2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Installation
Oracle Linux 8.3 introduces the following notable features and improvements to installing and booting a system, and creating images.
For information about upgrading an Oracle Linux 7 system to the latest Oracle Linux 8 release, see Upgrading From Oracle Linux 7 to Oracle Linux 8.
Graphical Installer Improvements
In Oracle Linux 8.3, the Anaconda graphical installer is updated to version 33.16.3.1. This version of the installer provides numerous changes and improvements over the previous version of the installer. Notable changes include the following:
- The installation program displays supported NVDIMM device sector sizes.
- The host name is configured correctly on an installed system that has an IPv6 static configuration.
- Non-ASCII characters can be used in the disk encryption passphrase.
- The GUI installation program displays an appropriate recommendation for creating a new file system on /boot, /tmp, and all /var and /usr mount points, with the exception of /usr/local and /var/www.
- The LUKS version of the container can now be changed in the Manual Partitioning screen.
- The installation program successfully finishes an installation without the btrfs-progs package.
- The installation program uses the LUKS2 version for an encrypted container by default.
- The installation program no longer crashes when a kickstart file puts physical volumes (PVs) of a logical volume group (VG) on an ignoredisk list.
GUI Installation Changes
In Oracle Linux 8.3, the graphical installation program has been updated to include the Root password and User creation settings in the Installation Summary screen. This improvement enables you to configure a root password, as well as create a user account prior to starting the installation. In previous releases, you performed this configuration after beginning the installation process.
For more information about this change, see Oracle Linux 8: Installing Oracle Linux.
Red Hat Compatible Kernel
The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.3 on the x86_64 platform.
For more information about the Unbreakable Enterprise Kernel Release 6 (UEK R6) release that is shipped with Oracle Linux 8.3, see the Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 (5.4.17-2011).
- lshw command provides additional CPU information
  The List Hardware command (lshw) now displays more CPU information. The CPU version field now includes the family, model and stepping details of the system processors in numeric format as version: family.model.stepping.
- Extended Berkeley Packet Filter added
  Oracle Linux 8.3 includes support for the Extended Berkeley Packet Filter (eBPF) in-kernel virtual machine, as well as the tc classifier/action code and BCC tools.
- Libbpf support included
  Support for Libbpf is added in this release. The libbpf package is critical for BPF-related applications like bpftrace, as well as bpf/xdp development.
- Mellanox ConnectX-6 Dx network adapter included
  The PCI IDs of the Mellanox ConnectX-6 Dx network adapter have been added to the mlx5_core driver. Oracle Linux now loads the mlx5_core driver automatically on hosts that use this adapter. This feature was previously available as a technology preview only.
- tpm2-tools updated to version 4.1.1
  The tpm2-tools package is updated to version 4.1.1. This version of TPM (Trusted Platform Module) 2 provides several command changes, including additions, updates, and removals.
- TSX disabled by default
  To improve OS security, the Intel Transactional Synchronization Extensions (TSX) technology is now disabled by default in the kernel. Note that this change only applies to CPUs that support disabling TSX, for example, the 2nd Generation Intel Xeon Scalable Processors (formerly known as Cascade Lake, with Intel C620 Series Chipsets).
Built-In Default Value for best DNF Configuration Option Set to True
In this release, the built-in best DNF configuration option value is set to True by default.
This change means that DNF will now run with the best configuration option set to False unless you explicitly set it to True in a configuration file. If you have set the best=True option in your DNF configuration file (/etc/dnf/dnf.conf), this behavior is unchanged. However, if you do not have this option set in your DNF configuration file, when you run the dnf command to install a package, if the package is already installed but an update is available, the command does not attempt to install the update.
To retain the same behavior in your own configuration files, ensure that the best=True option is included.
Desktop
Oracle Linux 8.3 includes the TigerVNC desktop feature. In this release, the tigervnc packages are updated to version 1.10.1.
Dynamic Programming Languages, Web and Database Servers
Oracle Linux 8.3 includes the following feature changes and improvements for dynamic programming languages, and web and database servers. Note that this release also introduces several new, as well as improved, module streams:
- Ruby 2.7.1 module stream added
  The new ruby:2.7 module stream, which provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.6, is introduced in this release.
- Nodejs:14 module stream added
  The new node.js 14.4.0 module stream provides a number of new features, bug and security fixes, and improvements over Node.js 12, the version that was distributed in the previous release.
- git packages updated to version 2.27
  In this release, the git packages are updated to version 2.27.
- python38:3.8 module stream changes
  This release includes the python38:3.8 module stream.
- php:7.4 module stream added
  The new PHP 7.4 module stream includes a number of bug fixes and enhancements over the previous 7.3 version. The new Foreign Function Interface (FFI) experimental extension, which is available in the php-ffi package, has also been introduced in this release. This extension enables you to do the following: call native functions, access native variables, and create and access data structures defined in C libraries.
  Note that the following extensions have been removed:
  - The wddx extension has been removed from the php-xml package.
  - The recode extension has been removed from the php-recode package.
- nginx:1.18 module stream added
  This version of the nginx web and proxy server provides a number of bug fixes, security fixes, as well as new features and enhancements over the previous version 1.16.
- perl:5.30 module stream added
  RHEL 8.3 introduces Perl 5.30, which provides a number of bug fixes and enhancements over the previously released Perl 5.26. The new version also deprecates or removes certain language features.
- perl-libwww-perl:6.34 module stream added
  The new perl-libwww-perl:6.34 module stream includes the perl-libwww-perl package, which can be used for all versions of Perl that are available in Oracle Linux 8. Note that the non-modular perl-libwww-perl package (available since Oracle Linux 8) is obsoleted by the new default perl-libwww-perl:6.34 module stream, as that package could not be used with any Perl streams other than version 5.26.
- perl-IO-Socket-SSL:2.066 module stream added
  The new perl-IO-Socket-SSL:2.066 module stream includes the perl-IO-Socket-SSL and perl-Net-SSLeay packages. These packages are compatible with all of the Perl streams that are available in Oracle Linux 8.
- squid:4 module stream updated to version 4.11
  This version of the Squid proxy server includes the squid:4 module stream, which has been updated from version 4.4 to version 4.11. This version of Squid provides a number of bug and security fixes and various enhancements, including new configuration options.
- httpd:2.4 module stream changes
  Several bug fixes and other notable changes to the Apache HTTP Server are made available through the httpd:2.4 module stream.
- New CustomLog directive enables logging to journald in httpd
  You can now transfer logs to journald from the Apache HTTP Server by using the new CustomLog directive.
File Systems and Storage
Oracle Linux 8.3 provides the following file systems and storage features, enhancements, and changes:
- Btrfs removed from RHCK
  The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user space packages that are provided are not supported with RHCK.
  Note:
  Support for the Btrfs file system is enabled in UEK R6. Starting with Oracle Linux 8.3, during an installation, you now have the option to create a Btrfs root file system, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.
  For more information about managing the Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.
  For more information about the enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 (5.4.17-2011).
- OCFS2 removed from RHCK
  The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.
  Note:
  OCFS2 is fully supported with UEK R6 in Oracle Linux 8.3.
- NVMe/TCP available as a Technology Preview
  NVMe over Fabrics TCP host and the target drivers have been added to RHCK in this release as a technology preview. Note that NVMe/TCP is already supported in Unbreakable Enterprise Kernel Release 6.
GCC Toolset 10
Oracle Linux 8.3 provides the GCC Toolset 9, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.
The GCC Toolset 10 contains up-to-date versions of the following developer tools:
- GCC version 10.1.1
- GDB version 9.2
- Valgrind version 3.16.0
- SystemTap version 4.3
- Dyninst version 10.1.0
- binutils version 2.32
- elfutils version 0.180
- dwz version 0.12
- make version 4.2.1
- strace version 5.7
- ltrace version 0.7.91
- annobin version 9.21
The GCC Toolset 10 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.
Install this toolset as follows:
sudo dnf install gcc-toolset-10
To run a tool from GCC Toolset 10, use the following command:
scl enable gcc-toolset-10 tool
The following command runs a shell session, where tool versions from the GCC Toolset 10 take precedence over system versions of the same tools:
scl enable gcc-toolset-10 bash
High Availability and Clusters
The following high availability and cluster features are included in Oracle Linux 8.3:
- pacemaker updated to version 2.0.4
  In this release, Pacemaker is updated to version 2.0.4. This version of Pacemaker provides a number of bug fixes over the previous version.
- Pacemaker support for recovery by demoting a promoted resource rather than fully stopping it
  In this release, you can configure a promotable resource in a Pacemaker cluster to ensure that if a promote or monitor action fails for that resource or the partition in which the resource is running loses quorum, the resource is demoted but not fully stopped.
- priority-fencing-delay cluster property added
  Pacemaker includes the new priority-fencing-delay cluster property. This property enables you to configure a two-node cluster to ensure that in a split-brain situation, the node with the fewest resources running is fenced. This feature is useful in situations where you would prefer that the resource continue to be available in the unpromoted mode.
- Commands for managing multiple sets of resource and operation defaults added
  Commands for managing multiple sets of resource and operation defaults are included in this release. These new commands enable you to create, list, change, and delete multiple sets of resource and operation defaults. Also, when creating a set of default values, you can specify a rule that contains resource and op expressions. This capability enables you to configure a default resource value for all resources that are of a particular type. In addition, commands that list existing default values now include multiple sets of defaults in their output.
- Command for tagging cluster resources added
  You can now tag cluster resources in a Pacemaker cluster by using the pcs tag command. You can also use this command to remove or modify a resource tag, or display a tag configuration.
Infrastructure Services
Oracle Linux 8.3 introduces several version updates to infrastructure tools, including the following:
- Bind updated to version 9.11
  The bind package is updated to version 9.11. Bind version 9.11 provides several bug fixes and enhancements over the previous version. Notable changes include increased reliability on systems that have multiple CPU cores and more detailed error detection, as well as improvements to the dig command and other tools, which now can print the Extended DNS Error (EDE) option, if present.
- Powertop updated to version 2.12
  The powertop packages are updated to version 2.12. Powertop version 2.12 includes several improvements over the previous version.
- Tuned updated to version 2.14.0
  The tuned packages are updated to version 2.14.0 in this release. Tuned version 2.14.0 includes the following notable enhancements:
  - New optimize-serial-console profile.
  - A post loaded profile is included.
  - An irqbalance plugin for handling irqbalance settings is included.
  - Addition of architecture-specific tuning for Marvell ThunderX and AMD based platforms.
  - Scheduler plugin extended to include cgroups-v1 for the CPU affinity setting.
- tcpdump updated to version 4.9.3
  The tcpdump utility is updated to version 4.9.3 to fix some Common Vulnerabilities and Exposures (CVEs).
- libpcap utility updated to version 1.9.1
  The libpcap utility is updated to version 1.9.1 to fix Common Vulnerabilities and Exposures (CVEs).
- memcached updated to version 1.5.22
  The memcached packages are updated to version 1.5.22. This version of Memcached includes several notable improvements over the previous version.
Networking
Oracle Linux 8.3 introduces the following features, enhancements, and changes:
- firewalld updated to version 0.8.2
  The firewalld packages are updated to version 0.8.2 in this release. This version of firewalld includes a number of bug fixes over the previous version.
- IPv4 and IPv6 Netfilter tracking modules merged with nf_conntrack module
  The nf_conntrack_ipv4 and nf_conntrack_ipv6 Netfilter connection tracking modules have merged with the nf_conntrack kernel module. A result of this change is that blocklisting address family-specific modules no longer works. In addition, you can now blocklist only the nf_conntrack module to disable connection tracking support for both IPv4 and IPv6.
- NetworkManager updated to version 1.26.0
  This version of NetworkManager provides several important improvements and changes, including the following:
  - NetworkManager resets the auto-negotiation, speed, and duplex setting to the original value when deactivating a device.
  - Wi-Fi profiles now connect automatically if all previous activation attempts failed, meaning an initial failure to auto-connect does not block the automatism.
  - nm-settings-nmcli(5) and nm-settings-dbus(5) manual pages added.
  - Several bridge parameters added.
  - Virtual routing and forwarding (VRF) interfaces added.
  - Opportunistic Wireless Encryption mode (OWE) for Wi-Fi networks added.
  - nmcli utility improvement enables the removal of settings by using the nmcli connection modify command.
  - NetworkManager improved to no longer create and activate secondary devices if the primary device is missing.
- XDP available as a Technology Preview
  The Express Data Path (XDP) feature has been added to RHCK in this release as a technology preview. XDP is a flexible and minimal kernel-based packet transport for high-speed networking. Note that XDP is already supported in Unbreakable Enterprise Kernel Release 6 (UEK R6).
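An audit for the nf_conntrack merge described in the list above, as an added example that is not part of the Oracle documentation: it finds modprobe.d entries that still name the removed address family-specific modules and checks whether the merged module is listed instead. The function names and the constructed sample directory are assumptions; the configuration keyword that modprobe.d uses for blocklisting is blacklist.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation).
# After the merge, entries for nf_conntrack_ipv4 and nf_conntrack_ipv6 no longer
# have any effect, so a host that relied on them has connection tracking
# available again unless nf_conntrack itself is listed.

# Print "file:line: directive module" for every stale entry in a
# modprobe.d-style directory.
stale_conntrack_entries() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            ($1 == "blacklist" || $1 == "install") &&
            ($2 == "nf_conntrack_ipv4" || $2 == "nf_conntrack_ipv6") {
                printf "%s:%d: %s %s\n", file, FNR, $1, $2
            }
        ' "$f"
    done
}

# Return 0 if some file in the directory lists the merged nf_conntrack module.
merged_conntrack_blocklisted() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk '$1 == "blacklist" && $2 == "nf_conntrack" { found = 1 }
                END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Summarize both checks for one directory.
audit_conntrack_blocklist() {
    dir=$1
    stale=$(stale_conntrack_entries "$dir")
    if [ -n "$stale" ]; then
        echo "Stale entries (no effect after the merge):"
        echo "$stale"
    fi
    if merged_conntrack_blocklisted "$dir"; then
        echo "nf_conntrack is listed: tracking disabled for IPv4 and IPv6"
    else
        echo "nf_conntrack is not listed: connection tracking can load"
    fi
}

# Demonstration on a constructed directory (not a real /etc/modprobe.d).
demo_conntrack_audit() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'blacklist nf_conntrack_ipv4' \
        'install nf_conntrack_ipv6 /bin/false' > "$d/legacy.conf"
    audit_conntrack_blocklist "$d"
    rm -rf "$d"
}
demo_conntrack_audit
```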
Security
Oracle Linux 8.3 introduces the following security features, enhancements, and changes:
- CyrusSASL support for channel bindings with SASL/GSSAPI and SASL/GSS-SPNEGO plugins
  Support has been added in this release for channel bindings by using SASL/GSSAPI and SASL/GSS-SPNEGO plugins. When used in the openldap libraries, the feature provides CyrusSASL with the ability to maintain compatibility with and access to Microsoft Active Directory and Microsoft Windows systems, which introduce mandatory channel binding for LDAP connections.
- gnutls updated to version 3.6.14
  The gnutls packages are updated to version 3.6.14 in this release. This version of the gnutls packages includes several bug fixes and improvements over the previous version.
- Libreswan updated to version 3.32
  In this release, Libreswan has been updated to version 3.32. This version of Libreswan provides several new features and bug fixes, including the following notable changes:
  - A separate FIPS 140-2 certification is no longer required.
  - Implementation of the cryptographic recommendations of RFC 8247, which changes the preference from SHA-1 and RSA-PKCS v1.5 to SHA-2 and RSA-PSS.
  - Support for XFRMi virtual ipsecXX interfaces, which simplify the writing of firewall rules.
  - Improvement to the recovery of crashed and rebooted nodes in a full-mesh encryption network.
- libseccomp library updated to version 2.4.3
  The libseccomp library is updated to version 2.4.3. This library provides an interface to the seccomp syscall filtering mechanism. This version of the libseccomp library also includes a number of bug fixes and enhancements over the previous version.
- libcap support for ambient capabilities
  You can now grant ambient capabilities at login, which eliminates the need to have root access for appropriately configured processes.
- libkcapi updated to version 1.2.0
  The libkcapi package is updated to version 1.2.0. This version of libkcapi includes minor changes over the previous version.
- libssh library updated to version 0.9.4
  The libssh library is updated to version 0.9.4. This library implements the SSH protocol.
- setools package updated to version 4.3.0
  The setools package is updated to version 4.3.0. This package provides a collection of tools that facilitates the SELinux policy analysis feature. Several bug fixes and enhancements are included in this version of the setools package.
  Note:
  The setools package requires the following additional packages: setools-console, setools-console-analyses, and setools-gui.
- stunnel updated to version 5.56
  The stunnel encryption wrapper is updated to version 5.56. This version of the stunnel packages includes a number of new features and bug fixes, including the following:
  - ticketKeySecret and ticketMacSecret options for controlling confidentiality and integrity protection of the issued session tickets. These options enable you to resume sessions on other nodes in a cluster.
  - curves option, which controls the list of elliptic curves in OpenSSL 1.1.0 and later.
  - ciphersuites option to control the list of permitted TLS 1.3 ciphersuites.
  - sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later added.
- update-crypto-policies and fips-mode-setup relocated to crypto-policies-scripts
  In this release, the update-crypto-policies and fips-mode-setup scripts are moved to the crypto-policies-scripts package, which is a separate RPM subpackage. This package is automatically installed through the Recommends dependency on regular installations.
SCAP and OpenSCAP Improvements
- OpenSCAP updated to version 1.3.3
  In this release, the openscap packages are updated to version 1.3.3. This version of OpenSCAP includes several bug fixes and improvements over the previous version, including the following notable changes:
  - autotailer script is added. This script enables you to generate tailoring files by using a CLI.
  - Timezone part is added to the Extensible Configuration Checklist Description Format (XCCDF) TestResult start and end time stamps.
  - yamlfilecontent independent probe included as a draft implementation.
  - urn:xccdf:fix:script:kubernetes fix type introduced in XCCDF.
  - Ability to generate the machineconfig fix added.
  - oscap-podman tool can detect ambiguous scan targets.
  - rpmverifyfile probe can verify files from the /bin directory.
  - Fixed crashes when complicated regexes are executed in the textfilecontent58 probe.
  - Evaluation characteristics of the XCCDF report are consistent with OVAL entities from the system_info probe.
  - Fixed file-path pattern matching in offline mode in the textfilecontent58 probe.
  - Fixed infinite recursion in the systemdunitdependency probe.
- SCAP Workbench tool can generate results-based remediation from tailored profiles
  You are now able to generate results-based remediation roles from tailored profiles by using the SCAP Workbench tool.
- scap-security-guide packages updated to version 0.1.50
  The scap-security-guide packages have been updated to version 0.1.50. These packages contain the latest set of security policies for Linux systems, as well as bug fixes and several enhancements over the previous version, including improved Ansible content and several fixes and improvements to the scap-security-guide content for scanning systems.
SELinux Improvements
- fapolicyd packages updated to version 1.0
  The fapolicyd packages are updated to version 1.0. Several bug fixes and enhancements are included in this version of the fapolicyd packages.
- fapolicyd includes an SELinux policy in fapolicyd-selinux
  The fapolicyd framework now provides its own SELinux security policy. The daemon is confined under the fapolicyd_t domain. The policy is installed through the fapolicyd-selinux subpackage.
- Individual CephFS files and directories can include SELinux labels
  The storing of SELinux labels in the extended attributes of files has been enabled in the Ceph File System (CephFS). This enhancement enables you to change the labels for individual files, and SELinux defines the labels of any newly created files based on transition rules. Any files that were previously unlabeled retain the system_u:object_r:cephfs_t:s0 label until explicitly changed.
Virtualization
The following virtualization features, enhancements, and changes are included in this release:
- Bochs display device included
  The Bochs display device, which is introduced in this release, is more secure than the stdvga device. Note that all VMs that are compatible with bochs-display, mainly those that used UEFI, will use this device by default.
- virsh guestinfo command option added
  The virsh guestinfo command option provides the ability to report information about a virtual machine (VM), including the following: host name, guest OS information, active users, and time zone that is used.
  To enable the virsh guestinfo command option, install the qemu-guest-agent package on the guest OS of the target VM. You must also enable the guest_agent channel in the VM's XML configuration.
- Capability for creating QCOW2 disk images on RBD
  In this release, you can create QCOW2 disk images on RADOS Block Device (RBD) storage, which means that VMs are now capable of using RBD servers for their storage backends with QCOW2 images.
  Note that write performance of QCOW2 disk images on RBD storage is currently lower than intended.
- Capability for migrating VMs with disk cache enabled
  The libvirt library is compatible with disk cache live migration in this release, which now makes it possible to live-migrate VMs with disk cache enabled.
- Control Group v2 support added for VMs
  The libvirt suite now supports control groups v2, which means that VMs hosted on Oracle Linux 8 can now take advantage of the resource control capabilities provided by Control Group v2.
- IBM POWER 9 XIVE support included
  Support for the External Interrupt Virtualization Engine (XIVE) feature of IBM POWER9 is added to RHEL 8 in this release. This improvement enables VMs that are running on an Oracle Linux 8 hypervisor on an IBM POWER 9 system to use XIVE, which improves the performance of I/O-intensive VMs.
- QEMU packed virtqueue layout support
  The packed virtqueue layout that was introduced in VirtIO-1.1 is now supported in QEMU. The new format enables the exchange of requests by using a more compact descriptor representation. This change makes it easier to implement virtIO on hardware, as well as increases system performance.
- QEMU logs include time stamps
  As of this release, all logged QEMU events have a time stamp. This improvement enables you to more easily troubleshoot your VMs using logs in the /var/log/libvirt/qemu/ directory.
- QEMU/KVM support for discard and write-zeroes commands included
  The discard and write-zeroes commands for the virtio-blk protocol are now supported in QEMU/KVM. This change enables VMs to use the virtio-blk device to discard unused sectors of an SSD, fill sectors with zeroes when they are emptied, or both. You can use this capability to increase SSD performance and also ensure that a drive is securely erased.
- QEMU now uses gcrypt library for XTS ciphers
  The QEMU emulator is updated to use the XTS cipher mode implementation that is provided by the gcrypt library. This change improves the I/O performance of VMs with host storage that uses QEMU's native LUKS encryption driver.
- macvtap interfaces can be used by VMs in non-privileged sessions
  In this release, VMs can use a pre-existing macvtap interface that was previously created by a privileged process. This change enables VMs that are started by the non-privileged user session of libvirtd to use a macvtap interface.
- Maximum number of supported VFIO devices increased to 64
  In this release, you can attach up to 64 PCI devices that use VFIO to a single VM on an Oracle Linux 8 host. This number is increased from up to 32 PCI devices in Oracle Linux 8.2 and previous releases.
- nbdkit logging improvement
  In this release, nbdkit service logging is updated to be less verbose: now, only potentially important messages are logged. Also, logs that are created during virt-v2v conversions are now shorter and easier to interpret.
- virsh iothreadset command option added
  You can use the new virsh iothreadset command option to configure dynamic IOThread polling. This additional option makes it possible to set up VMs with lower latencies for I/O-intensive workloads at the expense of greater CPU consumption for the IOThread. For more information and available options, see the virsh(1) manual page.
- VNNI for BFLOAT16 inputs supported by KVM
  Vector Neural Network Instructions (VNNI) supporting BFLOAT16 inputs, or AVX512_BF16 instructions, are now supported by KVM hosts that are running on the 3rd Gen Intel Xeon scalable processors (Cooper Lake processors). This change enables guest software to use the AVX512_BF16 instructions inside VMs, which is enabled in the virtual CPU configuration.
Web Console Option for Switching Access Modes
In Oracle Linux 8.3, the Cockpit web console includes a new option for switching between administrative access mode and limited access mode, from within a user's session. Click the Administrative access or Limited access indicator in your web console session to switch modes.