Coda File System

OpenISR 0.9 released

From: Benjamin Gilbert <bgilbert_at_cs.cmu.edu>
Date: Fri, 11 Jan 2008 17:15:11 -0500

Greetings good ISR folk,

OpenISR 0.9 was released on December 18th and is now ready for full 
deployment.  This release includes significant improvements and fixes to 
the OpenISR system, many of which are user-visible.  Highlights include:

- Brand-new hoard cache implementation, which shares one cache among all 
parcels checked out by a Unix user.  This implementation is also much 
more effective at preventing redundant downloads of parcel data.

- Elimination of the distinction between nameservers and content 
servers.  Each parcel is now associated with a single server.

- Various changes to command-line options; see the changelog (included 
below) for a complete list.

- Performance improvements for several ISR operations

- Significantly improved security

- Many under-the-hood cleanups


UPGRADING TO 0.9

The cost of all these improvements is that OpenISR 0.9 clients cannot be 
used with OpenISR 0.8 servers and vice versa.  In order to upgrade, you 
will need to have us migrate your parcels from the existing OpenISR 0.8 
server to the new 0.9-compatible server.  (If you do not need to migrate 
all of your parcels, or you would like fresh parcels created for you, 
just let us know.)  The migration process takes several hours per parcel 
but only needs to happen once.  You cannot use a parcel while it is 
being migrated, so please plan accordingly.

To upgrade:

1. Contact us to schedule migration of your parcels

2. Before the migration occurs, check in your parcels

3. Install the OpenISR 0.9 client

4. Configure the client (see below)

5. When the migration completes, you're ready to go!


CONFIGURING THE CLIENT

OpenISR 0.9 stores user configuration in ~/.openisrrc instead of 
~/.openisr.conf.  Many ISR users have an ~/.openisr.conf containing a 
single line specifying their ISR userid; if you fit in this category, 
you will need to rename ~/.openisr.conf to ~/.openisrrc after upgrading 
your client.  If you have an ~/.openisr.conf which contains more 
complicated configuration settings, you may need to make additional 
changes beyond simply renaming the file.  In this case, please see the 
changelog for additional information on configuration file changes.


IF YOU ENCOUNTER SSH ISSUES

The default server for OpenISR 0.9, isrserver05.isr.cmu.edu, was 
previously a server in the ISR-3 deployment.  If your client system 
participated in that deployment, you may encounter messages about a 
changed SSH host key for isrserver05 after upgrading to OpenISR 0.9. 
These messages can be corrected by removing the offending line from 
~/.ssh/known_hosts.


FINAL NOTES

We plan to phase out the OpenISR 0.8 server within the next few months, 
so please contact us soon to schedule the migration of your parcels.  As 
the cutoff date approaches, we will individually contact any remaining 
0.8 users to determine the best course of action for upgrading to 0.9.

Last, but not least: OpenISR 0.9 represents a significant change from 
the 0.8 series.  We have endeavoured to produce the best release 
possible, but there are certainly bugs and performance issues remaining 
in the 0.9 release.  We welcome reports of any problems you encounter, 
and will be happy to work with you to resolve them.

Thank you for using the OpenISR system.

--Benjamin Gilbert/Matt Toups



CHANGES SINCE 0.8.4

------ HEADLINES

- Significant server API changes.  0.9-series clients will not work with 
older servers, and vice versa.  Parcels created for older versions of 
ISR will need to be converted to 0.9 format before they can be used with 
an 0.9 server.

- The distinction between nameservers and content servers has been 
eliminated; each parcel is now associated with exactly one server.

- The client has a new hoard cache implementation which significantly 
reduces the need to download data more than once, even across parcels.


------ PARCEL FORMAT CHANGES

- Parcel data is now encrypted with the AES algorithm instead of Blowfish.

- Replace redundant ASCII and binary keyring files with a new, 
SQLite-based keyring

- Eliminate index.lev1 file and fold its contents into parcel.cfg

- Session logs are now per-parcel rather than per-user.  Actions which 
do not apply to a specific parcel are logged to the per-parcel log of 
every parcel known to the client.

- Each parcel now has a UUID which uniquely identifies that parcel

- The layout of the ~/.isr directory on the client has changed significantly


------ CLIENT CHANGES

- Checkouts and hoard caches created by OpenISR 0.8.4 and earlier will 
not be recognized by this version.  At resume time, the client will warn 
about any old-style checkouts, and will offer to delete old-style hoard 
caches to free up disk space.

- Replace Vulpes with Parcelkeeper, a near-complete rewrite

- Always copy disk chunks, keyrings, and memory images to the hoard 
cache after downloading, eliminating redundant downloads

- Eliminate extra copy of memory image on the first resume after 
checkout, at the cost of a slower "isr discard"

- Dramatically improve the performance of "isr ls"

- Significantly clean up logging format for enhanced readability

- Improve accuracy of ISR-generated progress bars

- Add experimental support for LZF compression

- Add low-level infrastructure for VMM independence

- Rename the Nexus "zap" sysfs action to "kill" to clarify the 
destructive nature of the action

- No longer zero the Nexus "state_times" counters when the sysfs 
attribute is read.  Writing a string to the attribute file will zero the 
counters.

- Eliminate or reduce several logging races

- Miscellaneous fixes and cleanups

- Packaging updates


------ ISR COMMAND LINE

- Add new hoard cache management commands: lshoard, rmhoard, checkhoard

- Rename -n/--nameserver option to -s/--server

- Rename -X/--noauto option to -F/--no-fullscreen

- Add -l option to "isr stat", which shows the parcel UUID

- "isr clean" now does a soft release of the parcel lock, making it safe 
to use instead of "isr discard" + "isr checkin" (which is slower).  The 
historical behavior is available via "isr clean -f".

- Eliminate "clean -a"; use rmhoard instead

- Eliminate broken (and dangerous) "reset" command

- Eliminate "-p" option, which was accepted and ignored in 0.8

- Eliminate "checkparcel" command, which was just an alias for "checkp"

- Move server-side parcel validation from "checkp" to "checkp -e"

- Move local cache validation from "stat -c" to "checkp"

- Move hoard cache validation from "stat -c" to "checkhoard"

- "checkp" and "checkhoard" will not validate the hashes of stored disk 
chunks unless the -c/--checkstate option is provided

- Eliminate "disconnect"; use "checkout -d"/"resume -d" instead. 
"checkout -d" is now an alias for checkout + hoard, and "resume -d" will 
invoke "hoard" if the parcel is not fully hoarded.

- Eliminate -x/--nocheckstate; the functionality it was bypassing is now 
mandatory for checkin/sync and is no longer the default in other cases. 
When passing -d/--disconnected to checkout and resume, you can pass 
-c/--checkstate to get the old "disconnect" behavior.

- Allow a parcel's UUID to be used on the command line in place of its 
name if the parcel is currently checked out


------ CLIENT CONFIGURATION

- Read per-user config file from ~/.openisrrc instead of ~/.openisr.conf

- Rename "nameserver" config option to "server"

- Change format of "logmask"/"console_logmask" options: instead of a 
bitmask, these now take a comma-separated list of log types.  Currently 
accepted types are: none, info, error, chunk, transport, query, slow.

- Add "compression" option, which specifies the compression algorithm to 
be used for newly written disk chunks

- Add "hoard_minsize" option, which specifies the hoard cache size (in 
MB) below which no chunks will be garbage-collected from the cache

- Add "disable_lookaside" debug option; set this to "1" to force 
re-downloading of the keyring and memory image at checkout


------ SIGNIFICANT CLIENT BUGFIXES

- Permit a server-side checkparcel operation concurrently with other 
parcel operations (such as resume)

- Disallow sync/checkin if we no longer hold the parcel lock

- No longer allow running in disconnected mode if the local cache is 
fully populated but the hoard cache is not, since this could cause "isr 
discard" to have unexpected side effects

- Properly handle simultaneous checkouts of parcels with the same userid 
and parcel name, but different servers


------ SERVER CHANGES

- Ship the server code in the source tarball; the server can be 
installed by passing --enable-server to configure.

- Remove dependency on procmail

- Allow the server modules to be installed anywhere in the filesystem, 
so long as the new "isr_runserv" wrapper script is in the PATH

- Add a script, upgrade-0.9.pl, which will read an ISR-3 or OpenISR 0.8 
parcel and write out a new one in OpenISR 0.9 format

- Improve the thoroughness of the checkparcel module

- Various performance improvements


------ ISR_ADMIN CHANGES

- All isr_admin commands should now work properly

- Simplify isr_admin's command-line syntax

- Add "isr_admin makeparcel" command to create an empty parcel from scratch


------ SERVER CONFIGURATION

- The message-of-the-day file is now located at /etc/openisr/motd

- cfg tarballs included in parcels generated with "isr_admin makeparcel" 
will be pre-populated from the contents of the /etc/openisr/skel 
directory, if it exists

- Server.pm no longer contains system-specific configuration 
information.  That data has been moved to a new config file, 
/etc/openisr/locksrv.conf, which contains "key = value" pairs.  Default 
values will be chosen if locksrv.conf is missing or does not contain a 
particular key.

- Add "content_root" config option to locksrv.conf, giving the path to 
the HTTP document root

- Add "default_pass" config option, giving the password that will be 
assigned to user accounts created by isr_admin

- Add "hostname" config option, giving the server hostname that should 
be written to parcel.cfg files generated by isr_admin


------ SIGNIFICANT SERVER BUGFIXES

- Don't create world-readable, unencrypted keyrings in the webroot

- Don't set execute bits on chunk and image files during commit

- Allow checkparcel on a version != 1 which has no predecessors (i.e., a 
parcel that has been pruned)

- Don't allow a client to commit or rollback a parcel unless the client 
holds a valid nonce

- Avoid potential data corruption if multiple clients try to upload a 
checkin at the same time (due to a stolen parcel lock)

- Avoid exposing a parcel's keyroot to other users of the server system

- Generate each new parcel with a unique keyroot

- Significantly improve the entropy in generated keyroots

Received on 2008-01-11 17:16:41
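
Added example, not part of the original message or of the OpenISR code: for the changed host key described under IF YOU ENCOUNTER SSH ISSUES, this Python script removes only the entries for isrserver05.isr.cmu.edu from known_hosts text, including hashed (HashKnownHosts) entries, and prints the fingerprint of each key it drops. The function names, the sample file, the 192.0.2.5 address, the salts and the key blobs are constructed for illustration; wildcard host patterns are not matched.

```python
import base64, hashlib, hmac
HOST = "isrserver05.isr.cmu.edu"  # server named in the announcement

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or hashed)."""
    if field.startswith("|1|"):  # hashed form: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    # Plain form: comma-separated names, optionally written as [host]:port
    return any(n == host or n.startswith(f"[{host}]:") for n in field.split(","))

def drop_host(text, host):
    """Split known_hosts text into (kept, removed) lines for `host`."""
    kept, removed = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            kept.append(line)  # blank lines and comments pass through
            continue
        # Marker lines (@cert-authority, @revoked) carry the hosts second
        field = parts[1] if parts[0].startswith("@") else parts[0]
        (removed if host_matches(field, host) else kept).append(line)
    return kept, removed

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, as OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob(raw):  # constructed stand-in for a real public key blob
    return base64.b64encode(raw).decode()

def hashed_field(host, salt):  # builds a hashed host field for the sample
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (blob(salt), blob(mac))

# Constructed sample file: two stale entries for HOST, one unrelated host
SAMPLE = "\n".join([
    "# constructed sample known_hosts",
    f"{HOST},192.0.2.5 ssh-rsa {blob(b'old ISR-3 host key')}",
    f"{hashed_field(HOST, b'constructed salt A')} ssh-rsa {blob(b'old ISR-3 host key')}",
    f"{hashed_field('other.example.org', b'constructed salt B')} ssh-rsa {blob(b'unrelated')}",
])

if __name__ == "__main__":
    kept, removed = drop_host(SAMPLE, HOST)
    for line in removed:
        print("removing", fingerprint(line.split()[-1]))
```

On a single machine, `ssh-keygen -R isrserver05.isr.cmu.edu` performs the same removal. Compare the fingerprint SSH shows on the next connection with one obtained from the server administrators before accepting it.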