-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
On the morning (UTC) of June 6th we will performance general maintenance[0]
on all servers. Services will be affected as follows:
Service | Expected impact
--------------------------+--------------------------------------------------
Entire platform | As described in maintenance schedule[0]
FishEye | Unavailable for < 10 minutes
[0] https://wiki.toolserver.org/view/Maintenance_schedule
Start time: Monday, 6th June, 0800h UTC (or possibly earlier)
http://time.tcx.org.uk/utc/2011-06-06/00:00
End time: Monday, 6th June, 1200h UTC (estimated)
http://time.tcx.org.uk/utc/2011-06-06/12:00
Details:
We will install current operating system patches on all servers, which will
require a reboot of each system.
--
We will enable IPv6 on the NFS server, which might make /home
unavailable for a short period even if hosts are up.
--
FishEye will be upgraded to 2.5.5.
--
We will perform general software upgrades for ts-specs (/opt/ts). A list of
software to be upgraded can be found at:
<https://wiki.toolserver.org/view/Admin:Pending_maintenance_tasks>
Some software may be unavailable or function incorrectly during the upgrade
process, which we estimate will take under 30 minutes.
Note: Mono will not be upgraded due to a build failure which was not
fixed in time for the maintenance.
ts-specs (/opt/ts software) changes
- -----------------------------------
We now build software with GCC stack-smashing protection (-fstack-protector) by
default, and several packages have been rebuilt to benefit from this. This
should not cause any user-noticable changes.
Some notable changes are detailed below:
webp
- ----
The "webpconv" binary is no longer provided; instead, use cwebp and dwebp.
OpenSSL
- -------
We will install a set of root CA certificates for OpenSSL, which will enable
SSL connections (e.g. from cURL or wget) to work by default, as long as the
certificate is valid, rather than requiring the user to provide a certificate
or disable checking.
The set of installed certificates will be the current Mozilla root certificate
set (from Firefox) and the Toolserver CA certificate from
https://fingerprints.toolserver.org.
Python 3
- --------
The default version of Python 3 (/usr/bin/python3) will change to 3.2. Python
3.1 will be removed during the following maintenance.
MySQL
- -----
The MySQL client will be upgraded to 5.5.12, and will move from
/opt/ts/mysql/5.1/bin to /opt/ts/bin. If you currently call "mysql" without a
path, you do not need to change anything. If you use
"/opt/ts/mysql/5.1/bin/mysql", you should change to "/opt/ts/bin/mysql" (or
preferably remove the path and rely on $PATH). The old (5.1) client will still
be available for now.
The MySQL client library will also move to /opt/ts/lib. The old client library
will still be available, but if you have any compiled software which links
against MySQL, you should re-compile it with the client library in /opt/ts/lib.
libpng
- ------
libpng has been upgraded from 1.4 to 1.5. A 1.4 runtime library is provided
for compatibility, but if you have any software that links against libpng, you
should recompile it with 1.5. The following warning (from the libpng
documentation) applies to this upgrade:
The libpng 1.5.x series continues the evolution of the libpng API,
finally hiding the contents of the venerable and hoary png_struct and
png_info data structures inside private (i.e., non-installed) header
files. Instead of direct struct-access, applications should be using
the various png_get_xxx() and png_set_xxx() accessor functions, which
have existed for almost as long as libpng itself. (Apps that compiled
against libpng 1.4 without warnings about deprecated features should
happily compile against 1.5, too.)
GCC
- ---
GCC has been upgraded to 4.6.0. This should be backwards compatible, so there
is no need to recompile software. There are two relevant changes for C++ users:
* If you define _XOPEN_SOURCE, you need to use -D_XOPEN_SOURCE=600.
-D_XOPEN_SOURCE=500 will not work.
* GCC 4.6 will no longer accept a const object without a ctor, i.e.:
struct S { };
const S o;
The fix is to either add an empty constructor, or explicitly default-initialise
the object:
const S o = S();
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3lYHIACgkQIXd7fCuc5vKCpgCfTKXkByYIjD8f7sFhSRk+kMSl
BksAoI86/sVpyhFt6YoFpYjI+OUS+OQj
=+Pc2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
It is now possible to access toolserver.org via SSL, e.g.
<https://toolserver.org/~river/>. This is otherwise identical to normal
HTTP access.
Unfortunately, because of how this is implemented, it's not possible to
require that SSL be used for a particular page, or for a CGI script to
check if SSL is in use. If anyone has a need for this, it might be
possible to implement <https://secure.toolserver.org/> or similar.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3lXzYACgkQIXd7fCuc5vKg7ACgiwaaPDKhhabddeQsQI0la0OJ
rFkAn3/jyhY6XyupfT/FozxbpfK6MHiz
=9+QL
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I have switched toolserver.org HTTP to use a Squid reverse proxy for
load-balancing instead of Solaris Cluster. In case of problems (like
odd HTTP errors), please file an issue in JIRA.
NB: This is unrelated to the previous IPv6 changes.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3kKkUACgkQIXd7fCuc5vK+JACglpYP1/yEV0k66fByrDT+Ztom
x7QAmwXkPp9zXkhXRgIs6u4g5+ob4INh
=vX+x
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
During the next maintenance window I plan to start the (somewhat
overdue) deployment of IPv6 at the Toolserver. In preparation for this,
I will be adding IPv6 addresses to all hosts today.
I don't expect this to cause any problems for users, except that the IP
address for willow (which already has one) will change. I will leave
the old IP in place until everything has migrated, but the new IP will
be used for outgoing connections.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3h5w4ACgkQIXd7fCuc5vIc4QCggvuH0CpZ1scPjb82g8xjxcmX
IkoAoK8xKuYW2WO8Zqv4T8qUbamZPAvQ
=c2zi
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I have added a page on the wiki to suggest new features or changes to
the Toolserver: <https://wiki.toolserver.org/view/Suggestions>. If you
have a suggestion (even if you think it's not feasible), you can add it
to that page we will consider it.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3f+5oACgkQIXd7fCuc5vK55wCgn6AYfpneISzv50AXWradPBFm
mpUAnjC0680tZVpRBJvR3waEnUa2nqlU
=l1UE
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
At some point in the future we plan to make some changes to how mail
sending on the Toolserver works. Unless you have tools which send mail
(not including mail from cron or SGE), this change does not affect you.
Specifically, we will no longer allow users to inject mail into the
Toolserver mail system via SMTP, unless the mail is to a Toolserver
address; in other words, internal hosts will be treated identically to
any Internet host. This means you cannot send mail via SMTP to
mail.toolserver.org or localhost.
It will also be forbidden to send mail directly to Internet hosts,
but this will not be enforced by technical means.
If you send mail using /usr/lib/sendmail (or a comparable mechanism,
such as /usr/bin/mail or Mutt), you do not need to do anything. (This
includes PHP's mail() function.)
If you send mail via SMTP, you should stop doing that, and instead use
/usr/lib/sendmail. This generally means invoking
"/usr/lib/sendmail -oi -bm -- <address>" and sending the mail body to
it on stdin (including headers). Remember to escape any shell
metacharacters in the address, if applicable.
It should generally be trivial to convert anything that uses SMTP to use
sendmail instead, and you should do this now rather than waiting. If
you think this is not possible for some reason, you should let us know
sooner rather than later.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3f5k8ACgkQIXd7fCuc5vLKwQCgnb388KrYECUXroxuogkART3p
VMgAn1vZGwNyr7POKIKqP+DM3gxYpcN3
=7Dq0
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
The SSL certificate for https://svn.toolserver.org has changed. The new
fingerprint is available on <https://fingerprints.toolserver.org/> and
also below:
SHA-1: E8:62:65:9A:89:CA:1C:0D:8B:97:80:93:F3:CA:04:F7:5F:B8:A8:D5
SHA-256: 4D:45:9B:60:E1:82:F6:57:4B:D0:EB:66:1C:22:25:21:95:24:2E:5A:7C:A6:C1:BC:B7:6D:FC:F4:6C:AF:84:E4
Your SVN client may require you to (re-)accept this key before you can
access the repository.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3eYHMACgkQIXd7fCuc5vKW4ACdGqJNwbqxWfe8h828VNSkJjb/
pxAAoJ3hF/V8vC4G/wcsf/nBBVAVqOKd
=ebwa
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
The front-end web server on amaranth (which serves JIRA, MediaWiki,
FishEye and WordPress) has been changed from Sun Java System Web Server
to Apache. This should not cause any noticeable changes, but please
report any problems to JIRA or ts-admins(a)toolserver.org.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3T3OEACgkQIXd7fCuc5vJr8wCfYRN6DaltlbGWX+qfDv/R4oLe
mSEAniY5Yfoj2VvWV1wsE+1Db8oWQb1/
=D6af
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Due to high replication lag on thyme (s1) I've switched 'sql-s1' to
rosemary. If you have scripts which access user databases on s1 and
haven't been updated to use sql-s1-user instead, you will find your
databases are missing. The fix is to connect to sql-s1-user instead of
sql-s1.
Scripts which do not use user databases will not be affected and should
not be changed.
This change will be reverted once thyme has caught up.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3OC2QACgkQIXd7fCuc5vIz7ACdENxlPUZHXengxHE/ZcYp4hkt
g5oAoLTAXH4VJWJVZCla5sAhQ25sniRh
=9Jc7
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
It is now possible to mark a user database to be backed up without its
data, i.e. only the schema is dumped (mysqldump -d). To do this,
include the string "_transient" in the database name:
u_jsmith_transient
u_jsmith_my_transient_data_p
If you have databases whose data doesn't need to be backed up, it would
be very helpful if you could rename them to include _transient in the
name, to reduce the load / disk space requirements of the nightly backup
job.
Unfortunately MySQL doesn't provide a way to rename a database, but you
can copy the database to a new name like this:
$ mysqladmin create u_jsmith_transient
$ mysqldump --opt u_jsmith | mysql u_jsmith_transient
The old database should then be dropped.
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk3OGlQACgkQIXd7fCuc5vKdsQCaAwWY3LJ/H4+JcvB0x7VHTyzS
VSMAnjVCQBvlfOVG/2DmLtUz0c9EUe5Y
=sB8i
-----END PGP SIGNATURE-----