Archive for September, 2008

August in the archive – a view from the Ubuntu Server Team

Posted in A month in the archive on Thursday, 4 September 2008 by Robbie

The month of August saw a lot of activity in the archive, with Feature Freeze reached on Thursday, August the 28th.

PIE hardening

Kees Cook tackled one of the last points on his list for hardening Ubuntu: enabling PIE for a subset of the archive. While other hardening measures have been implemented directly in gcc, PIE is enabled at the packaging level. Some of the packages natively support PIE in their build process, but for the vast majority PIE is enabled by adding a build dependency on hardening-wrapper and exporting DEB_BUILD_HARDENING=1 in the debian/rules file.

The lucky packages to provide increased protection against vulnerabilities include:

  • apache2
  • bind9
  • dhcp3
  • dovecot
  • openldap
  • postfix
  • postgresql
  • samba
  • openssh

UFW package integration

Jamie Strandboge updated ufw to support application profiles. Packages can simply add profiles to /etc/ufw/applications.d and dpkg triggers will discover the changes and update ufw accordingly. Nicolas Valcárcel and Didier Roche jumped in and added ufw application profiles to the following packages:

  • apache2
  • bind9
  • dovecot
  • openssh
  • postfix
  • samba
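Since any package can now drop a profile into /etc/ufw/applications.d, an administrator may want to see exactly which ports each profile would open. The following is an added example, not part of ufw or of the original post: it parses the INI-style profile format described in the ufw manual and expands the ports= field. The ExampleMail profile and the function names are constructed for illustration.

```python
import configparser

# Constructed sample profile; real ones live in /etc/ufw/applications.d/.
SAMPLE_PROFILE = """\
[ExampleMail]
title=Example mail server (constructed sample)
description=Hypothetical profile shipped by a package
ports=25/tcp|143,993/tcp|60000:60010/udp
"""

def parse_ports(spec):
    """Expand a ufw 'ports=' value into (first_port, last_port, proto) tuples."""
    rules = []
    for entry in spec.split("|"):
        ports, _, proto = entry.strip().partition("/")
        multi = "," in ports or ":" in ports
        # The protocol is optional for a single port but required
        # for comma-separated lists and start:end ranges.
        if proto not in ("tcp", "udp", "") or (multi and not proto):
            raise ValueError(f"bad protocol in {entry!r}")
        for item in ports.split(","):
            first, _, last = item.partition(":")
            lo, hi = int(first), int(last or first)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range in {entry!r}")
            rules.append((lo, hi, proto or "any"))
    return rules

def audit_profiles(text):
    """Return {profile name: [(first, last, proto), ...]} for every section."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {name: parse_ports(cp.get(name, "ports")) for name in cp.sections()}

if __name__ == "__main__":
    for name, rules in audit_profiles(SAMPLE_PROFILE).items():
        for lo, hi, proto in rules:
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            print(f"{name}: {span}/{proto}")
```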

Dovecot 1.1

Dovecot has been merged from the Debian experimental repository. This brings in support for the ManageSieve protocol. Although Dovecot LDA has had support for sieve scripts for some time, end-user management of sieve scripts is now greatly enhanced: end users no longer need shell or FTP access to upload their sieve scripts.

Pam-auth-update support

Steve Langasek improved the support for pam modules by implementing the Pam Config Framework specification. Packages can now declare which pam modules they’re providing. A central tool can be used by system administrators to choose which modules should be enabled for the system.

Several packages have been updated to support the new pam-auth-update command:

  • libpam-ldap
  • libpam-smbpass
  • libpam-cracklib
  • ecryptfs-utils (provides pam_ecryptfs)
  • libpam-ck-connector

Latest MySQL Community Edition

Following the upstream release, MySQL 5.0.67 has been uploaded to the intrepid archive.

Openldap stable release

Openldap has been updated to version 2.4.11 which has been declared stable by the Openldap project:

The OpenLDAP Software stable release is the last release which has proven through general use to be the most reliable release available. OpenLDAP-2.4.11, as of 20080813, is considered stable.

The upload also marks the move from slapd.conf to the cn=config backend. Although slapd.conf support is still available, new installs and package upgrades will only support the cn=config backend.

Server Team 20080902 meeting minutes

Posted in Ubuntu Server meeting minutes on Tuesday, 2 September 2008 by Robbie

Here are the minutes of the meeting. They can also be found online with the irc logs here.

Ubuntu VM builder

soren uploaded his rework of ubuntu-vm-builder. The package has been renamed to vm-builder. It is waiting in the NEW queue to be processed by an archive administrator. nijaba has started to write up a tutorial based on the bzr branch of vm-builder. He plans to put it on the Ubuntu help wiki.

ACTION: soren to write a blog post about vm-builder once it’s available in the archive

ACTION: sommer to update the virtualization section of the server guide with references to the new ubuntu-vm-builder

ACTION: nijaba to write a tutorial on vm-builder and put it on the help wiki

ACTION: soren to ping UWN editor to get a paragraph about vm-builder in UWN

Tomcat6 server stack support

Koon wrote up a blog post which has been published on the ubuntuserver blog. mathiaz asked about the state of the patches to reduce the pulled in dependencies. Koon reported that two of them are left and doko was looking at them.

Review ServerGuide for Intrepid

sommer added a support paragraph to the server guide. He also reported that the ldap sections had been updated to cover the new cn=config backend. mathiaz reminded that sections that needed reviews were listed in the wiki page. Reviews can be conducted either online on the development documentation website or by checking out a bzr branch of the documentation as outlined in the knowledge base.

ACTION: kirkland to review the RAID section of the server guide

ACTION: mathiaz to review the ldap section of the server guide

ACTION: sommer to specify the review work on the Roadmap

Ubuntu Server survey

nijaba reported that a host had been provided for the server survey. He is looking for volunteers to check that everything is fine before the launch and to start the announcement as planned on the wiki. He thinks a good launch date could be Mon, September the 22nd. Anyone interested in helping out should contact him.

UFW Package Integration

jdstrand reported that ufw had been uploaded before Feature Freeze. Thanks to the good work of nxvl and didrocks, support for ufw has been added to almost all packages from the server tasksel list. mathiaz asked if the firewall section of the server guide had to be updated.

ACTION: jdstrand to review the firewall section of the ubuntu server guide

Alpha 5 and Feature Freeze

mathiaz reminded that alpha5 is scheduled for Thursday this week. Testing of the -server isos will be requested up to the release. He also added that now that Feature Freeze is in effect, the development team is focusing on bug fixing and testing.

Clamav and Spamassassin in Main

nealmcb asked about the state of clamav and spamassassin in intrepid. According to the wiki page all the MIRs have been written.

Agree on next meeting date and time

Next meeting will be on Tuesday, September 9th at 15:00 UTC in #ubuntu-meeting.

Developer-friendly Tomcat 6.0 lands in Intrepid

Posted in Ubuntu Server on Monday, 1 September 2008 by Thierry Carrez

Tomcat 6.0 will be available in Ubuntu 8.10 and you can enjoy Apache Tomcat 6.0.18 right now in the Intrepid Ibex development version. It has been packaged so that it can be used in two ways:

As a unique system-wide instance

This is the classic case of a Tomcat server that is started at boot by the init script and runs under the tomcat6 user. The tomcat6 package should be installed to cover such a scenario:

$ sudo apt-get install tomcat6

NB: This currently installs far too many dependencies, especially on a server install. Work is currently being done to reduce that to an acceptable number.

Point a browser to the default start page at http://localhost:8080 to check that everything is alright and start deploying webapps.

Ready to be used webapps provided by Tomcat are also available from the archive:

$ sudo apt-get install tomcat6-examples tomcat6-docs tomcat6-admin

In developer-oriented private instances

The other use case is a development server where multiple developers can run their own Tomcat instances under their user account. The system administrator should install the tomcat6-user package:

$ sudo apt-get install tomcat6-user

Developers can then create private instances with a single command:

$ tomcat6-instance-create my-own-tomcat6

This will set up a private Tomcat 6.0 instance in a my-own-tomcat6/ directory using the system-installed libraries and binaries. Per-instance customization can be done in my-own-tomcat6/conf/server.xml (e.g. changing default ports to avoid conflicts). Webapps are deployed in my-own-tomcat6/webapps/. Starting and stopping the server is done with the following commands:

$ my-own-tomcat6/bin/startup.sh
$ my-own-tomcat6/bin/shutdown.sh

This is still relatively new, so testing and suggesting improvements through the Tomcat6 bugs page in Launchpad is welcome. Let’s all make tomcat6 rock in Intrepid!
