Chapter 3 New Features and Changes

This chapter describes new features, major enhancements, bug fixes, and other changes that are introduced in Oracle Linux 8.2. These features generally apply to both the x86_64 and Arm (aarch64) platforms, unless otherwise noted. For information that applies specifically to the Arm platform, see Chapter 6, Release-Specific Information for Oracle Linux 8.2 (aarch64).

3.1 Unbreakable Enterprise Kernel Release 6

Starting with Oracle Linux 8.2, the Unbreakable Enterprise Kernel Release 6 (UEK R6) is included on the installation image, along with the Red Hat Compatible Kernel (RHCK). For new installations, UEK R6 is enabled and installed by default and is the default kernel on first boot.

UEK R6 is a heavily tested and optimized operating system kernel for Oracle Linux 7.7 and later, and Oracle Linux 8.1 and later. The kernel is developed, built, and tested on Arm (aarch64), Intel x86, and AMD x86 (x86_64) platforms. It is based on the mainline Linux kernel version 5.4. This release also updates drivers and includes bug and security fixes.

Note that UEK R6 maintains compatibility with RHCK and does not disable any features that are enabled in RHCK. Additional features are enabled to provide support for key functional requirements and patches are applied to improve performance and optimize the kernel for use on Oracle operating systems.

For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6.

3.2 Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.2 on the x86_64 platform.

For more information about the Unbreakable Enterprise Kernel Release 6 (UEK R6) release that is shipped with Oracle Linux 8.2, refer to the Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6.

  • kexec-tools documentation includes Kdump FCoE target support.  The documentation for the kexec-tools now includes Kdump FCoE target support information. This enhancement enables users to obtain a better understanding of the status and details of kdump on FCoE target support.

  • numactl manual page updated to clarify information about memory usage.  The numactl(8) manual page now explicitly mentions that the memory usage information reflects just the resident pages on the system. This change eliminates any possible confusion with regards to whether the documented memory usage information refers to resident pages or virtual memory.

  • rngd can run with non-root privileges.  In this update, the random number generator daemon (rngd) is capable of running with non-root user privileges, which enhances system security. The rngd daemon checks whether data that is supplied by the source of randomness is sufficiently random and then stores it in the kernel’s random-number entropy pool.

  • Secure Boot available by default.  The default value for the secure= boot option was not set to auto in previous releases, thereby rendering this feature unavailable. In this update, the default value for this boot option is set to auto and the secure boot feature is now available, unless it was previously configured otherwise.

3.3 Compilers and Developer Toolsets

Oracle Linux 8.2 introduces the following features, enhancements, and changes to compilers and developer toolsets.

3.3.1 Compiler Toolsets

The following compiler toolsets have been updated. These toolsets are distributed as Application Streams in Oracle Linux 8.2:

  • Clang toolset updated to version 9.0.0.  This toolset has been updated to version 9.0.0. Features that are included in this Clang version include the following: the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis.

  • Rust toolset updated to version 1.39.  This toolset has been updated to version 1.39. This version of the Rust toolset provides the Rust programming language compiler (rustc), the cargo build tool and dependency manager, as well as any required libraries.

  • Go toolset updated to 1.13.4.  This toolset, which provides the Go (golang) programming language tools and libraries, has been updated to version 1.13.4. This version of the Go toolset also includes the Delve debugger for the Go programming language.

3.3.2 GCC Toolset 9

Oracle Linux 8.2 provides the GCC Toolset 9, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.

The GCC Toolset 9 contains up-to-date versions of the following developer tools:

  • GCC version 9.2.1

  • GDB version 8.3

  • Valgrind version 3.15.0

  • SystemTap version 4.1

  • Dyninst version 10.1.0

  • binutils version 2.32

  • elfutils version 0.176

  • dwz version 0.12

  • make version 4.2.1

  • strace version 5.1

  • ltrace version 0.7.91

  • annobin version 8.7.9

The GCC Toolset 9 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

You can install this toolset as follows:

# dnf install gcc-toolset-9

To run a tool from GCC Toolset 9, use the following command:

$ scl enable gcc-toolset-9 tool

The following command runs a shell session, where tool versions from the GCC Toolset 9 take precedence over system versions of the same tools:

$ scl enable gcc-toolset-9 bash

3.4 Database

Oracle Linux 8.2 ships with version 8.0 of the MySQL database software.

3.5 Dynamic Programming Languages, Web and Database Servers

The following dynamic programming languages, and web and database features and improvements are introduced in this update.

3.5.1 maven:3.6 Module Included

The maven:3.6 module stream is included in Oracle Linux 8.2. The Maven software project management and comprehension tool includes several bug fixes and enhancements over the maven:3.5 stream version that was included in Oracle Linux 8.

3.5.2 mod_wsgi Installation Changes

In previous releases, if you attempted to install the mod_wsgi module by using the dnf install mod_wsgi command, the python3-mod_wsgi package was installed. The introduction of Python 3.8 in Oracle Linux 8.2 requires that you now specify which version of mod_wsgi you want to install, as Python 3.6 is also supported in this release. If you do not specify the mod_wsgi version, an error message is displayed.

For example, if you wanted to install the Python 3.6 version of mod_wsgi, enable the python36 module and then install the package as follows:

# dnf module enable python36
# dnf install python3-mod_wsgi

To install the Python 3.8 version of the package, enable the python38 module and then install the package as follows:

# dnf module enable python38
# dnf install python38-mod_wsgi

Note

The python3-mod_wsgi and python38-mod_wsgi packages conflict with each other. This conflict is due to a limitation with the Apache HTTP Server. As such, only one mod_wsgi module can be installed on a system at any given time.

3.5.3 perl-LDAP and perl-Convert-ASN1 Packages Included

Oracle Linux 8.2 includes the perl-LDAP and perl-Convert-ASN1 packages. The perl-LDAP package provides an LDAP client for the Perl language. Note that the perl-LDAP package requires the perl-Convert-ASN1 package. This package encodes and decodes Abstract Syntax Notation One (ASN.1) data structures by using Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).

3.5.4 Python 3.8 Introduced

Oracle Linux 8.2 includes Python 3.8, which is provided by a new python38 module. Python 3.8 includes several enhancements over the previous Python 3.6 version, including improvements to the developer experience and better performance. Other notable changes include new Python modules and language features, improved support for optional static type hints, and updated versions of some packages, such as pip, requests, and Cython.

Note that Python 3.6 continues to be supported in Oracle Linux 8. You can install Python 3.8 and the packages that are built for it in parallel with Python 3.6, on the same system.

For example, you would install packages from the python38 module as follows:

# dnf install python38
# dnf install python38-Cython

Running the previous command automatically enables the python38:3.8 module.

3.6 File Systems and Storage

Oracle Linux 8.2 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs file system removed from RHCK.  The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user-space packages that are provided are not supported with RHCK.

    Note

    Support for the Btrfs file system is enabled in UEK R6. For more information about other enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6.

  • OCFS2 file system removed from RHCK.  The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user-space packages that are provided are not supported with RHCK.

    Note

    OCFS2 is fully supported with UEK R6 in Oracle Linux 8.2.

  • dm-writecache caching method added for LVM cache volumes.  In this update, Logical Volume Manager (LVM) cache volumes include the dm-writecache caching method, as well as the existing hot-spot (dm-cache) method.

    The dm-writecache method caches write operations only. The faster volume, typically an SSD or a persistent memory (PMEM) disk, stores the write operations first and then migrates these operations to the slower disk in the background.

    Use the lvconvert command with the --type cache or --type writecache option to configure a caching method.

    Note

    See Section 4.6.5, “Limitations of the LVM dm-writecache caching method” for further information about the limitations of this feature.

3.7 Infrastructure Services

Oracle Linux 8.2 introduces the following infrastructure services features, enhancements, and changes:

  • Bind updated to version 9.11.13.  In this update, the bind packages have been updated to version 9.11.13. This version of Bind includes several improvements over the previous version, including new features and commands, as well as improvements to existing commands and functionality.

  • Tuned updated to version 2.13.  The tuned packages are updated to version 2.13 in this update. This version of Tuned provides several bug fixes and enhancements over the previous version.

3.8 Networking

Oracle Linux 8.2 introduces the following features, enhancements, and changes:

  • eBPF for Traffic Control kernel subsystem supported.  In this update, the Traffic Control (tc) kernel subsystem and the tc tool are capable of attaching extended Berkeley Packet Filter (eBPF) programs as packet classifiers and actions for both the ingress and egress queueing disciplines. Note that eBPF for tc was previously available as a technology preview only.

  • firewalld updated to version 0.8.  The firewalld packages are updated to version 0.8 in this update. This version of firewalld provides several performance improvements, including all bug fixes since version 0.7.0.

    Other notable changes include the following:

    • firewalld now uses the libnftables JSON interface, which is part of the nftables subsystem.

    • Service definitions include a new helper element, which replaces module.

    • Custom helpers can now use standard helper modules.

  • firewalld service can use connection tracking helpers for services that are running on a non-standard port.  The firewalld service's user-defined helpers can now use standard kernel helper modules. This improvement provides the capability for creating firewalld rules that use connection tracking helpers for services that are running on a non-standard port.

  • User-space applications can retrieve the netns ID selected by the kernel.  In this update, capability has been added for user-space applications to request that the kernel select a new netns ID and then assign it to a network name space. This improvement provides user-space applications with a more reliable option for identifying the netns ID selected by the kernel. You can now specify the NLM_F_ECHO option when sending an RTM_NETNSID netlink message to the kernel. The kernel then returns a netlink message that includes the netns ID, set to the value that the kernel selected.

  • whois package added.  The whois package is included in Oracle Linux 8.2. The whois package provides capability for retrieving information about a specific domain name or IP address.

3.9 Podman, Buildah, and Skopeo Container Tools

The podman, buildah, and skopeo container tools that were introduced in the Oracle Linux 8 release are supported on both UEK R6 and RHCK in Oracle Linux 8.2. These tools are compatible with the Open Container Initiative (OCI) and can be used to manage the same Linux containers that are produced and managed by Docker and other compatible container engines. Because these tools are light-weight and primarily focused on a subset of features, you can run them minus the overhead of working with a daemon process. For more details about these tools, see Oracle® Linux: Podman User's Guide.

3.10 Security

Oracle Linux 8.2 introduces the following security features, enhancements, and changes:

  • Audit updated to version 3.0-0.14.  The audit packages have been updated to version 3.0-0.14. This version of Audit provides many bug fixes and enhancements over the previous version.

  • Audit includes several improvements from kernel v5.5-rc1.  The version of Audit that is provided in this update includes several enhancements, bug fixes, and cleanups related to the Audit subsystem, many of which were introduced between versions 4.18 and 5.5-rc1 of the kernel.

  • lvmdbusd service confined by SELinux.  In this update, the lvmdbusd executable file has the lvm_exec_t context defined. This change means the lvmdbusd daemon can now be used correctly with SELinux in enforcing mode. Previously, the lvmdbusd daemon could not transition to the lvm_t context, irrespective of whether the SELinux policy for lvm_t was defined. The result was that the lvmdbusd daemon was executed in the unconfined_service_t domain, with SELinux labeling lvmdbusd as unconfined.

  • openssl-pkcs11 updated to version 0.4.10.  The openssl-pkcs11 package has been updated to version 0.4.10. This version of the package includes several bug fixes and enhancements over the previous version. Note that the openssl-pkcs11 package provides access to PKCS #11 modules through the engine interface.

  • oscap-podman tool added.  The openscap packages have been updated to include the new oscap-podman tool for security and compliance scanning of containers. Note that this tool is contained in the openscap-utils package.

  • rsyslog updated to version 8.1911.0.  The rsyslog packages have been updated to version 8.1911.0, which provides numerous bug fixes and enhancements over the previous version.

  • SCAP Security Guide includes ACSC Essential Eight and DISA STIG for Oracle Linux 8 support.  The scap-security-guide packages in Oracle Linux 8.2 provide the following new profiles:

    • Australian Cyber Security Centre (ACSC) Essential Eight compliance profile aligned to the security baseline defined by ACSC.

    • [DRAFT] DISA STIG for Oracle Linux 8 compliance profile aligned to the STIG security controls published by DISA.

    This improvement enables you to install a system that conforms to one of these security baselines.

    Also, you can now use the OpenSCAP suite to check security compliance and remediation by using this specification, which provides minimum security controls, as defined by the corresponding baseline.

  • SELinux setools-gui and setools-console-analyses packages included.  The setools-gui package, which was included in Oracle Linux 7, is re-introduced in Oracle Linux 8.2. You can use the tool to inspect relations and data flows, particularly in multi-level systems with highly specialized SELinux policies. You can also use the apol graphical tool that is available with the setools-gui package to inspect and analyze various aspects of an SELinux policy. In addition, you can use the tools that are included with the setools-console-analyses package to analyze domain transitions and SELinux policy information flows.

  • SELinux improved to enable confined users to manage user session services.  Confined users can now manage user sessions. In previous releases, confined users could not manage user session services, which meant they could not execute the systemctl --user or busctl --user commands or work in the web console.

  • semanage export able to display customizations related to permissive domains.  The semanage command, which is part of the policycoreutils package for SELinux, has been improved. You can now use the command to display customizations for permissive domains. You can now also use the semanage export command to transfer permissive local modifications between systems.

  • semanage includes capability for listing and modifying SCTP and DCCP ports.  Oracle Linux 8.2 includes SCTP and DCCP protocol support for the semanage port command. This enhancement enables you to check whether two systems can communicate by using SCTP. In addition, the ability to fully enable SCTP features to successfully deploy SCTP-based applications is also provided. In previous releases, you could only list and modify TCP and UDP ports by using the semanage port command.

  • Sudo updated to version 1.8.29-3.  The sudo packages have been updated to version 1.8.29-3. This version of Sudo includes several major changes, bug fixes, and improvements over the previous version.

  • Udica capable of adding new allow rules generated from SELinux denials to existing container policy.  The udica command has been improved. Now, if a container that is running under a policy generated by the udica command triggers an SELinux denial, the command is able to update the policy. You can use the new -a or --append-rules option to append rules from an AVC file.
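
The lvmdbusd item above describes a daemon that ended up in the unconfined_service_t domain because it could not transition to its intended domain. The following added example (not part of the Oracle release notes) flags any process in that domain from `ps -eZ` output; the function names and both sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot daemons that SELinux leaves unconfined.
# Input format is that of `ps -eZ`: LABEL PID TTY TIME CMD.

# list_unconfined_services: read ps -eZ output on stdin and print
# "PID COMMAND" for each process whose SELinux type is unconfined_service_t.
list_unconfined_services() {
    awk '
        NR == 1 && $1 == "LABEL" { next }       # skip the ps header
        {
            # A context is user:role:type:level. The level can contain
            # colons itself (s0-s0:c0.c1023), so read field 3, not the last.
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == "unconfined_service_t")
                print $2, $NF
        }'
}

# domain_of NAME: print the SELinux type of the first process called NAME.
domain_of() {
    awk -v name="$1" '
        $NF == name { split($1, ctx, ":"); print ctx[3]; exit }'
}

# Constructed snapshot: lvmdbusd running unconfined, as before this update.
sample_before() { cat <<'EOF'
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023   912 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1044 ?       00:00:00 lvmdbusd
EOF
}

# Constructed snapshot: lvmdbusd confined in lvm_t, as after this update.
sample_after() { cat <<'EOF'
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023   912 ?        00:00:00 sshd
system_u:system_r:lvm_t:s0               1044 ?        00:00:00 lvmdbusd
EOF
}

# Demo on the constructed data.
sample_before | list_unconfined_services
```

On a live system with SELinux enabled, pipe the real process list into the same function: `ps -eZ | list_unconfined_services`.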

3.11 User-Agent Header String Improvement

In this update, the User-Agent header string that is normally part of HTTP requests that are made by DNF has been extended to include information that is read from the /etc/os-release file. See the dnf.conf(5) manual page for more specific details.

3.12 Virtualization

The following virtualization features, enhancements, and changes are introduced in this update:

  • virt-install returns more helpful message when creating VM from an install tree.  The virt-install command has been improved to include a workaround for an issue that caused booting to fail on Oracle Linux 7 and earlier Oracle Linux 8 releases if the --location option was also specified. The command now returns a more helpful message that includes instructions on how to work around the problem should such a failure occur.

  • EDK2 updated to version stable201908.  The EDK2 package has been updated to version stable201908. This version of EDK2 includes several improvements, including support for OpenSSL-1.1.1. Another notable change in this version of EDK2 is that the EDK2 package license has changed from BSD and OpenSSL and MIT to BSD-2-Clause-Patent and OpenSSL and MIT.

  • Nested virtualization capability added for KVM.  This release provides support for nested virtualization on kernel-based Virtual Machines (KVMs) that are running on an Intel 64 host. This enhancement enables an Oracle Linux 7 or Oracle Linux 8 VM that is running on an Oracle Linux 8 physical host to perform as a hypervisor, as well as host its own VMs.

    Note

    On AMD64 systems, nested KVM virtualization continues to be a Technology Preview feature.

  • virt-manager application deprecated.  The Virtual Machine Manager application (virt-manager) is deprecated in this release. Oracle recommends that you use the Cockpit web console to manage virtualization. Note that some features in Oracle Linux 8 might still only be accessible by using either virt-manager or the command line.

  • VM snapshots deprecated.  The current mechanism for creating VM snapshots is deprecated and not working reliably in this release. It is therefore recommended that you do not use snapshots in Oracle Linux 8.

3.13 Web Console

Oracle Linux 8.2 introduces the following features, improvements, and changes for the Cockpit web console:

  • Web console login changes.  Starting with this update, you are now automatically logged out of your current web console session after 15 minutes of inactivity. To modify this setting, adjust the timeout in minutes by editing the /etc/cockpit/cockpit.conf file. Another change in this update includes optional capability for showing the content of banner files on the web console's login screen, which is similar to SSH behavior. You must configure this functionality in the /etc/cockpit/cockpit.conf file to use it.

  • Option for logging into the web console with a TLS client certificate added.  You can now configure the web console to log in with a TLS client certificate that is provided by a browser or a device, such as a smart card or a YubiKey.

  • Storage page updates.  Creating a new file system in the web console now always requires a specified mount point. This page also no longer offers the "Default" choice when mounting a file system.

    The web console now hides the distinction between the /etc/fstab and the /proc/mounts run-time state configuration. Any changes that you make in the web console apply to both the configuration and the run-time state. In the event that the configuration and the run-time state differ from each other, the web console issues a warning to enable you to more easily synchronize these configurations.

  • Virtual Machines page updates.  Several storage improvements have been made to the Virtual Machines page, including the following: storage volume creation works for all libvirt-supported types and you can now create storage pools on an LVM or iSCSI device. Also, the Virtual Machines page includes capability for creating and removing virtual network interfaces.

  • Web console redesigned to use the PatternFly 4 UI design system.  The PatternFly 4 design is implemented in this update. This design provides improved accessibility and also more closely matches the OpenShift 4 design. Another important feature improvement is a redesigned Overview page that is easier to understand. The following additional improvements have been made: health information is more prominent, resource graphs have been moved to a separate page, and the hardware information page is much easier to locate. The new design also provides a new Search field in the Navigation menu to enable users to more easily locate specific pages by using keywords.
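
The login changes and the TLS client certificate option listed above are all set in /etc/cockpit/cockpit.conf. The following added example (not Oracle's or the Cockpit project's code) reports the idle timeout, banner, and client-certificate settings of a configuration file; it assumes the IdleTimeout and Banner keys in [Session] and the ClientCertAuthentication key in [WebService] as documented in cockpit.conf(5), and both sample files are constructed.

```shell
#!/bin/sh
# Added example: report login-related settings from a cockpit.conf file.
# Key names follow cockpit.conf(5); the sample files below are constructed.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want_sec {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) found = val    # keep the last assignment
        }
        END { if (found != "") print found }' "$1"
}

# audit_cockpit_conf FILE: print one finding per line.
audit_cockpit_conf() {
    idle=$(conf_get "$1" Session IdleTimeout)
    banner=$(conf_get "$1" Session Banner)
    cert=$(conf_get "$1" WebService ClientCertAuthentication)

    case "${idle:-unset}" in
        unset)    echo "idle-timeout: default (15 minutes in this release)" ;;
        0)        echo "idle-timeout: DISABLED" ;;   # 0 turns the timeout off
        *[!0-9]*) echo "idle-timeout: INVALID ($idle)" ;;
        *)        if [ "$idle" -gt 15 ]; then
                      echo "idle-timeout: $idle minutes (longer than default)"
                  else
                      echo "idle-timeout: $idle minutes"
                  fi ;;
    esac

    echo "banner: ${banner:-none}"

    # Assumption: yes/true/1 are the spellings treated as enabled.
    case "$cert" in
        yes|true|1) echo "client-cert-login: on" ;;
        *)          echo "client-cert-login: off" ;;
    esac
}

# Constructed sample: timeout disabled, no banner, no client certificates.
sample_lax() { cat <<'EOF'
# /etc/cockpit/cockpit.conf (constructed)
[WebService]
LoginTitle = ops console

[Session]
IdleTimeout = 0
EOF
}

# Constructed sample: shorter timeout, banner file, client certificates.
sample_strict() { cat <<'EOF'
[WebService]
ClientCertAuthentication = yes

[Session]
IdleTimeout=10
Banner=/etc/issue.cockpit
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp)
sample_lax > "$tmp";    audit_cockpit_conf "$tmp"
sample_strict > "$tmp"; audit_cockpit_conf "$tmp"
rm -f "$tmp"
```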

3.14 Compatibility

Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that underlies the operating system. Existing applications in userspace continue to run unmodified on the Unbreakable Enterprise Kernel Release 6 (UEK R6) release and no recertifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors regarding hardware and software that have dependencies on kernel modules. The kernel ABI for UEK R6 will remain unchanged in all subsequent updates to the initial release. UEK R6 contains changes to the kernel ABI, relative to UEK R5, that require recompilation of third-party kernel modules on the system. Before installing UEK R6, verify its support status with your application vendor.