3 New Features and Changes
This section describes new features and changes in Oracle Linux 7.5. For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle Linux 7: Release Notes for Oracle Linux 7.
File Systems
The following file systems features, bug fixes, and enhancements are included in this update.
Installation and Upgrade
The following installation and upgrade features, bug fixes, and enhancements are included in this update:
- livemedia-creator includes sample kickstart file for UEFI systems
  The livemedia-creator utility now includes a sample kickstart file that can be used for UEFI systems.
- New mount command for assigning block devices
  Kickstart now includes a new mount command, which enables you to assign block devices as mounts during an installation. The mount command assigns a mount point to a specified block device within a file system. You can also specify the --reformat option with the mount command to reformat a block device.
- New network kickstart command option for binding a device configuration file to a MAC address
  Use the new --bindto=mac option with the network kickstart command to specify the MAC address (HWADDR) parameter instead of the default DEVICE parameter in the device's ifcfg file. Specifying this option binds the device configuration to the MAC address instead of the device name.
  Note: Because the --bindto option is independent of the network --device kickstart option, it is applied to the ifcfg file, regardless of whether the device was specified in the kickstart file by its name, link, or bootif.
Kernel
The following changes are specific to RHCK. For more information, refer to the latest versions of the release notes for Oracle Linux Unbreakable Enterprise Kernel Release 4 in Unbreakable Enterprise Kernel documentation.
Automatic loading of DCCP modules through socket layer now disabled by default
For security reasons, the automatic loading of the Datagram Congestion Control Protocol (DCCP) kernel modules through the socket layer has been disabled by default. This change ensures that userspace applications are not able to maliciously load any modules. However, you can explicitly load DCCP modules by using modprobe. Note that the automatic loading of DCCP modules is also not allowed on UEK releases.
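Because explicit loading with modprobe remains possible, a host audit can check both whether any DCCP module is currently loaded and whether modprobe configuration also blocks explicit loads. The following is an added example, not part of the release notes; the function names and the sample files are constructed, and the script assumes that a site enforces this through modprobe.d install and blacklist rules.

```shell
#!/bin/bash
# Added example (not from the release notes). File and directory arguments are
# parameters so the functions can be pointed at copies of the real files,
# for example /proc/modules and /etc/modprobe.d.

# Print the DCCP modules listed in a /proc/modules-format file, one per line.
dccp_loaded() {
    awk '$1 ~ /^dccp(_|$)/ { print $1 }' "$1"
}

# Classify the modprobe.d rules for MODULE found in DIR/*.conf:
#   blocked        install MODULE /bin/true or /bin/false: modprobe loads nothing
#   autoload-only  blacklist MODULE: alias-based autoload is ignored, but
#                  an explicit "modprobe MODULE" still loads the module
#   open           no matching rule
dccp_modprobe_policy() {   # usage: dccp_modprobe_policy MODULE DIR
    cat "$2"/*.conf 2>/dev/null | awk -v mod="$1" '
        { gsub(/-/, "_", $2) }   # modprobe treats "-" and "_" as the same
        $1 == "install" && $2 == mod && $3 ~ /\/(true|false)$/ { inst = 1 }
        $1 == "blacklist" && $2 == mod { bl = 1 }
        END { print (inst ? "blocked" : (bl ? "autoload-only" : "open")) }'
}

# Constructed sample data, not taken from a real system.
demo=$(mktemp -d)
printf 'blacklist dccp\ninstall dccp_ipv4 /bin/false\n' > "$demo/dccp.conf"
printf 'dccp_ipv4 20480 0 - Live 0x0000000000000000\n' > "$demo/modules"
for m in dccp dccp_ipv4 dccp_ipv6; do
    echo "$m: $(dccp_modprobe_policy "$m" "$demo")"
done
echo "loaded: $(dccp_loaded "$demo/modules")"
rm -rf "$demo"
```
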
MySQL Community Packages
MySQL Community packages are not included on the provided ISO in this release. This change ensures that the ISO size is appropriate for use on typical DVD-ROM media. The MySQL Community 8.0, MySQL Community 5.7, MySQL Community 5.6, and MySQL Community 5.5 packages continue to be available on the Unbreakable Linux Network (ULN) and the Oracle Linux yum server.
You can install MySQL Community packages directly from ULN or the Oracle Linux yum server by enabling the appropriate channel or repository. For example, if you are using the Oracle Linux yum server you can enable the ol7_MySQL57 repository by installing the mysql-release-el7 package to obtain the correct yum repository configuration and then running yum-config-manager to update the configuration:
sudo yum install mysql-release-el7
sudo yum-config-manager --enable ol7_MySQL57
Networking
The following networking features, bug fixes, and enhancements are included in this update:
- Control switch for offloading VXLAN and Geneve tunnels added to RHCK
  This change to the ethtool utility can only be used with drivers that support this functionality, such as the new Geneve driver in the latest RHCK. A new control switch in the utility can be used to enable or disable offloading of VXLAN and Geneve tunnels to network cards.
- Geneve driver version updated to 4.14
  The updated version of the Geneve driver includes a number of bug fixes and enhancements from the previous version.
- Search capability for IPTABLES_SYSCTL_LOAD_LIST modifications expanded to /etc/sysctl.d
  The search capability for IPTABLES_SYSCTL_LOAD_LIST modifications has been expanded to include the sysctl.d directory. Previously, only the /etc/sysctl.conf file was searched for changes. This enhancement ensures that any user-provided files in /etc/sysctl.d/ are correctly accounted for when the iptables service restarts.
- VXLAN updated to version 4.14
  The updated version of the Virtual Extensible LAN (VXLAN) feature includes a number of bug fixes and enhancements from the previous version.
Packaging
Starting with Oracle Linux 7.5, the setup package provides and sources environment settings in a defined order that overrides any unpredictable environment settings. This change is especially useful in situations where multiple scripts changed the same environment setting.
Security
The following security features, bug fixes, and enhancements are included in this update:
- Libreswan updated to version 3.23
  This version of the Libreswan software includes bug fixes and improvements from the previous version.
- nss version updated to 3.34
  This version of the nss package includes bug fixes and improvements from the last version.
- SCAP workbench updated to version 1.1.6
  This version of the SCAP workbench (scap-workbench) utility includes bug fixes and improvements from the previous version.
- SELinux supports NNP policy for systemd services
  In this update, the selinux-policy packages contain a policy for systemd services that use the No New Privileges (NNP) security feature. Also introduced is the nnp_nosuid_transition policy capability that enables SELinux domain transitions under NNP or nosuid if nnp_nosuid_transition is allowed between the old and new contexts.
  For example, the following rule describes how this capability is allowed for a service:
  allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };
  In addition, the distribution policy now contains the m4 macro interface. This interface can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function.
- SSLv3 disabled in mod_ssl
  To improve security for SSL/TLS connections, support for SSLv3 in the default configuration for the httpd mod_ssl module has been disabled. This change also restricts the use of certain cryptographic cipher suites.
  Note: Only fresh installations of the mod_ssl package are affected. Users can change their existing SSL configuration manually, as required.
- Using OpenSCAP to generate remediation scripts for use with Ansible
  The OpenSCAP scanner can be used to generate remediation scripts in Ansible playbook format. This capability assists with the integration of configuration compliance into an existing Ansible workflow. After generating an Ansible playbook, you can then customize it with the desired values.
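Because only fresh installations of mod_ssl receive the new default (see the SSLv3 item above), configuration files carried over from earlier installations need to be checked. The following added example, which is not part of the release notes, reports whether the SSLProtocol directives in a file leave SSLv3 enabled; the sslv3_status function and the ALL_HAS_SSLV3 switch are hypothetical names, and the script assumes that "all" includes SSLv3 unless ALL_HAS_SSLV3=0 is set.

```shell
#!/bin/bash
# Added example (not from the release notes): report whether the SSLProtocol
# directives in an Apache configuration file leave SSLv3 enabled.
# Assumption: "all" includes SSLv3 (ALL_HAS_SSLV3=1). Set ALL_HAS_SSLV3=0
# if "all" excludes SSLv3 in your httpd build.

sslv3_status() {   # usage: sslv3_status FILE -> enabled | disabled | unset
    awk -v all_has_v3="${ALL_HAS_SSLV3:-1}" '
        tolower($1) == "sslprotocol" {
            seen = 1; v3 = 0
            # Tokens apply left to right: bare = replace, + = add, - = remove.
            for (i = 2; i <= NF; i++) {
                tok = tolower($i); sign = substr(tok, 1, 1)
                if (sign == "+" || sign == "-") name = substr(tok, 2)
                else { sign = "="; name = tok }
                if (name == "all") {
                    if (sign == "-") v3 = 0
                    else if (sign == "=") v3 = all_has_v3 + 0
                    else if (all_has_v3 + 0) v3 = 1
                } else if (name == "sslv3") v3 = (sign != "-")
                else if (sign == "=") v3 = 0
            }
            # Report each directive that ends with SSLv3 still switched on.
            if (v3) { bad = 1; print FILENAME ":" FNR ": " $0 > "/dev/stderr" }
        }
        END { print (!seen ? "unset" : (bad ? "enabled" : "disabled")) }
    ' "$1"
}

# Constructed sample: a configuration carried over from an older installation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SSLProtocol all -SSLv3
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
EOF
echo "sample: $(sslv3_status "$sample")"
rm -f "$sample"
```

A result of "unset" means the file has no SSLProtocol directive, so the effective protocol set comes from the httpd default or from another included file.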
Server and Services
The following server and services features, bug fixes, and enhancements are included in this update:
- Ability to remotely launch dbus applications in GNOME
  In this update, GNOME includes a feature that provides users with the ability to remotely launch dbus-using applications, for example over SSH.
  This improvement also fixes a bug that existed in RHEL 6 and RHEL 7 (up through 7.4) that caused leftover processes to remain in the system after exiting a session.
- chrony updated to version 3.2
  This version of chrony includes bug fixes and improvements from the previous version.
- CUPS configuration enhancement
  You can now configure the Common UNIX Printing System (CUPS) to use only Transport Layer Security (TLS) v1.2 ciphers.
- D-Bus updated to version 1.10
  This version of dbus includes bug fixes and improvements from the previous version.
- squid package includes kerberos_ldap_group helper
  The kerberos_ldap_group helper is a reference implementation that supports Simple Authentication and Security Layer (SASL) and Generic Security Services API (GSSAPI) authentication to an LDAP server.
- Tuned updated to version 2.9.0
  This version of the Tuned utility includes bug fixes and improvements from the previous version.
Storage
The following storage features, bug fixes, and enhancements are included in this update:
- DIF/DIX (T10 PI) support added for specified hardware
  In Oracle Linux 7.5, the SCSI T10 DIF/DIX is fully supported on hardware that has been qualified by the vendor, provided that the vendor also provides full support for the particular host bus adapter (HBA) and storage array configuration. Note that DIF/DIX is not supported on other configurations such as for use on a boot device or a virtualized guest.
  Note: Support for DIF/DIX is in technology preview for any HBAs and storage arrays that are not qualified and are not fully supported by the vendor. To determine whether DIF/DIX is supported by a particular hardware vendor, refer to that vendor's support information for the latest status.
- smartmontools support on NVMe devices added
  The smartmontools utility program is used to monitor Nonvolatile Memory Express (NVMe) devices (in particular, Solid-state Drive (SSD) disks) with the Self-Monitoring, Analysis and Reporting Technology System.
Virtualization
The following virtualization features, bug fixes, and enhancements are included in this update:
- Hosts and guests can use GPU devices simultaneously
  Starting with this update, both hosts and guests can use Graphics Processing Unit (GPU) devices at the same time. Note that this feature requires the vfio_mdev module, which is not available in UEK at the time of this release.
- KASLR for KVM guests added
  Capability for Kernel address-space layout randomization (KASLR) for KVM guests has been added in this update.
- libvirt updated to version 3.9.0
  This version of the libvirt utility includes bug fixes and improvements from the previous version.
- QEMU updated to version 1.5.3-156
  This version of QEMU includes several bug fixes, including important security fixes and a large number of KVM integration improvements.
Technology Preview
Features that are currently under technology preview when using UEK R4U6 are described in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 4 Update 6 (4.1.12-112).
For RHCK, the following features are currently under technology preview:
- Systemd: Importd features for container image imports and exports.
- File Systems:
  - Block and object storage layouts for parallel NFS (pNFS).
  - DAX (Direct Access) for direct persistent memory mapping from an application. This is under technical preview for the ext4 and XFS file systems.
  - ima-evm-utils package, which provides utilities for labeling file systems and verifying the integrity of the system at run time.
  - OverlayFS remains in technical preview.
  - SCSI layout for parallel NFS (pNFS), including support for both client and server configurations.
- Kernel:
  - Heterogeneous memory management (HMM).
  - No-IOMMU mode virtual I/O feature.
- Networking:
  - Cisco VIC InfiniBand kernel driver that provides similar functionality to RDMA on proprietary Cisco architectures.
  - nftables and libnftnl network filtering and classification functionality.
  - Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.
  - Support for a Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver.
  - Trusted Network Connect support.
- Storage:
  - Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.
  - Plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now fully supported, but the plug-in is under technology preview.
You can find additional information about technology preview items that are in this release at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.5_release_notes/technology-previews.
Compatibility
Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux, which is independent of the kernel version that underlies the operating system. Existing applications in user space will continue to run unmodified on the Unbreakable Enterprise Kernel Release 4 (UEK R4) and no re-certifications are needed for RHEL certified applications.
To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R4 will remain unchanged in all subsequent updates to the initial release. UEK R4 contains changes to the kernel ABI relative to UEK R3 that require recompilation of third-party kernel modules on the system. Before installing UEK R4, verify its support status with your application vendor.