3 New Features and Changes

The following features and changes are included in Oracle Linux 7.7.

For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle Linux 7: Release Notes for Oracle Linux 7.

Installation

The following installation and upgrade features, bug fixes, and enhancements are included in this update.

Important Installation Information for Oracle Linux 7.7

Before installing Oracle Linux 7.7, review the following important information:

Important:

Any system that is installed by using any Oracle Linux 7.7 ISO and is subsequently registered with the Unbreakable Linux Network (ULN) is automatically subscribed to the ol7_x86_64_latest and ol7_x86_64_UEKR5 channels and is configured to download the latest Unbreakable Enterprise Kernel Release 5 (UEK R5) release on the next system update. When you run yum update after initially registering with ULN, the system is upgraded to the Oracle Linux 7.7 release and the default kernel is automatically changed to UEK R5. If you prefer to continue to use an alternate kernel, such as UEK R4, you must manually change the subscriptions for the system in ULN before performing the system update.

Systems that are not registered with ULN retain any existing yum configuration and continue to use the kernel that is installed with Oracle Linux 7.7. If you are not registered with ULN and want to upgrade to use UEK R5, you must enable the ol7_UEKR5 repository in your yum configuration.

Graphical Installation Program Enhancement

The Oracle Linux 7.7 graphical installation program has been enhanced to detect whether Simultaneous Multithreading (SMT) is enabled on a system. If the feature is enabled, a message is displayed at the bottom of the Installation Summary screen. SMT enables the execution of multiple threads on a single physical CPU core, which can improve performance. Note that the use of SMT is only possible where the CPU is SMT-capable.

Kernel options for setting whether SMT should be used on a system are available. By default, the mitigations=auto kernel parameter is set. This parameter mitigates against CPU vulnerabilities, but also leaves SMT enabled, even if it is vulnerable. In the event that a vulnerability is detected, you can disable SMT by booting the system with the kernel option set to mitigations=auto,nosmt.

Developer and Compiler Tools

The following compiler and developer tool features and enhancements are included in this update.

  • gcc-libraries packages updated to version 8.3.1

    This version of the GNU Compiler Collection (GCC) introduces several bug fixes and enhancements over the previous GCC version.

  • linuxptp packages updated to version 2.0

    This version of the linuxptp compiler tool introduces several bug fixes and enhancements over the previous version.

  • Python version 3.6 available

    This update includes python3 packages, which provide the Python 3.6 interpreter and the pip and setuptools tools. Note that previously these packages were only available as a part of software collections.

NVMe/FC Driver on QLogic Adapter

Oracle Linux 7.7 includes the NVMe/FC driver on the QLogic qla2xxxx adapter.

File Systems

The following file systems features, bug fixes, and enhancements are included in this update.

BTRFS Deprecated in RHCK

Starting with Oracle Linux 7.4, BTRFS is deprecated in RHCK. Note that BTRFS is fully supported with UEK R4 and UEK R5.

Red Hat Compatible Kernel

The following changes are specific to the Red Hat Compatible Kernel (RHCK). For more information, refer to the latest versions of the release notes for Oracle Linux Unbreakable Enterprise Kernel Release 5 in the Unbreakable Enterprise Kernel documentation.

  • IMA and EVM features available on all architectures

    In this update, the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) features are available on all architectures. The IMA and EVM features are used to monitor files for accidental or malicious altering. In Oracle Linux 7.6, these features were only available on the AMD64 and Intel 64 architectures.

  • PMTU discovery and route redirection provided for VXLAN and GENEVE tunnels

    This enhancement adds Path MTU (PMTU) discovery and route redirection for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. The kernel can now handle Internet Control Message Protocol (ICMP) error messages such as "Destination Unreachable" and "Redirect Message", as well as ICMPv6 error messages such as "Packet Too Big" and "Destination Unreachable" for VXLAN and GENEVE tunnels, which is done by adjusting the PMTU and modifying the forwarding information.

  • Spectre V2 mitigation default changed from IBRS to Retpoline on new Oracle Linux 7.7 installations

    On new Oracle Linux 7.7 installations, the default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and close derivatives has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline. This implementation is a result of Intel’s recommendations to align with the defaults that are used in the Linux community and also to restore lost performance. Note that using Retpoline in certain situations might not fully mitigate Spectre V2.
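To check on an installed system which of the settings described above are in effect (the mitigations= boot option from the SMT section and the Spectre V2 default from this list), the following added example reads the kernel command line and the kernel's sysfs status files. It is not part of the Oracle release notes; the function names and the sample status strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the SMT boot policy and the active Spectre V2 mitigation.

# Parse a kernel command line (as found in /proc/cmdline) and report the
# mitigations= value and whether SMT is disabled at boot.
# With no mitigations= option, the default mitigations=auto applies.
smt_policy() {
    _mit=auto
    _nosmt=no
    set -f                                  # no glob expansion while splitting
    for _opt in $1; do
        case "$_opt" in
            mitigations=*)     _mit=${_opt#mitigations=} ;;
            nosmt|nosmt=force) _nosmt=yes ;;  # stand-alone kernel option
        esac
    done
    set +f
    case "$_mit" in *nosmt*) _nosmt=yes ;; esac
    echo "mitigations=$_mit nosmt=$_nosmt"
}

# Classify the one-line status from
# /sys/devices/system/cpu/vulnerabilities/spectre_v2.
# "Vulnerable" is tested first, so a Retpoline build that the kernel itself
# reports as insufficient is not counted as mitigated.
spectre_v2_mode() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        *[Rr]etpoline*)  echo retpoline ;;   # e.g. "Mitigation: Full retpoline" (constructed sample)
        *IBRS*)          echo ibrs ;;        # e.g. "Mitigation: IBRS (kernel)" (constructed sample)
        *)               echo unknown ;;
    esac
}

# Print the live state; files missing on older kernels are shown as "unknown".
report() {
    _cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    _v2=$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null || echo unknown)
    _smt=$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || echo unknown)
    echo "Boot policy : $(smt_policy "$_cmdline")"
    echo "SMT control : $_smt"
    echo "Spectre V2  : $(spectre_v2_mode "$_v2") ($_v2)"
}

report
```

A result of nosmt=no together with an SMT control value of on means that SMT is still active and the mitigations=auto,nosmt boot option has not been applied.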

Networking

The following networking features, bug fixes, and enhancements are included in this update.

  • NetworkManager includes capability for VLAN filtering on bridge interfaces

    This enhancement enables you to configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager connection profiles, as well as define VLANs directly on bridge ports.

  • NetworkManager includes capability for configuring policy routing rules

    This enhancement enables you to configure rules as part of a connection profile, which means that NetworkManager now adds the rules when the profile is activated and removes the rules when the profile is deactivated. Previously, you had to set up policy routing rules outside of NetworkManager by using the dispatcher script provided in the NetworkManager-dispatcher-routing-rules package.

Security

The following security features, bug fixes, and enhancements are included in this update.

  • Network Security Services (NSS) package updates

    This update introduces several NSS changes, including numerous bug fixes, security enhancements, and improvements over the previous NSS version.

    Notably, the NSS code and Certificate Authority (CA) list now meets the recommendations that are published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI).

  • SCAP Security Guide enhancement to include Universal Base Image containers and images

    The security policies in the SCAP Security Guide have been enhanced to include Universal Base Image (UBI) containers and UBI images, which also includes ubi-minimal images. This enhancement enables configuration compliance scanning of UBI containers and images by using the atomic scan command. UBI containers and images can now be scanned against any profile that is shipped in the SCAP Security Guide, with only those rules that are relevant to the secure configuration of UBI being evaluated. Any rules that are inapplicable to UBI images and containers are automatically skipped.

  • scap-security-guide packages updated to version 0.1.43

    As of this update, the scap-security-guide packages are updated to version 0.1.43. This version of the scap-security-guide packages provides several bug fixes and enhancements over the previous version.

  • shadow-utils packages updated to version 4.6

    The shadow-utils packages have been updated to version 4.6 in this update. This version of the shadow-utils packages provides several bug fixes and enhancements over the previous version, including the new newuidmap and newgidmap commands for manipulating name space mapping for UID and GID.

  • tangd_port_t SELinux type added

    Oracle Linux 7.7 includes the tangd_port_t SELinux type. This SELinux type enables the tangd service to run as confined while in SELinux enforcing mode, which simplifies the configuration of a Tang server to enable listening on a user-defined port, while preserving the security level that SELinux provides when in enforcing mode.

Infrastructure Services

The following server and services features, bug fixes, and enhancements are included in this update.

Tuned Updates

As of this update, the tuned packages are updated to version 2.11. This version of Tuned provides several bug fixes and enhancements over the previous version, including the following: added support for the boot loader specification, an updated virtual-host profile, the addition of a range feature for CPU exclusion, and other important improvements.

Chrony Updates

As of this update, the chrony packages are updated to version 3.4. This version of Chrony provides several bug fixes and enhancements over the previous version, including the following: hardware timestamping improvements, extended polling interval ranges, the addition of the burst and filter options to NTP sources, and other important improvements.

Technology Preview

Features that are currently under technology preview when using UEK R5 are described in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 5 Update 2 (4.14.35-1902).

For RHCK, the following features are currently under technology preview:

  • Systemd: Importd features for container image imports and exports.

  • File Systems:

    • Block and object storage layouts for parallel NFS (pNFS).

    • DAX (Direct Access) for direct persistent memory mapping from an application. This feature is under technical preview for the ext4 and XFS file systems.

    • OverlayFS remains in technical preview.

  • Kernel:

    • Heterogeneous memory management (HMM).

    • No-IOMMU mode virtual I/O feature.

  • Networking:

    • Cisco VIC InfiniBand kernel driver, which provides similar functionality to RDMA on proprietary Cisco architectures.

    • Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.

    • Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver.

    • Trusted Network Connect included.

  • Storage:

    • Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.

    • Plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now supported, but the plug-in is under technology preview.

Compatibility

Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux, which is independent of the kernel version that underlies the operating system. Existing applications in user space continue to run unmodified on the Unbreakable Enterprise Kernel Release 5 (UEK R5) and no re-certifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R5 will remain unchanged in all subsequent updates to the initial release. UEK R5 contains changes to the kernel ABI relative to UEK R4 that require recompilation of third-party kernel modules on the system. Before installing UEK R5, verify its support status with your application vendor.