=============================================================================== UPGRADE to Version 2.6.1 =============================================================================== REMARKS ======= . For more information about new features, please read the up-to-date Release Notes. . For those who are new to Linux/Unix, we recommend reading Appendix A in the Cyclades ACS Installation, Administrator, and User's Guide. NOTE: Cyclades strongly recommends that the user has read the latest User's Guide available on the Cyclades' ftp site before using this new firmware. UPGRADING OVERVIEW ================== The ACS packages may be updated from one version to another. Therefore, if the user has an ACS running an earlier version, special care should be taken regarding configuration. The user can choose to start the configuration from scratch by simply doing: defconf reboot or, the user must perform all steps from all "Upgrading from actions" with version numbers equal to or greater than the original version of their ACS. In case the option is for upgrading from an earlier version and keeping the current configuration (not start from scratch), perform ALL upgrade actions listed for ALL versions equal to and newer than the current one. To run a new configuration and save it into flash, the user must execute the following commands: runconf saveconf The command "saveconf" is equivalent to the Linux command: "tar -czf /mnt/flash/config.tgz -T /etc/config_files" Therefore, double check that all files which have been changed have their names in the file /etc/config_files. If any of the files /etc/inittab, /etc/rc.sysinit, or any user's shell script executed by /etc/rc.sysinit were changed, the ACS must be rebooted for them to take effect. Upgrading from 2.6.0-1 Actions ==================================== - username "admin" belonging to admin group can be created by user root executing "addadmin" utility (shell script) from the shell command line. Note that username "admin" cannot be added or deleted from either the WMI or CLI. - The default for authentication method was changed in the PPPD: . old version: noauth . new version: require-eap If you do not require the peer to authenticate itself, you need to include the option "noauth" in the PPPD configuration. - The script set_timezone was removed from the image. Use either the CLI or WebUI to configure the timezone. - The /etc/sshd_config file was changed. The following line was added : LoginGraceTime 3m If the sshd_config file was not changed, replace it with the file sshd_config.save. Otherwise, the user should merge these files. Upgrading from 2.3.1 Actions ============================ - A new directory was created: /etc/daemon.d. This directory contains all files that are used by daemon.sh utility. The upgrade of the old version is done by upgrade260.sh program that runs in the first boot with the 2.6.0 version. Verify your configuration after the first boot. - The /etc/config_files file was changed. The following actions must be taken: 1. If you had modified the /etc/config_files file, apply the same changes in the /etc/config_files.save; 2. Copy the /etc/config_files.save file to /etc/config_files file (cp /etc/config_files.save /etc/config_files); 3. Save in CF (saveconf command). - Upgrading the Linux Kernel to 2.6.11 . The Compact Flash directory was changed from "/proc/flash" to "/mnt/flash" . The name of the configuration file in Compact Flash was changed from "scripts" to "config.tgz" . Command for reset to factory configuration is :"defconf" . The file with modules configuration was changed from "/etc/modules.conf" to "/etc/modprobe.conf" .. Include your changes in the new file .. Add the new file in the /etc/config_files file . The /etc/ipsec.conf file was changed : .. Copy the /etc/ipsec.conf.save file to /etc/ipsec.conf file .. Include your changes - Upgrade of OpenSSH 4.2p1 : . If you use the PuTTY, you need to upgrade it to 0.58 version (The PuTTY had one bug that was fixed in the current version). - Upgrade of PAM-LDAP - if you use the Secure LDAP, you need to change the configuration : . In /etc/ldap.conf file, at least one of the following parameters are required if the tls_checkpeer is "yes": .. tls_cacertfile .. tls_cacertdir - TIMEZONE : . This feature uses now the /etc/localtime file. . The old /etc/TIMEZONE file is erased if you configure this new feature. . The image comes with no /etc/localtime file, but it will be created and replace the TIMEZONE file if you use any of the ways of configure timezone. - Authentication Enhancement . The /etc/pam.conf file was removed, and the /etc/pam.d directory was created . The Radius and TACACS+ servers need to be reconfigured by either the WebUI or CLI (the configuration of these servers in PortSlave configuration was removed). - The /bin/build_DB_ramdisk shell script was changed to use ramdisk type "tmpfs" instead of "ramfs", which has a problem with maxsize. - The name of the PCMCIA modem devices was changed from "/dev/ttySxx" to "/dev/ttyMy". Two dedicated device files (ttyM1 and ttyM2) have been created for the PCMCIA modem devices. . If the PCMCIA modem card has already been configured, the user should rename the existing file /etc/ppp/options.ttySxx to /etc/ppp/options.ttyM1 - Kerberos Authentication: . Make sure there is an entry in the "hosts table" (/etc/hosts) corresponding to the hostname configured for this machine (/etc/hostname). Upgrading from 2.3.0 Actions ============================ - The files "cert.pem" and "server.pem" were moved to "/etc/CA". Therefore, in case old "/new_web/Locale/cert.pem" or "/new_web/Locale/server.pem" were added to the "/etc/config_files", the files themselves (cert.pem and server.pem) must be copied to the new location (/etc/CA) and config_files must be corrected to remove the old references and include the new ones (/etc/CA/cert.pem and /etc/CA/server.pem). Also, run "saveconf" again to update the files correctly in flash memory. - The driver xirc2ps_cs is configured to make the PCMCIA card Xircom XE2000 10/100 Network PC Card Adaptor work in 100Mbps. This configuration was made in /etc/modules.conf file by the following line: options xirc2ps_cs if_port=4 If the card Xircom XEM5600 10/100BT Ethernet and 56k V.90 modem combination will be used, the above configuration must be commented or deleted. So, the following procedure must be executed in order to use XEM5600 card: 1. Edit the /etc/modules.conf file; comment the following line: #options xirc2ps_cs if_port=4 2. Execute the touch command on /lib/modules/2.4.17_mvl21-linuxplanet/modules.dep file: # touch /lib/modules/2.4.17_mvl21-linuxplanet/modules.dep 3. Edit the /etc/config_files to include /etc/modules.conf and /lib/modules/2.4.17_mvl21-linuxplanet/modules.dep files: /etc/modules.conf /lib/modules/2.4.17_mvl21-linuxplanet/modules.dep files 4. Save the configuration by executing the saveconf command # saveconf If the configuration was changed to use the XEM5600 card, and XE2000 card will be used instead, then the following procedure must be performed: 1. Edit /etc/modules.conf file; un-comment the following line: options xirc2ps_cs if_port=4 2. Execute steps 2 and 4, as described above Upgrading from 2.2.0 Actions ============================ - The OpenSSH was upgraded from 3.7.1.p2 to 3.8.1p1. The new version does not accept authentication method "gssapi", but accepts the new method "gssapi-with-mic". If you use Kerberos TGT, check to see if your ssh client accepts the authentication method "gssapi-with-mic". If you use NIS to do the authentication, configure the parameter UseLogin as YES in the /etc/ssh/sshd_config file. - The file /etc/snmpd.conf was renamed to /etc/snmpd.sh. If you had modified /etc/snmpd.conf previously, apply the same changes to /etc/snmpd.sh. - The file /etc/config_files contains a list of files that are saved to flash when you run "saveconf". If you had run "saveconf" with release 2.2.0, your /etc/config_files is loaded from the flash and you will not have the latest list. Edit /etc/config_files and perform the following actions: 1) Rename the file /etc/snmpd.conf to /etc/snmpd.sh 2) Rename the file /etc/ppp/options to /etc/ppp/options* 3) Run saveconf - The pmusers group has removed. The following files were changed: 1) The file /etc/rc.sysinit. If there is one saved in flash it must be replaced/merged with /etc/rc.sysinit.save. 2) The file /etc/group. If the file was not changed, replace it with the file /etc/group.save. - This version does not have support to Sentry's IPDU nor RPC's IPDU. The files /etc/pm.sentry and /etc/pm.rpc22 were deleted. The file /etc/pmd.sh was changed. If there is one saved in flash, it must be edited as follows: old line - ConfigFiles="/etc/pm.cyclades /etc/pm.rpc22 /etc/pm.sentry" new line - ConfigFiles="/etc/pm.cyclades" Upgrading from 2.1.6 Actions ============================ - The WebUi was changed. The following actions must be taken: 1) The server.pem and the cert.pem are in /new_web/Locale directory. If the files were changed, copy the file to the new directory. 2) The file /etc/group was changed, the "admin" group and "biouser" group was inserted. If the file were not changed, replace it with the file /etc/group.save. Otherwise, the administrator need to edit the file and insert the following lines: admin::104:root biouser::105: 3) The WebUi authentication is done by PAM/local. The users that can use the WebUI need to be included in the local database (/etc/passwd). Use the following command to add Admin User : #adduser -G admin Use the following command to add Regular User : #adduser The new WebUI authentication method through PAM requires the service "web" in the file "/etc/pam.conf". # # The PAM configuration file for the `web' service # web auth required pam_unix2.so web account required pam_unix2.so web password required pam_unix2.so md5 web session required pam_unix2.so 4) To configure the HTTP/HTTPS, you need to edit the file /etc/webui.conf. By default, HTTP and HTTPS are enabled. To disable HTTP service, change the line "HTTP=YES" to "HTTP=NO". To disable HTTPS service, change the line "HTTPS=YES" to "HTTPS=NO". To change the TCP ports or security level see the manual. 5) The bio users need to be included as members of the new group biouser. To include the old users in this group, the administrator must edit the file /etc/group, and add the usernames in the biouser line as in the example : biouser::105:userbio1,userbio2,userbio3 To add new users the following command must be used: #adduser -G biouser - This version allows the SSH's users to be authenticated by Kerberos TGT. The ssh_config and sshd_config files were changed. If these files were not changed replace them with the files *.save. Otherwise, the user should merge these files. - The dhcpd_cmd was changed, was included the option '-Y' to fix one bug when the ACS has NIS and DHCP configured. - The sshd was changed. The default file with the authorized keys is ~/.ssh/authorized_keys and the parameter AuthorizedKeysFile is commented in the sshd_config file. If the sshd_config file was not changed, replace it with the file sshd_config.save. Otherwise the user should merge these files. Upgrading from 2.1.5 Actions ============================ - The file /etc/TIMEZONE was changed. If there is one saved in flash it must be replaced/merged with /etc/TIMEZONE.save - The sshd program was upgraded to version 3.7.1p2 and it needs a new configuration file. If the file /etc/ssh/sshd_config was not changed, replace it with the file /etc/ssh/sshd_config.save. Otherwise, the user should merge these files. - The file /etc/rc.sysinit was changed.If there is one saved in flash it must be replaced/merged with /etc/rc.sysinit.save. - The file /etc/group was changed. It was included the group "pam" and "pmusers".If the file was not changed, replace it with the file /etc/group.save. Otherwise, the user need to do the following commands : #addgroup pam #addgroup pmusers #chgrp pmusers /bin/pm Upgrading from 2.1.4 Actions ============================ - The file /etc/rc.sysinit was changed. It was removed the activation of inetd. If there is one saved in flash it must be replaced/merged with /etc/rc.sysinit.save. - The file /etc/inittab was changed. The activation of the services snmpd, sshd, ntpclient, pmd, cy_buffering, and syslog-ng were removed. Their activation is done by the shell script daemon.sh. If there is one saved in flash it must be replaced/merged with /etc/inittab.save. - The file ntpclient.sh was removed. The ntpclient now is started by the shell script "daemon.sh", if it's enabled in the file /etc/ntpclient.conf - The file /etc/ntpclient.conf was changed. If there is one saved in flash it must be replaced/merged with /etc/ntpclient.save - The file /bin/build_DB_ramdisk was changed. If there is one saved in flash it must be replaced/merged with /bin/build_DB_ramdisk.save - The f_kernel and f_alerts in /etc/syslog-ng/syslog-ng.conf were changed. Please verify the change in /etc/syslog-ng/syslog-ng.save file. Upgrading from 2.1.2 Actions ============================ - The file /etc/inetd.conf was changed. If there is one saved in flash it must be replaced/merged with /etc/inetd.conf.save. - The shell script /etc/rc.sysinit was changed. If there is one saved in flash it must be merged with /etc/rc.sysinit.save. - The script shell /etc/portslave/cb_script was changed, because the path of the command chat was changed from "/bin/chat" to "/usr/local/sbin/chat". If you use callback feature, you need to change the path of the command chat in the script shell /etc/portslave/cb_script and save the changed file. - The example about snmptrap in /etc/syslog-ng/syslog-ng.conf was changed. Please verify the change in /etc/syslog-ng/syslog-ng.save file. - /etc/portslave/pslave.conf has new parameters. Merge or copy /etc/portslave/pslave.save over /etc/portslave/pslave.conf. - /etc/nsswitch.conf and /etc/pam.conf has new services. If they were changed, you should merge these files. - The shell script /bin/handle_dhcp was changed. If there is one saved in flash it must be removed from flash. - The shell script /etc/network/dhcpcd_cmd was changed. If there is one saved in flash, it must be merged with /etc/network/dhcpcd_cmd.save. - The shell script /etc/network/st_routes was changed. The parameter "metric 3" was inserted in the route add of the default route. - The file /etc/pm.cyclades was changed to be compatible with the AlterPath-PM version 1.0.8. If an older version of the AlterPath-PM is used, the user should save the /etc/pm.cyclades from the 2.1.2 version before the upgrade: >echo /etc/pm.cyclades>>/etc/config_files >saveconf Upgrading from 2.1.1 Actions ============================ - The meaning of the parameter DTR_reset in pslave.conf file was changed. Please, read the documentation to set it to the proper value. - The sshd program needs a new configuration file to fix a problem with sftp. If the file /etc/ssh/sshd_config was not changed, replace it with the file /etc/ssh/sshd_config.save. Otherwise, the user should merge these files. - The telnet program was moved from /bin to /usr/bin. If you use the protocol telnet in PortSlave, you need to change the parameter conf.telnet. - The /etc/pcmcia/isdn.opts was changed. Copy /etc/pcmcia/isdn.opts.save over /etc/pcmcia/isdn.opts and re-apply your changes, if any. Run "saveconf". - The /etc/config_files contains a list of files that are saved to flash when you run "saveconf". If you had run "saveconf" with release 2.1.1, your /etc/config_files is loaded from the flash and you will not have the latest list. Please edit /etc/config_files, add the file listed below and run "saveconf": /etc/ppp/auth-up Upgrading from 2.1.0 Actions ============================ - The web user management has changed, and because of that, the file /etc/websum.conf has changed. In order to make the web server work, the user must do the following steps: From the prompt, type #cp /etc/websum.conf.save /etc/websum.conf #saveconf #reboot After the reboot, open a browser and point to the ACS IP address. Log in as root (password = tslinux). Go to the link Web User Management->Users, change the root password and create the users, classifying according to the privilege allowed to them (root, admin, monitor or user). Go to the link Web User Management->Load/Save Web Configuration and click the "Save Configuration" button. Go to the link Administration->Load/Save Configuration and click the "Save to Flash" button. - The syslog-ng.conf file (syslog-ng configuration) was changed. This configuration allows syslog-ng to receive syslog messages from the Kernel. The user must copy /etc/syslog-ng/syslog-ng.save over /etc/syslog-ng/syslog-ng.conf and make his own changes again, if any. - The /etc/wireless.opts was changed. Copy /etc/wireless.opts.save over /etc/wireless.opts and re-apply your changes, if any. Please also change the file permission of wireless.opts by executing "chmod 600 /etc/pcmcia/wireless.opts". Run "saveconf". - The /etc/config_files contains a list of files that are saved to flash when you run "saveconf". If you had run "saveconf" with release 2.1.0, your /etc/config_files is loaded from the flash and you will not have the latest list. Please edit /etc/config_files, add the files listed below and run "saveconf": /etc/pcmcia/isdn.opts /etc/mgetty/login.config /etc/ppp/auth-up /etc/ppp/chap-secrets /etc/ppp/pap-secrets /etc/ppp/ioptions /etc/ppp/options