2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Installation and Image Creation
Oracle Linux 8.1 introduces the following notable installation and image creation features and improvements:
- Ability to disable modules during a kickstart installation
  You can now disable a module during a kickstart installation to prevent packages from that module from being installed. Use the following command to disable a module during a kickstart installation:
  module --name=module-name --stream=stream-name --disable
- New repo.git blueprint section added to lorax-composer
  The new repo.git blueprint section enables you to include extra files in your image build. Note that the files must be hosted in a git repository that is accessible from the lorax-composer build server.
- Image builder includes image creation capability for more cloud providers
  Image Builder has been expanded in Oracle Linux 8.1 to include other cloud providers for which it can create an image. For example, you can now create and deploy images on Google Cloud and Alibaba Cloud, as well as run custom instances on these platforms.
Red Hat Compatible Kernel
The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.1.
- Early Kdump
  The early Kdump feature enables the crash kernel and initramfs to load early so that vmcore can be captured early enough to also include information about early crashes. More details about early kdump can be found in the /usr/share/doc/kexec-tools/early-kdump-howto.txt file. See also Working With Kernel Dumps in Oracle Linux 8: Monitoring and Tuning a System.
- ipcmni_extend kernel command-line parameter added
  The new ipcmni_extend kernel command-line parameter extends a number of unique System V Inter-process Communication (IPC) identifiers from the current maximum of 32 KB (15 bits), up to 16 MB (24 bits). This enhancement enables users with applications that produce a large amount of shared memory segments to create a stronger IPC identifier, without exceeding the 32 KB limit.
  It should be noted that in some cases, use of the ipcmni_extend parameter can result in minor performance issues. You should therefore only use this parameter in situations where applications require more than 32 KB of a unique IPC identifier.
- Persistent memory initialization code includes parallel initialization
  The inclusion of parallel initialization to the persistent memory initialization code greatly reduces the overall memory initialization time on systems that have large amounts of persistent memory. As a result, these systems boot much faster.
- Optane DC memory systems include capability for EDAC reports
  With this update, EDAC (Error Detection and Correction) properly reports memory corrected/uncorrected events with the accurate memory module information. Previously, EDAC did not properly report these events if the memory address was within a NVDIMM module.
  This update also includes the Memory Mode for Optane DC Persistent Memory technology.
- TPM tool updated to version 2.0
  The tpm2-tools user-space tool has been updated to version 2.0. This version of the Trusted Platform Module (TPM) tool provides fixes for several defects.
- UBSan utility enabled in the debug kernel
  The Undefined Behavior Sanitizer (UBSan) utility has been enabled in the debug kernel to enable the system to more easily detect certain types of bugs that previously went undetected; for example, in the case of compiler optimization, where subtle, obscure bugs might appear.
- bpftrace language added
  Oracle Linux 8.1 includes the bpftrace language, a high-level tracing language for extended Berkeley Packet Filter (eBPF) that is used for very specific tracing tasks. A significant benefit of using bpftrace is that you can accomplish the same outcome with one line in bpftrace, as compared to an entire page of code that mixes the Python and C languages in the BPF Compiler Collection (BCC) library.
- kernel-rt source tree matches latest Oracle Linux tree
  Sources for the kernel-rt source tree have been upgraded so that they are based on the latest RHCK kernel source tree. This change provides a number of bug fixes and enhancements over the previous version.
- ssdd test added for Real Time 8
  This update includes the ssdd test for Real Time 8, which is used for stress testing of the tracing subsystem. The test runs multiple tracing threads to verify that locking is correct within the tracing system.
Corosync and Pacemaker Included in Oracle Linux 8.1.
The Corosync version 3.0.2 and Pacemaker version 2.0.2 software packages are included in Oracle Linux 8.1. This software is used for clustering and high availability.
Cockpit Web Console
In Oracle Linux 8.1, the following features, enhancements, and changes for the Cockpit web console are introduced:
- Capability for SMT configuration by using the Cockpit web console
  Oracle Linux 8.1 includes capability for Simultaneous Multi-Threading (SMT) configuration, which also includes the ability to disable SMT in the Cockpit web console. This added capability enables you to mitigate a class of CPU security vulnerabilities, such as Microarchitectural Data Sampling and L1 Terminal Fault Attack.
  Note:
  When SMT is disabled on the system, options for SMT are not displayed in the Cockpit web console. See Oracle® Linux: Simultaneous Multithreading Notice for more details.
- Services page improvements
  To improve the user experience in this update, the web console's Services page has been updated to include a search box that enables you to search services by name and description. Other improvements include the following: service states have been merged into one list, and the switcher buttons that were located at the top of the page have been replaced with tabs.
- Networking page updated with new firewall settings
  Additional firewall settings have been added to the web console's Networking page, including capability for the following: adding and removing zones, adding and removing services to arbitrary zones, and custom port configuration for the firewalld services.
- Improvements to Virtual Machines page
  Several improvements have been made to the web console's Virtual Machines page. For example, in this update, you can do the following:
  - Manage various types of storage pools.
  - Configure autostart for a virtual machine (VM).
  - Import existing qcow images.
  - Install VMs by using PXE boot.
  - Change a VM's memory allocation.
  - Pause and resume a VM.
  - Configure cache characteristics.
  - Change the boot order for a VM.
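To confirm on the host what the web console's SMT setting changes, the kernel's sysfs status files for SMT, MDS and L1TF can be read directly. The following Python script is an added example, not Oracle's code; it assumes the standard Linux paths under /sys/devices/system/cpu, and the status lines in its sample tree are constructed.

```python
import tempfile
from pathlib import Path

CPU_SYSFS = Path("/sys/devices/system/cpu")  # standard Linux sysfs location


def read_value(path):
    """Return the stripped file content, or None when the file is absent."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None


def classify(status):
    """Map a kernel vulnerability status line to a short finding."""
    if status is None:
        return "unknown"
    if status.startswith("Not affected"):
        return "not affected"
    if "SMT vulnerable" in status:
        return "exposed via SMT"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "mitigated"


def smt_report(cpu_root=CPU_SYSFS):
    """Summarise SMT state and the MDS and L1TF status reported by the kernel."""
    root = Path(cpu_root)
    findings = {name: classify(read_value(root / "vulnerabilities" / name))
                for name in ("mds", "l1tf")}
    return {
        "control": read_value(root / "smt" / "control"),  # on, off, forceoff, ...
        "smt_active": read_value(root / "smt" / "active") == "1",
        "findings": findings,
        "needs_smt_off": "exposed via SMT" in findings.values(),
    }


def constructed_tree():
    """Build a constructed sysfs-like tree (sample data) for offline runs."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "smt/control": "on",
        "smt/active": "1",
        "vulnerabilities/mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
        "vulnerabilities/l1tf": "Not affected",
    }
    for rel, text in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text + "\n")
    return root


if __name__ == "__main__":
    print("live host:", smt_report())
    print("constructed sample:", smt_report(constructed_tree()))
```

A result with needs_smt_off set to True means the kernel itself reports that a mitigation is incomplete while sibling threads stay online.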
Compilers and Developer Tools
Oracle Linux 8.1 introduces the following feature enhancements and changes for compilers and developer tools.
GCC Toolset 9
Oracle Linux 8.1 introduces the GCC Toolset 9, which is an Application Stream that is distributed in the form of a Software Collection in the appstream_beta repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.
The GCC Toolset 9 contains up-to-date versions of the following developer tools:
- GCC version 9.1.1
- GDB version 8.3
- Valgrind version 3.15.0
- SystemTap version 4.1
- Dyninst version 10.1.0
- binutils version 2.32
- elfutils version 0.176
- dwz version 0.12
- make version 4.2.1
- strace version 5.1
- ltrace version 0.7.91
To install the toolset, use the following command:
sudo dnf install gcc-toolset-9
You can run a tool from GCC Toolset 9 by using the following command:
scl enable gcc-toolset-9 tool
Use the following command to run a shell session, where tool versions from the GCC Toolset 9 take precedence over system versions of the same tools:
scl enable gcc-toolset-9 bash
Compiler Toolsets Updated
The following compiler toolsets have been updated. These toolsets are distributed as Application Streams in Oracle Linux 8.1:
- Clang and LLVM toolset upgraded to version 8.0.0
  This toolset provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis.
- Rust toolset upgraded to version 1.35
  This toolset provides the Rust programming language compiler (rustc), the cargo build tool and dependency manager, and any required libraries.
- Go toolset upgraded to version 1.12.6
  This toolset provides the Go (golang) programming language tools and libraries.
SystemTap Updated to Version 4.1
The SystemTap instrumentation tool has been updated to upstream version 4.1 in this update. This version of SystemTap provides several improvements over the previous version of the tool, including the following:
- The eBPF runtime backend can now handle more features of the scripting language, such as string variables and rich formatted printing.
- Translator performance improvements.
- More types of data in optimized C code can be extracted by using DWARF4 debuginfo constructs.
elfutils Updated to Version 0.176
The elfutils packages have been updated to version 0.176 in this update. This version of elfutils provides numerous bug fixes and resolves the following vulnerabilities:
- CVE-2019-7146
- CVE-2019-7149
- CVE-2019-7150
- CVE-2019-7664
- CVE-2019-7665
Date Formatting for Japanese Reiwa Era Updated
In Oracle Linux 8.1, the GNU C Library has been updated to include correct Japanese era name formatting for the Reiwa era (effective May 1st, 2019). Also, the time-handling API data, which includes the data that is used by the strftime and strptime functions, has been updated. As a result, all APIs now correctly print the Reiwa era, including when strftime is used with one of the era conversion specifiers, such as %EC, %EY, or %Ey.
File Systems and Storage
Oracle Linux 8.1 introduces the following notable file systems and storage features, enhancements, and changes:
- Btrfs file system removed from RHCK
  The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user-space packages that are provided are not supported with RHCK.
- OCFS2 file system removed from RHCK
  The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user-space packages that are provided are not supported with RHCK.
- Data Integrity Field/Data Integrity Extension available in Oracle Linux 8.1
  The Data Integrity Field/Data Integrity Extension (DIF/DIX) feature is available on configurations that the hardware vendor has qualified, including the host bus adapter (HBA) and storage array configuration. The DIF/DIX feature is enabled and disabled on the storage device. The method that is used to activate the feature on storage devices is device-dependent.
  Note:
  DIF/DIX is not available for use on the boot device or on virtualized guests. Using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled is also not supported.
- VDO Ansible module moved to Ansible packages
  In this update, the VDO Ansible module is provided by the ansible package and is located in /usr/lib/python3.6/site-packages/ansible/modules/system/vdo.py. In previous updates, the module was provided by the vdo RPM package and was located in /usr/share/doc/vdo/examples/ansible/vdo.py.
  Note that the vdo package continues to distribute the Ansible playbook.
- Aero adapters
  The following two Aero adapters are included in Oracle Linux 8.1:
  - PCI ID 0x1000:0x00e2 and 0x1000:0x00e6. These adapters are controlled by the mpt3sas driver.
  - PCI ID 0x1000:0x10e5 and 0x1000:0x10e6. These adapters are controlled by the megaraid_sas driver.
  Previously, these adapters were available as a Technology Preview only.
Infrastructure Services
Oracle Linux 8.1 introduces the following infrastructure services features, enhancements, and changes:
- Chrony updated to version 3.5
  The chrony packages have been updated to version 3.5. This version of Chrony provides several bug fixes and enhancements over the previous version. Some of the more notable changes include the following:
  - More accurate synchronization of the system clock with hardware timestamping in the kernel.
  - Important improvements to hardware timestamping.
  - The range of available polling intervals has been extended.
  - NTP sources include a filter option.
- Tuned updated to version 2.12
  The tuned packages are updated to version 2.12 in this update. This version of Tuned provides several bug fixes and enhancements over the previous version. Some of the more notable changes include the following:
  - An issue related to the handling of removed and re-attached devices has been fixed.
  - Negation of a CPU list has been added.
  - The sysctl tool is replaced by a new implementation that is specific to Tuned. This change improves the performance of the run-time kernel parameter.
- Memory Mode Technology for Intel Optane DC Persistent Memory Feature Added
  Memory Mode for the Intel Optane DC Persistent Memory technology has been added in Oracle Linux 8.1. This technology is transparent to the operating system and does not require any special drivers or specific certification.
Networking
This release of Oracle Linux 8 introduces the following features, enhancements, and improvements.
PMTU Discovery and Route Redirection for VXLANs and GENEVE Tunnels Added
In this update, the kernel can handle Internet Control Message Protocol (ICMP) "Destination Unreachable" and "Redirect Message" errors. The kernel can also handle ICMPv6 "Packet Too Big" and "Destination Unreachable" messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels, which is done by adjusting the PMTU and modifying forwarding information. As a result, PMTU discovery and route redirection features are now provided for VXLAN and GENEVE tunnels.
XDP and Networking eBPF Features Updated to Version 5.0
As of this update, the XDP and the networking eBPF features in the kernel package have been updated to version 5.0. This feature version provides a number of bug fixes and enhancements over the previous version, including the following: improvements to BPF programs for better interaction with the TCP/IP stack, flow dissection, a wider range of bpf helpers, and access to new map types. XDP changes include the availability of XDP metadata to AF_XDP sockets.
Security
Oracle Linux 8.1 introduces the following security features, enhancements, and changes.
SELinux Features
Oracle Linux 8.1 introduces the following features, changes, and improvements for SELinux:
- SELinux user-space tools updated to version 2.9
  The following SELinux user-space tools have been updated to version 2.9: libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans. This version of the SELinux user-space tools provides several bug fixes and enhancements over the previous version.
- SETools updated to version 4.2.2
  As of this update, the SETools collection and libraries have been updated to version 4.2.2. This version of the tools includes several improvements over the previous version, including the removal of source policy references from manual pages (loading of source policies is no longer supported) and a fix for a performance regression in alias loading.
- bpf SELinux policy class added
  The new bpf SELinux policy class is introduced in this update. This class enables you to control the Berkeley Packet Filter (BPF) flow through SELinux and also enables the inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps that are controlled by SELinux.
- boltd_t SELinux type added
  The new boltd_t SELinux type confines the boltd system daemon that is used to manage Thunderbolt 3 devices. The boltd daemon now runs as a confined service in SELinux enforcing mode.
- selinux-policy packages updated to version 3.14.3
  The selinux-policy package is updated to version 3.14.3 in this update. This version of the package provides a number of bug fixes and enhancements over the previous version, including the allowance of additional rules.
- "SELinux: Class not defined in policy" errors no longer displayed on system boot.
  An issue in Oracle Linux 8 that produced errors similar to the following in the /var/log/messages file when booting in either SELinux permissive mode or enforcing mode has been resolved:
  SELinux: Class bpf not defined in policy.
  SELinux: Class xdp_socket not defined in policy.
  SELinux: the above unknown classes and permissions will be allowed
OpenSCAP Features
Oracle Linux 8.1 introduces the following features, changes, and improvements for OpenSCAP.
- OpenSCAP updated to version 1.3.1
  In Oracle Linux 8.1, the openscap packages have been updated to version 1.3.1. This version of OpenSCAP provides many bug fixes and enhancements over the previous version.
- OpenSCAP includes SCAP version 1.3
  Oracle Linux 8.1 includes the OpenSCAP suite, which supports data streams that conform to the latest version of the SCAP standard (SCAP 1.3). You can use SCAP 1.3 data streams the same way that you use SCAP 1.2 data streams, with no additional usability restrictions.
- scap-security-guide packages updated to version 0.1.44
  The scap-security-guide packages have been updated to version 0.1.44 in this update. This version of the packages provides several bug fixes and enhancements over the previous version. Most notably:
  - SCAP content conforms to the latest version of the SCAP standard, SCAP 1.3.
  - SCAP content supports UBI images.
SSH Features
The following new OpenSSH and SSH features, enhancements, and changes are included in Oracle Linux 8.1:
- OpenSSH updated to version 8.0p1
  In Oracle Linux 8.1, the openssh packages have been updated to version 8.0p1. This version of OpenSSH provides several bug fixes and enhancements over the previous version, including the following:
  - Default RSA key size increased to 3072 bits for the ssh-keygen tool.
  - Support for the ShowPatchLevel configuration option has been removed.
  - Numerous GSSAPI key exchange code fixes applied, including a fix for some Kerberos clean-up tasks.
  - Fallback to the sshd_net_t SELinux context has been removed.
  - Match final blocks added.
  - Minor issues with the ssh-copy-id command have been fixed.
  - Fixes for several Common Vulnerabilities and Exposures (CVE) related to the scp utility, namely the following: CVE-2019-6111, CVE-2018-20685, and CVE-2019-6109.
- libssh complies with the system-wide crypto-policies
  In Oracle Linux 8.1, the libssh client and server now automatically load the /etc/libssh/libssh_client.config and /etc/libssh/libssh_server.config files, respectively. With the automatic loading of the configuration file, libssh can use the system-wide cryptographic settings that are set by crypto-policies. This change simplifies control over the set of cryptographic algorithms that are used by applications.
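The OpenSSH item above raises the ssh-keygen default RSA key size to 3072 bits; keys generated under earlier defaults stay in authorized_keys files until they are rotated. The following Python script is an added example, not part of the release notes or of OpenSSH: it parses ssh-rsa public key blobs and lists those below 3072 bits. Using the new default as the audit floor is an assumption, and the sample keys are constructed with placeholder moduli.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # assumption: use the new ssh-keygen default as the audit floor


def _read_string(blob, offset):
    """Read one length-prefixed SSH string; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def rsa_bits(b64_blob):
    """Return the modulus size in bits of an ssh-rsa key blob, else None."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def audit_authorized_keys(text, minimum=MIN_RSA_BITS):
    """Return (line_number, bits, comment) for each RSA key below `minimum`."""
    weak = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or "ssh-rsa" not in fields:
            continue
        idx = fields.index("ssh-rsa")  # key options may precede the key type
        if idx + 1 >= len(fields):
            continue
        try:
            bits = rsa_bits(fields[idx + 1])
        except (ValueError, struct.error):  # malformed base64 or blob
            continue
        if bits is not None and bits < minimum:
            weak.append((lineno, bits, " ".join(fields[idx + 2:])))
    return weak


def constructed_rsa_line(bits, comment):
    """Build an authorized_keys line around a constructed, unusable modulus."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    sample = "\n".join([
        "# constructed sample file",
        constructed_rsa_line(2048, "old@host"),
        "no-pty " + constructed_rsa_line(3072, "new@host"),
    ])
    for lineno, bits, comment in audit_authorized_keys(sample):
        print(f"line {lineno}: {bits}-bit RSA key ({comment})")
```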
New udica Package
Udica is a tool for generating SELinux policies for containers. You can use Udica to create a tailored security policy, which provides better control of how a container accesses host system resources. This capability enables you to harden container deployments against security violations, while simplifying and maintaining regulatory compliance.
virt-manager Application Deprecated
The Virtual Machine Manager application (virt-manager) is deprecated in Oracle Linux 8.1. Oracle recommends that you use the Cockpit web console to manage virtualization in a GUI. Note that some features in Oracle Linux 8 might only be accessible by using either virt-manager or the command line.