Chapter 3 New Features and Changes

This chapter describes new features, major enhancements, bug fixes, and other changes that are included in the Oracle Linux 8 release.

3.1 Oracle Linux 8 Software Distribution and Management

Oracle Linux 8 introduces the following software management features, enhancements, and changes.

3.1.1 Oracle Linux 8 Content Distribution Changes

The core operating system and associated packages for a typical Oracle Linux 8 server are distributed through Application Streams. Application Streams contain all of the necessary system components and a range of applications that were previously distributed in Software Collections, as well as other products and programs.

3.1.1.1 About Oracle Linux 8 Repositories

The yum repositories on the Oracle Linux 8 ISO, which form the base repositories for an Oracle Linux 8 installation, are divided into two repositories: BaseOS and AppStream, both of which are available with all Oracle Linux subscriptions. These two repositories are required for the operating system to work. Additional packages may be provided in additional repositories, for example, the CodeReady Linux Builder repository.

The BaseOS repository includes the core set of packages that are required for Oracle Linux to function and includes packages that are required for all installation methods. The content of the BaseOS repository is available in RPM format. The same support terms that applied in previous releases apply to the Oracle Linux 8 release.

The AppStream repository includes packages that provide additional support for a variety of workloads, such as user-space applications, runtime languages, and databases. The AppStream repository includes content with various life cycles, which is available as traditional RPM packages and an extended format, referred to as modules.

The CodeReady Linux Builder repository provides the build packages that are required for developers and package maintainers to build traditionally compiled binaries that you might ship as packages with Oracle Linux. For example, this repository contains compilers, build tools, library sources, developer documentation, documentation build tools, and several other developer-related packages.

If you attempt to install packages from the codeready_builder yum repository or ULN channel, the system must also be subscribed to the appstream yum repository or ULN channel to avoid dependency issues. It is not sufficient for a system to only be subscribed to the codeready_builder yum repository or ULN channel and to baseos_latest.

For information about package changes in this release, see Appendix B, Package Changes from the Upstream Release.

3.1.1.2 About Application Streams

Oracle Linux 8 introduces the concept of Application Streams, where multiple versions of user-space components can be delivered and updated more frequently than the core operating system packages. Application Streams contain all of the necessary system components and a range of applications that were previously distributed in Software Collections, as well as other products and programs.

The content in the AppStream repository is available in two formats: RPM and modules, which are an extension of the RPM format. Traditional RPM packages are available for immediate installation. Traditional package management methods and installation are transparently supported for all content. Modules are similar to Software Collections, in that they provide a mechanism by which multiple, major versions of a component are made available for installation in the AppStream repository. Note that modules are easier than Software Collections to install and use. The appropriate combination of modules and streams is automatically used to enable the installation of packages that rely on modular features.

The AppStream repository contains the following components:

  • Modules: Are a set of RPM packages that are grouped and installed together. Modules can contain several streams that consist of multiple versions of applications that can be installed. A module stream is enabled to provide system access to the RPM packages that are contained within that module stream.

    A typical module can contain the following different types of packages: packages with an application, packages with the application's specific dependency libraries, packages with documentation for the application, and packages with helper utilities.

  • Module streams: Contain a different version of packages and their dependencies. Modules can have multiple streams and each stream receives updates independently. Although modules can have multiple streams, only one of its streams can be enabled and provide its packages to enable the installation of the respective version of content. Typically, the stream with the latest version is selected as the default stream and will be used when operations do not specify a particular stream or a different stream is not enabled.

    Note

    Oracle recommends that you use the latest stream for any module that is installed, even though other streams may continue to receive limited support.

  • Module profiles: List certain packages that are to be installed at the same time for a particular use case. Each module can have one or more profiles.

For more detailed information about modules, including examples, see the chapter on DNF in Oracle® Linux 8: Managing Software on Oracle Linux.
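As an added illustration, not taken from the release notes, the following shell script reads the plain-text layout that dnf module list prints and reports, per module, which stream is enabled and whether it matches the default stream (which, as noted above, is normally the latest one). The sample listing it runs on is constructed; the module names and stream numbers in it are only examples.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux release notes): audit which module
# stream is enabled per module, using the plain-text layout of `dnf module list`.
# Legend printed by dnf on its Hint line: [d]efault, [e]nabled, [x]disabled, [i]nstalled.

# Constructed sample of `dnf module list` output; not captured from a real host.
SAMPLE_MODULE_LIST='Oracle Linux 8 Application Stream (x86_64)
Name             Stream      Profiles                          Summary
nodejs           10 [d][e]   common [d], development, minimal  Javascript runtime
nodejs           12          common [d], development, minimal  Javascript runtime
postgresql       9.6 [e]     client, server [d]                PostgreSQL server and client module
postgresql       10          client, server [d]                PostgreSQL server and client module
postgresql       12 [d]      client, server [d]                PostgreSQL server and client module
perl             5.24        common [d], minimal               Practical Extraction and Report Language
perl             5.26 [d][e] common [d], minimal               Practical Extraction and Report Language
container-tools  1.0         common [d]                        Common tools and dependencies for container runtimes
container-tools  ol8 [d][e]  common [d]                        Common tools and dependencies for container runtimes

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled'

# Reads `dnf module list` text on stdin and prints one line per module:
#   <module> enabled=<stream|-> default=<stream|-> <ok|REVIEW|unset>
# REVIEW marks a module whose enabled stream is not its default stream (on
# Oracle Linux 8 the default is normally the latest stream, the one the release
# notes recommend). "unset" means no stream is enabled, so the default applies.
module_stream_audit() {
  awk '
    /^Name[ \t]+Stream[ \t]+Profiles/ { inrows = 1; next }   # column header
    !inrows { next }                                         # repository title lines
    /^[ \t]*$/ || /^Hint:/ { next }                          # separator and legend
    {
      name = $1; stream = $2
      # "[d][e]" sits in column 3; profile names never start with "["
      flags = ($3 ~ /^\[/) ? $3 : ""
      if (flags ~ /\[d\]/) def[name] = stream
      if (flags ~ /\[e\]/) ena[name] = stream
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
    }
    END {
      for (i = 1; i <= n; i++) {
        m = order[i]
        e = (m in ena) ? ena[m] : "-"
        d = (m in def) ? def[m] : "-"
        if (e == "-") status = "unset"
        else if (e == d) status = "ok"
        else status = "REVIEW"
        printf "%s enabled=%s default=%s %s\n", m, e, d, status
      }
    }'
}

# Runs the audit over the constructed sample. On a live host use:
#   dnf module list | module_stream_audit
module_stream_audit_sample() {
  printf '%s\n' "$SAMPLE_MODULE_LIST" | module_stream_audit
}

module_stream_audit_sample
```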

3.1.2 DNF Support Added

Oracle Linux 8 supports a new version of the Yum tool that is based on the DNF technology. DNF, or Dandified yum, is a software package manager that installs, updates, and removes packages on RPM-based Linux distributions. Yum DNF (often referred to simply as DNF) provides several advantages over the Yum v3 tool that was used in previous releases. Most notably, DNF provides support for modular content, as well as a strict and stable API for extensions and plugins.

Keep the following key points in mind when using DNF:

  • DNF is compatible with Yum v3 when used from the command line or when editing or creating configuration files.

  • You can use the dnf command and all of its options similarly to how you used the yum command in Oracle Linux 7 and previous releases.

  • You can install Yum packages under the names that were previously used by using the provides command.

  • To aid in the transition from Yum v3 to DNF, packages include compatibility symlinks to enable binaries, configuration files, and directories to be found in their usual locations.

  • Because the Python API that is provided by Yum v3 and the Libdnf C API are likely to change during the Oracle Linux 8 life cycle, users are encouraged to migrate plugins and scripts to the new DNF Python API, as this API is stable and fully supported in Oracle Linux 8.

For a comparison of command-line, plugin, and utility differences between Yum v3 and DNF, see Appendix A, Comparing Yum Version 3 With DNF.

3.1.3 RPM Improvements

Oracle Linux 8 ships with version 4.14 of RPM. This version of RPM introduces many improvements over the previously supported RPM version 4.11.

With RPM version 4.14, you can install debuginfo packages in parallel. This version of RPM also provides support for several new features, including the following:

  • Weak dependencies

  • Rich or boolean dependencies

  • Packaging of files that are greater than 4 GB

  • File triggers

Other important changes include stricter spec-parser, simplified signature checking of output in non-verbose mode, as well as additions and deprecations in macros.

One significant change in this version of RPM is that it now validates the entire package contents before starting an installation. In Oracle Linux 7, RPM verified the payload contents of individual files during unpacking, which could be inefficient, especially if the payload was damaged.

Also, in the previous version of RPM, hashes on individual files were performed on uncompressed data, thus causing RPM to be susceptible to decompressor vulnerabilities. In Oracle Linux 8, the entire package is validated as a separate step prior to installation using the best available hash. In this release, packages are built by using a new SHA-256 hash on the compressed payload. For signed packages, the payload hash is additionally protected by the signature; and, therefore, cannot be altered without breaking a signature and other hashes on the package header. Note that older packages use the MD5 hash for the header and payload unless the hash has been disabled by configuration. In addition, you can use the %_pkgverify_level macro to enforce signature verification prior to installation or to disable the payload verification. You can also use the %_pkgverify_flags macro to limit the hashes and signatures that are allowed.
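An added example, not from the release notes: the macro override below turns on rpm-level signature enforcement with %_pkgverify_level, and the small resolver beside it shows which value is in effect when the shipped default in /usr/lib/rpm/macros and a site file under /etc/rpm both set it. The macro file tree in the demo is constructed in a temporary directory; treating an undefined level as weak is an assumption made here.

```shell
#!/bin/sh
# Added example, not from the release notes: enforce signature verification at
# the rpm level via %_pkgverify_level, and resolve which value is in effect.
#
# rpm reads its macro files in a fixed order (see the "Macro path" line of
# `rpm --showrc`) and the last definition of a macro wins, so a site file under
# /etc/rpm overrides the packaged default in /usr/lib/rpm/macros.

# Prints the value of macro $1 from the files given as $2.. in read order;
# the last definition wins. Prints "(undefined)" when no file sets it.
effective_macro() {
  name=$1; shift
  value='(undefined)'
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(awk -v m="%$name" '$1 == m { v = $2 } END { print v }' "$f")
    [ -n "$v" ] && value=$v
  done
  printf '%s\n' "$value"
}

# Maps a %_pkgverify_level value to what it means at install time:
#   none / digest   -> an unsigned package still installs (digest only, or nothing)
#   signature / all -> a package without a valid signature is refused
# An undefined level is treated as weak here (assumption: nothing enforces a signature).
pkgverify_verdict() {
  case $1 in
    signature|all) echo "enforced" ;;
    digest|none|'(undefined)') echo "weak" ;;
    *) echo "unknown" ;;
  esac
}

# Writes a site override into the macros directory $1 (normally /etc/rpm).
harden_pkgverify() {
  cat > "$1/macros.pkgverify" <<'EOF'
# Refuse packages that carry no valid signature, even for a plain `rpm -i`.
# %_pkgverify_flags is left at its default so all hashes stay allowed.
%_pkgverify_level signature
EOF
}

# Self-contained demo on a constructed tree that mimics /usr/lib/rpm and /etc/rpm.
# Prints "<level before>:<verdict> <level after>:<verdict>".
demo_pkgverify() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/lib/rpm" "$tmp/etc/rpm"
  printf '%%_pkgverify_level digest\n' > "$tmp/usr/lib/rpm/macros"   # constructed "shipped default"
  before=$(effective_macro _pkgverify_level "$tmp/usr/lib/rpm/macros" "$tmp/etc/rpm/macros.pkgverify")
  harden_pkgverify "$tmp/etc/rpm"
  after=$(effective_macro _pkgverify_level "$tmp/usr/lib/rpm/macros" "$tmp/etc/rpm/macros.pkgverify")
  rm -rf "$tmp"
  printf '%s:%s %s:%s\n' "$before" "$(pkgverify_verdict "$before")" "$after" "$(pkgverify_verdict "$after")"
}

demo_pkgverify
```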

3.2 Installation, Boot, and Image Creation

Oracle Linux 8 introduces the following notable features and improvements to installing and booting a system, and creating images:

  • New kernel boot parameter added to the installer.  A new kernel boot parameter, inst.addrepo=name,url, has been added to the installer. You can use this parameter to specify an additional repository during an installation. Note that the parameter has two mandatory values that must be provided: the name of the repository and a URL that points to that repository. Previously, you could only specify a base repository by setting kernel boot parameters.

  • LUKS2 disk encryption added to installer.  By default, the Oracle Linux 8 installer uses the LUKS2 format. This change introduces several improvements such as extending the capabilities of the on-disk format and providing flexible ways to store metadata. During an installation with the installer, you can now select a LUKS version in the Custom Partitioning window. Or, you can specify these new command options in a kickstart profile by using the autopart, logvol, part, and RAID options.

  • Boom Boot Manager added.  The Boom Boot Manager uses boot loaders that support the BootLoader Specification for boot entry configuration. Boom provides flexible boot configuration and simplifies the creation of new or modified boot entries. Boom includes a simple command-line interface (CLI) and an API that make the task of creating boot entries easier.

    Note that the Boom Boot Manager does not modify any existing boot loader configuration; it only inserts additional entries, thereby maintaining the existing configuration, as well as any distribution integration such as kernel installation and update scripts. This configuration continues to function as in previous releases.

  • Support for unified ISO added to the installer.  In this release, the installer uses a unified ISO, which automatically loads the BaseOS and AppStream installation source repositories. The feature works for the first base repository that is loaded during an installation, but it does not work if you boot by using a different base repository and then attempt to change to the unified ISO. Doing so replaces the base repository; however, the AppStream repository is not replaced and continues to point to the original file.

  • Deprecated Kickstart commands and options.  Several Kickstart commands and options that were available in previous releases are now deprecated. Most significantly, the --interactive option for the ignoredisk command is deprecated and should be removed from any existing kickstart configurations to prevent a fatal error during installation.

    Other deprecated commands and options include:

    • auth

    • authconfig

    • device

    • deviceprobe

    • dmraid

    • install

    • lilo

    • lilocheck

    • mouse

    • multipath

    • bootloader --upgrade

    • ignoredisk --interactive

    • partition --active

    • reboot --kexec

3.3 Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.

  • modinfo command updated to recognize and display the PKCS#7 module signature.  The modinfo command has been updated to recognize and display signature information, such as signature key fingerprint, signer, and correct hash algorithm, for modules that are signed with CMS and PKCS#7 formatted signatures. Also, note that previous versions of the modinfo command incorrectly displayed these modules as signed with the MD4 hash and did not display the appropriate signature information, such as the signature key or the correct hash algorithm.

  • Some kernel modules have been moved to the kernel-modules-extra package.  To increase security in Oracle Linux 8, a set of kernel modules have been moved to the kernel-modules-extra package, which means none of these modules are installed by default. As a consequence, non-root users cannot load these components, as they are also blacklisted by default. To use one of these kernel modules, as the root user, you must install the kernel-modules-extra package, then explicitly remove the module blacklist. As a result, non-root users will be able to load the software component automatically.

    To check whether a module was moved and is now included in the kernel-modules-extra package, you can run the following command:

    # dnf repoquery -l kernel-modules-extra
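
An added example (not from the release notes) that audits the modprobe blacklist accompanying kernel-modules-extra and lifts it for one module, as the step above describes. The directory it works on and the module names example_a, example_b and example_c are constructed stand-ins, not the real module list; on a system the directory is /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not from the release notes: list the modules blacklisted by
# "blacklist <module>" lines in *.conf files, and remove the entry for one
# module deliberately. The directory is a parameter so the demo can run on a
# constructed copy instead of /etc/modprobe.d.

# Prints the names of all blacklisted modules found in $1/*.conf, one per line.
blacklisted_modules() {
  dir=$1
  [ -d "$dir" ] || return 0
  cat "$dir"/*.conf 2>/dev/null |
    awk '$1 == "blacklist" && NF >= 2 { print $2 }' | sort -u
}

# Returns 0 if module $1 is blacklisted under directory $2, 1 otherwise.
is_blacklisted() {
  blacklisted_modules "$2" | grep -qx -- "$1"
}

# Removes the "blacklist <name>" line for module $1 from every *.conf under $2.
# Other entries and comments are kept; the file is rewritten in place so its
# mode and ownership survive.
unblacklist_module() {
  name=$1; dir=$2
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    awk -v m="$name" '!($1 == "blacklist" && $2 == m)' "$f" > "$f.tmp" \
      && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
  done
}

# Demo on a constructed stand-in for /etc/modprobe.d (placeholder module names).
# Prints "before:<list> after:<list>".
demo_blacklist() {
  tmp=$(mktemp -d)
  printf 'blacklist example_a\nblacklist example_b\n' > "$tmp/extra-blacklist.conf"
  printf '# local policy\nblacklist example_c\n' > "$tmp/site.conf"
  set -- $(blacklisted_modules "$tmp"); before="$*"
  unblacklist_module example_b "$tmp"
  set -- $(blacklisted_modules "$tmp"); after="$*"
  rm -rf "$tmp"
  printf 'before:%s after:%s\n' "$before" "$after"
}

demo_blacklist
```
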

  • 5-level paging added.  The kernel has been updated to include a new p4d_t software page table type. This change enables 5-level paging in Oracle Linux 8. This feature requires hardware support, which may not be available on your processor type.

  • Memory management 5-level paging added.  Memory bus limits have been extended to 57/52 bits of virtual/physical memory addressing, with 128 PiB of virtual address space and 4 PB of physical memory capacity. This extended address range allows the memory management feature in Oracle Linux 8 to enable 5-level paging, which is capable of handling an expanded address range.

    The I/O memory management unit (IOMMU) code in the Linux kernel is also updated in this release to enable 5-level paging tables.

  • Support for Control Group v2 added.  This release supports the Control Group v2 mechanism, which organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner. Unlike the previously supported version, Control Group v2 is a single hierarchy that categorizes processes based on the role of the process owner and eliminates issues with conflicting policies and multiple hierarchies.

    The Control Group v2 mechanism supports numerous controllers, including the following: CPU controller, memory controller, I/O controller, PID controller, and the RDMA controller. Note that the I/O controller, in conjunction with the memory controller, implements the control of page cache write-back IOs.

    Note

    Support for the cpuset Cgroup v2 controller is not currently available in Oracle Linux 8.

  • Capability for reporting eBPF-based programs and maps added to sosreport tool.  In Oracle Linux 8, the sosreport tool includes the capability for reporting any loaded extended Berkeley Packet Filtering (eBPF) programs and maps.

  • bpftool added.  Support for the bpftool tool has been added to the Linux kernel. This tool is used for inspection and the basic manipulation of programs and maps that are based on eBPF. The bpftool tool is part of the kernel source tree and is provided by the bpftool package, which is a subpackage of the kernel package.

  • Support for early kdump added.  The early kdump feature enables the crash kernel and initramfs to load early so that it can capture vmcore information, including early crashes. Previously, the kdump service did not start soon enough to capture crash information (vmcore), especially for early kernel crashes. See the /usr/share/doc/kexec-tools/early-kdump-howto.txt file for more details.

3.4 Cockpit

Oracle Linux 8 includes the following features, enhancements, and changes for the Cockpit interface:

Note

For security purposes, Cockpit usually requires that web browsers communicate with the application by using HTTPS. For more information about Cockpit usage requirements, including information about certificates and SSL and TLS versions, visit https://cockpit-project.org/guide/latest/https.html#https-certificates.

  • Cockpit packages available for installation by default.  Cockpit packages are now included in the Oracle Linux default repositories and are available for immediate installation. For non-minimal installations, Cockpit is automatically installed. A system message that is displayed prior to login provides information about how to enable or access Cockpit.

    Note

    If your firewall is enabled, you might need to allow access for the ports that are used by cockpit. To explicitly enable the firewall ports for this service, run the following command:

    # firewall-cmd --permanent --add-service=cockpit; firewall-cmd --reload

  • Firewall section added to Cockpit Networking page.  The new Firewall section on the Networking page provides support for enabling and disabling a firewall. You can also add, remove, and modify firewall rules in this section of the page.

  • Cockpit front page improved to display missing updates and subscriptions.  If your Cockpit-managed system has outdated packages or a lapsed subscription, a warning is now displayed on the Cockpit front page of the system.

  • Cockpit compatibility with mobile browsers.  In this release, you have the ability to navigate Cockpit menus and pages on several different mobile browsers. This change makes it possible to manage systems by using Cockpit from a mobile device.

  • Support for PBD rules added.  You can now use the Cockpit interface to apply Policy-Based Decryption (PBD) rules to disks on managed systems. The use of the Clevis decryption client facilitates several security management functions in Cockpit, for example, the automatic unlocking of LUKS-encrypted disk partitions.

  • Support for managing virtual machines with Cockpit.  The ability to add a Virtual Machine page to the Cockpit interface has been added. You can use this page to create and manage libvirt-based virtual machines.

3.5 Podman, Buildah, and Skopeo Container Tools Included

The podman, buildah, and skopeo container tools are provided in the Oracle Linux 8 release. These tools are compatible with the Open Container Initiative (OCI) and can be used to manage the same Linux containers that are produced and managed by Docker and other compatible container engines. Because these tools are lightweight and primarily focused on a subset of features, you can run them without the overhead of working with a daemon process.

  • Pod Manager (podman) Oracle Linux 8 introduces the Pod Manager tool (podman), which is a daemonless container engine that you can use to develop, run, and manage compatible container images on Linux systems. The containers can be run as root or in rootless mode.

    The podman tool is built on the libpod library, which enables the management of containers and groups of containers, called pods. You can use podman to directly manage pods, container images, and containers on a single node, with commands such as run, stop, start, ps, attach, exec, and similar commands.

    The podman tool uses syntax that is similar to the docker command-line tool and is able to run images that are designed to run in a Docker environment. The podman syntax is often also simplified to make it easier to run common commands; for instance, the Docker command, docker container ls --all, is shortened to podman ls --all. Furthermore, podman introduces the --latest syntax, which can be used as shorthand for the most recently created container so that you do not have to repeatedly type the container name.

    Note that podman and related tools depend on cgroup v1 functionality, so this functionality should not be disabled.

    For more information about using podman, visit https://podman.io.

  • Buildah (buildah) You use the buildah command to create container images from a working container, a Dockerfile, or from scratch. The resulting images are Open Container Initiative compliant, so they will work on any container runtime that meets the Open Container Initiative Runtime Specification, such as Docker and CRI-O.

    The buildah command includes several options that enable you to also do the following: inspect a container or image, mount and unmount a container, create a new container layer, and delete a container or image.

    Note that Buildah can operate without Docker or other container runtimes because it stores data separately and includes features that enable you to both build images, as well as run those images as containers. Note also that Buildah stores images in an area that is identified as containers-storage that is located in /var/lib/containers.

    The buildah command differs from the docker command in the following ways:

    • No container runtime (Docker, CRI-O, or other) is required to use Buildah because the buildah command bypasses the Docker daemon.

    • You can use the buildah command to build an image that is based on another container. You can also start with a scratch (empty) image.

    • Buildah tools are external. No build tools are included within the image itself, which means the size of the images that you build with Buildah are reduced. As a result, these smaller images require fewer resources to transport. Also, the images that you build with Buildah are more secure because you do not need to use tools like gcc, make, or dnf to build a container with the resulting image.

    For more information about using Buildah, visit the GitHub Buildah page.

  • Skopeo (skopeo) Skopeo is a client tool that you use to work with remote image registries to retrieve information, images, and signing content. You can use the skopeo command to copy container images to and from remote container registries. The tool also includes capability for signing and authenticating images remotely.

    The skopeo command includes several options that enable you to copy, inspect, delete, and sign images. For example, if you wanted to inspect a container image before you pull it to your system, you would use the skopeo inspect command. This command displays information about an image that resides in a remote container registry.

    For more information about using Skopeo, visit the GitHub Skopeo page.

3.6 Database

Oracle Linux 8 ships with version 8.0 of the MySQL database.

3.7 Desktop

In Oracle Linux 8, the GNOME desktop introduces the following features, enhancements, and changes:

  • GNOME Shell version updated to 3.27.  This version of the GNOME Shell includes several improvements over the previous version, including the following:

    • New GNOME Boxes features

    • On-screen keyboard implemented

    • Extended device support that includes the integration of the Thunderbolt 3 interface

    • Improvements to GNOME software, dconf-editor, and the GNOME terminal

  • Wayland is the default display server.  In Oracle Linux 8, both the GNOME session and GNOME Display Manager (GDM) use Wayland as the default display server. Wayland is a simpler replacement for the X.org server used in the previous major Oracle Linux release. Wayland, a protocol for a compositor, can be a stand-alone display server that is running on the Linux kernel's mode-setting and evdev input devices, an X application, or a Wayland client. The clients can be traditional applications, X servers (rootless or fullscreen), or other display servers.

    In addition, Wayland is easier to develop and maintain. Wayland provides the following other advantages over X.org server:

    • Stronger security

    • Improved multi-monitor handling

    • Improved user interface (UI) scaling

    • Direct control of window handling by the desktop

    Note

    Some Wayland features currently do not work as expected or are not available.

    Note that the system also automatically falls back to X.org as the default display server when the following graphics drivers are in use:

    • NVIDIA binary driver

    • cirrus driver

    • mga driver

    • aspeed driver

    You can disable Wayland manually as follows:

    • To disable Wayland in GDM, set the WaylandEnable=false option in the /etc/gdm/custom.conf file.

    • To disable Wayland in the GNOME desktop, select the legacy X11 option in the cogwheel menu that is located in the login screen after typing your login name.

  • Locating desktop packages in additional repositories not enabled by default.  In this release, additional repositories for desktop packages are not enabled by default, as indicated by the enabled=0 line in the corresponding .repo file. If you attempt to install a package from one of these repositories with PackageKit, you encounter an error indicating that the application is not available. To make the package available, change the line in the respective .repo file to enabled=1.

  • GNOME Software utility replaces gnome-packagekit.  In Oracle Linux 8, the GNOME Software utility package (gnome-software) replaces the gnome-packagekit package used in previous releases. The GNOME Software utility enables you to install and update applications and gnome-shell extensions.

  • PackageKit updated to operate on RPM packages.  Support for operating on rpm packages has been added to PackageKit.

3.8 Developer Tools and Compilers

Oracle Linux 8 introduces numerous feature enhancements and changes to developer tools and compilers, including the following:

  • Boost C++ library updated to version 1.66.  This version of the Boost C++ library provides several enhancements and improvements over Boost version 1.53, which was used in Oracle Linux 7.

    Note

    Installing the boost package no longer installs the Boost.Python library as a dependency. To use the Boost.Python library, you must explicitly install the boost-python3 or the boost-python3-devel packages.

  • GNU C library updated to version 2.28.  Oracle Linux 8 provides the GNU C library version 2.28 (glibc), which includes security hardening features, performance improvements, Unicode version 11.0.0, and new developer features.

  • ltrace tool improved to display large structures correctly.  Oracle Linux 8 includes an improved ltrace tool, which can now handle large structures and print them correctly.

  • New compat-libpthread_nonshared package added.  Oracle Linux 8 provides the new compat-libpthread-nonshared package. This package enables applications that directly reference /usr/lib64/libpthread_nonshared.a to work properly.

  • Locale package distribution change.  In Oracle Linux 8, languages and locales are distributed in multiple glibc-langpack-CODE packages. In previous releases, all locales and languages were distributed in a single package, glibc-common. Note also that in this release, not all locales are installed by default: just those that are selected during an installation are installed. Any additional locale packages that you require must be installed separately.

  • compat-libgfortran-48 package added.  Oracle Linux 8 provides the new compat-libgfortran-48 compatibility package. This package, which provides the libgfortran.so.3 library, is provided for backwards compatibility with Oracle Linux 6 and Oracle Linux 7 applications that use the Fortran library.

  • Support for retpolines added to GCC.  Oracle Linux 8 adds support for retpolines to the GNU Compiler Collection (GCC). A retpoline is a software construct that the kernel uses to reduce the overhead of mitigating Spectre Variant 2 attacks, as described in CVE-2017-5715.

  • CMake updated to version 3.11.  The CMake build system version 3.11 is provided in the cmake package in Oracle Linux 8.

  • make tool updated to version 4.2.1.  Oracle Linux 8 includes version 4.2.1 of the make build tool.

  • FIPS compliance for Go programs built with the Go Toolset.  If a host system is configured in FIPS mode, the cryptographic library that is included in the Go Toolset uses the OpenSSL library version 1.1.0. Thus, any programs that are built with this version of the Go Toolset are FIPS-compliant.

    To specify that Go programs use only the uncertified, standard cryptographic routines, use the -tags no_openssl option of the Go compiler at build time.

  • SystemTap updated to version 4.0.  Oracle Linux 8 includes version 4.0 of the SystemTap instrumentation tool. This version of SystemTap includes several notable features and improvements over the previous version.

  • binutils updated to version 2.30.  Oracle Linux 8 provides version 2.30 of the binutils package. Improvements include better support for the new s390x architecture extensions, as well as improvements to assembler and linker support. Other significant changes in this version of binutils include the addition of new options for the readelf, objdump, and nm tools.

  • Performance Co-Pilot updated to version 4.1.3.  This release includes version 4.1.3 of Performance Co-Pilot (pcp), which provides several improvements over the previous version of pcp.

  • Memory protection keys provided.  In this release, hardware features that allow per-thread page protection flag changes are enabled. New glibc system call wrappers have been added for the following functions: pkey_alloc(), pkey_free(), and pkey_mprotect(). In addition, the pkey_set() and pkey_get() functions have been added. These functions allow access to per-thread protection flags.

  • Time zone data updated to new upstream default data format.  Oracle Linux 8 includes a version of the tzdata-2018e package that works with the new default upstream data format and also includes negative DST (Daylight Saving Time) offsets.

  • elfutils updated to version 0.174.  Oracle Linux 8 includes elfutils version 0.174. This version of elfutils provides several improvements over the previous version of the tool.

  • Valgrind updated to version 3.14.  Oracle Linux 8 includes the Valgrind executable code analysis tool version 3.14. This version of Valgrind includes several feature enhancements and changes over the previous version of the tool.

  • GDB updated to version 8.2.  Oracle Linux 8 includes the GDB debugger version 8.2. This version of the GDB debugger includes several improvements over the previous version.

  • GCC updated to version 8.2.  In Oracle Linux 8, the GCC toolchain is based on the GCC 8.2 release series, which provides several changes and improvements over the previous version of GCC.

3.9 File Systems and Storage

Oracle Linux 8 introduces the following notable file systems and storage features, enhancements, and changes:

  • Btrfs file system removed in RHCK.  The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, no Btrfs user-space packages are provided in this release. If you are using Btrfs, continue to use Oracle Linux 7.

  • OCFS2 file system support not available in RHCK.  The OCFS2 file system is not supported on RHCK in Oracle Linux 8. If you need to use OCFS2, continue to run Oracle Linux 7.

  • NFSv3 over UDP support not available in Oracle Linux 8.  In Oracle Linux 8, by default, the NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket. Note that this change impacts NFS version 3 (NFSv3) only, as version 4 requires the Transmission Control Protocol (TCP).

  • DM Multipathing enhancements.  Oracle Linux 8 introduces some noteworthy enhancements for the Device Mapper Multipathing (DM Multipathing) configuration, including the following:

    • New overrides section has been added to the /etc/multipath.conf file. You can enter a configuration value for all of your devices by using this section. The attributes that you set are then used by DM Multipathing for all of your devices, unless the values are overwritten by any attributes that are set in the multipaths section of the /etc/multipath.conf file for paths that contain the device. Note that this new functionality is a replacement for the all_devs parameter in the devices section of the configuration file, which is no longer supported.

    • Support for improved detection of marginal paths has been added to the multipathd service. This enhancement helps multipath devices avoid paths that are likely to fail repeatedly, thereby improving performance. For more details about this change, including information about the options in the /etc/multipath.conf file that control marginal paths behavior, see the multipath.conf man page.

  • SCSI Multiqueue driver support added.  In Oracle Linux 8, block devices use multiqueue scheduling. This feature enhancement enables block layer performance to scale well with fast solid-state drives (SSDs) and multi-core systems.

    Also, the SCSI Multiqueue (scsi-mq) driver is enabled by default and the kernel boots with the scsi_mod.use_blk_mq=Y option. Note that a requirement of DM Multipathing is that the scsi-mq driver be active.

  • Stratis local storage manager introduced.  Oracle Linux 8 includes the Stratis local storage management tool. Stratis enables you to perform complex storage tasks and manage your storage stack more easily by using a unified interface.

  • XFS support for shared COW data extents.  The XFS file system now supports shared copy-on-write (COW) data extents, whereby two or more files can share a common set of data blocks. This feature is similar to the COW functionality that is found in other file systems: if either of the files that share common blocks changes, XFS breaks the link to those common blocks and then creates a new file.

    Shared COW extents are fast, space efficient, and transparent. User-space utilities can use COW extents for cloning, per-file snapshots, and out-of-band deduplication. Some kernel subsystems, such as Overlayfs and NFS, also use COW extents.

    Shared COW data extents are currently disabled by default during the creation of an XFS file system, in the xfsprogs 4.19.0-2.0.1.el8 package version. To create an XFS file system with this feature enabled, run the following command:

    # mkfs.xfs -m crc=1,reflink=1 block-device

    Future versions of xfsprogs are likely to enable this functionality by default.

  • Technology Preview: Clustered Bitmap on MD Raid.  The mdadm command, used to manage MD Raid devices, includes the --bitmap=clustered option to store the bitmap for the array within a clustered environment. This feature is available as a technology preview and is unsupported on Oracle Linux 8.

3.10 Identity Management

Oracle Linux 8 introduces several major identity management features and enhancements, including a major change to how the packages that are necessary for installing an Identity Management (IdM) server and client are distributed. The following are details of this and other noteworthy identity management changes:

  • IdM packages now distributed as a module.  Starting with Oracle Linux 8, the packages that are necessary to install an IdM (Identity Management) server and client are distributed as a module. The client stream is the default stream for the idm module. Note that you can download the packages that are necessary to install the client without enabling the stream.

    The IdM server module stream is called the DL1 stream and it contains multiple profiles that correspond to the following different types of IdM servers: server, dns, adtrust, client, and default.

    To download the packages to a specific profile of the DL1 stream, do the following:

    1. Enable the stream.

    2. Switch to using the RPMs that are delivered through the stream.

    3. Run the following command:

      # yum module install idm:DL1/profile-name

  • Directory Server enhancements.  This release includes the following Directory Server enhancements:

    • New password syntax checks: This enhancement for Directory Server enables dictionary checks and allows or denies the use of character sequences and palindromes. The password policy syntax check employed by Directory Server enforces more secure passwords when it is enabled.

    • Improved internal operations logging support: Directory Server now logs the real connection and operation ID, thereby enabling you to trace the internal operation to the server or client operation that caused the operation. Previously, the server only logged the Internal connection keyword for internal operations. Also, the operation ID was always set to -1.

  • Enterprise Security Client uses the opensc library for token detection.  The Enterprise Security Client (ESC) now uses the opensc library for token detection instead of the coolkey library, which has been removed. This change causes applications to correctly detect supported tokens.

  • Certificate System supports log rotation.  Certificate System now uses the java.util.logging framework, which supports log rotation. As a result of this change, you can now configure log rotation in the /var/lib/pki/instance-name/conf/logging.properties file, instead of using the previous logging framework method, which did not support log rotation.

    See the documentation for the java.util.logging package for more details.

  • Local user and group resolution cached by SSSD and served through the nss_sss module.  The resolution of local users and groups is faster in Oracle Linux 8. Note that the root user is never handled by the System Security Services Daemon (SSSD). As such, root resolution cannot be impacted by a potential bug in SSSD. Also, if SSSD is not running, the nss_sss module falls back to nss_files. Note that you do not have to configure SSSD because the files domain is automatically added.

  • KCM replaces KEYRING.  In Oracle Linux 8, the default credential cache storage is the Kerberos Credential Manager (KCM), which is backed by the sssd-kcm daemon. This enhancement provides better support for containerized environments and is the basis for adding more features in subsequent releases. KCM overcomes the limitations of KEYRING, which is difficult to use in containerized environments because it is not namespaced and therefore cannot be used to view and manage quotas.

  • Support for administering identity management with Active Directory added.  In this release, you can add a user ID override for an Active Directory (AD) user as a member of an Identity Management (IdM) group. This change enables the IdM LDAP server to apply access control rules to the AD user for the IdM group.

    In addition, an AD administrator can now fully administer IdM without having two separate accounts. AD users can also use self-service features of the IdM user interface (UI), such as uploading SSH keys and changing personal data. However, note that some IdM features still might not be available to AD users.

  • Support for printing an HBAC rules report for an IdM domain by using sssctl added.  In Oracle Linux 8, you can use the SSSD sssctl command to print an access control report for an IdM domain. This enhancement provides the ability, in certain environments (for example, for regulatory reasons), to view the list of users and groups that can access a specific client system. Running the sssctl access-report domain-name command on an IdM client prints the parsed subset of the host-based access control (HBAC) rules in the IdM domain that applies to the client system.

  • Support for session recording solution added.  Oracle Linux 8 provides a session recording solution. The new tlog package and its associated Cockpit session player enable you to record and play back user terminal sessions. Recording can be configured per user or per user group by using the SSSD service. All terminal input and output is captured and stored in text-based format in the system journal. For security reasons, recording of input is inactive by default.

    You can also use the recording solution to audit user sessions on security-sensitive systems. You can review and analyze the recorded sessions in the event of a security breach. In addition, you can configure session recording locally and then view the result from either the Cockpit web-based interface or by using the tlog-play command.

  • authselect command replaces authconfig command.  In this release, the authselect command replaces the authconfig command. The authselect command simplifies user authentication configuration on Oracle Linux 8. The authselect command also provides a safer approach to Pluggable Authentication Modules (PAM) stack management.

    You can use the authselect command to configure the following authentication methods: passwords, certificates, smart cards, and fingerprints. However, note that you cannot use the authselect command to configure services that are required to join remote domains. For this type of configuration, use the realmd or ipa-client-install command.

3.11 Infrastructure Services

Oracle Linux 8 introduces the following infrastructure services features, enhancements, and changes:

  • GeoLite database packages replaced with GeoLite2 database packages.  The GeoIP package and the legacy GeoLite databases that were provided in Oracle Linux 7 are no longer supported. In Oracle Linux 8, GeoLite2 databases are provided by multiple packages, including the libmaxminddb package, which includes the library and the mmdblookup command-line tool for manually looking up addresses. Note that the geoipupdate binary from the legacy GeoIP package is now provided by the geoipupdate package, which can download both the legacy databases and the new GeoLite2 databases.

3.12 Networking

Oracle Linux 8 introduces the following features, enhancements, and improvements, including one significant change, which is the replacement of iptables with nftables.

3.12.1 Replacement of iptables With nftables

In Oracle Linux 8, the default iptables network packet filtering framework has been replaced with the nftables framework. As the designated successor to iptables, ip6tables, arptables, and ebtables, the nftables framework includes packet classification facilities and several improvements, which provide added convenience and improved performance over the previously used packet-filtering tools.

The nftables implementation provides the following improvements:

  • Replacement of linear processing with lookup tables

  • Single framework for both the IPv4 and IPv6 protocols

  • More consistent and compact syntax

  • Support for debugging and tracing in the ruleset with nftrace

  • Netlink API for third-party applications

Note the following additional information about the nftables implementation:

  • The nftables framework uses tables for storing chains, similarly to iptables. Chains contain individual rules for performing actions.

  • The nft tool replaces all of the previously used packet-filtering framework tools.

  • You can use the libnftables library for low-level interaction with the nftables Netlink API over the libmnl library.

  • The iptables, ip6tables, ebtables and arptables tools are replaced by drop-in replacements that are nftables-based and use the same name.

    Although these tools behave identically to their legacy counterparts, internally, they use nftables with legacy netfilter kernel modules through a compatibility interface, as required.

    You can use the nft list ruleset command to observe the effect of the modules on the nftables ruleset. It is worth noting, however, that these tools add tables, chains, and rules to the nftables ruleset; and as such, some nftables ruleset operations, for example, the nft flush ruleset command, might affect rulesets that were installed by using legacy commands, as these were formerly separate.

    To determine which version of the tool is currently running, use the iptables --version command, as version information has been updated to include the back-end name. For example, if you are running Oracle Linux 8, the nftables-based iptables tool displays the following information:

    # iptables --version
    iptables v1.8.2 (nf_tables)

    If the legacy version of the iptables tool is installed, the output would be as follows:

    # iptables --version
    iptables v1.8.0 (legacy)

3.12.1.1 Tools for Converting iptables Rules to the nftables Equivalents

Oracle Linux 8 provides the iptables-translate and ip6tables-translate commands for converting existing iptables and ip6tables rules to their nftables equivalents. In cases where extensions do not include translation support, the untranslated rule, prefixed by a hash sign (#), is printed by the conversion tools, as shown in the following example:

# iptables-translate -A INPUT -j CHECKSUM --checksum-fill
nft # -A INPUT -j CHECKSUM --checksum-fill

You can use this utility to translate a dump of iptables rules in a single operation, for example:

# iptables-save > rules.iptables
# iptables-restore-translate -f rules.iptables > rules.nft
# nft -f rules.nft
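The translation tools keep rules that they cannot convert as commented-out lines, and nft -f loads the file without complaint, so those rules silently disappear from the new ruleset. The following script, added here as an example that is not part of the release notes, reports the untranslated rules in an iptables-restore-translate output file before it is loaded; the sample ruleset inside it is constructed, and the CHECKSUM rule is the untranslatable example shown above.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux release notes): pre-apply check
# for the output of iptables-restore-translate. Rules that the translator
# could not convert survive as comment lines holding the original iptables
# rule, for example "# -A INPUT -j CHECKSUM --checksum-fill", and "nft -f"
# would simply skip them. This script lists those lines so that they can be
# translated by hand before the ruleset is loaded.

# Print the untranslated rule lines in a translated ruleset file.
# Matches "# -A ...", "# -I ..." and so on, optionally prefixed by "nft " as
# the per-rule iptables-translate tool prints them. Ordinary comments such as
# "# Translated by iptables-restore-translate ..." do not match.
untranslated_rules() {
    grep -E '^(nft )?# -[A-Z] ' "$1" || :
}

# Number of untranslated rules in the file (always exits 0).
count_untranslated() {
    untranslated_rules "$1" | wc -l | tr -d ' '
}

# Exit status 0 if every rule was translated, 1 otherwise.
check_translation() {
    n=$(count_untranslated "$1")
    if [ "$n" -ne 0 ]; then
        echo "$1: $n rule(s) were not translated; review before running nft -f:" >&2
        untranslated_rules "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample of iptables-restore-translate output for demonstration.
# The CHECKSUM target has no nftables translation, so it is left as a comment.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# Translated by iptables-restore-translate (constructed sample)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT tcp dport 22 counter accept
# -A INPUT -j CHECKSUM --checksum-fill
EOF

# Usage: only load the file once the check passes.
check_translation "$SAMPLE_RULES" || echo "not loading $SAMPLE_RULES with nft -f"
```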

3.12.1.2 firewalld Uses nftables by Default

In Oracle Linux 8, the nftables filtering subsystem is the default firewall backend for the firewalld daemon. If you want to change the back-end firewall, specify the FirewallBackend option in the /etc/firewalld/firewalld.conf file.

This feature change introduces the following notable differences in behavior when using nftables:

  • The iptables rule executions always occur before firewalld rules.

  • In iptables, DROP means a packet is never seen by firewalld, while ACCEPT means a packet is still subject to firewalld rules.

  • The firewalld direct rules are still implemented through iptables, while other firewalld features use nftables.

  • Direct rule execution occurs before firewalld generic acceptance of established connections.

3.12.2 IPVLAN Virtual Network Driver Added

The Oracle Linux 8 kernel supports IPVLAN virtual Network Interface Cards (NICs). This added support enables network connectivity for multiple containers by exposing a single MAC address to the local network. The enhancement makes it possible to enable network connectivity for multiple containers on a single host, thereby overcoming a possible limitation on the number of MAC addresses that are supported by the peer networking equipment.

3.12.3 Networking Stack Updated to Version 4.18

The networking stack in Oracle Linux 8 has been updated to version 4.18. This version of the networking stack includes several bug fixes and improvements over the previous version, including new offload features and the new fq_codel default transmit queue scheduling algorithm. Several additional changes were made, including improvements to the generic busy polling code, and improved scalability for the User Datagram Protocol (UDP), IPv6, routing code, as well as some transmit queue scheduling algorithms.

3.12.4 Removal of -ok Option From tc Command

In Oracle Linux 8, the tc command no longer supports the -ok option. One workaround is to implement code that communicates directly with the kernel through netlink. Another alternative for less time-critical applications is to use a custom script that simulates tc -batch behavior by printing OK for each successful tc invocation.

3.12.5 SR-IOV Virtual Functions Added to NetworkManager

In this release, NetworkManager enables you to configure the number of virtual functions (VF) for interfaces that support single-root I/O virtualization (SR-IOV). NetworkManager also enables you to configure certain attributes of the VFs, including the MAC address, a VLAN, the spoof-checking setting, and allowed bitrates. All of the properties that are related to SR-IOV are available in the sriov connection setting. See the nm-settings(5) man page for details.

3.12.6 TCP Updated to Version 4.18

Oracle Linux 8 provides version 4.18 of the Transmission Control Protocol (TCP). This version of TCP provides increased performance, as well as better scalability, and increased stability over previous versions.

Also new in this release are the BBR and NV TCP congestion control algorithms. These algorithms provide lower latency and better throughput than cubic in most situations.

3.12.7 wpa_supplicant Package Improvements

In this release, the wpa_supplicant package is built with CONFIG_DEBUG_SYSLOG enabled. This change provides the capability to read the wpa_supplicant log by using the journalctl utility rather than having to check the contents of the /var/log/wpa_supplicant.log file, as in previous releases.

3.13 Scripting and Dynamic Programming Languages

The following scripting and dynamic programming language changes are introduced in this release:

  • Python version 3.6 included.  Oracle Linux 8 includes Python version 3.6. Note that this version of the Python package is not installed on your Oracle Linux 8 system by default.

    The Python 2.7 package python2 is also available for installation on your Oracle Linux 8 system; but, note that Python 2.7 is provided to facilitate a smoother transition to Python 3 and that its life cycle will be shorter than that of Python 3.

    Note

    Developers may want to migrate former code that is written in Python 2 to Python 3. After the migration, the code can be interpreted by the Python 3 interpreter while also remaining interpretable by the Python 2 interpreter.

    The default python package, as well as the unversioned /usr/bin/python executable, is included in Oracle Linux 8. You should use either python3 or python2 directly. Or, alternatively, you can configure the unversioned python command by using the alternatives command.

  • PHP updated to version 7.2.  Oracle Linux 8 includes PHP version 7.2, which includes several improvements over the previous version of PHP, including the following:

    • PHP now uses the FastCGI Process Manager (FPM) by default, which is safe for use with a threaded httpd.

    • In this release, you no longer specify the php_value and php_flag variables in the httpd configuration files. Instead, set these variables in the pool configuration files, /etc/php-fpm.d/*.conf.

    • PHP script errors and warnings are now logged to /var/log/php-fpm/www-error.log instead of /var/log/httpd/error.log.

    • Changing the PHP max_execution_time configuration variable requires that you also change the httpd ProxyTimeout setting so that the two configurations match.

    • The user who runs PHP scripts is now configured in the FPM pool configuration file, /etc/php-fpm.d/www.conf. Also, the apache user is now the default.

    • If you make configuration changes or install a new extension, you are now required to restart the php-fpm service for the changes to take effect.

    • The following PHP extensions are removed in this release:

      • aspell

      • memcache

      • mysql

        The mysqli and pdo_mysql extensions are still provided by the php-mysqlnd package.

      • zip

  • Ruby improvements.  Oracle Linux 8 includes Ruby version 2.5, which provides several improvements over Ruby 2.0.0, including the following:

    • Symbols are now garbage collected.

    • Several improvements to the refinements syntax.

    • The $SAFE=2 and $SAFE=3 safe levels are obsolete.

    • The consolidation of the Fixnum and Bignum classes into the Integer class.

    • Performance improvements, including optimization of the Hash class, improved access to instance variables, as well as performance improvements to the Mutex class.

    • The deprecation of some older APIs.

    • Updated bundled libraries, including the following: RubyGems, Rake, RDoc, Psych, Minitest, and test-unit.

    • The mathn, DL, ext/tk, and XMLRPC libraries that were previously distributed with Ruby are deprecated or no longer included.

    • The SemVer versioning scheme is now used for Ruby versioning.

  • Perl features and improvements.  Oracle Linux 8 includes Perl version 5.26, which provides new features and improvements over the previous version of Perl. Note that in this version of Perl, some features are deprecated.

    Notable changes in this version of Perl include the following:

    • Availability of Unicode 9.0.

    • Addition of the op-entry, loading-file, and loaded-file SystemTap probes.

    • Addition of the Config::Perl::V module to access perl -V data in a structured way.

    • Addition of the IO::Socket::IP module to handle IPv4 and IPv6 sockets transparently.

    • New perl-App-cpanminus package has been added. This package includes the cpanm utility, which enables you to get, extract, build, and install modules from the Comprehensive Perl Archive Network (CPAN) repository.

    • Ability to use the copy-on-write mechanism when assigning scalars for improved performance.

    • Hashes are now randomized by default. Also, the order in which keys and values are returned from a hash changes on each perl run. You can disable the randomization by setting the PERL_PERTURB_KEYS variable to 0.

    • The perl packaging is now aligned with upstream and also installs core modules. The /usr/bin/perl interpreter is provided by the perl-interpreter package, which is a change from previous releases, where the perl package included only a minimal interpreter and the perl-core package included both the interpreter and the core modules.

    The following Perl features are deprecated or removed:

    • The current directory (.) has been removed from the @INC module search path. This change was made for security reasons.

    • The do statement returns a deprecation warning when it fails to load a file.

    • The do subroutine(LIST) call is no longer supported and results in a syntax error.

    • Unescaped literal { characters in regular expression patterns are not allowed.

    • Removed lexical scope support for the $_ variable.

    • Using the defined operator on an array or a hash results in a fatal error.

    • Importing functions from the UNIVERSAL module results in a fatal error.

    • Removal of the find2perl, s2p, a2p, c2ph, and pstruct tools.

    • Removal of the ${^ENCODING} facility. In addition, the encoding pragma's default mode is no longer supported. To write source code in an encoding other than UTF-8, use the encoding pragma's Filter option.

3.14 Security

Oracle Linux 8 introduces the following security features, enhancements, and changes:

  • OpenSSH updated to version 7.8p1.  The openssh packages have been upgraded to upstream version 7.8p1. This version of OpenSSH includes the following changes:

    • The UsePrivilegeSeparation=sandbox option is now mandatory and cannot be disabled.

    • The minimum accepted RSA key size is 1024 bits.

    • The modulus size for Diffie-Hellman parameters has been changed to 2048 bits.

    • The default value of the UseDNS option has been changed to no.

    • DSA public key algorithms are disabled by default.

    • The semantics of the ExposeAuthInfo configuration option have changed.

    • The following features are removed in OpenSSH 7.8p1:

      • SSH version 1 protocol

      • hmac-ripemd160 message authentication code

      • RC4 (arcfour), Blowfish, and CAST ciphers

  • LUKS2 replaces LUKS1.  The LUKS version 2 (LUKS2) format replaces the legacy LUKS (LUKS1) format in this release. Also, the dm-crypt subsystem and the cryptsetup tool now use LUKS2 as the default format for encrypted volumes.

  • Replacement of nfsnobody user and group pair with nobody user and group pair.  The nobody user and group pair, with the ID of 99, and the nfsnobody user and group pair, with the ID of 65534 (the default kernel overflow ID), have been merged into the nobody user and group pair. This change reduces confusion about the files that are owned by nobody and have nothing to do with NFS. The merged user and group pair use the 65534 ID. Note that the nfsnobody user and group pair are no longer created during a fresh installation.

  • GPG key length increased to 4096 bits.  Oracle Linux 8 RPM packages are now signed with a new 4096-bit GNU Privacy Guard (GPG) key for greater security. Previously, the GPG key length was 2048 bits.

  • RSA-PSS available in OpenSC.  Oracle Linux 8 provides the RSA-PSS cryptographic signature scheme for the OpenSC smart card driver. The new scheme enables a secure cryptographic algorithm, which is required for the TLS 1.3 support in the client software.

  • rsyslog updated to version 8.37.0.  In Oracle Linux 8, the rsyslog packages have been upgraded to version 8.37.0. This version of rsyslog includes several bug fixes and improvements over previous versions.

  • New omkafka rsyslog module added.  You can use the omkafka module in the Oracle Linux 8 release to enable Kafka centralized data storage scenarios. You can also use this module to forward logs to the Kafka infrastructure.

  • libssh implements SSH as a core cryptographic component.  The libssh library, which implements the SSH protocol, is introduced as a core cryptographic component in Oracle Linux 8. Note that libssh does not comply with the system-wide cryptographic policy.

  • Consolidation of OpenSCAP API.  In Oracle Linux 8, the OpenSCAP shared library API has been consolidated. As a result, 63 symbols are removed, 14 symbols are added, and 4 symbols have an updated signature.

    The following symbols are removed in OpenSCAP 1.3.0:

    • Symbols marked as deprecated in version 1.2.0

    • SEAP protocol symbols

    • Internal helper functions

    • Unused library symbols

    • Unimplemented symbols

  • PKCS #11 support for smart cards and HSMs is now consistent.  In Oracle Linux 8, using smart cards and Hardware Security Modules (HSM) with the PKCS #11 cryptographic token interface is consistent, which means users and administrators can use the same syntax for all related tools in the system.

  • SELinux policy improvement to enable iscsiuio processes to work correctly.  Oracle Linux 8 adds missing rules to the SELinux policy to enable iscsiuio processes to access /dev/uio* devices by using the mmap system call. Previously, SELinux policy restricted this access, which caused the connection to the discovery portal to fail.

  • System-wide cryptographic policies applied by default.  In Oracle Linux 8, the crypto-policies component configures the core cryptographic subsystems and covers the TLS, IPsec, SSH, DNSSEC, and Kerberos protocols. The component provides a small set of policies that you can select by using the update-crypto-policies command.

    The DEFAULT system-wide cryptographic policy that provides secure settings for current threat models is also compatible with PCI-DSS requirements, as it allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted, if they are larger than 2047 bits.

    See the update-crypto-policies(8) man page.

  • OSPP 4.2 added to SCAP Security Guide.  The SCAP Security Guide includes a draft of the OSPP (Protection Profile for General Purpose Operating Systems) profile, version 4.2, for RHEL 8. This profile reflects the mandatory configuration controls that are identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2). The SCAP Security Guide provides automated checks and scripts so that users can meet the requirements that are defined in the OSPP.

  • Improvements to the OpenSCAP command-line interface.  The verbose mode is now available in all oscap modules and submodules. In addition, improvements have been made to the tool output.

    Several options are deprecated and have been removed, including the following:

    • The --show option in the oscap xccdf generate report command is completely removed.

    • The --probe-root option in the oscap oval eval command. As a replacement, set the OSCAP_PROBE_ROOT environment variable.

    • The --sce-results option in the oscap xccdf eval command is replaced by the --check-engine-results option.

    • The validate-xml submodule validator has been dropped from the CPE, OVAL, and XCCDF modules. You can use validate submodules to validate SCAP content against XML schemas and XSD schematrons.

    • The oscap oval list-probes command. Instead, use the oscap command with the --version option to display this information.

    Note

    OpenSCAP allows for evaluating all of the rules in a given XCCDF benchmark by using --profile '(all)', regardless of the profile.

  • SELinux map permission code added.  Oracle Linux 8 provides the SELinux map permission feature. This feature controls memory mapped access to files, directories, and sockets and enables SELinux policy to prevent direct memory access to various file system objects and also ensure that all such access is revalidated.

  • systemd No New Privileges added to SELinux.  Oracle Linux 8 provides support for the nnp_nosuid_transition policy capability, which enables SELinux domain transitions under No New Privileges (NNP) or nosuid, if nnp_nosuid_transition is allowed between the old and new contexts. The selinux-policy packages now contain a policy for systemd services that use the NNP security feature.

    The following generic rule shows how this capability is allowed for a service:

    allow source_domain target_type:process2 { nnp_transition nosuid_transition };

    For example, for the fprintd service (the fprintd_t domain), the rule is defined as follows:

    allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

    Note that the distribution policy now also contains the m4 macro interface, which can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function.

  • getrlimit permission in the process class added to SELinux.  A new SELinux access control check, process:getrlimit, has been added to the prlimit() function. This change enables SELinux policy developers to control when one process attempts to read and then modify the resource limits of another process by using the process:setrlimit permission. Note that SELinux does not restrict a process from manipulating its own resource limits through prlimit(). See the prlimit(2) and getrlimit(2) man pages for details.

  • New SELinux booleans added.  Oracle Linux 8 includes the following new SELinux booleans:

    • colord_use_nfs

    • mysql_connect_http

    • pdns_can_network_connect_db

    • ssh_use_tcpd

    • sslh_can_bind_any_port

    • sslh_can_connect_any_port

    • virt_use_pcscd

    For more details, run the semanage boolean -l command.

  • TLS 1.3 in cryptographic libraries added.  This release adds Transport Layer Security (TLS) 1.3, by default, in all major back-end cryptographic libraries. This change enables low latency across the operating system communications layer and enhances privacy and security for applications by taking advantage of new algorithms such as RSA-PSS or X25519.

  • OpenSCAP updated to version 1.3.0.  In Oracle Linux 8, the OpenSCAP suite has been upgraded to version 1.3.0. This version of the OpenSCAP suite introduces many enhancements, including the consolidation of the API and the ABI, an enhanced command-line interface, and other notable improvements over the previous OpenSCAP version.

  • Replacement of audispd with auditd in Audit 3.0.  In this release, the functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf, and the plugins.d directory is now under /etc/audit. You can check the current status of auditd and its plugins by running the auditd state command.

  • imfile module added to rsyslog.  In Oracle Linux 8, the rsyslog imfile module has been enhanced for improved performance and the addition of more configuration options. This change enables you to use the module for more complicated file monitoring.

3.15 New systemd Behavior in Oracle Linux 8

In Oracle Linux 8, systemd uses a pager to enable the viewing of full status output in paginated format. You can use the --no-pager --full options when running the systemctl command to obtain the full output without using the pager. Or, you can set the $PAGER environment variable to specify the default pager program that should be used.

Note that when using a pager, the output is piped to a forked process that might not exit immediately. In this case, use the exit keys that are appropriate for the pager program, usually the q key or Ctrl-c.

3.16 Virtualization

Oracle Linux 8 introduces the following virtualization features, enhancements, and changes:

  • 5-level paging added to KVM.  In Oracle Linux 8, Kernel-based Virtual Machine (KVM) virtualization enables the 5-level paging feature for hardware that can support this feature. This enhancement significantly increases the physical and virtual address space that the host and guest systems can use.

  • UMIP added to KVM.  Oracle Linux 8 includes the addition of the User Mode Instruction Prevention (UMIP) feature for KVM virtualization. This security enhancement assists in preventing user-space applications from accessing system-wide settings, resulting in a reduction in the potential vectors for privilege escalation attacks.

  • Additional information included in KVM guest crash reports.  In this release, the crash information that KVM hypervisor generates if a guest terminates unexpectedly or becomes unresponsive includes additional information, which makes it easier to diagnose and fix problems when using KVM virtualization.

  • qemu-kvm updated to version 2.12.  Oracle Linux 8 provides the qemu-kvm 2.12 package. This version of qemu-kvm includes numerous bug fixes and improvements over the previously supported 1.5.3 version.

  • NVIDIA vGPU compatible with the VNC console.  As of Oracle Linux 8, you can use the VNC console to display the visual output of the guest when using the NVIDIA virtual GPU (vGPU) feature.

  • Virtualization for Ceph added.  In this release, Ceph storage is supported by KVM virtualization on all CPU architectures that are supported by Oracle Linux.

  • Virtualization for Q35 machine type added.  Oracle Linux 8 provides the Q35 machine type, which is a more modern PCI Express-based machine type. Feature changes include a wide variety of improvements and performance enhancements for virtual devices, which ensure that a wider range of modern devices are compatible with virtualization features. Note that any virtual machines (VMs) that you create in Oracle Linux 8 are set to use the Q35 machine type by default.

  • QEMU sandboxing added.  In Oracle Linux 8, the QEMU emulator introduces sandboxing, which is enabled and configured by default. Sandboxing provides configurable limitations for the system calls that QEMU can perform, thereby making VMs more secure.

  • Mounting ephemeral disks on VMs running on Microsoft Azure works more reliably in Oracle Linux 8.  An improvement has been made in Oracle Linux 8 to ensure that reconnecting an ephemeral disk on a VM that is running on the Microsoft Azure platform is handled correctly and does not fail if the disk was recently detached from the VM, which was the case in previous releases.

3.17 Web Services

In Oracle Linux 8, the following web service features, enhancements, and changes are introduced:

  • Apache Tomcat package is not available in Oracle Linux 8.  The Apache Tomcat software package that was available in Oracle Linux 7 is no longer included in Oracle Linux 8.

  • Apache HTTP Server updated to version 2.4.35.  Oracle Linux 8 includes Apache HTTP Server version 2.4.35, which provides several improvements over the previous version of Apache.

    This version of the Apache HTTP Server includes the following changes:

    • HTTP/2 available in Oracle Linux 8.  HTTP/2 has been added in this release and is provided by the mod_http2 package. This package is included in the httpd module.

    • Automated TLS certificate provisioning.  Automated TLS certificate provisioning and renewal by using the Automatic Certificate Management Environment (ACME) protocol through the mod_md package has been added. The mod_md package is used with certificate providers such as Let’s Encrypt.

    • TLS certificate loading added.  The Apache HTTP Server now includes capability for loading TLS certificates and private keys from hardware security tokens directly from PKCS#11 modules. Additionally, mod_ssl configuration can now use PKCS#11 URLs to identify the TLS private key, and optionally, the TLS certificate in the SSLCertificateKeyFile and SSLCertificateFile directives.

    • Multi-processing module changed to high-performance multi-thread event model.  The multi-processing module (MPM) that the Apache HTTP Server configures by default has changed to a high-performance, multi-threaded event model. Previously, the multi-process forked model (also known as prefork) was used. Note that you must replace or remove any third-party modules that are not thread-safe. To change the MPM that is currently configured, edit the /etc/httpd/conf.modules.d/00-mpm.conf file by following the directions documented in the httpd.service(8) man page.

  • Availability of HTTP for nginx 1.14 web and proxy server.  The nginx 1.14 web and proxy server supports HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Previously, nginx was only available as a Software Collection.

    The nginx web server also provides support for loading TLS certificates and private keys from hardware security tokens, directly from PKCS#11 modules. As a result, an nginx configuration can use PKCS#11 URLs to identify the TLS private key in the ssl_certificate_key directive.
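Both the mod_ssl and the nginx notes above reference private keys by PKCS#11 URL (RFC 7512). The following is an added example, not code from the release notes or from either project: it parses such a URL into its path and query attributes and flags deployment choices worth catching in review, such as embedding the token PIN directly in the web server configuration with pin-value. The token and object names used in the test input are constructed.

```python
"""Parse and sanity-check PKCS#11 URIs (RFC 7512) of the kind that
mod_ssl's SSLCertificateKeyFile or nginx's ssl_certificate_key can name.
Added example; not part of Oracle Linux, httpd or nginx."""
from urllib.parse import unquote

# Attribute names defined by RFC 7512. Rejecting anything else is stricter
# than the RFC (which allows vendor attributes) but catches typos early.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _split_attrs(part, sep, allowed):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values."""
    attrs = {}
    if not part:
        return attrs
    for item in part.split(sep):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unknown or malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs); raise ValueError on malformed input."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _split_attrs(path_part, ";", PATH_ATTRS)    # path attrs use ';'
    query = _split_attrs(query_part, "&", QUERY_ATTRS)  # query attrs use '&'
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {path['type']}")
    return path, query


def key_uri_warnings(uri):
    """Review checks for a URI that is meant to select a TLS private key."""
    path, query = parse_pkcs11_uri(uri)
    warnings = []
    if "pin-value" in query:
        warnings.append("pin-value stores the token PIN in the server config; "
                        "prefer pin-source")
    if path.get("type", "private") != "private":
        warnings.append("URI does not select a private key object")
    if "object" not in path and "id" not in path:
        warnings.append("no object or id attribute; key selection may be ambiguous")
    return warnings
```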

3.18 Compatibility

Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that underlies the operating system. To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors for hardware and software that have dependencies on kernel modules.