3 Technology Preview
The following items are available as technical previews in this release of Oracle Linux. Note that some items listed apply to Red Hat Compatible Kernel (RHCK) and might already be available in UEK.
WireGuard
WireGuard is a VPN solution that has improved security features and is easily configurable.
Note that WireGuard is fully supported in UEK. See Oracle Linux: Configuring Virtual Private Networks for more information on using WireGuard on Oracle Linux.
KTLS
The Linux Kernel TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to NICs that support this functionality.
OpenSSL 3.0 is able to use KTLS if the enable-ktls configuration option is used during compiling.
The updated gnutls packages can use KTLS for accelerating data transfer on encrypted channels. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:
[global]
ktls = true
Note that gnutls doesn't permit you to update traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites.
Intel® Arc A-Series Graphics
Intel® Arc A-Series graphics, also known as Alchemist or DG2, are available as a technology preview.
Add the following option to the kernel command line to enable hardware acceleration with Intel® Arc A-Series graphics:
i915.force_probe=pci-id
In this option, replace pci-id with the PCI ID of the Intel® GPU.
Intel® Data Streaming Accelerator Driver
The driver is an Intel® CPU integrated accelerator and shares a work queue with process address space ID (pasid) submission and shared virtual memory (SVM).
Intel® Trust Domain Extensions Available for Oracle VM Guests
Note: Using TDX can cause kdump to fail on the VM.
SGX Available
Software Guard Extensions (SGX) from Intel® protects software code and data from disclosure and modification. The Linux kernel partially supports SGX v1 and SGX v1.5. Version 1 enables platforms that use the Flexible Launch Control mechanism to use the SGX technology.
Note that SGX is supported in UEK.
DAX File System Available
In this release, the DAX file system is available as a Technology Preview for the ext4 and XFS file systems.
DAX enables an application to directly map persistent memory into its address space. The system must have some form of persistent memory available to use DAX. Persistent memory can be in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs). In addition, a file system that supports DAX must be created on the NVDIMMs; the file system must be mounted with the dax mount option. Then, an mmap of a file on the DAX mounted file system results in a direct mapping of storage into the application's address space.
SEV and SEV-ES
The Secure Encrypted Virtualization (SEV) feature is provided for AMD EPYC host machines that use the KVM hypervisor. It encrypts a virtual machine's memory and protects the VM from access by the host.
SEV's enhanced Encrypted State version (SEV-ES) encrypts all CPU register contents when a VM stops running, thus preventing the host from modifying the VM's CPU registers or reading any information from them.
Note that SEV is supported in UEK.
NVMe-oF Discovery Service
The NVMe-oF Discovery Service features are defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014. To preview these features, install the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ website.
Note that NVMe-oF is supported in UEK.
nvme-stas Package
The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, handles the following functionalities:
- Asynchronous Event Notifications (AEN)
- Automated NVMe subsystem connection controls
- Error handling and reporting
- Automatic (zeroconf) and manual configuration
This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).
NVMe 8006 In-Band Authentication
Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF), is available as a technology preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF. For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) manual page.
In-band authentication is fully available in UEK R7U2.
Virtualization for Arm Platforms
You can create KVM virtual machines on systems running on the Arm (aarch64) platforms using RHCK as a technical preview.
KVM is supported on aarch64 in UEK.
virtio-mem for Intel® and AMD Systems
Oracle Linux 9 introduces the virtio-mem feature for AMD and Intel® systems. With virtio-mem, you can dynamically add or remove host memory in virtual machines (VMs).
To use virtio-mem, do the following:
- Define virtio-mem memory devices in the XML configuration of a VM.
- Use the virsh update-memory-device command to request memory device size changes while the VM is running.
To see the current memory size exposed by such memory devices to a running VM, view the XML configuration of the VM.
systemd-resolved Service
The systemd-resolved service provides name resolution to local applications. Its components include a caching and validating DNS stub resolver, and a Link-Local Multicast Name Resolution (LLMNR) and Multicast DNS resolver and responder.
Stratis
A local storage manager, Stratis manages file systems on top of pools of storage and provides features such as the following:
- Manage snapshots and thin provisioning
- Automatically grow file system sizes as needed
- Maintain file systems
You administer Stratis storage through the stratis utility, which communicates with the stratisd background service.
nodejs:18 Module Stream
Node.js 18 provides numerous new features together with bug and security fixes over Node.js 16, including the following:
- The V8 engine is upgraded to version 10.1.
- The npm package manager is upgraded to version 8.15.0.
- Node.js provides a new experimental fetch API as well as an experimental node:test module that facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format.
To install the nodejs:18 module stream, type:
sudo dnf module install nodejs:18
jmc-core and owasp-java-encoder
jmc-core is a library that provides core APIs for Java Development Kit (JDK) Mission Control, including APIs for:
- Parsing and writing Java Flight Recording files
- Discovering Java Virtual Machines (JVMs) through the Java Discovery Protocol (JDP)
The owasp-java-encoder package provides a collection of high-performance, low-overhead contextual encoders for Java.
The packages are available in the Oracle Linux 9 CodeReady Builder repository, which is unsupported, and which you must explicitly enable.
Socket API for TuneD
The socket API for TuneD maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus isn't available. With the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default. You can enable it in the tuned-main.conf file.
Quadlet for Podman
Quadlet for Podman v4.4 and later is available as a technology preview that can be used to automatically generate a systemd service file from the container description. The container description is in the systemd unit file format and simplifies much of the technical complexity of running containers under systemd. Quadlet formatted descriptions are easier to write and maintain than systemd unit files. See the upstream documentation for more information.
Podman sigstore Signatures
Podman recognizes the sigstore format of container image signatures as a technology preview. The sigstore signatures can be stored in the container registry with the container image without the need to have a separate signature server to store image signatures.
Multiple GPG Keys for Podman Images
The /etc/containers/policy.json file accepts a keyPaths field that contains a list of trusted GPG keys. Usage of more than one GPG key in the container policy is a technology preview feature that permits Podman to install images signed by any one of multiple GPG keys.
Clients for sigstore Signatures With Fulcio and Rekor
You can create signatures with Fulcio and Rekor servers by using short-term certificates based on an OpenID Connect (OIDC) server authentication rather than managing a private key manually. However, only the client-side functionality is provided; the Fulcio and Rekor servers themselves are not included.
You need to configure the policy.json file by creating a fulcio section, and then adding the rekorPublicKeyPath or rekorPublicKeyData fields.
To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml commands, where file.yml is the sigstore signing parameter file.
For more information, see the containers-policy.json manual page.
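As an added example that is not part of the Oracle Linux documentation, the following /etc/containers/policy.json combines the two technology preview features described above: a signedBy requirement whose keyPaths list accepts an image signed by either of two GPG keys, and a sigstoreSigned requirement with a fulcio section plus rekorPublicKeyPath. The registry names, key and certificate paths, OIDC issuer, and e-mail address are constructed placeholders.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "registry.example.com/release": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPaths": [
            "/etc/pki/containers/release-key-2023.gpg",
            "/etc/pki/containers/release-key-2024.gpg"
          ],
          "signedIdentity": { "type": "matchRepository" }
        }
      ],
      "registry.example.com/keyless": [
        {
          "type": "sigstoreSigned",
          "fulcio": {
            "caPath": "/etc/pki/containers/fulcio-root.crt.pem",
            "oidcIssuer": "https://oidc.example.com",
            "subjectEmail": "release-bot@example.com"
          },
          "rekorPublicKeyPath": "/etc/pki/containers/rekor.pub",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    },
    "containers-storage": {
      "": [
        { "type": "insecureAcceptAnything" }
      ]
    }
  }
}
```

With "default" set to reject, any image from a registry path not listed under "transports" fails to pull, so verify the two listed paths work before tightening the default on a production host. The keyPaths entry is satisfied by a signature from any one of the listed keys, which is what makes a key rotation possible without a window in which old-key or new-key images are refused.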