2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Installation

Oracle Linux 8.3 introduces the following notable features and improvements to installing and booting a system, and creating images.

For information about upgrading an Oracle Linux 7 system to the latest Oracle Linux 8 release, see Upgrading From Oracle Linux 7 to Oracle Linux 8.

Graphical Installer Improvements

In Oracle Linux 8.3, the Anaconda graphical installer is updated to version 33.16.3.1. This version of the installer provides numerous changes and improvements over the previous version of the installer. Notable changes include the following:

  • Installation Program displays supported NVDIMM device sector sizes.

  • Host name is configured correctly on an installed system having IPv6 static configuration.

  • Capability for using non-ASCII characters in the disk encryption passphrase.

  • The GUI installation program displays an appropriate recommendation for creating a new file system on /boot, /tmp, and all /var and /usr mount points, with the exception of /usr/local and /var/www.

  • The ability to change the LUKS version of the container is now available in the Manual Partitioning screen.

  • Installation program successfully finishes an installation without the btrfs-progs package.

  • Installation program uses the LUKS2 version for an encrypted container by default.

  • Installation program no longer crashes when a kickstart file puts physical volumes (PVs) of a logical volume group (VG) on an ignoredisk list.

GUI Installation Changes

In Oracle Linux 8.3, the graphical installation program has been updated to include the Root password and User creation settings in the Installation Summary screen. This improvement enables you to configure a root password, as well as create a user account prior to starting the installation. In previous releases, you performed this configuration after beginning the installation process.

For more information about this change, see Oracle Linux 8: Installing Oracle Linux.

Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.3 on the x86_64 platform.

For more information about the Unbreakable Enterprise Kernel Release 6 (UEK R6) release that is shipped with Oracle Linux 8.3, see the Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 (5.4.17-2011).

  • lshw command provides additional CPU information

    The List Hardware command (lshw) now displays more CPU information. The CPU version field now includes the family, model and stepping details of the system processors in numeric format as version: family.model.stepping.

  • Extended Berkeley Packet Filter added

    Oracle Linux 8.3 includes support for the Extended Berkeley Packet Filter (eBPF) in-kernel virtual machine, as well as the tc classifier/action code and BCC tools.

  • Libbpf support included

    Support for Libbpf is added in this release. The libbpf package is critical for BPF-related applications like bpftrace, as well as bpf/xdp development.

  • Mellanox ConnectX-6 Dx network adapter included

    The PCI IDs of the Mellanox ConnectX-6 Dx network adapter have been added to the mlx5_core driver. Oracle Linux now loads the mlx5_core driver automatically on hosts that use this adapter. This feature was previously available as a technology preview only.

  • tpm2-tools updated to version 4.1.1

    The tpm2-tools package is updated to version 4.1.1. This version of the TPM (Trusted Platform Module) 2 tools provides several command changes, including additions, updates, and removals.

  • TSX disabled by default

    To improve OS security, the Intel Transactional Synchronization Extensions (TSX) technology is now disabled by default in the kernel. Note that this change only applies to CPUs that support disabling TSX, for example, the 2nd Generation Intel Xeon Scalable Processors (formerly known as Cascade Lake, with Intel C620 Series Chipsets).
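
A check for the TSX default described in the last item above, as an added example that is not part of the Oracle documentation. It assumes the upstream kernel's tsx= boot parameter and the rtm and hle CPU flags in /proc/cpuinfo; the function names, verdict strings, and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether TSX is exposed on a host, from two inputs an
# auditor can collect: the kernel command line and the CPU flags line.

# Print the last tsx= value on a kernel command line (on, off, auto) or "none".
# The pattern is anchored so that tsx_async_abort= is not mistaken for tsx=.
tsx_cmdline_override() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^tsx=(on|off|auto)$/) v = substr($i, 5) }
        END { print (v == "" ? "none" : v) }'
}

# Print "yes" when the flags line still advertises TSX (rtm or hle), else "no".
tsx_cpu_exposed() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i == "rtm" || $i == "hle") found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Combine both observations into one verdict string (names are hypothetical).
#   tsx-off                     no TSX flags visible to the OS
#   tsx-on-by-boot-parameter    an administrator re-enabled TSX with tsx=on
#   tsx-on-default-not-applied  TSX visible without an override, for example
#                               on a CPU that does not support disabling it
tsx_verdict() {
    override=$(tsx_cmdline_override "$1")
    exposed=$(tsx_cpu_exposed "$2")
    if [ "$exposed" = "no" ]; then
        echo "tsx-off"
    elif [ "$override" = "on" ]; then
        echo "tsx-on-by-boot-parameter"
    else
        echo "tsx-on-default-not-applied"
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-placeholder root=/dev/mapper/ol-root ro tsx_async_abort=full tsx=on'
SAMPLE_FLAGS='flags : fpu vme sse2 avx2 rtm avx512f hle'

tsx_verdict "$SAMPLE_CMDLINE" "$SAMPLE_FLAGS"

# On a live host (assumed paths):
#   tsx_verdict "$(cat /proc/cmdline)" "$(grep -m1 '^flags' /proc/cpuinfo)"
```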

Built-In Default Value for best DNF Configuration Option Set to True

In this release, the built-in best DNF configuration option value is set to True by default.

This change means that DNF will now run with the best configuration option set to False unless you explicitly set it to True in a configuration file. If you have set the best=True option in your DNF configuration file (/etc/dnf/dnf.conf), this behavior is unchanged. However, if you do not have this option set in your DNF configuration file, when you run the dnf command to install a package, if the package is already installed but an update is available, the command does not attempt to install the update.

To retain the same behavior in your own configuration files, ensure that the best=True option is included.
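
One way to check whether a DNF configuration file states the best option explicitly, as the paragraph above advises. This is an added example, not Oracle's tooling; the function names and the sample configuration are constructed, and the accepted boolean spellings are an assumption about DNF's parser.

```shell
#!/bin/sh
# Added example: report how `best` is set in the [main] section of a
# dnf.conf-style file. Reads the file named in $1, or stdin when omitted.
# Prints: true, false, invalid, or unset (option absent from [main]).
dnf_best_setting() {
    awk '
        /^[ \t]*\[/ {                         # section header, e.g. [main]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }  # comments and blank lines
        section == "main" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (key != "best") next
            # Boolean spellings assumed to match what DNF accepts.
            # A later assignment overrides an earlier one.
            if (val ~ /^(1|yes|true|on)$/)        result = "true"
            else if (val ~ /^(0|no|false|off)$/)  result = "false"
            else                                  result = "invalid"
        }
        END { print (result == "" ? "unset" : result) }
    ' "${1:--}"
}

# Exit status 0 only when best=True is stated explicitly, so the check can
# gate a configuration-management run or an image build.
dnf_best_is_pinned() {
    [ "$(dnf_best_setting "$@")" = "true" ]
}

# Constructed sample: a site-provided configuration in which the option is
# only present as a comment, so it has no effect.
SAMPLE_DNF_CONF='[main]
gpgcheck=1
installonly_limit=3
# best=True
skip_if_unavailable=False'

printf '%s\n' "$SAMPLE_DNF_CONF" | dnf_best_setting

# On a live host:
#   dnf_best_is_pinned /etc/dnf/dnf.conf || echo "best=True is not set explicitly"
```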

Database

This release of Oracle Linux 8 ships with version 8.0 of the MySQL database software.

Desktop

Oracle Linux 8.3 includes the TigerVNC desktop feature. In this release, the tigervnc packages are updated to version 1.10.1.

Dynamic Programming Languages, Web and Database Servers

Oracle Linux 8.3 includes the following feature changes and improvements for dynamic programming languages, and web and database servers. Note that this release also introduces several new, as well as improved, module streams:

  • Ruby 2.7.1 module stream added

    The new ruby:2.7 module stream, which provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.6, is introduced in this release.

  • Nodejs:14 module stream added

    The new Node.js 14.4.0 module stream provides a number of new features, bug and security fixes, and improvements over Node.js 12, the version that was distributed in the previous release.

  • git packages updated to version 2.27

    In this release, the git packages are updated to version 2.27.

  • python38:3.8 module stream changes

    This release includes the python38:3.8 module stream.

  • php:7.4 module stream added

    The new PHP 7.4 module stream includes a number of bug fixes and enhancements over the previous 7.3 version. The new Foreign Function Interface (FFI) experimental extension, which is available in the php-ffi package, has also been introduced in this release. This extension enables you to do the following: call native functions, access native variables, and create and access data structures defined in C libraries.

    Note that the following extensions have been removed:

    • The wddx extension has been removed from the php-xml package.

    • The recode extension has been removed from the php-recode package.

  • nginx:1.18 module stream added

    This version of the nginx web and proxy server provides a number of bug fixes, security fixes, as well as new features and enhancements over the previous version 1.16.

  • perl:5.30 module stream added

    RHEL 8.3 introduces Perl 5.30, which provides a number of bug fixes and enhancements over the previously released Perl 5.26. The new version also deprecates or removes certain language features.

  • perl-libwww-perl:6.34 module stream added

    The new perl-libwww-perl:6.34 module stream includes the perl-libwww-perl package, which can be used for all versions of Perl that are available in Oracle Linux 8. Note that the non-modular perl-libwww-perl package (available since Oracle Linux 8) is obsoleted by the new default perl-libwww-perl:6.34 module stream, as that package could not be used with any Perl streams, other than version 5.26.

  • perl-IO-Socket-SSL:2.066 module stream added

    The new perl-IO-Socket-SSL:2.066 module stream includes the perl-IO-Socket-SSL and perl-Net-SSLeay packages. These packages are compatible with all of the Perl streams that are available in Oracle Linux 8.

  • squid:4 module stream updated to version 4.11

    This version of the Squid proxy server includes the squid:4 module stream, which has been updated from version 4.4 to version 4.11. This version of Squid provides a number of bug and security fixes and various enhancements, including new configuration options.

  • httpd:2.4 module stream changes

    Several bug fixes and other notable changes to the Apache HTTP Server are made available through the httpd:2.4 module stream.

  • New CustomLog directive enables logging to journald in httpd

    You can now transfer logs to journald from the Apache HTTP Server by using the new CustomLog directive.

File Systems and Storage

Oracle Linux 8.3 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs removed from RHCK

    The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user space packages that are provided are not supported with RHCK.

    Note:

    Support for the Btrfs file system is enabled in UEK R6. Starting with Oracle Linux 8.3, during an installation, you now have the option to create a Btrfs root file system, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.

    For more information about managing the Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.

    For more information about the enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 (5.4.17-2011).

  • OCFS2 removed from RHCK

    The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.

    Note:

    OCFS2 is fully supported with UEK R6 in Oracle Linux 8.3.

  • NVMe/TCP available as a Technology Preview

    NVMe over Fabrics TCP host and the target drivers have been added to RHCK in this release as a technology preview. Note that NVMe/TCP is already supported in Unbreakable Enterprise Kernel Release 6.

GCC Toolset 10

Oracle Linux 8.3 provides the GCC Toolset 9, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.

The GCC Toolset 10 contains up-to-date versions of the following developer tools:

  • GCC version 10.1.1

  • GDB version 9.2

  • Valgrind version 3.16.0

  • SystemTap version 4.3

  • Dyninst version 10.1.0

  • binutils version 2.32

  • elfutils version 0.180

  • dwz version 0.12

  • make version 4.2.1

  • strace version 5.7

  • ltrace version 0.7.91

  • annobin version 9.21

The GCC Toolset 10 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

Install this toolset as follows:

sudo dnf install gcc-toolset-10

To run a tool from GCC Toolset 10, use the following command:

scl enable gcc-toolset-10 tool

The following command runs a shell session, where tool versions from the GCC Toolset 10 take precedence over system versions of the same tools:

scl enable gcc-toolset-10 bash

High Availability and Clusters

The following high availability and cluster features are included in Oracle Linux 8.3:

  • pacemaker updated to version 2.0.4

    In this release, Pacemaker is updated to version 2.0.4. This version of Pacemaker provides a number of bug fixes over the previous version.

  • Pacemaker support for recovery by demoting a promoted resource rather than fully stopping it

    In this release, you can configure a promotable resource in a Pacemaker cluster to ensure that if a promote or monitor action fails for that resource or the partition in which the resource is running loses quorum, the resource is demoted but not fully stopped.

  • priority-fencing-delay cluster property added

    Pacemaker includes the new priority-fencing-delay cluster property. This property enables you to configure a two-node cluster to ensure that in a split-brain situation, the node with the fewest resources running is fenced. This feature is useful in situations where you would prefer that the resource continue to be available in the unpromoted mode.

  • Commands for managing multiple sets of resource and operation defaults added

    Commands for managing multiple sets of resource and operation defaults are included in this release. These new commands enable you to create, list, change, and delete multiple sets of resource and operation defaults. Also, when creating a set of default values, you can specify a rule that contains resource and op expressions. This capability enables you to configure a default resource value for all resources that are of a particular type. In addition, commands that list existing default values now include multiple sets of defaults in their output.

  • Command for tagging cluster resources added

    You can now tag cluster resources in a Pacemaker cluster by using the pcs tag command. You can also use this command to remove or modify a resource tag, or display a tag configuration.

Infrastructure Services

Oracle Linux 8.3 introduces several version updates to infrastructure tools, including the following:

  • Bind updated to version 9.11

    The bind package is updated to version 9.11. Bind version 9.11 provides several bug fixes and enhancements over the previous version. Notable changes include increased reliability on systems that have multiple CPU cores and more detailed error detection, as well as improvements to the dig command and other tools, which now can print the Extended DNS Error (EDE) option, if present.

  • Powertop updated to version 2.12

    The powertop packages are updated to version 2.12. Powertop version 2.12 includes several improvements over the previous version.

  • Tuned updated to version 2.14.0

    The tuned packages are updated to version 2.14.0 in this release. Tuned version 2.14.0 includes the following notable enhancements:

    • New optimize-serial-console profile.

    • A post loaded profile is included.

    • An irqbalance plugin for handling irqbalance settings is included.

    • Addition of architecture-specific tuning for Marvell ThunderX and AMD based platforms.

    • Scheduler plugin extended to include cgroups-v1 for the CPU affinity setting.

  • tcpdump updated to version 4.9.3

    The tcpdump utility is updated to version 4.9.3 to fix some Common Vulnerabilities and Exposures (CVEs).

  • libpcap utility updated to version 1.9.1

    The libpcap utility is updated to version 1.9.1 to fix Common Vulnerabilities and Exposures (CVEs).

  • memcached updated to version 1.5.22

    The memcached packages are updated to version 1.5.22. This version of Memcached includes several notable improvements over the previous version.

Networking

Oracle Linux 8.3 introduces the following features, enhancements, and changes:

  • firewalld updated to version 0.8.2

    The firewalld packages are updated to version 0.8.2 in this release. This version of firewalld includes a number of bug fixes over the previous version.

  • IPv4 and IPv6 Netfilter tracking modules merged with nf_conntrack module

    The nf_conntrack_ipv4 and nf_conntrack_ipv6 Netfilter connection tracking modules have merged with the nf_conntrack kernel module. A result of this change is that blocklisting address family-specific modules no longer works. In addition, you can now blocklist only the nf_conntrack module to disable connection tracking support for both IPv4 and IPv6.

  • NetworkManager updated to version 1.26.0

    This version of NetworkManager provides several important improvements and changes, including the following:

    • NetworkManager resets the auto-negotiation, speed, and duplex setting to the original value when deactivating a device.

    • Wi-Fi profiles now connect automatically if all previous activation attempts failed, meaning that an initial failure to auto-connect does not block further automatic connection attempts.

    • nm-settings-nmcli(5) and nm-settings-dbus(5) manual pages added.

    • Several bridge parameters added.

    • Virtual routing and forwarding (VRF) interfaces added.

    • Opportunistic Wireless Encryption mode (OWE) for Wi-Fi networks added.

    • nmcli utility improvement enables the removal of settings by using the nmcli connection modify command.

    • NetworkManager improved to no longer create and activate secondary devices if the primary device is missing.

  • XDP available as a Technology Preview

    The eXpress Data Path (XDP) feature has been added to RHCK in this release as a technology preview. XDP is a flexible and minimal kernel-based packet transport for high-speed networking. Note that XDP is already supported in Unbreakable Enterprise Kernel Release 6 (UEK R6).
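
For the nf_conntrack module merge described in the list above, the following added example (not part of the Oracle documentation) audits modprobe.d-style configuration for blocklist entries that name the old address family-specific modules and therefore no longer have any effect. The function names, finding labels, and sample configuration are constructed; the script treats both blacklist lines and install lines that point at /bin/false or /bin/true as blocklist entries.

```shell
#!/bin/sh
# Added example: audit modprobe.d-style configuration (on stdin) for
# connection-tracking blocklist entries after the nf_conntrack merge.

# Emit one finding per relevant entry:
#   STALE  <module>   entry names a module that was merged into nf_conntrack
#   ACTIVE <module>   entry names nf_conntrack itself
conntrack_blocklist_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            module = $2
            gsub(/-/, "_", module)          # modprobe treats - and _ alike
            blocked = ($1 == "blacklist")
            if ($1 == "install" && $3 ~ /^\/(usr\/)?bin\/(false|true)$/)
                blocked = 1
            if (!blocked) next
            if (module == "nf_conntrack_ipv4" || module == "nf_conntrack_ipv6")
                print "STALE " module
            else if (module == "nf_conntrack")
                print "ACTIVE " module
        }'
}

# Reduce the findings to one verdict (labels are hypothetical):
#   disabled-for-both-families  nf_conntrack itself is blocklisted
#   stale-entries-only          only the merged modules are named, so
#                               connection tracking is still available
#   no-conntrack-entries        nothing relevant is configured
conntrack_blocklist_verdict() {
    findings=$(conntrack_blocklist_audit)
    case "$findings" in
        *"ACTIVE nf_conntrack"*) echo "disabled-for-both-families" ;;
        *STALE*)                 echo "stale-entries-only" ;;
        *)                       echo "no-conntrack-entries" ;;
    esac
}

# Constructed sample: a hardening baseline written for an earlier release.
SAMPLE_MODPROBE='# disable IPv6 connection tracking
blacklist nf_conntrack_ipv6
install nf-conntrack-ipv4 /bin/false
blacklist dccp'

printf '%s\n' "$SAMPLE_MODPROBE" | conntrack_blocklist_audit
printf '%s\n' "$SAMPLE_MODPROBE" | conntrack_blocklist_verdict

# On a live host (assumed paths):
#   cat /etc/modprobe.d/*.conf | conntrack_blocklist_verdict
```

A stale-entries-only verdict is the case to review: the configuration expresses an intent to disable tracking for one address family that the merged module can no longer honor.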

Security

Oracle Linux 8.3 introduces the following security features, enhancements, and changes:

  • CyrusSASL support for channel bindings with SASL/GSSAPI and SASL/GSS-SPNEGO plugins

    Support has been added in this release for channel bindings by using SASL/GSSAPI and SASL/GSS-SPNEGO plugins. When used in the openldap libraries, the feature provides CyrusSASL with the ability to maintain compatibility with and access to Microsoft Active Directory and Microsoft Windows systems, which introduce mandatory channel binding for LDAP connections.

  • gnutls updated to version 3.6.14

    The gnutls packages are updated to version 3.6.14 in this release. This version of the gnutls packages includes several bug fixes and improvements over the previous version.

  • Libreswan updated to version 3.32

    In this release, Libreswan has been updated to version 3.32. This version of Libreswan provides several new features and bug fixes, including the following notable changes:

    • A separate FIPS 140-2 certification is no longer required.

    • Implementation of the cryptographic recommendations of RFC 8247, which changes the preference from SHA-1 and RSA-PKCS v1.5 to SHA-2 and RSA-PSS.

    • Support for XFRMi virtual ipsecXX interfaces, which simplify the writing of firewall rules.

    • Improvement to the recovery of crashed and rebooted nodes in a full-mesh encryption network.

  • libseccomp library updated to version 2.4.3

    The libseccomp library is updated to version 2.4.3. This library provides an interface to the seccomp syscall filtering mechanism. This version of the libseccomp library also includes a number of bug fixes and enhancements over the previous version.

  • libcap support for ambient capabilities

    You can now grant ambient capabilities at login, which eliminates the need to have root access for appropriately configured processes.

  • libkcapi updated to version 1.2.0

    The libkcapi package is updated to version 1.2.0. This version of libkcapi includes minor changes over the previous version.

  • libssh library updated to version 0.9.4

    The libssh library is updated to version 0.9.4. This library implements the SSH protocol.

  • setools package updated to version 4.3.0

    The setools package is updated to version 4.3.0. This package provides a collection of tools that facilitates the SELinux policy analysis feature. Several bug fixes and enhancements are included in this version of the setools package.

    Note:

    The setools package requires the following additional packages: setools-console, setools-console-analyses, and setools-gui.

  • stunnel updated to version 5.56

    The stunnel encryption wrapper is updated to version 5.56. This version of the stunnel packages includes a number of new features and bug fixes, including the following:

    • ticketKeySecret and ticketMacSecret options for controlling confidentiality and integrity protection of the issued session tickets. These options enable you to resume sessions on other nodes in a cluster.

    • curves option, which controls the list of elliptic curves in OpenSSL 1.1.0 and later.

    • ciphersuites option to control the list of permitted TLS 1.3 ciphersuites.

    • sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later added.

  • update-crypto-policies and fips-mode-setup relocated to crypto-policies-scripts

    In this release, the update-crypto-policies and fips-mode-setup scripts are moved to the crypto-policies-scripts package, which is a separate RPM subpackage. This package is automatically installed through the Recommends dependency on regular installations.

SCAP and OpenSCAP Improvements

  • OpenSCAP updated to version 1.3.3

    In this release, the openscap packages are updated to version 1.3.3. This version of OpenSCAP includes several bug fixes and improvements over the previous version, including the following notable changes:

    • autotailor script is added. This script enables you to generate tailoring files by using a CLI.

    • Timezone part is added to the Extensible Configuration Checklist Description Format (XCCDF) TestResult start and end time stamps.

    • yamlfilecontent independent probe included as a draft implementation.

    • urn:xccdf:fix:script:kubernetes fix type introduced in XCCDF.

    • Ability to generate the machineconfig fix added.

    • oscap-podman tool can detect ambiguous scan targets.

    • rpmverifyfile probe can verify files from the /bin directory.

    • Fixed crashes when complicated regexes are executed in the textfilecontent58 probe.

    • Evaluation characteristics of the XCCDF report are consistent with OVAL entities from the system_info probe.

    • Fixed file-path pattern matching in offline mode in the textfilecontent58 probe.

    • Fixed infinite recursion in the systemdunitdependency probe.

  • SCAP Workbench tool can generate results-based remediation from tailored profiles

    You are now able to generate results-based remediation roles from tailored profiles by using the SCAP Workbench tool.

  • scap-security-guide packages updated to version 0.1.50

    The scap-security-guide packages have been updated to version 0.1.50. These packages contain the latest set of security policies for Linux systems, as well as bug fixes and several enhancements over the previous version, including improved Ansible content and several fixes and improvements to the scap-security-guide content for scanning systems.

SELinux Improvements

  • fapolicyd packages updated to version 1.0

    The fapolicyd packages are updated to version 1.0. Several bug fixes and enhancements are included in this version of the fapolicyd packages.

  • fapolicyd includes an SELinux policy in fapolicyd-selinux

    The fapolicyd framework now provides its own SELinux security policy. The daemon is confined under the fapolicyd_t domain. The policy is installed through the fapolicyd-selinux subpackage.

  • Individual CephFS files and directories can include SELinux labels

    The storing of SELinux labels in the extended attributes of files has been enabled in the Ceph File System (CephFS). This enhancement enables you to change the labels for individual files, and SELinux defines the labels of any newly created files based on transition rules. Any files that were previously unlabeled retain the system_u:object_r:cephfs_t:s0 label until explicitly changed.

Virtualization

The following virtualization features, enhancements, and changes are included in this release:

  • Bochs display device included

    The Bochs display device, which is introduced in this release, is more secure than the stdvga device. Note that all VMs that are compatible with bochs-display, mainly those that use UEFI, will use this device by default.

  • virsh guestinfo command option added

    The virsh guestinfo command option provides the ability to report information about a virtual machine (VM), including the following: host name, guest OS information, active users, and time zone that is used.

    To enable the virsh guestinfo command option, install the qemu-guest-agent package on the guest OS of the target VM. You must also enable the guest_agent channel in the VM’s XML configuration.

  • Capability for creating QCOW2 disk images on RBD

    In this release, you can create QCOW2 disk images on RADOS Block Device (RBD) storage, which means that VMs are now capable of using RBD servers for their storage backends with QCOW2 images.

    Note that write performance of QCOW2 disk images on RBD storage is currently lower than intended.

  • Capability for migrating VMs with disk cache enabled

    The libvirt library is compatible with disk cache live migration in this release, which now makes it possible to live-migrate VMs with disk cache enabled.

  • Control Group v2 support added for VMs

    The libvirt suite now supports control groups v2, which means that VMs hosted on Oracle Linux 8 can now take advantage of the resource control capabilities provided by Control Group v2.

  • IBM POWER 9 XIVE support included

    Support for the External Interrupt Virtualization Engine (XIVE) feature of IBM POWER9 to RHEL 8 is included in this release. This improvement enables VMs that are running on an Oracle Linux 8 hypervisor on an IBM POWER 9 system to use XIVE, which improves the performance of I/O-intensive VMs.

  • QEMU packed virtqueue layout support

    The packed virtqueue layout that was introduced in VirtIO-1.1 is now supported in QEMU. The new format enables the exchange of requests by using a more compact descriptor representation. This change makes it easier to implement virtIO on hardware, as well as increases system performance.

  • QEMU logs include time stamps

    As of this release, all logged QEMU events have a time stamp. This improvement enables you to more easily troubleshoot your VMs using logs in the /var/log/libvirt/qemu/ directory.

  • QEMU/KVM support for discard and write-zeroes commands included

    The discard and write-zeroes commands for the virtio-blk protocol are now supported in QEMU/KVM. This change enables VMs to use the virtio-blk device to discard unused sectors of an SSD, fill sectors with zeroes when they are emptied, or both. You can use this capability to increase SSD performance and also ensure that a drive is securely erased.

  • QEMU now uses gcrypt library for XTS ciphers

    The QEMU emulator is updated to use the XTS cipher mode implementation that is provided by the gcrypt library. This change improves the I/O performance of VMs with host storage that uses QEMU’s native LUKS encryption driver.

  • macvtap interfaces can be used by VMs in non-privileged sessions

    In this release, VMs can use a pre-existing macvtap interface that was previously created by a privileged process. This change enables VMs that are started by the non-privileged user session of libvirtd to use a macvtap interface.

  • Maximum number of supported VFIO devices increased to 64

    In this release, you can attach up to 64 PCI devices that use VFIO to a single VM on an Oracle Linux 8 host. This number is increased from up to 32 PCI devices in Oracle Linux 8.2 and previous releases.

  • nbdkit logging improvement

    In this release, nbdkit service logging is updated to be less verbose: now, only potentially important messages are logged. Also, logs that are created during virt-v2v conversions are now shorter and easier to interpret.

  • virsh iothreadset command option added

    You can use the new virsh iothreadset command option to configure dynamic IOThread polling. This additional option makes it possible to set up VMs with lower latencies for I/O-intensive workloads at the expense of greater CPU consumption for the IOThread. For more information and available options, see the virsh(1) manual page.

  • VNNI for BFLOAT16 inputs supported by KVM

    Vector Neural Network Instructions (VNNI) supporting BFLOAT16 inputs, or AVX512_BF16 instructions, are now supported by KVM hosts that are running on the 3rd Gen Intel Xeon scalable processors (Cooper Lake processors). This change enables guest software to use the AVX512_BF16 instructions inside VMs, when they are enabled in the virtual CPU configuration.

Web Console Option for Switching Access Modes

In Oracle Linux 8.3, the Cockpit web console includes a new option for switching between administrative access mode and limited access mode, from within a user's session. Click the Administrative access or Limited access indicator in your web console session to switch modes.

Technology Preview

For the Red Hat Compatible Kernel in the current Oracle Linux 8 release, the following features are under technology preview:

aarch64 only: VNC Remote Console

In this release, the Virtual Network Computing (VNC) remote console is available as a technology preview on the 64-bit Arm platform only. The remaining components of the graphics stack are unverified on this platform.