Release Notes 11.07.20120217-2

These are the release notes for Landscape Dedicated Server (LDS) version 11.07.20120217-2.
This release contains a series of fixes and new features backported from the development
branch. A more detailed changelog is avaiable in the documentation directory of the LDS

Release highlights

  • Custom EC2 compatible endpoint, including openstack compatibility
  • New São Paulo AWS region (sa-east-1)
  • A series of security fixes regarding cookie usage
  • Cross Site Request Forgery (CSRF) protection for the login form
  • Ubuntu Oneiric (11.10) support for AWS instances


Please make sure you have backed up the database and all the Landscape config files before proceeding with the upgrade.

Unless noted otherwise, upgrades are only supported from the previous stable release. If you have an older release, you will need to upgrade in steps until you reach the previous stable release. Then you can follow the instructions noted here.

Upgrading from appliance (KVM) version

NOTE: This is not supported by the packaged version. Please contact Canonical support for assistance with this upgrade path.

Quickstart upgrade

In general, the quickstart upgrade works just fine from the previous stable version of LDS. You may see some warnings about patch errors, but these are accounted for, and if there was a real patch problem, the service start at the end of the upgrade will tell you.

Non-quickstart upgrade from 11.07

The schema changes need to be applied manually after the package is upgraded. If you have UPGRADE_SCHEMA set to yes in /etc/default/landscape-server, then the Landscape schema will be upgraded automatically during the package installation and you only need to upgrade the Clouddeck schema.

NOTE: If you have several servers deployed, stop all Landscape and Clouddeck services on them all before proceeding with the upgrade

{i} The schema upgrade steps only need to be performed once, although it won’t create problems if run multiple times.

The schema upgrade commands are:

  • For the Landscape service, needed if you have don’t have UPGRADE_SCHEMA set to yes in /etc/default/landscape-server:
sudo setup-landscape-server
  • And for Clouddeck:
sudo clouddeck-schema /etc/clouddeck/stores.cfg

Additionally, to fix one of the cookie problems, you will need to add the following line to the [landscape] section in /etc/landscape/service.conf:

secret-token # <long random string>

NOTE: This change needs to be done on all application servers.
To generate that long string, you can use this command:

ubuntu@ubuntu:~$ dd if=/dev/urandom bs=1 count=150 2>/dev/null| openssl base64 -e | tr -d '\n' ;echo

After making this change, please restart the application servers:

sudo /etc/init.d/landscape-appserver restart

The quickstart upgrade automatically generates a random string and changes the configuration file accordingly.

New features and fixes

This section details the new features and fixes of this release.

Custom EC2 compatible endpoint

It is now possible to add a Cloud other than Amazon (AWS) or Eucalyptus by just providing
the endpoint URL for the EC2 compatible API.
Note that it won’t be possible for Landscape to get the cloud capacity or available instance
types in this case, so when spawning an instance, the user is required to fill in the field
for the size of the instance. For example, “m1.small”.

Openstack support

Via the Custom EC2 endpoint option, it is now possible to add an Openstack cloud to LDS. Just select:

  • public cloud
  • “other” for cloud provider
  • fill in the cloud endpoint URL and the credentials

New São Paulo AWS region

Recently Amazon made available a new region in South America. This region is in São Paulo,
Brazil, and this update to LDS brings support for that region, including updated AMIs for it.

Security fixes

We were alerted that there were a series of vulnerabilities in LDS regarding
how we handled the session cookie. These have been fixed.
There was also a CSRF (Cross Site Request Forgery) vulnerability in the
Landscape login form, which was also fixed.

Ubuntu Oneiric (11.10) support for AWS instance

This release of LDS now has native support for official Ubuntu Oneiric (11.10) images
in all AWS regions.

Known issues

Here are some of the known issues with this release.

Natty and Oneiric cloud images won’t register with the server

Due to a change in the way that Natty or higher images in the cloud bootstrap their Landscape registration, a small tweak is needed in the database to make this registration work. This is only needed for LDS systems that upgraded from a previous version. Fresh installs won’t exhibit this problem.

Connect to the database server either as a super user or as the landscape_maintenance user and issue an UPDATE command like the following:

landscape-standalone-main=# BEGIN;
landscape-standalone-main=# UPDATE ec2_current_image SET cloud_init_supported # true WHERE ubuntu_release_name IN ('natty','oneiric');
landscape-standalone-main=# COMMIT;

Warnings about transaction module

Some initscripts and the quickstart upgrade will report a warning about the transaction module. This is harmless and can be ignored.

No “Ubuntu” release in the cloud page, only “Other”

The cloud page needs to know the AMI for each Ubuntu release. This data is filled in by a cron job (“maintenance”) that runs once a day and, among other things, checks for new AMIs on
To populate that information right after installation, just run the following command:

sudo -u landscape /opt/canonical/landscape/scripts/

It needs a network connection, but what it downloads is very small and it should take just a few seconds. It can be run while all services are up, no problems with that.

{i} If you have several thousand computers registered, this could take from a few minutes to a couple of hours.

Custom Natty or higher AMIs, or in Eucalyptus, won’t register

The only Natty or higher cloud images that will register automatically when launched from the Landscape UI are the official Ubuntu ones in EC2, and those might still need the database query shown earlier. Instances started from custom EC2 Natty images, or using Eucalyptus, won’t register with Landscape automatically.

LDS package availability in the repository

The package repository we use to release the LDS packages will only carry the latest version at any given time. If you need to have one of the previous versions, please contact Canonical Support.

Creating cloud keypair with chrome/chromium

When a cloud ssh key pair is created with chrome or chromium, the javascript on that page crashes right afterwards and the page basically stops working. To workaround the issue, just reload the page.

Incorrect feedback link in account expired page

When an LDS license expires while the services will running, any access to the LDS application will redirect the user to an “Account expired” page. This page has an incorrect link for sending feedback. Please contact support instead using either the hosted version of Landscape ( or the phone numbers that were given to you.

Package upgrade asks about config file

During a package upgrade, the process will stop and ask what it should do with one or more modified config files. For example:

Configuration file `/etc/landscape/service.conf'
> Modified (by you or by a script) since installation.
> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** service.conf (Y/I/N/O/D/Z) [default=N] ? 

This is expected. You must answer “N” here, or else the configuration file will be replaced by a default one with a blank configuration and you will need to fix it manually.

After upgrades, /var/lib/landscape/hash-id-databases contains double the data

That directory, after an upgrade, will contain both the generic files starting with uuid_ and the “real” files, used by the server, with their names starting with the real uuid. The only harm here is using more disk space than necessary.

NOTE: ‘’'It is imperative that the files starting with the real uuid are not changed in any way! In other words, do not attempt to overwrite them with the newer unrenamed files coming from the updated package! Doing so will cause package information to be wrong and require all clients to register again.