Overall changes
Canonical support has been dropped from the following packages. They have been moved to the universe repo.
- tcpd
- xinetd
- isc-dhcp-server-ldap
- ntp, ntpdate
There might be problems to automatically start previously configured ntp service at boot time. As a replacement, systemd-timesyncd.service is now enabled by default and provides SNTP client services. Default time server is ntp.ubuntu.com, or the one obtained from systemd-networkd.service (s. "man timesyncd.conf" for configuration). - firewalld
- ssmtp
New versions
- kernel 4.4 -> 4.15
- bind 9.10.3 -> 9.11.3
https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
https://www.isc.org/downloads/bind/bind-9-11-new-features/ - bacula-fd 7.0.5 -> 9.0.6
http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_4_0.html
http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_9_0_0.html - systemd 229 -> 237
https://github.com/systemd/systemd/blob/master/NEWS - libvirt 1.3.1 -> 4.0.0
https://libvirt.org/news.html - virt-manager 1.3.2 -> 1.5.1
https://github.com/virt-manager/virt-manager/blob/master/NEWS.md
Installing Bacula client from source
Again the new bacula-fd version 9.0.6 might be a problem, if you are running a Bacula server with an older version (s. Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS). In your job output, you will see an error like this:
25-Apr 02:15 server-dir JobId 5638: FD compression disabled for this Job because AllowCompress=No in Storage resource. 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638: Unchanged file skipped: /etc/inputrc 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638: Unchanged file skipped: /etc/bind/db.empty 25-Apr 02:15 server-sd JobId 5638: Fatal error: bsock.c:547 Packet size=1073742451 too big from "client:192.168.0.1:9103. Terminating connection. 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638: Unchanged file skipped: /etc/bind/Kexample2.+163+42584.private 25-Apr 02:15 server-sd JobId 5638: Fatal error: append.c:149 Error reading data header from FD. n=-2 msglen=0 ERR=No data available 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638: Unchanged file skipped: /etc/bind/zones.rfc1918 25-Apr 02:15 server-sd JobId 5638: Elapsed time=00:00:01, Transfer rate=186 Bytes/second 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615307 client-fd JobId 5638: Error: bsock.c:649 Write error sending 884 bytes to Storage daemon:192.168.0.1:9103: ERR=Broken pipe 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=3 level=1524615307 client-fd JobId 5638: Fatal error: backup.c:843 Network send error to SD. ERR=Broken pipe 25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615317 client-fd JobId 5638: Error: bsock.c:537 Socket has errors=1 on call to Storage daemon:192.168.0.1:9103 25-Apr 02:15 server-dir JobId 5638: Fatal error: bsock.c:547 Packet size=1073741935 too big from "Client: client-fd:client.example.com:9102. Terminating connection. 25-Apr 02:15 server-dir JobId 5638: Fatal error: No Job status returned from FD.
Here is how to install bacula-fd 5.2.13 from source on Ubuntu 18.04:
- systemctl stop bacula-fd
- Install packages required for building bacula client from source:
apt-get install build-essentials libssl1.0-dev - Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
- Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5 29F5 9E98 BF32 10A7 92AD):
gpg --recv-keys 10A792AD
gpg --fingerprint -k 10A792AD - Check signature of downloaded files:
gpg --verify bacula-5.2.13.tar.gz.sig - tar -xzvf bacula-5.2.13.tar.gz
- cd bacula-5.2.13
- ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula --with-systemd
- check output of previous configure command
- make && make install
- check output of previous command for any errors
- create new file /etc/ld.so.conf.d/local.conf:
/usr/local/lib - ldconfig
- Delete the following files:
rm /lib/systemd/system/bacula-fd.service
rm /etc/init.d/bacula-fd
(In fact you can remove the bacula-fd 9.0.6 package completely, just make sure to copy the directory /etc/bacula somewhere safe before you do, and restore it afterwards.) - Create file /etc/systemd/system/bacula-fd.service (see below)
- systemctl daemon-reload
- systemctl start bacula-fd
/etc/systemd/system/bacula-fd.service:
[Unit] Description=Bacula File Daemon service Documentation=man:bacula-fd(8) Requires=network.target After=network.target RequiresMountsFor=/var/lib/bacula /etc/bacula /usr/sbin # from http://www.freedesktop.org/software/systemd/man/systemd.service.html [Service] Type=forking User=root Group=root Environment="CONFIG=/etc/bacula/bacula-fd.conf" EnvironmentFile=-/etc/default/bacula-fd ExecStartPre=/usr/local/sbin/bacula-fd -t -c $CONFIG ExecStart=/usr/local/sbin/bacula-fd -u root -g root -c $CONFIG ExecReload=/bin/kill -HUP $MAINPID SuccessExitStatus=15 Restart=on-failure RestartSec=60 PIDFile=/run/bacula/bacula-fd.9102.pid [Install] WantedBy=multi-user.target
Make sure that in you bacula-fd.conf, you have:
Pid Directory = /run/bacula
... and that the directory actually exists.
Some notable changes to systemd
When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e. g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options.
systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead.
systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53.
The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set.
Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation.
