|
This document is intended to give an overview of the latest feature updates, additions and removals from the newest release of GuardianOS - v4.0.2xx. The following lists the changes. Additional details of each feature and how it may affect a customer are below.
- Existing Feature Enhancements
-- Improved Windows Domain Support (No different from 3.2)
-- Enhanced UID / GID Handling
-- Mapping of Security, User and Group Identifiers
-- Improved Quota Management
-- Updated AFP Support to v3.1
-- Updated User Interface
-- Standardized Feature Licensing Mechanism
-- Updated Security Components
-- Updated to Latest BakBone NetVault Version
-- Updated to Latest CA Antivirus Version
-- Support for Multiple Fibre Channel HBA Ports
-- iSCSI Updates
-- Expanded Volume Capacity
- Feature Additions
-- Unicode Support
-- Network Time Protocol (NTP) Support
-- OEM Ready
- Features Removed
-- Syncsort Backup Express (BEX) Software
- Notable Unchanged Features
-- Linux Kernel Still Based on 2.4.19
This section will discuss enhancements and updates to current supported features and technologies in GuardianOS.
Windows Domain and Active Directory support continue to evolve with each release of GuardianOS. Since the v3.0.099 release there have been significant improvements in the way that GuardianOS works with Windows Domains. The following outlines the significant improvements that have been made since v3.0.99.
DNS Resolver
We have incorporated a process that will remove any DNS server that is specified yet is no longer accessible. An invalid DNS entry can lead to significant delays and have an overall impact on the performance of the system as the OS continues to attempt to contact the invalid DNS entry. In some cases, the invalid DNS entry would result in operational failures due to an inability to resolve a name correctly. With this update, we automatically eliminate the invalid entry so that the system is no longer impacted trying to access the non-responsive server. When and if the DNS server becomes available, we automatically recover and start using the "recovered" DNS entry/server.
Active Directory/NT Domain Detection
During our investigation of Domain Join issues, an issue was discovered where the code incorrectly assumed an NT Domain was actually an Active Directory Domain. This in turn caused the code to issue an "Active Directory" command which failed in an NT Domain. The code has been updated to correctly determine the type of domain in this particular scenario so that we no longer issue an inappropriate Windows Active Directory command to an NT Domain.
Performance Improvements for Large Domains
Many performance improvements were made for environments with large Domains as part of the GOS 3.1 release.
There have been a few enhancements with regard to the way GuardianOS handles the UNIX style UID and GID security identifiers. Specifically the areas that have been addressed are:
- Predefined UID and GID ranges
- Performance in large domain environments
- User Interface (UI) for managing large numbers of users and groups
Predefined UID and GID ranges
The current limit for the number of UIDs and GIDs that GuardianOS can handle will remain at 60,000; however, the exclusive ranges that existed in previous releases have been eliminated. UIDs and GIDs will now be assigned on a "first come - first serve" basis. Conflicts between local, Windows and NIS users will not be allowed: the system will fail an import, in the case of NIS, or simply assign the next available ID, in the case of Windows.
Although the predefined ranges for local, Windows and UNIX/NIS users have been eliminated, there are still some notable caveats that need to be described.
- The range of UID's and GID's from 0 - 100 are still reserved for local system use on GuardianOS.
- No change for Local users - auto-generation starts at 18,000 - can be modified manually via the Web Browser Administration Tool.
- Windows users and groups will start populating initially at 35,000
During an OS upgrade, the previously assigned UIDs/GIDs will be preserved.
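An added example (not GuardianOS code) that models the assignment rules above, so the effect of a conflict from each source can be checked before an import. The class and method names are hypothetical; treating a NIS import as all-or-nothing and treating 0 - 100 as off-limits to manual and NIS IDs are assumptions.

```python
RESERVED_MAX = 100       # 0-100 stay reserved for local system use
LOCAL_START = 18_000     # auto-generation start for local users
WINDOWS_START = 35_000   # initial start for Windows users and groups
MAX_IDS = 60_000         # limit on the number of IDs handled


class IdConflict(Exception):
    """An ID is reserved, already owned, or the table is full."""


class IdTable:
    def __init__(self, preserved=None):
        # IDs assigned before an OS upgrade are carried over unchanged.
        self.owner = dict(preserved or {})      # id -> (source, name)

    def _check(self, ident, batch=()):
        if ident <= RESERVED_MAX:
            raise IdConflict(f"{ident} is reserved for the system")
        if ident in self.owner or ident in batch:
            raise IdConflict(f"{ident} is already assigned")

    def _next_free(self, start):
        ident = start
        while ident in self.owner:
            ident += 1
        return ident

    def _store(self, ident, source, name):
        if len(self.owner) >= MAX_IDS:
            raise IdConflict("ID table is full")
        self.owner[ident] = (source, name)
        return ident

    def add_local(self, name, ident=None):
        """Auto-generate from 18,000, or take a manually chosen free ID."""
        if ident is None:
            ident = self._next_free(LOCAL_START)
        else:
            self._check(ident)
        return self._store(ident, "local", name)

    def add_windows(self, name):
        """A Windows account is never rejected: it gets the next available ID."""
        return self._store(self._next_free(WINDOWS_START), "windows", name)

    def import_nis(self, entries):
        """entries: [(name, id)]. Assumption: one conflict fails the whole import."""
        batch = set()
        for _name, ident in entries:
            self._check(ident, batch)
            batch.add(ident)
        if len(self.owner) + len(batch) > MAX_IDS:
            raise IdConflict("ID table is full")
        for name, ident in entries:
            self._store(ident, "nis", name)
        return len(entries)
```

Because the ranges are no longer exclusive, a NIS ID that lands inside the Windows run simply shifts later Windows accounts upward, while a NIS ID that collides with an existing owner stops the import.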
Performance in large Windows Domain environments
The slow performance seen in large Windows Domain environments was addressed in v3.1 of GuardianOS and was outlined in more detail above.
User Interface (UI) for managing large numbers of users and groups
The UI for managing users and groups was completely overhauled. This will be covered in detail in the Updated User Interface section.
In previous versions of GuardianOS, Windows users and groups and NIS UIDs and GIDs were managed separately and considered different users and groups regardless of the intentions of the customer. In v4.0.2xx GuardianOS now attempts to map Windows users and groups to NIS UIDs and GIDs that have the same name. There is also a facility to manually adjust the mappings where the names are not an exact match.
In previous versions of GuardianOS, there is a default quota value that is assigned to each user that has been configured to have a quota. This value, however, has been fixed. In v4.0.2xx, GuardianOS now has a facility to allow the administrator to set the default quota value. Once Quotas are enabled, the default quota will be applied to every user on the volume. When the default value is changed, every user that is using the default will also receive the new default value. If the new value is less than a user has consumed already then that user will not be allowed to consume any more space. Custom values set on an individual user will not be affected by the default value.
GuardianOS v4.0.2xx has been updated to Apple Filing Protocol (AFP) v3.1 which offers three major feature enhancements:
- File sizes larger than 2 Gigabytes
- File names longer than 31 characters
- Unicode support
The entire User Interface (UI) in the Web Browser Administration Tool has been updated in GuardianOS v4.0.2xx. Taking into account customer requests and general enhancements the UI has been updated in four areas:
- RAID Set, RAID Group and Volume Management
- Share Creation and Share Security
- Product Registration
- Display of Open Files and Active Users
RAID Set, RAID Group and Volume Management
Customers have described the current User Interface for RAID and Volume Management as confusing and difficult to use. The single largest complaint deals with the fact that there is no way to relate the RAID sets, RAID groups and logical volumes to the physical devices themselves. In addition, the current setup does not scale effectively to accommodate multiple expansion units.
GuardianOS v4.0.2xx offers a graphical view that gives customers a view of RAID sets, and RAID groups as they relate to the physical units. This should eliminate most if not all of the confusion and make Snap Servers much easier to manage.
Share Creation and Share Security
In previous versions of GuardianOS it was very cumbersome and difficult to set up shares and share security. This is especially evident in large environments with hundreds or even thousands of users and groups. Following the tried and true model developed on SnapOS® versions of Snap Servers, GuardianOS v4.0.2xx has been updated to simplify this. The new functionality includes the ability to search for names and domains based on wildcard patterns.
Product Registration
In an effort to get the highest possible product registration some modifications have been made to help encourage customers to register their Snap Servers.
GuardianOS v4.0.2xx has changed its opening screen to include a click-through main home page so long as the server is not registered. Once registered, the click-through pages that will remind a customer to register will no longer appear.
All unregistered servers will have a new start-up screen (after initialization) that will give the user three choices:
- Register: This will take the user to a registration page to guide them through the process
- Register off-line: This will take the user to a page that will give the user instructions on how to register off-line. There will be processes in place to register by phone or by mail.
- Register later: This will take the user to the normal main page. This page will also include a place to enter a registration key for those that have registered off-line.
IMPORTANT NOTE: The phone-home feature will be disabled until the server has been registered. This means that a user will not be able to email their syswrapper with a click of a button until they have registered the server.
Display of Open Files and Active Users
The ability to view and manage open files and active users is an important server administration task.
GuardianOS v4.0.2xx will implement a separate screen to view active users and open files in the Monitoring section of the Web Browser Administration Tool. Users will be tracked if they are connected via CIFS, AFP, FTP or SSH. Users will NOT be tracked if they are connected via HTTP or NFS since these are connectionless protocols to GuardianOS.
GuardianOS v4.0.2xx will implement a standardized licensing mechanism and system database to track all system licenses. This will largely not affect existing customers. The intent is to add flexibility into GuardianOS to allow features to be chargeable upgrade licenses. This also gives flexibility to "turn off" features for potential OEM opportunities.
The features/applications that will be managed by this new architecture are:
- NDMP
- BakBone NetVault
- S2Sv2
- Snap Server Manager
- Product Registration
- Snapshots - NEW!
- CA Antivirus - NEW!
- iSCSI - NEW!
Snap EDR is not fully integrated into the new licensing scheme. Licensing for Snap EDR is handled within the application with its own internal licensing mechanisms. License and enable state are, however, combined and reported in the same location as the other apps that are fully in the framework (i.e. SnapExtensions).
Many corporations and government entities use standard scanners such as Internet Security Scanner (ISS) to locate and fix security holes in their computer systems. Since the v3.0.x release of GuardianOS, v3.1 added the latest versions of OpenSSH and OpenSSL. GuardianOS v4.0.2xx will not report back any high severity vulnerabilities that cannot be sufficiently explained as inconsequential or a false positive.
New releases of GuardianOS will include compatibility with the latest versions of integrated third party software whenever possible. GuardianOS currently ships with Version 7.1.1. NetVault has a few restrictions on version compatibility between clients and servers. Since NetVault can be both, we will need to offer our customers the flexibility of installing the version of NetVault that is consistent with their installation. This means that we will choose the least common denominator for the base install of NetVault and then test and approve upgrades to the other versions. All tested and approved NetVault upgrade packages will be available on the NetVault user CD at time of release.
At the time of GuardianOS v4.0.2xx, BakBone NetVault v7.1.1 is tested and certified.
NetVault Virtual Tape Libraries Now Larger
When NetVault is installed on a new server, the Virtual Tape Libraries can now be configured to be 500 GB.
In GuardianOS v4.0.2xx, the integrated CA eTrust Antivirus application has been upgraded to v71.3399. There have been some improvements since the previous integrated release of eTrust. The following is a list of those improvements:
- Virus scans can now utilize either the InoculateIT engine or the Vet engine - or both
- Passive FTP Support
- Warnings when signatures are out of date
- GUI Improvements
- Bug Fixes
GuardianOS v4.0.2xx will provide support for up to two Fibre Channel Host Bus Adapters (HBAs) in the system at once directly connected with up to two chains of drive expansion bays attached. This is the only configuration that will be tested and approved as part of GuardianOS v4.0.2xx. Attached tape libraries will NOT be supported in GuardianOS v4.0.2xx.
Adaptec will assume no responsibility if a Snap Server is attached to any Fibre Channel switches or directly attached to any Fibre Channel enabled device such as a disk array or tape library.
iSCSI bug fixes were released prior to v4.0.2xx as part of the v3.2.019 release. iSNS support has been significantly improved as part of GuardianOS v4.0.2xx with a few key bug fixes. It now functions properly, reporting all disks and properly reporting changes to the iSNS server. Beyond the general functionality issues, we now have the ability to support the special handling requirements to pass the Microsoft iSCSI Hardware Compatibility Test (HCT).
It is also worth noting that this release is fully tested and qualified with the latest Microsoft iSCSI Initiator v2.0.
You can now create a 16 TB volume, either stand alone or as a volume group.
The Unicode Standard is a character coding system designed to support the worldwide interchange, processing, and display of the written texts by providing a unique number for every character regardless of platform, program or language.
Previous versions of GuardianOS supported the Windows code page 1252 for Western European languages for Windows clients. Double-byte characters were not supported in code page 1252 which puts GuardianOS-powered Snap Servers at a competitive disadvantage in fast-growing regions such as Eastern Europe and Asia-Pacific where double-byte characters are used extensively.
Unicode will be implemented in GuardianOS v4.0.2xx. The file access protocols CIFS, NFS, AFP and HTTP will protect the GuardianOS file system from non-Unicode names. It will support Unicode file names, folder names, user names, group names, share names, server names and domain names. Web Browser Administration localization will NOT be included in v4.0.2xx.
Caveats: GuardianOS v4.0.2xx provides UTF-8 support for the file system and most of the protocols that can access the file system. It is imperative that the file system retains a homogeneous character set. Non-UTF-8 character string names CANNOT be mixed in with the UTF-8 names. At the time of the v4.0.2xx release, the following protocols and programs may introduce file and directory name problems due to their lack of complete support for UTF-8, and thus should be used with caution and ideally with ASCII characters only once Unicode is enabled on a Snap Server:
- ftp
- All backup agents (CA, Veritas and Legato)
- NetVault - May backup and restore Unicode data correctly - UI will be unusable for UTF-8 extended characters
- NDMP - May backup and restore Unicode data correctly - UI will be unusable for UTF-8 extended characters
- CA eTrust Antivirus - May not have any problems scanning Unicode files, but any file names with UTF-8 extended characters may render the UI unusable and it is highly likely that the files will not be scanned.
- Snap EDR - Like-to-like (Example: UTF-8 to UTF-8) code sets should replicate fine, any extended characters in the UI will be unreadable.
For any application that will be accessing files saved on a Unicode enabled Snap Server, check with the application vendor to make sure you understand the extent of support for the UTF-8 Unicode codepage. In many cases it may simply be a misrepresented User Interface (UI) display of file and directory names. The application itself may operate fine.
Also, all server names, share names and domain names still only support ASCII characters.
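An added example (not part of GuardianOS or its documentation) of a check for the homogeneity requirement above: it classifies raw file and directory names as ASCII, valid UTF-8, or invalid, and shows how an invalid name reads in code page 1252, the encoding earlier releases used for Windows clients. The function names and sample names are constructed for illustration.

```python
import os
import sys

# Constructed sample names: the same word saved by a code page 1252 client
# and by a UTF-8 client, plus an ASCII name and a double-byte-script name.
SAMPLE_NAMES = [
    b"report.txt",
    "résumé.doc".encode("cp1252"),
    "résumé.doc".encode("utf-8"),
    "報告.txt".encode("utf-8"),
]


def classify_name(raw: bytes) -> str:
    """Return 'ascii', 'utf-8' or 'invalid' for one raw name."""
    if raw.isascii():
        return "ascii"
    try:
        raw.decode("utf-8")      # strict: rejects stray bytes and overlong forms
        return "utf-8"
    except UnicodeDecodeError:
        return "invalid"


def legacy_reading(raw: bytes) -> str:
    """How an invalid name reads as code page 1252, to help pick a new name."""
    return raw.decode("cp1252", errors="replace")


def audit_names(names):
    """Group raw names by kind; 'invalid' entries break the UTF-8-only rule."""
    report = {"ascii": [], "utf-8": [], "invalid": []}
    for raw in names:
        report[classify_name(raw)].append(raw)
    return report


def audit_tree(root):
    """Walk root as bytes and list every non-ASCII name, invalid ones first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for raw in dirnames + filenames:
            kind = classify_name(raw)
            if kind == "ascii":
                continue
            hint = legacy_reading(raw) if kind == "invalid" else raw.decode("utf-8")
            findings.append((os.path.join(dirpath, raw), kind, hint))
    return sorted(findings, key=lambda f: f[1] != "invalid")


if __name__ == "__main__":
    for path, kind, hint in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:8} {path!r}  reads as: {hint}")
```

Names reported as `invalid` are the ones that must not be mixed with UTF-8 names; names reported as `utf-8` are the ones the listed protocols and backup agents may mishandle or display incorrectly.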
Network Time Protocol (NTP) is the most commonly used Internet time protocol and the one that provides the best performance. Common operating systems such as Windows include SNTP (Simple Network Time Protocol) software which runs continuously as a background task that periodically gets updates either over the Internet from a National Time Server or over a local LAN from an internal Time Server. The software ignores responses from servers that appear to be sending the wrong time, and averages the results from those that appear to be correct.
Previous versions of GuardianOS did not support NTP which caused Snap Servers to get out of sync with other servers on the network over extended periods of time. NTP support is critical for authentication schemes and transaction-sensitive environments with applications such as databases and email that are required to time-stamp data. Active Directory and regular Domain controllers all have SNTP schemes built into them. NTP is typically critical for NFS environments.
GuardianOS v4.0.2xx includes NTP support. The administrator will be able to configure the Snap Server as an NTP client as part of the time configuration UI page in the Web Browser Administration Tool. The administrator will have a choice of selecting between setting the time or selecting an NTP time server. NTP and ADS are mutually exclusive in that ADS provides its own time synchronization.
GuardianOS v4.0.2xx will be ready for OEM customization. The framework necessary to support OEM customizations has been completed as part of the v4.0.2xx effort.
A Snap Server running GuardianOS v4.0.2xx is now set up to customize the following items:
- Logo in the upper left hand corner of the Web Browser Administration Tool
- About Box Logo
- All external hyperlinks such as the support, registration, and other company specific links
- All Help files
To support an OEM opportunity, a new version of GuardianOS would be created that would incorporate the above listed changes required by the OEM.
Syncsort Backup Express (BEX) was previously included as a preinstalled backup package on GuardianOS-based Snap Servers. BEX will no longer be supported.
For existing customers, Syncsort Backup Express will be removed as part of the upgrade to v4.0.2xx.
S2Sv1 will no longer be included as part of GuardianOS or supported. Instead users can optionally utilize the new S2Sv2 or Snap Enterprise Data Replicator (Snap EDR).
For existing customers S2Sv1 will be removed as part of the upgrade to v4.0.2xx.
The original plan was to update the core Linux Kernel of GuardianOS to the latest stable release of 2.4.21. Unfortunately, this effort turned out to cause GuardianOS to become less reliable than the currently released and hardened 2.4.19 Kernel that has been in use. The most notable benefit that will not be recognized in v4.0.2xx of GuardianOS is the gain of support for 4GB of RAM. Currently, only 2GB of RAM will be supported in GuardianOS v4.0.2xx. This has an additional side effect on performance. The expected performance increases that were to be gained by the new Kernel and support for more RAM will not be realized in v4.0.2xx.
Through the efforts of integrating and testing the 2.4.21 kernel, it has been determined that the anticipated performance gains will not be realized by updating to 2.4.21. After integrating all of the advanced features and modules onto the newer kernel, performance was comparable to the previous GuardianOS release.
The general behavior and usage of Windows ACLs and permissions handling with GuardianOS remains the same as the previous release. |