4 New Features and Changes

The following features and changes are included in Oracle Linux 7.8. These features generally apply to the x86_64 and Arm (aarch64) platforms. For information about features and changes that apply specifically to the Arm platform, see Release-Specific Information for Oracle Linux 7.8 (aarch64).

For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle Linux 7: Release Notes for Oracle Linux 7.

Important Installation Information for Oracle Linux 7.8

Before installing Oracle Linux 7.8 on the x86_64 platform, review the following important information:

Important:

Any system that is installed by using any Oracle Linux 7.8 ISO and is subsequently registered with the Unbreakable Linux Network (ULN) is automatically subscribed to the ol7_x86_64_latest and ol7_x86_64_UEKR5 channels and is configured to download the latest Unbreakable Enterprise Kernel Release 5 (UEK R5) release upon the next system update. When you run yum update after initially registering with ULN, the system is upgraded to the Oracle Linux 7.8 release and the default kernel is automatically changed to UEK R5. If you prefer to continue to use an alternate kernel, such as UEK R4, you must manually change the subscriptions for the system in ULN before performing the system update.

Systems that are not registered with ULN retain any existing yum configuration and continue to use the kernel that is installed with Oracle Linux 7.8. If you are not registered with ULN and want to upgrade your system to use UEK R5, you must enable the ol7_UEKR5 repository in your yum configuration.

BTRFS Deprecated in RHCK

Starting with Oracle Linux 7.4, the BTRFS file system type is deprecated in RHCK. Note that BTRFS is fully supported with UEK R4 and later UEK releases.

rsyslog Improvement

An improvement has been made to the rsyslog service in Oracle Linux 7.8. A new option has been added for managing letter-case preservation in the FROMHOST property for the imudp and imtcp modules. Note that you must explicitly set the preservecase value to on to enable handling of the FROMHOST property in a case-sensitive manner. To avoid breaking any existing configurations, the default preservecase value is set to on for the imtcp module and off for the imudp module.
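Because the two defaults differ, the same sender can appear with differently cased FROMHOST values depending on transport. The following added example (not part of the release notes) reports the effective preservecase value per module from a configuration read on standard input; it assumes RainerScript `module(load="...")` statements, and the function names and sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: effective preservecase setting per rsyslog input module.
# Assumes RainerScript module(load="...") statements; names are illustrative.

# Constructed sample: neither module sets preservecase explicitly.
sample_conf() {
cat <<'EOF'
# constructed rsyslog.conf fragment
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
EOF
}

# effective_preservecase MODULE < rsyslog.conf
# Prints on/off; falls back to the 7.8 defaults (imtcp=on, imudp=off).
effective_preservecase() {
    local mod=$1 def
    case $mod in
        imtcp) def=on ;;
        imudp) def=off ;;
        *) echo "unsupported module: $mod" >&2; return 2 ;;
    esac
    awk -v mod="$mod" -v val="$def" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        /module\(/       { buf = ""; inmod = 1 }     # a module() statement starts
        inmod            { buf = buf " " tolower($0) }
        inmod && /\)/ {                              # statement ends (may span lines)
            inmod = 0
            if (index(buf, "load=\"" mod "\"") &&
                match(buf, /preservecase="[^"]*"/))
                val = substr(buf, RSTART + 14, RLENGTH - 15)
        }
        END { print val }'
}

# transports_disagree < rsyslog.conf
# Succeeds when FROMHOST case is preserved on one transport but not the other,
# so a FROMHOST comparison can behave differently per transport.
transports_disagree() {
    local conf; conf=$(cat)
    [ "$(printf '%s\n' "$conf" | effective_preservecase imudp)" != \
      "$(printf '%s\n' "$conf" | effective_preservecase imtcp)" ]
}

sample_conf | transports_disagree && echo "imudp and imtcp treat FROMHOST case differently"
```

Run it against a real configuration with `effective_preservecase imudp < /etc/rsyslog.conf`; files pulled in through include directives are not followed.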

Pacemaker Default Settings

In Oracle Linux 7.8, the Pacemaker concurrent-fencing cluster property defaults to true. Also, when multiple nodes require fencing at the same time and use different configured fence devices, Pacemaker now executes the fencing simultaneously. Previously, this type of fencing was serialized. Note that this enhancement speeds up recovery in a large cluster where multiple nodes are fenced.

Security

The following security features, bug fixes, and enhancements are included in this release.

SCAP Security Guide Improvements

In this update, the scap-security-guide packages have been updated to version 0.1.46. Also, the Protection Profile for the General Purpose Operating Systems (OSPP) profile with the ospp ID in the scap-security-guide packages is updated to the OSPP 4.2.1 baseline.

Another change in this update is the introduction of the NCP (NIST National Checklist Program Security Guide) profile with the ncp ID. The NCP profile conforms to OSPP 4.2.1 and implements configuration requirements for additional policies; in particular, CNSSI 1253, NIST 800-171, NIST 800-53, USGCB, and OS SRG.

Note that the ospp42 ID has been removed. Administrators are advised to switch systems that are currently using the ospp42 profile to ospp, which is a valid ID.
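Scheduled scans and kickstart files that still name the removed ID need to be found and updated. The following added example (not part of the release notes) locates and rewrites ospp42 where it is used as a profile ID, in either its short or full XCCDF form; the sample cron and kickstart lines, the `DS_FILE` placeholder, and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find and rewrite references to the removed ospp42 profile ID
# in scan automation. Sample input and function names are illustrative.

# Constructed sample: cron entries and a kickstart add-on stanza.
# DS_FILE is a placeholder for the SCAP data stream path.
sample_automation() {
cat <<'EOF'
0 3 * * 0 oscap xccdf eval --profile ospp42 --results /var/tmp/ospp42-scan.xml DS_FILE
30 3 * * 0 oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp42 DS_FILE
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = ospp42
%end
15 4 * * 0 oscap xccdf eval --profile ospp DS_FILE
EOF
}

# Matches ospp42 only where it is used as a profile ID (short or full form),
# so unrelated strings such as result file names are left alone.
PROFILE_RE='((--profile[= ]|profile[[:space:]]*=[[:space:]]*)(xccdf_org\.ssgproject\.content_profile_)?)ospp42([^[:alnum:]_]|$)'

# stale_profile_refs < file
# Prints "LINENO:line" for each line that still selects the removed profile.
stale_profile_refs() {
    grep -nE -- "$PROFILE_RE" || true
}

# migrate_profile_refs < file
# Prints the same text with ospp42 profile IDs replaced by ospp.
migrate_profile_refs() {
    sed -E "s/$PROFILE_RE/\\1ospp\\4/g"
}

echo "Stale references:"
sample_automation | stale_profile_refs
echo "After migration:"
sample_automation | migrate_profile_refs
```

Before deploying the rewritten files, confirm that the ospp ID is listed by `oscap info` for the installed data stream.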

This update also includes the following other notable features and enhancements for the SCAP Security Guide:

  • SCAP Security Guide supports ACSC Essential Eight

    The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile. You can also now use the OpenSCAP suite to check security compliance and remediation by using this specification of minimum security controls, as defined by ACSC.

  • SCAP Security Guide correctly disables services

    The SCAP Security Guide (SSG) profiles now correctly disable and mask services that should not be started, which ensures that disabled services are not started inadvertently as a dependency of another service. Previously, SSG profiles only disabled the service. As a result of this change, services that are disabled by an SSG profile cannot be started unless you first unmask them.

  • Support for scanning Oracle Linux 8 systems from Oracle Linux 7

    In this update, the scap-security-guide package includes SCAP content and Ansible playbooks for Oracle Linux 8, which provides capability for scanning Oracle Linux 8 systems from the Oracle Linux 7 environment.

SELinux Improvements

The following SELinux features and changes are introduced in this release:

  • selinux-policy packages updated to enable tomcat_t domain access to redis_port_t labeled ports

    New in Oracle Linux 7.8, the selinux-policy packages now enable the tomcat_t domain to connect to ports that are labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. This boolean provides tomcat_t with access to several databases.

  • SELinux policy updated to enable sysadm_u users to log in to graphical sessions

    In this update, the SELinux policy now allows sysadm_u users login access to graphical sessions, while still conforming to DISA STIG requirements. In addition, enabling the xdm_sysadm_login boolean allows the sysadm_u user to successfully log in to an X Window System session from the GNOME Display Manager (GDM).

Technology Preview

For RHCK, the following features are currently under technology preview.

Note:

Features that are currently under technology preview in UEK R5 are described in the release notes for the UEK R5 release that you are running, which is part of the Unbreakable Enterprise Kernel documentation library.

  • Systemd: Importd features for container image imports and exports.

  • File Systems:

    • Block and object storage layouts for parallel NFS (pNFS).

    • DAX (Direct Access) for direct persistent memory mapping from an application. This feature is under technology preview for the ext4 and XFS file systems.

    • OverlayFS remains in technology preview.

  • Kernel:

    • Extended Berkeley Packet Filter tool (eBPF) system call for tracing.

    • Heterogeneous memory management (HMM).

    • kexec and kexec fast reboot system calls for loading and booting into another kernel from the currently running kernel.

    • No-IOMMU mode virtual I/O feature.

  • Networking:

    • Cisco VIC InfiniBand kernel driver, which provides similar functionality to RDMA on proprietary Cisco architectures.

    • Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.

    • Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver.

    • The flower classifier with off-loading support.

    • Trusted Network Connect included.

  • Storage:

    • Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.

    • NVMe over Fibre Channel (NVMe/FC) transport type available in Qlogic adapters using the qla2xxx driver.

    • Plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now supported, but the plug-in is under technology preview.

Compatibility

Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux (RHEL), independent of the kernel version that underlies the operating system. Existing applications in userspace continue to run unmodified on Unbreakable Enterprise Kernel Release 5 (UEK R5) and no re-certifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R5 will remain unchanged in all subsequent updates to the initial release. UEK R5 contains changes to the kernel ABI relative to UEK R4 that require recompilation of third-party kernel modules on the system. Before installing UEK R5, verify its support status with your application vendor.