3 New Features and Changes
The following features and changes are included in Oracle Linux 7.7.
For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle Linux 7: Release Notes for Oracle Linux 7.
Installation
The following installation and upgrade features, bug fixes, and enhancements are included in this update.
Important Installation Information for Oracle Linux 7.7
Before installing Oracle Linux 7.7, review the following important information:
Important:
Any system that is installed by using any Oracle Linux 7.7 ISO and is subsequently registered with the Unbreakable Linux Network (ULN) is automatically subscribed to the ol7_x86_64_latest and ol7_x86_64_UEKR5 channels and is configured to download the latest Unbreakable Enterprise Kernel Release 5 (UEK R5) release on the next system update. When you run yum update after registering with ULN initially, the system is upgraded to the Oracle Linux 7.7 release and the default kernel is automatically changed to UEK R5. If you prefer to continue to use an alternate kernel, such as UEK R4, you must manually change the subscriptions for the system in ULN before performing the system update.
Systems that are not registered with ULN retain any existing yum configuration and continue to use the kernel that is installed with Oracle Linux 7.7. If you are not registered with ULN and want to upgrade to use UEK R5, you must enable the ol7_UEKR5 repository in your yum configuration.
Graphical Installation Program Enhancement
The Oracle Linux 7.7 graphical installation program has been enhanced to detect whether Simultaneous Multithreading (SMT) is enabled on a system. If the feature is enabled, a message is displayed at the bottom of the Installation Summary screen. SMT enables the execution of multiple threads on a single physical CPU core, which can improve performance. Note that the use of SMT is only possible where the CPU is SMT-capable.
Kernel options for setting whether SMT should be used on a system are available. By default, the mitigations=auto kernel parameter is set. This parameter mitigates against CPU vulnerabilities, but also leaves SMT enabled, even if it is vulnerable. In the event that a vulnerability is detected, you can disable SMT by booting the system with the kernel option set to mitigations=auto,nosmt.
Developer and Compiler Tools
The following compiler and developer tool features and enhancements are included in this update.
- gcc-libraries packages updated to version 8.3.1
This version of the GNU Compiler Collection (GCC) introduces several bug fixes and enhancements over the previous GCC version.
- linuxptp packages updated to version 2.0
This version of the linuxptp compiler tool introduces several bug fixes and enhancements over the previous version.
- Python version 3.6 available
This update includes python3 packages, which provide the Python 3.6 interpreter and the pip and setuptools tools. Note that previously these packages were only available as a part of software collections.
NVMe/FC Driver on QLogic Adapter
Oracle Linux 7.7 includes the NVMe/FC driver on the QLogic qla2xxxx adapter.
File Systems
The following file systems features, bug fixes, and enhancements are included in this update.
Red Hat Compatible Kernel
The following changes are specific to the Red Hat Compatible Kernel (RHCK). For more information, refer to the latest versions of the release notes for Oracle Linux Unbreakable Enterprise Kernel Release 5 in the Unbreakable Enterprise Kernel documentation.
- IMA and EVM features available on all architectures
In this update, the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) features are available on all architectures. The IMA and EVM features are used to monitor files for accidental or malicious altering. In Oracle Linux 7.6, these features were only available on the AMD64 and Intel 64 architectures.
- PMTU discovery and route redirection provided for VXLAN and GENEVE tunnels
This enhancement adds Path MTU (PMTU) discovery and route redirection for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. The kernel can now handle Internet Control Message Protocol (ICMP) error messages such as "Destination Unreachable" and "Redirect Message", as well as ICMPv6 error messages such as "Packet Too Big" and "Destination Unreachable" for VXLAN and GENEVE tunnels, which is done by adjusting the PMTU and modifying the forwarding information.
- Spectre V2 mitigation default changed from IBRS to Retpoline on new Oracle Linux 7.7 installations
On new Oracle Linux 7.7 installations, the default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and close derivatives has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline. This implementation is a result of Intel’s recommendations to align with the defaults that are used in the Linux community and also to restore lost performance. Note that using Retpoline in certain situations might not fully mitigate Spectre V2.
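The following check is an added example, not part of the Oracle release notes: it reads the kernel's sysfs reporting to show which Spectre V2 mitigation is active and whether SMT is still enabled on a CPU that the kernel reports as SMT vulnerable, the case for which the installation section above gives mitigations=auto,nosmt. The function names are hypothetical, and the sysfs paths and the status wording matched ("retpoline", "IBRS", "SMT vulnerable") are assumptions about how the running kernel reports its state.

```bash
#!/bin/bash
# Added example: audit SMT and Spectre V2 state; pass a copied tree to run offline.
CPU_SYSFS=/sys/devices/system/cpu   # assumed location of the kernel's reporting

# Print the SMT control state (on, off, forceoff, notsupported) or "unknown".
smt_state() {
    [ -r "${1:-$CPU_SYSFS}/smt/control" ] || { echo unknown; return 0; }
    cat "${1:-$CPU_SYSFS}/smt/control"
}

# Classify the spectre_v2 status line. "Vulnerable" is tested first because
# such a line can still name retpoline; retpoline is tested before IBRS
# because a retpoline line can also mention IBRS for firmware calls.
spectre_v2_mode() {
    v2_file="${1:-$CPU_SYSFS}/vulnerabilities/spectre_v2"
    [ -r "$v2_file" ] || { echo unknown; return 0; }
    case "$(cat "$v2_file")" in
        Vulnerable*)    echo vulnerable ;;
        *[Rr]etpoline*) echo retpoline ;;
        *IBRS*)         echo ibrs ;;
        *)              echo other ;;
    esac
}

# List the vulnerabilities the kernel reports as "SMT vulnerable".
# Returns 0 if at least one is listed, 1 otherwise.
smt_exposed() {
    rc=1
    for vuln in "${1:-$CPU_SYSFS}"/vulnerabilities/*; do
        [ -r "$vuln" ] || continue
        if grep -q 'SMT vulnerable' "$vuln"; then
            echo "${vuln##*/}"
            rc=0
        fi
    done
    return $rc
}

# Summarize both checks; flag SMT only when it is on and reported vulnerable.
audit() {
    echo "smt=$(smt_state "$1") spectre_v2=$(spectre_v2_mode "$1")"
    if [ "$(smt_state "$1")" = on ] && exposed=$(smt_exposed "$1"); then
        echo "SMT enabled but reported vulnerable for:" $exposed
        echo "option from the release notes: boot with mitigations=auto,nosmt"
    fi
}

audit "${1:-$CPU_SYSFS}"
```

A result of "vulnerable" or "other" for spectre_v2 means the raw status line should be read directly, since the classification only matches the wording listed above.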
Networking
The following networking features, bug fixes, and enhancements are included in this update.
- NetworkManager includes capability for VLAN filtering on bridge interfaces
This enhancement enables you to configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager connection profiles, as well as define VLANs directly on bridge ports.
- NetworkManager includes capability for configuring policy routing rules
This enhancement enables you to configure rules as part of a connection profile, which means that NetworkManager now adds the rules when the profile is activated and removes the rules when the profile is deactivated. Previously, you would have to set up policy routing rules outside of NetworkManager by using the dispatcher script provided in the NetworkManager-dispatcher-routing-rules package.
Security
The following security features, bug fixes, and enhancements are included in this update.
- Network Security Services (NSS) package updates
This update introduces several NSS changes, including numerous bug fixes, security enhancements, and improvements over the previous NSS version.
Notably, the NSS code and Certificate Authority (CA) list now meets the recommendations that are published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI).
- SCAP Security Guide enhancement to include Universal Base Image containers and images
The security policies in the SCAP Security Guide have been enhanced to include Universal Base Image (UBI) containers and UBI images, which also includes ubi-minimal images. This enhancement enables configuration compliance scanning of UBI containers and images by using the atomic scan command. UBI containers and images can now be scanned against any profile that is shipped in the SCAP Security Guide, with only those rules that are relevant to the secure configuration of UBI being evaluated. Any rules that are inapplicable to UBI images and containers are automatically skipped.
- scap-security-guide packages updated to version 0.1.43
As of this update, the scap-security-guide packages are updated to version 0.1.43. This version of the scap-security-guide packages provides several bug fixes and enhancements over the previous version.
- shadow-utils packages updated to version 4.6
The shadow-utils packages have been updated to version 4.6 in this update. This version of the shadow-utils packages provides several bug fixes and enhancements over the previous version, including the new newuidmap and newgidmap commands for manipulating name space mapping for UID and GID.
- tangd_port_t SELinux type added
Oracle Linux 7.7 includes the tangd_port_t SELinux type. This SELinux type enables the tangd service to run as confined while in SELinux enforcing mode, which simplifies the configuration of a Tang server to enable listening on a user-defined port, while preserving the security level that SELinux provides when in enforcing mode.
Infrastructure Services
The following server and services features, bug fixes, and enhancements are included in this update.
Tuned Updates
As of this update, the tuned packages are updated to version 2.11. This version of Tuned provides several bug fixes and enhancements over the previous version, including the following: added support for the boot loader specification, an updated virtual-host profile, the addition of a range feature for CPU exclusion, and other important improvements.
Chrony Updates
As of this update, the chrony packages are updated to version 3.4. This version of Chrony provides several bug fixes and enhancements over the previous version, including the following: hardware timestamping improvements, extended polling interval ranges, the addition of the burst and filter options to NTP sources, and other important improvements.
Technology Preview
Features that are currently under technology preview when using UEK R5 are described in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 5 Update 2 (4.14.35-1902).
For RHCK, the following features are currently under technology preview:
- Systemd: Importd features for container image imports and exports.
- File Systems:
  - Block and object storage layouts for parallel NFS (pNFS).
  - DAX (Direct Access) for direct persistent memory mapping from an application. This feature is under technical preview for the ext4 and XFS file systems.
  - OverlayFS remains in technical preview.
- Kernel:
  - Heterogeneous memory management (HMM).
  - No-IOMMU mode virtual I/O feature.
- Networking:
  - Cisco VIC InfiniBand kernel driver, which provides similar functionality to RDMA on proprietary Cisco architectures.
  - Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.
  - Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver.
  - Trusted Network Connect included.
- Storage:
  - Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.
  - Plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now supported, but the plug-in is under technology preview.
Compatibility
Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux, which is independent of the kernel version that underlies the operating system. Existing applications in user space continue to run unmodified on the Unbreakable Enterprise Kernel Release 5 (UEK R5) and no re-certifications are needed for RHEL certified applications.
To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R5 will remain unchanged in all subsequent updates to the initial release. UEK R5 contains changes to the kernel ABI relative to UEK R4 that require recompilation of third-party kernel modules on the system. Before installing UEK R5, verify its support status with your application vendor.