Kubuntu 9.10 includes the first Kubuntu Netbook release, Social from the Start and the latest [[http://www.kde.org|KDE]] packages. See [[KarmicKoala/Beta/Kubuntu|the Kubuntu technical overview]].
Line 50: Line 64:
Alpha 6 includes alpha images which are common to [[http://www.ubuntu.com/products/whatisubuntu/serveredition/cloud/UEC|Ubuntu Enterprise Cloud]] (UEC) and Amazon's EC2. You can try out the latest Karmic server alpha instantly on EC2 using a preconfigured AMI, or download an image and put it into your own Ubuntu Enterprise Cloud. For information on using UEC images on Amazon EC2, see the [[https://help.ubuntu.com/community/EC2StartersGuide|EC2 Starter's Guide]]. Ubuntu 9.10 Beta includes images for common use on [[http://www.ubuntu.com/products/whatisubuntu/serveredition/cloud/UEC|Ubuntu Enterprise Cloud]] (UEC) and Amazon's EC2. You can try out the latest Ubuntu 9.10 server image instantly on EC2 using a preconfigured AMI, or download an image and put it into your own Ubuntu Enterprise Cloud. For information on using UEC images on Amazon EC2, see the [[https://help.ubuntu.com/community/EC2StartersGuide|EC2 Starter's Guide]].
Line 54: Line 68:
Ubuntu Karmic Alpha 6 ships the [[https://ubuntuone.com/|Ubuntu One]] file sharing service by default, providing tightly integrated file synchronization of your computer with other computers and the Ubuntu One network storage service. Ubuntu 9.10 Beta ships the [[https://ubuntuone.com/|Ubuntu One]] file sharing service by default, providing tightly-integrated file synchronization of your computer with other computers and the Ubuntu One network storage service.
Line 58: Line 72:
Alpha 6 includes the 2.6.31-10.34 [[http://kernel.org|kernel]] based on 2.6.31. The kernel ships with Kernel Mode Setting enabled for Intel graphics (see below). `linux-restricted-modules` is deprecated in favour of DKMS packages. Ubuntu 9.10 Beta includes the 2.6.31-11.36 [[http://kernel.org|kernel]] based on 2.6.31.1. The kernel ships with Kernel Mode Setting enabled for Intel graphics (see below). `linux-restricted-modules` is deprecated in favour of DKMS packages.
Line 62: Line 76:
Karmic Alpha 6's underlying technology for power management, laptop hotkeys, and handling of storage devices and cameras maps has moved from "hal" (which is in the process of being deprecated) to "Device``Kit-power", "Device``Kit-disks" and "udev". When testing Alpha 6, please pay particular attention to regressions in those areas and report bugs. Ubuntu 9.10 Beta's underlying technology for power management, laptop hotkeys, and handling of storage devices and cameras maps has moved from "hal" (which is in the process of being deprecated) to "Device``Kit-power", "Device``Kit-disks" and "udev". When testing Ubuntu 9.10 Beta, please be alert for regressions in those areas and report any bugs you find.
Line 66: Line 80:
The Intel video driver has switched from the "EXA" acceleration method to the new "UXA". This solves major performance problems of Ubuntu 9.04, but could use further testing to flag any regressions it may bring.

Feedback about the new "kernel mode setting" feature is also heavily appreciated. This will reduce video mode switching flicker at booting, and dramatically speed up suspend/resume. Please see the [[https://wiki.ubuntu.com/X/KernelModeSetting|instructions and feedback page]] for details.

== New default compiler ==

Karmic uses GCC-4.4 as the default compiler, which in some parts is more strict than GCC-4.3, see [[http://gcc.gnu.org/gcc-4.4/changes.html|list of changes]]. Please make sure to test packages on karmic or in a karmic chroot before upload.
The Intel video driver has switched from the "EXA" acceleration method to the new "UXA", solving major performance problems of Ubuntu 9.04. Ubuntu 9.10 Beta also features [[https://wiki.ubuntu.com/X/KernelModeSetting|kernel mode setting]] by default on Intel hardware, which reduces boot-time flickering and dramatically speeds up suspend/resume.
Line 76: Line 84:
The new "ext4" filesystem is used by default for new installations of Karmic; of course, other filesystems are still available via the manual partitioner. Existing filesystems will not be upgraded. The new "ext4" filesystem is used by default for new installations with Ubuntu 9.10 Beta; of course, other filesystems are still available via the manual partitioner. Existing filesystems will not be upgraded.
Line 78: Line 86:
If you have full backups and are confident, you can upgrade an existing ext3 filesystem to ext4 by following directions in the [[http://ext4.wiki.kernel.org/index.php/Ext4_Howto#Converting_an_ext3_filesystem_to_ext4|Ext4 Howto]] (note that the comments on that page at the time of writing about Ubuntu's use of vol_id vs. blkid are out of date and are not applicable to Karmic). Maximum performance will typically only be achieved on new filesystems, not on filesystems that have been upgraded from ext3. If you have full backups and are confident, you can upgrade an existing ext3 filesystem to ext4 by following directions in the [[http://ext4.wiki.kernel.org/index.php/Ext4_Howto#Converting_an_ext3_filesystem_to_ext4|Ext4 Howto]]. (Note that the comments on that page at the time of writing about Ubuntu's use of vol_id vs. blkid are out of date and are not applicable to Ubuntu 9.10 Beta.) Maximum performance will typically only be achieved on new filesystems, not on filesystems that have been upgraded from ext3.
Line 82: Line 90:
GRUB 2 is the default boot loader for new installations of Karmic, replacing the previous GRUB "Legacy" boot loader. Existing systems will not be upgraded to GRUB 2 at this time, as automatically reinstalling the boot loader is an inherently risky operation. GRUB 2 is the default boot loader for new installations with Ubuntu 9.10 Beta, replacing the previous GRUB "Legacy" boot loader. Existing systems will not be upgraded to GRUB 2 at this time, as automatically reinstalling the boot loader is an inherently risky operation.
Line 95: Line 103:
A lot of work went into AppArmor for Karmic. The parser has been improved to
use cache files, greatly speeding up AppArmor initialisation on boot. AppArmor
also now supports 'pux' which, when specified, means a process can transition to
an existing profile if one exists or simply run unconfined if one does not.
Improved support for globbing has also been added, most notably when using
wildcard matching for the binary of a profile. Significantly, the AppArmor
patch for Ubuntu has been heavily reworked and now fully uses the upstream LSM
hooks. This makes AppArmor in Ubuntu very self-contained and a good candidate for
future inclusion in the upstream kernel.

AppArmor support in Ubuntu 9
.10 Beta features a number of improvements. The parser has been improved to use cache files, greatly speeding up AppArmor initialisation on boot. AppArmor also now supports 'pux' which, when specified, means a process can transition to an existing profile if one exists or simply run unconfined if one does not.  Improved support for globbing has also been added, most notably when using wildcard matching for the binary of a profile. Significantly, the AppArmor patch for Ubuntu has been heavily reworked and now fully uses the upstream LSM hooks. This makes AppArmor in Ubuntu very self-contained and a good candidate for future inclusion in the upstream kernel.
Line 106: Line 107:
In addition to the above changes to AppArmor itself, several profiles were
added. Enforcing profiles for ```ntpd```, the GNOME document viewer
(```evince```), and ```libvirt``` are enabled by default. Complain mode
profiles for Dovecot are now available in the ```apparmor-profiles``` package.
A new profile is provided for Firefox as well, though it is disabled by
default. Users can enable this by using:{{{

In addition to the above changes to AppArmor itself, several profiles were added. Enforcing profiles for ```ntpd```, the GNOME document viewer (```evince```), and ```libvirt``` are enabled by default. Complain mode profiles for Dovecot are now available in the ```apparmor-profiles``` package. A new profile is provided for Firefox as well, though it is disabled by default. Users can enable this by running: {{{
Line 115: Line 112:
Please see the [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles|SecurityTeam/KnowledgeBase]]
for a full listing of readily available profiles in Ubuntu.
Please see the [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles|SecurityTeam/KnowledgeBase]] for a full listing of readily available profiles in Ubuntu.
Line 119: Line 115:
Libvirt now contains AppArmor integration when using KVM or QEMU. Libvirtd is
configured to launch virtual machines that are confined by uniquely restrictive
AppArmor profiles. This feature significantly improves virtualisation in Ubuntu
by providing user-space host protection as well as guest isolation.
Libvirt now contains AppArmor integration when using KVM or QEMU. Libvirtd is configured to launch virtual machines that are confined by uniquely restrictive AppArmor profiles. This feature significantly improves virtualisation in Ubuntu by providing user-space host protection as well as guest isolation.
Line 125: Line 118:
The [[UbuntuFirewall|Uncomplicated Firewall]] now has support for
filtering by interface and egress filtering when using the ```ufw``` command.
Documentation for ufw is also improved to help users better utilise the ufw
framework and take full advantage of Linux netfilter's power and flexibility.
See [[https://wiki.ubuntu.com/UbuntuFirewall#Features|UbuntuFirewall#Features]]
for a full list of features.
The [[UbuntuFirewall|Uncomplicated Firewall]] now has support for filtering by interface and egress filtering when using the ```ufw``` command. Documentation for ufw is also improved to help users better utilise the ufw framework and take full advantage of Linux netfilter's power and flexibility. See [[https://wiki.ubuntu.com/UbuntuFirewall#Features|UbuntuFirewall#Features]] for a full list of features.
Line 133: Line 121:
The [[https://wiki.ubuntu.com/Security/Features#Non-Exec%20Memory|Non-eXecutable (NX) memory protection]],
also known as eXecute-Disable (XD), has always been available in
Ubuntu for any systems that had the hardware to support it and ran the
64bit kernel or the 32bit server kernel. The 32bit PAE desktop kernel
({{{linux-image-generic-pae}}}) now also provides the PAE mode needed
for hardware with the NX CPU feature.
[[https://wiki.ubuntu.com/Security/Features#Non-Exec%20Memory|Non-eXecutable (NX) memory protection]], also known as eXecute-Disable (XD), has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel ({{{linux-image-generic-pae}}}) now also provides the PAE mode needed for hardware with the NX CPU feature.
Line 140: Line 123:
For systems that lack NX hardware, the 32bit kernels now provide an
approximation of of the NX CPU feature via software emulation that can
help block many exploits an attacker might run from stack or heap memory.
For systems that lack NX hardware, the 32-bit kernels now provide an approximation of of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory. 
Line 146: Line 127:
after boot (generally for servers with unchanging hardware), the
{{{/proc/sys/kernel/modules_disabled}}} one-way sysctl flag now exists
to add another layer of protections against attackers loading kernel
rootkits.
after boot (generally for servers with unchanging hardware), the {{{/proc/sys/kernel/modules_disabled}}} one-way sysctl flag now exists to add another layer of protections against attackers loading kernel rootkits.
Line 151: Line 129:
== Position Independent Executables ==
Building on the work done in Ubuntu 8.10 and 9.04 to pro-actively protect Ubuntu
from unknown threats by using
[[https://wiki.ubuntu.com/CompilerFlags|strict compiler flags]],
more applications have been built as
[[https://wiki.ubuntu.com/Security/Features#PIE|Position Independent Executables]]
(PIE) to take advantage of the
[[https://wiki.ubuntu.com/Security/Features#ASLR|Address Space Layout Randomisation]]
(ASLR) available in the Ubuntu kernel.
== Position-Independent Executables ==
Building on the work done in Ubuntu 8.10 and 9.04 to proactively protect Ubuntu from unknown threats by using [[https://wiki.ubuntu.com/CompilerFlags|strict compiler flags]], more applications have been built as [[https://wiki.ubuntu.com/Security/Features#PIE|Position-Independent Executables]] (PIE) to take advantage of the
[[https://wiki.ubuntu.com/Security/Features#ASLR|Address Space Layout Randomisation]] (ASLR) available in the Ubuntu kernel.
Line 161: Line 133:
In addition to the growing program list, PIE programs are now also built with the
[[https://wiki.ubuntu.com/Security/Features#BIND_NOW|BIND_NOW]] linker flag to
take full advantage of the existing [[https://wiki.ubuntu.com/Security/Features#RELRO|RELRO]]
linker flag. This results in PIE programs having fewer places in their
memory that can be controlled to redirect program flow when an attacker
attempts memory-corruption exploits.
In addition to the growing program list, PIE programs are now also built with the [[https://wiki.ubuntu.com/Security/Features#BIND_NOW|BIND_NOW]] linker flag to take full advantage of the existing [[https://wiki.ubuntu.com/Security/Features#RELRO|RELRO]] linker flag. This results in PIE programs having fewer places in their memory that can be controlled to redirect program flow when an attacker attempts memory-corruption exploits.
Line 168: Line 135:

= Download Alpha 6 =

Get it while it's hot. ISOs and torrents are available at:

 http://cdimage.ubuntu.com/releases/karmic/alpha-6/ (Ubuntu Desktop, Server, and Netbook Remix) <<BR>>
 http://uec-images.ubuntu.com/releases/karmic/alpha-6/ (Ubuntu Server for UEC and EC2) <<BR>>
 http://cdimage.ubuntu.com/ports/releases/karmic/alpha-6/ (Ubuntu Desktop for ARM) <<BR>>
 http://cdimage.ubuntu.com/kubuntu/releases/karmic/alpha-6/ (Kubuntu Desktop and Netbook) <<BR>>
 http://cdimage.ubuntu.com/xubuntu/releases/karmic/alpha-6/ (Xubuntu) <<BR>>
 http://cdimage.ubuntu.com/ubuntustudio/releases/karmic/alpha-6/ (Ubuntu``Studio) <<BR>>
 http://cdimage.ubuntu.com/mythbuntu/releases/karmic/alpha-6/ (Mythbuntu) <<BR>>
 http://cdimage.ubuntu.com/edubuntu/releases/karmic/alpha-6/ (Edubuntu) <<BR>>
Line 184: Line 138:
As is to be expected at this stage of the release process, there are several known bugs that users are likely to run into with Karmic Alpha 6. We have documented them here for your convenience along with any known workarounds, so that you don't need to spend time reporting these bugs again: As is to be expected at this stage of the release process, there are several known bugs that users are likely to run into with Ubuntu 9.10 Beta. We have documented them here for your convenience along with any known workarounds, so that you don't need to spend time reporting these bugs again:
Line 208: Line 162:
It should come as no surprise that this alpha release of Karmic Koala contains other bugs. Your comments, bug reports, patches and suggestions will help fix bugs and improve future releases. Please [[http://help.ubuntu.com/community/ReportingBugs|report bugs using the tools provided]]. It should come as no surprise that this beta release of Karmic Koala contains other bugs. Your comments, bug reports, patches and suggestions will help fix bugs and improve future releases. Please [[http://help.ubuntu.com/community/ReportingBugs|report bugs using the tools provided]].

Introduction

The Ubuntu developers are moving quickly to bring you the latest and greatest software the Open Source Community has to offer. This is the Ubuntu 9.10 beta release, which brings a host of exciting new features.

Note: This is a beta release. Do not install it on production machines. The final stable version will be released on October 29th, 2009.

Upgrading from Ubuntu 9.04

To upgrade from Ubuntu 9.04 on a desktop system, press Alt+F2 and type in "update-manager -d" (without the quotes) into the command box. Update Manager should open up and tell you: New distribution release '9.10' is available. Click Upgrade and follow the on-screen instructions.

To upgrade from Ubuntu 9.04 on a server system: install the update-manager-core package if it is not already installed; edit /etc/update-manager/release-upgrades and set Prompt=normal; launch the upgrade tool with the command sudo do-release-upgrade -d; and follow the on-screen instructions.

Download

Get it while it's hot. ISOs and torrents are available at:

Local mirrors are also available:

  • FIXME: import mirror list automatically

New features since Ubuntu 9.04

These features are showcased for your attention. Please test them and report any bugs you find:

Updated Packages

As with every new release, packages (applications and software of all kinds) are being updated at a rapid pace. Many of these packages come from an automatic sync from Debian's Unstable branch. For a list of all packages being accepted for 9.10 Karmic Koala, please subscribe to karmic-changes:

Upstart

As part of our boot performance work, we have now transitioned to Upstart. If you are testing on your primary machine, we strongly suggest having an Ubuntu Karmic Alpha 5 LiveCD available, or creating an Alpha 5 USB startup disk before doing an upgrade. This will allow us to help you recover in the case that something goes wrong during the boot of your system after upgrade. We request that all bugs affecting the performance or functionality of boot be tagged with ubuntu-boot in Launchpad.

Software Center

Ubuntu 9.10 Beta includes the Ubuntu Software Center, replacing 'Add/Remove' in the Applications menu. We kindly request users to try it out, and report any bugs they find.

GNOME

Ubuntu 9.10 Beta includes the latest GNOME 2.28 desktop environment with a number of great new features:

  • Empathy has replaced Pidgin as the default instant messaging client, introducing the Telepathy framework.

  • The gdm 2.28 login manager is a complete rewrite compared to the version in earlier Ubuntu releases, permitting a more integrated login experience.

Kubuntu

Kubuntu 9.10 includes the first Kubuntu Netbook release, Social from the Start and the latest KDE packages. See the Kubuntu technical overview.

Ubuntu Enterprise Cloud Images

Ubuntu 9.10 Beta includes images for common use on Ubuntu Enterprise Cloud (UEC) and Amazon's EC2. You can try out the latest Ubuntu 9.10 server image instantly on EC2 using a preconfigured AMI, or download an image and put it into your own Ubuntu Enterprise Cloud. For information on using UEC images on Amazon EC2, see the EC2 Starter's Guide.

Ubuntu One file sharing

Ubuntu 9.10 Beta ships the Ubuntu One file sharing service by default, providing tightly-integrated file synchronization of your computer with other computers and the Ubuntu One network storage service.

Linux kernel 2.6.31

Ubuntu 9.10 Beta includes the 2.6.31-11.36 kernel based on 2.6.31.1. The kernel ships with Kernel Mode Setting enabled for Intel graphics (see below). linux-restricted-modules is deprecated in favour of DKMS packages.

hal deprecation

Ubuntu 9.10 Beta's underlying technology for power management, laptop hotkeys, and handling of storage devices and cameras has moved from "hal" (which is in the process of being deprecated) to "DeviceKit-power", "DeviceKit-disks" and "udev". When testing Ubuntu 9.10 Beta, please be alert for regressions in those areas and report any bugs you find.

New Intel video driver architecture available for testing

The Intel video driver has switched from the "EXA" acceleration method to the new "UXA", solving major performance problems of Ubuntu 9.04. Ubuntu 9.10 Beta also features kernel mode setting by default on Intel hardware, which reduces boot-time flickering and dramatically speeds up suspend/resume.

ext4 by default

The new "ext4" filesystem is used by default for new installations with Ubuntu 9.10 Beta; of course, other filesystems are still available via the manual partitioner. Existing filesystems will not be upgraded.

If you have full backups and are confident, you can upgrade an existing ext3 filesystem to ext4 by following directions in the Ext4 Howto. (Note that the comments on that page at the time of writing about Ubuntu's use of vol_id vs. blkid are out of date and are not applicable to Ubuntu 9.10 Beta.) Maximum performance will typically only be achieved on new filesystems, not on filesystems that have been upgraded from ext3.

GRUB 2 by default

GRUB 2 is the default boot loader for new installations with Ubuntu 9.10 Beta, replacing the previous GRUB "Legacy" boot loader. Existing systems will not be upgraded to GRUB 2 at this time, as automatically reinstalling the boot loader is an inherently risky operation.

If you wish to upgrade your system to GRUB 2, then see the GRUB 2 testing page for instructions. See also the upstream draft manual.

Some features are still missing relative to GRUB Legacy. Notable among these are lock/password support, an equivalent of grub-reboot, and Xen handling.

iSCSI installation

The iSCSI installation process has been improved, and no longer requires iscsi=true as a boot parameter; the installer will offer you the option of logging into iSCSI targets if there are no local disks, or you can select "Configure iSCSI" in the manual partitioner.

Putting the root filesystem on iSCSI is now supported.

AppArmor

AppArmor support in Ubuntu 9.10 Beta features a number of improvements. The parser has been improved to use cache files, greatly speeding up AppArmor initialisation on boot. AppArmor also now supports 'pux' which, when specified, means a process can transition to an existing profile if one exists or simply run unconfined if one does not. Improved support for globbing has also been added, most notably when using wildcard matching for the binary of a profile. Significantly, the AppArmor patch for Ubuntu has been heavily reworked and now fully uses the upstream LSM hooks. This makes AppArmor in Ubuntu very self-contained and a good candidate for future inclusion in the upstream kernel.

New profiles

In addition to the above changes to AppArmor itself, several profiles were added. Enforcing profiles for ntpd, the GNOME document viewer (evince), and libvirt are enabled by default. Complain mode profiles for Dovecot are now available in the apparmor-profiles package. A new profile is provided for Firefox as well, though it is disabled by default. Users can enable this by running:

$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5

Please see the SecurityTeam/KnowledgeBase for a full listing of readily available profiles in Ubuntu.
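To make the 'pux' transition described above concrete, here is a constructed profile for a hypothetical /usr/local/bin/report-runner that launches an optional helper. It is an added illustration, not a profile Ubuntu ships; every path in it is an assumption made for the example.

```apparmor
#include <tunables/global>

# Constructed example profile for a hypothetical /usr/local/bin/report-runner.
# The program, its helper and the file paths are assumptions for this example.
/usr/local/bin/report-runner {
  #include <abstractions/base>

  /usr/local/bin/report-runner mr,
  /etc/report-runner.conf r,
  /var/log/report-runner.log w,
  /var/lib/report-runner/** rw,

  # pux: if a profile named /usr/local/bin/report-helper is loaded, the child
  # transitions into it; if no such profile is loaded, the child runs
  # unconfined instead of failing. Compare px, which refuses the exec when the
  # profile is missing, and ux, which always runs the child unconfined.
  /usr/local/bin/report-helper pux,

  # ix: gzip inherits this profile rather than getting one of its own.
  /bin/gzip ix,
}
```

Save it as /etc/apparmor.d/usr.local.bin.report-runner, load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.report-runner`, and confirm with `sudo aa-status` that the profile is listed. Putting it into complain mode first (`sudo aa-complain`) lets you collect the accesses the program actually needs from the kernel log before switching it to enforce mode with `sudo aa-enforce`, the same command the Firefox note above uses. The practical point of `pux` is that adding a profile for the helper later tightens confinement without any change to this profile.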

Libvirt

Libvirt now contains AppArmor integration when using KVM or QEMU. Libvirtd is configured to launch virtual machines that are confined by uniquely restrictive AppArmor profiles. This feature significantly improves virtualisation in Ubuntu by providing user-space host protection as well as guest isolation.

Uncomplicated Firewall

The Uncomplicated Firewall now has support for filtering by interface and egress filtering when using the ufw command. Documentation for ufw is also improved to help users better utilise the ufw framework and take full advantage of Linux netfilter's power and flexibility. See UbuntuFirewall#Features for a full list of features.

Non-eXecutable Emulation

Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature.

For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory.

Blocking Module Loading

To block the loading of any further modules after boot (generally for servers with unchanging hardware), the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protection against attackers loading kernel rootkits.

Position-Independent Executables

Building on the work done in Ubuntu 8.10 and 9.04 to proactively protect Ubuntu from unknown threats by using strict compiler flags, more applications have been built as Position-Independent Executables (PIE) to take advantage of the Address Space Layout Randomisation (ASLR) available in the Ubuntu kernel.

In addition to the growing program list, PIE programs are now also built with the BIND_NOW linker flag to take full advantage of the existing RELRO linker flag. This results in PIE programs having fewer places in their memory that can be controlled to redirect program flow when an attacker attempts memory-corruption exploits.
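The properties the Non-eXecutable Emulation and Position-Independent Executables sections describe (a non-executable stack, PIE, RELRO and BIND_NOW) are all recorded in a binary's ELF headers, so a defender can audit which programs actually received them. The script below is an added example, not part of these release notes or of Ubuntu's tooling: it parses the program headers and the dynamic section of a 64-bit little-endian ELF image directly, and ships a constructed fixture (build_sample_elf) so the checks can be exercised without a real binary. It reports the executable-stack marking only; the kernel-side NX emulation for CPUs without the NX feature is not visible in a file. On a real system, `readelf -l` and `readelf -d` show the same headers.

```python
import struct

# ELF constants (from the ELF ABI / glibc elf.h) that the hardening checks need.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                 # Elf64_Dyn (16 bytes)


def audit_elf(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO and BIND_NOW for a 64-bit little-endian ELF image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("this example only handles ELF64 little-endian images")
    hdr = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    has_interp = has_relro = False
    stack_flags = None
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # BIND_NOW can be expressed three ways; any of them makes ld.so resolve every
    # symbol before handing over control, so the RELRO region can cover the GOT too.
    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    return {
        # A PIE is linked as ET_DYN like a shared library, but carries PT_INTERP.
        "pie": e_type == ET_DYN and has_interp,
        # Without a PT_GNU_STACK header the x86 loader falls back to an executable stack.
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        "relro": "full" if (has_relro and bind_now) else "partial" if has_relro else "none",
        "bind_now": bind_now,
    }


def audit_file(path: str) -> dict:
    """Audit an ELF file on disk, e.g. audit_file('/bin/ls')."""
    with open(path, "rb") as fh:
        return audit_elf(fh.read())


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True) -> bytes:
    """Constructed ELF64 image holding only the headers audit_elf reads.
    It is a deterministic test fixture, not a runnable program."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    kinds = [(PT_INTERP, PF_R), (PT_DYNAMIC, PF_R | PF_W), (PT_GNU_STACK, stack_flags)]
    if relro:
        kinds.append((PT_GNU_RELRO, PF_R))
    interp_off = EHDR.size + PHDR.size * len(kinds)
    dyn_off = interp_off + len(interp)
    placed = {PT_INTERP: (interp_off, len(interp)), PT_DYNAMIC: (dyn_off, len(dyn))}
    phdrs = b""
    for p_type, p_flags in kinds:
        offset, size = placed.get(p_type, (0, 0))
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs += PHDR.pack(p_type, p_flags, offset, 0, 0, size, size, 1)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, len(kinds), 0, 0, 0)
    return ehdr + phdrs + interp + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Run it as `python3 elf_audit.py /usr/bin/*` to list which installed programs are PIE with full RELRO; a result of "partial" means the binary has a RELRO segment but was linked without BIND_NOW, which is exactly the gap the BIND_NOW change above closes for PIE programs.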

Known issues

As is to be expected at this stage of the release process, there are several known bugs that users are likely to run into with Ubuntu 9.10 Beta. We have documented them here for your convenience along with any known workarounds, so that you don't need to spend time reporting these bugs again:

  • When installing Ubuntu from Alpha 6 in a dual-boot configuration with another operating system, such as Windows Vista, the grub2 configuration will not present an option to boot to the other OS. Investigation of this issue is ongoing. (430141)

  • Installing a UEC cluster controller under Ubuntu Server will hang on reboot due to a bug in the eucalyptus init scripts. As a workaround, you can log in to the server remotely via ssh and change the CLOUD_PORT value in /etc/init.d/eucalyptus-cc to 8774. This bug will be resolved for the Ubuntu 9.10 Beta. (430758)

  • Installation of a eucalyptus node will not properly configure the bridge network setup in Alpha 6. To correct this after install, log in to the node and run the command sudo sed -i "s/^iface $interface inet dhcp$/iface $interface inet manual/" /etc/network/interfaces && sudo service networking restart, where $interface is the primary interface of the machine. Cluster nodes installed using Ubuntu 9.10 Beta will have the correct configuration set automatically. (430820)

  • The OEM installer end-user setup will fail to start in Alpha 6. Investigation of this issue is ongoing. (431941)

  • Choosing the "Install Kubuntu" option from Kubuntu and Kubuntu Netbook LiveCDs will start a live session instead. As a workaround, you can launch the installer from the live session desktop. Investigation of this issue is ongoing. (431169)

  • Installing using Wubi will run to completion, but after reboot the newly-installed system will fail to boot with the error message "Could not find a bootloader configuration". Investigation of this issue is ongoing. (431285)

  • In some configurations, users will be unable to use the auto-resize option due to a timestamp problem during ext3/4 filesystem check. Investigation of this issue is ongoing. (431786)

  • Some users with Intel video chipsets will experience a black screen on reboot after install because the fbcon module is not being loaded. As a workaround, users can boot with the i915.modeset=0 option. Investigation of this issue is ongoing. (431812)

  • Encrypted partitions other than the root filesystem will not be mounted in Alpha 6 due to a bug in the cryptsetup package. This bug has been resolved immediately post-Alpha 6; as a workaround for this issue users are recommended to upgrade to cryptsetup version 2:1.0.6+20090405.svn49-1ubuntu4 before rebooting. (430496)

Reporting bugs

It should come as no surprise that this beta release of Karmic Koala contains other bugs. Your comments, bug reports, patches and suggestions will help fix bugs and improve future releases. Please report bugs using the tools provided.

If you want to help out with bugs, the Bug Squad is always looking for help.

Participate in Ubuntu

If you would like to help shape Ubuntu, take a look at the list of ways you can participate at

More information

You can find out more about Ubuntu on the Ubuntu website and Ubuntu wiki.

To sign up for future Ubuntu development announcements, please subscribe to Ubuntu's development announcement list at:

KarmicKoala/TechnicalOverview (last edited 2009-10-28 16:06:36 by pD9EB68B8)