Chapter 3 New Features and Changes

This section describes new features and changes in Oracle Linux 7.5. For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle® Linux 7: Release Notes for Oracle Linux 7.

3.1 File Systems

The following file systems features, bug fixes, and enhancements are included in this update.

3.1.1 btrfs: File system deprecated in RHCK

Starting with Oracle Linux 7.4, btrfs is deprecated in RHCK. Note that btrfs is fully supported with UEK R4.

3.1.2 ext4: quotacheck performance improvement

The quotacheck utility has been improved and is now faster on ext4.

3.2 Installation and Upgrade

The following installation and upgrade features, bug fixes, and enhancements are included in this update:

  • livemedia-creator includes sample kickstart file for UEFI systems.  The livemedia-creator utility now includes a sample kickstart file that can be used for UEFI systems.

  • New mount command for assigning block devices.  Kickstart now includes a new mount command, which enables you to assign block devices as mounts during an installation. The mount command assigns a mount point to a specified block device within a file system. You can also specify the --reformat option with the mount command to reformat a block device.

  • New network kickstart command option for binding a device configuration file to a MAC address.  Use the new --bindto=mac option with the network kickstart command to write the MAC address (HWADDR) parameter instead of the default DEVICE parameter into the device's ifcfg file. Specifying this option binds the device configuration to the MAC address instead of the device name.

    Note

    Because the --bindto option is independent of the network --device kickstart option, it is applied to the ifcfg file, regardless of whether the device was specified in the kickstart file by its name, link, or bootif.

3.3 Kernel

The following changes are specific to RHCK. For more information, refer to the latest versions of the release notes for Oracle Linux Unbreakable Enterprise Kernel Release 4 in Unbreakable Enterprise Kernel Documentation.

3.3.1 Automatic loading of DCCP modules through socket layer now disabled by default

For security reasons, the automatic loading of the Datagram Congestion Control Protocol (DCCP) kernel modules through the socket layer has been disabled by default. This change ensures that userspace applications are not able to maliciously load any modules. However, you can explicitly load DCCP modules by using modprobe. Note that the automatic loading of DCCP modules is also not allowed on UEK releases.

3.4 MySQL Community Packages

MySQL Community packages are not included on the provided ISO in this release. This change ensures that the ISO size is appropriate for use on typical DVD-ROM media. The MySQL Community 8.0, MySQL Community 5.7, MySQL Community 5.6, and MySQL Community 5.5 packages continue to be available on the Unbreakable Linux Network (ULN) and the Oracle Linux yum server.

You can install MySQL Community packages directly from ULN or the Oracle Linux yum server by enabling the appropriate channel or repository. For example, if you are using the Oracle Linux yum server you can enable the ol7_MySQL57 repository by installing the mysql-release-el7 package to obtain the correct yum repository configuration and then running yum-config-manager to update the configuration:

# yum install mysql-release-el7
# yum-config-manager --enable ol7_MySQL57

3.5 Networking

The following networking features, bug fixes, and enhancements are included in this update:

  • Control switch for offloading VXLAN and Geneve tunnels added to RHCK.  This change to the ethtool utility can only be used with drivers that support this functionality, such as the new Geneve driver in the latest RHCK. A new control switch in the utility can be used to enable or disable offloading of VXLAN and Geneve tunnels to network cards.

  • Geneve driver version updated to 4.14.  The updated version of the Geneve driver includes a number of bug fixes and enhancements from the previous version.

  • Search capability for IPTABLES_SYSCTL_LOAD_LIST modifications expanded to /etc/sysctl.d.  The search capability for IPTABLES_SYSCTL_LOAD_LIST modifications has been expanded to include the /etc/sysctl.d directory. Previously, only the /etc/sysctl.conf file was searched for changes. This enhancement ensures that any user-provided files in /etc/sysctl.d/ are correctly accounted for when the iptables service restarts.
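    The following shell function is an added example, not part of the release notes or of the iptables service scripts. It resolves the effective value of one sysctl key across both locations the expanded search now covers, /etc/sysctl.conf and /etc/sysctl.d/*.conf, so an administrator can see which file a setting such as net.netfilter.nf_conntrack_max actually comes from before the iptables service restarts. The file paths are parameters so the function can be run against a constructed scratch tree; the "later file wins" ordering (sysctl.conf first, then sysctl.d in name order) is an assumption of this example.

```shell
# Added example: find the effective value of a sysctl key the way an
# "search sysctl.conf plus sysctl.d" pass would see it. Not from the
# release notes or the iptables init script.
#
# resolve_sysctl KEY SYSCTL_CONF SYSCTL_D_DIR
#   prints "VALUE<TAB>FILE" for the last definition of KEY, nothing if unset.
#   Ordering assumption: SYSCTL_CONF is read first, then SYSCTL_D_DIR/*.conf
#   in name order, and a later definition overrides an earlier one.
resolve_sysctl() {
    key=$1; conf=$2; confdir=$3
    found_val=""; found_file=""
    for f in "$conf" "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        # strip comments, accept "key = value" or "key=value", keep last match in file
        val=$(sed -e 's/#.*//' "$f" | awk -F= -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
            $1 == k { v = $2 }
            END { if (v != "") print v }')
        if [ -n "$val" ]; then
            found_val=$val; found_file=$f
        fi
    done
    if [ -n "$found_val" ]; then
        printf '%s\t%s\n' "$found_val" "$found_file"
    fi
    return 0
}

# Constructed scratch tree standing in for /etc on a host where a user
# drop-in in sysctl.d raises nf_conntrack_max above the sysctl.conf value.
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/sysctl.d"
    printf 'net.netfilter.nf_conntrack_max = 65536\n' > "$d/sysctl.conf"
    printf '# user override\nnet.netfilter.nf_conntrack_max=262144\n' \
        > "$d/sysctl.d/90-conntrack.conf"
    printf 'net.ipv4.ip_forward = 0\n' > "$d/sysctl.d/10-forward.conf"
    printf '%s\n' "$d"
}

demo_root=$(setup_demo)
# expected: 262144 from sysctl.d/90-conntrack.conf, not 65536 from sysctl.conf
resolve_sysctl net.netfilter.nf_conntrack_max "$demo_root/sysctl.conf" "$demo_root/sysctl.d"
resolve_sysctl net.ipv4.ip_forward "$demo_root/sysctl.conf" "$demo_root/sysctl.d"
rm -rf "$demo_root"
```

    On a real host, call resolve_sysctl with /etc/sysctl.conf and /etc/sysctl.d; a setting that appears only in /etc/sysctl.d was exactly the case the old iptables service missed.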

  • VXLAN updated to version 4.14.  The updated version of the Virtual Extensible LAN (VXLAN) feature includes a number of bug fixes and enhancements from the previous version.

3.6 Packaging

Starting with Oracle Linux 7.5, the setup package provides and sources environment settings in a defined order that overrides any unpredictable environment settings. This change is especially useful in situations where multiple scripts change the same environment setting.

3.7 Security

The following security features, bug fixes, and enhancements are included in this update:

  • Libreswan updated to version 3.23.  This version of the Libreswan software includes bug fixes and improvements from the previous version.

  • nss version updated to 3.34.  This version of the nss package includes bug fixes and improvements from the last version.

  • SCAP workbench updated to version 1.1.6.  This version of the SCAP workbench (scap-workbench) utility includes bug fixes and improvements from the previous version.

  • SELinux supports NNP policy for systemd services.  In this update, the selinux-policy packages contain a policy for systemd services that use the No New Privileges (NNP) security feature. Also introduced is the nnp_nosuid_transition policy capability that enables SELinux domain transitions under NNP or nosuid if nnp_nosuid_transition is allowed between the old and new contexts.

    For example, the following rule describes how this capability is allowed for a service:

    allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

    In addition, the distribution policy now contains the init_nnp_daemon_domain() m4 macro interface, which can be used in SELinux security policies for services that run under NNP.

  • SSLv3 disabled in mod_ssl.  To improve security for SSL/TLS connections, support for SSLv3 in the default configuration for the httpd mod_ssl module has been disabled. This change also restricts the use of certain cryptographic cipher suites.

    Note

    Only fresh installations of the mod_ssl package are affected. Users can change their existing SSL configuration manually, as required.
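    Because only fresh installations receive the new default, a system upgraded in place keeps its existing SSLProtocol line. The following audit function is an added example, not part of the release notes or of the httpd project: it reads an ssl.conf-style file and reports whether the active SSLProtocol directive still permits SSLv3. The sample configurations are constructed here; the function treats "all" without "-SSLv3" as allowing SSLv3 (mod_ssl's meaning of "all"), and when several SSLProtocol lines appear it reports the last one, which is a simplification of per-virtual-host scoping.

```shell
# Added example: report whether an httpd SSL configuration file still allows
# SSLv3. Not from the release notes or the httpd project.
#
# sslv3_status CONFIG_FILE -> prints "allowed", "disabled", or "unset"
#   "unset" means no SSLProtocol directive was found, so the compiled-in
#   mod_ssl default applies and the file should be reviewed by hand.
sslv3_status() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "sslprotocol" {
            allowed = 0; minus = 0
            for (i = 2; i <= NF; i++) {
                tok = tolower($i)
                if (tok == "all" || tok == "+sslv3" || tok == "sslv3") allowed = 1
                if (tok == "-sslv3") minus = 1
            }
            # "all -SSLv3" and explicit TLS-only lists both disable SSLv3
            if (allowed && !minus) status = "allowed"; else status = "disabled"
        }
        END {
            if (status == "") status = "unset"
            print status
        }
    ' "$1"
}

# write_sample TEXT -> writes a constructed config fragment, prints its path
# (%b expands the \n escapes in TEXT)
write_sample() {
    f=$(mktemp)
    printf '%b\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Constructed samples: a legacy file that only excludes SSLv2, a corrected one
# that also excludes SSLv3, and one with no directive at all.
legacy=$(write_sample '# legacy ssl.conf\n<VirtualHost _default_:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2\n</VirtualHost>')
fixed=$(write_sample '<VirtualHost _default_:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>')
bare=$(write_sample '<VirtualHost _default_:443>\n    SSLEngine on\n</VirtualHost>')

sslv3_status "$legacy"   # allowed
sslv3_status "$fixed"    # disabled
sslv3_status "$bare"     # unset
rm -f "$legacy" "$fixed" "$bare"
```

    Run it over /etc/httpd/conf.d/ssl.conf and any other files that carry SSLProtocol; a result of "allowed" on an upgraded host is the case the note above describes, and the fix is to edit the directive manually (for example to exclude SSLv3) and reload httpd.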

  • Using OpenSCAP to generate remediation scripts for use with Ansible.  The OpenSCAP scanner can be used to generate remediation scripts into Ansible playbook format. This capability assists with the integration of configuration compliance into an existing Ansible work flow. After generating an Ansible playbook, you can then customize it with the desired values.

3.8 Server and Services

The following server and services features, bug fixes, and enhancements are included in this update:

  • Ability to remotely launch dbus applications in GNOME.  In this update, GNOME includes a feature that provides users with the ability to remotely launch dbus-using applications, for example over SSH.

    This improvement also fixes a bug that existed in RHEL 6 and RHEL 7 (up through 7.4) that caused leftover processes to remain in the system after exiting a session.

  • chrony updated to version 3.2.  This version of chrony includes bug fixes and improvements from the previous version.

  • CUPS configuration enhancement.  You can now configure the Common UNIX Printing System (CUPS) to use only Transport Layer Security (TLS) v1.2 ciphers.

  • D-Bus updated to version 1.10.  This version of dbus includes bug fixes and improvements from the previous version.

  • squid package includes kerberos_ldap_group helper.  The kerberos_ldap_group helper is a reference implementation that supports Simple Authentication and Security Layer (SASL) and Generic Security Services API (GSSAPI) authentication to an LDAP server.

  • Tuned updated to version 2.9.0.  This version of the Tuned utility includes bug fixes and improvements from the previous version.

3.9 Storage

The following storage features, bug fixes, and enhancements are included in this update:

  • DIF/DIX (T10 PI) support added for specified hardware.  In Oracle Linux 7.5, the SCSI T10 DIF/DIX is fully supported on hardware that has been qualified by the vendor, provided that the vendor also provides full support for the particular host bus adapter (HBA) and storage array configuration. Note that DIF/DIX is not supported on other configurations such as for use on a boot device or a virtualized guest.

    Note

    Support for DIF/DIX is in technology preview for any HBAs and storage arrays that are not qualified and are not fully supported by the vendor. To determine whether DIF/DIX is supported by a particular hardware vendor, refer to that vendor's support information for the latest status.
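    Vendor qualification is the authority on support status, but an administrator can at least see what the running kernel reports for a device. The following function is an added example, not from the release notes: it reads the integrity attributes the kernel exposes under /sys/block/<device>/integrity (format, read_verify, write_generate) and reports whether the device presents protection information at all. The sysfs root is a parameter so the function can be exercised against a constructed tree; the device names and format strings in the sample are constructed.

```shell
# Added example: summarise a block device's protection-information state from
# sysfs. Not from the release notes. An absent or empty "format" attribute
# means the device presents no T10 PI, so DIF/DIX cannot be in use for it
# whatever the HBA claims; "rv"/"wg" show whether the block layer verifies
# reads and generates PI on writes.
#
# dix_status SYSFS_ROOT DEVICE -> prints "none" or "<FORMAT> rv=<0|1> wg=<0|1>"
dix_status() {
    idir="$1/block/$2/integrity"
    if [ ! -r "$idir/format" ]; then
        printf 'none\n'; return 0
    fi
    fmt=$(cat "$idir/format")
    if [ -z "$fmt" ] || [ "$fmt" = "none" ]; then
        printf 'none\n'; return 0
    fi
    rv=$(cat "$idir/read_verify" 2>/dev/null || printf '0')
    wg=$(cat "$idir/write_generate" 2>/dev/null || printf '0')
    printf '%s rv=%s wg=%s\n' "$fmt" "${rv:-0}" "${wg:-0}"
}

# Constructed sysfs-like tree: sda presents Type 1 PI with CRC guard tags,
# sdb presents nothing, sdc has no integrity directory at all.
setup_fake_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/block/sda/integrity" "$root/block/sdb/integrity" "$root/block/sdc"
    printf 'T10-DIF-TYPE1-CRC\n' > "$root/block/sda/integrity/format"
    printf '1\n' > "$root/block/sda/integrity/read_verify"
    printf '1\n' > "$root/block/sda/integrity/write_generate"
    printf '\n'  > "$root/block/sdb/integrity/format"
    printf '%s\n' "$root"
}

fake=$(setup_fake_sysfs)
for dev in sda sdb sdc; do
    printf '%s: %s\n' "$dev" "$(dix_status "$fake" "$dev")"
done
rm -rf "$fake"
```

    On a real host use dix_status /sys sdX. A device that reports "none" here is not a candidate for DIF/DIX regardless of the HBA; a device that reports a format is still only fully supported when the vendor qualifies the HBA and array combination, as the note states.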

  • smartmontools support on NVMe devices added.  The smartmontools utility program is used to monitor Nonvolatile Memory Express (NVMe) devices (in particular, Solid-state Drive (SSD) disks) with the Self-Monitoring, Analysis and Reporting Technology System.

3.10 Virtualization

The following virtualization features, bug fixes, and enhancements are included in this update:

  • Hosts and guests can use GPU devices simultaneously.  Starting with this update, both hosts and guests can use Graphics Processing Unit (GPU) devices at the same time. Note that this feature requires the vfio_mdev module, which is not available in UEK at the time of this release.

  • KASLR for KVM guests added.  Capability for Kernel address-space layout randomization (KASLR) for KVM guests has been added in this update.

  • libvirt updated to version 3.9.0.  This version of the libvirt utility includes bug fixes and improvements from the previous version.

  • QEMU updated to version 1.5.3-156.  This version of QEMU includes several bug fixes, including important security fixes and a large number of KVM integration improvements.

3.11 Technology Preview

Features that are currently under technology preview when using UEK R4U6 are described in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 4 Update 6.

For RHCK, the following features are currently under technology preview:

  • Systemd: Importd features for container image imports and exports.

  • File Systems:

    • Block and object storage layouts for parallel NFS (pNFS).

    • DAX (Direct Access) for direct persistent memory mapping from an application. This is under technical preview for the ext4 and XFS file systems.

    • ima-evm-utils package, which provides utilities for labeling file systems and verifying the integrity of the system at run time.

    • OverlayFS remains in technical preview.

    • SCSI layout for parallel NFS (pNFS), including support for both client and server configurations.

  • Kernel:

    • Heterogeneous memory management (HMM).

    • No-IOMMU mode virtual I/O feature.

  • Networking:

    • Cisco VIC InfiniBand kernel driver that provides similar functionality to RDMA on proprietary Cisco architectures.

    • nftables and libnftnl network filtering and classification functionality.

    • Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.

    • Support for a Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver.

    • Trusted Network Connect support.

  • Storage:

    • Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.

    • Plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now fully supported, but the plug-in is under technology preview.

You can find additional information about technology preview items that are in this release at http://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.5_release_notes/technology-previews.

3.12 Compatibility

Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux, which is independent of the kernel version that underlies the operating system. Existing applications in user space will continue to run unmodified on the Unbreakable Enterprise Kernel Release 4 (UEK R4) and no re-certifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R4 will remain unchanged in all subsequent updates to the initial release. UEK R4 contains changes to the kernel ABI relative to UEK R3 that require recompilation of third-party kernel modules on the system. Before installing UEK R4, verify its support status with your application vendor.