2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Installation
The following notable change has been made to the graphical installation program in Oracle Linux 8.4:
Graphical Installation Program Displays Warnings About Deprecated Kernel Boot Arguments
All graphical installation program boot arguments that do not contain the inst. prefix, such as ks, stage2, repo, and so on, have been deprecated since Oracle Linux 7. These arguments will be removed in the next major Oracle Linux release.
Starting with Oracle Linux 8.4, the graphical installation program displays warning messages whenever boot arguments that do not include the inst. prefix are used.
For example, the following warning is displayed in dracut when booting the installation:
ks has been deprecated. All usage of Anaconda boot arguments without the inst. prefix have been deprecated and will be removed in a future major release. Please use inst.ks instead.
When the installation program is started in a terminal window, the following warning is displayed:
Deprecated boot argument ks must be used with the inst. prefix. Please use inst.ks instead. Anaconda boot arguments without inst. prefix have been deprecated and will be removed in a future major release.
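The following Python script is an added example for this page, not Oracle or Anaconda code. It rewrites a kernel command line so that Anaconda options use the inst. prefix that the installer now warns about, while leaving dracut and kernel options such as ip=, rd.neednet=1, and quiet untouched, which is the check you would run over PXE or GRUB configurations before the unprefixed forms are removed. The set of option names it recognizes is an assumption made for the example (a subset of Anaconda's option table), and the PXE command line in the demonstration is constructed.

```python
"""Rewrite deprecated, unprefixed Anaconda boot arguments to their inst. form.

Added example for this page, not Oracle or Anaconda code. It assumes the option
names in ANACONDA_OPTIONS (a subset of Anaconda's table, chosen for the example);
anything else on the command line is passed through unchanged.
"""
from typing import List, Tuple

# Anaconda-owned options that accepted an unprefixed spelling (assumed subset).
ANACONDA_OPTIONS = {
    "ks", "stage2", "repo", "updates", "dd", "proxy", "noverifyssl",
    "text", "graphical", "cmdline", "rescue", "askmethod",
    "vnc", "vncpassword", "vncconnect",
}


def normalize_cmdline(cmdline: str) -> Tuple[str, List[str]]:
    """Return the rewritten command line and the list of rewrites that were applied.

    Options are matched on the part before '=', so both 'ks=URL' and a bare
    'text' flag are handled. Already-prefixed 'inst.ks=URL' is left as is, as
    are dracut options such as 'ip=dhcp' and 'rd.neednet=1' and kernel flags
    such as 'quiet'.
    """
    rewritten = []
    changes = []
    for arg in cmdline.split():
        name = arg.split("=", 1)[0]
        if name in ANACONDA_OPTIONS:
            new_arg = "inst." + arg
            changes.append(f"{arg} -> {new_arg}")
            rewritten.append(new_arg)
        else:
            rewritten.append(arg)
    return " ".join(rewritten), changes


def deprecated_options(cmdline: str) -> List[str]:
    """Only the option names that would trigger the installer's deprecation warning."""
    names = [arg.split("=", 1)[0] for arg in cmdline.split()]
    return [name for name in names if name in ANACONDA_OPTIONS]


if __name__ == "__main__":
    # Constructed PXE command line, not taken from a real deployment.
    sample = ("BOOT_IMAGE=/images/pxeboot/vmlinuz ks=http://ks.example.test/ol8.cfg "
              "repo=http://mirror.example.test/ol8 ip=dhcp rd.neednet=1 "
              "inst.stage2=hd:LABEL=OL-8-4 text quiet")
    new_cmdline, applied = normalize_cmdline(sample)
    for change in applied:
        print("rewrote:", change)
    print(new_cmdline)
```

Run it over the `append` lines of a PXE menu or the `GRUB_CMDLINE_LINUX` of an installation entry; an empty rewrite list means the configuration will be unaffected when the unprefixed arguments are removed.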
Red Hat Compatible Kernel
The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.4 on the x86_64 platform.
For more information about the Unbreakable Enterprise Kernel Release 6 (UEK R6) release that is shipped with Oracle Linux 8.4, see the Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 2 (5.4.17-2102).
-
bcc updated to version 0.16.0
The bcc package has been updated to version 0.16.0. This version of the package includes several improvements over the previous version.
-
Berkeley Packet Filter updated to version 5.9
The following related Berkeley Packet Filter (BPF) packages are updated in this release:
-
bpf packages have been updated to version 5.9.
-
bpftrace packages have been updated to version 0.11.0.
-
libbpf packages have been updated to version 0.2.0.1.
-
cgroups implementation for the slab memory controller
This release introduces a new implementation of the slab memory controller for the control groups (cgroups) technology. The slab memory controller improves slab utilization, as well as enables a shift in memory accounting from the page level to the object level. Note that this change eliminates each set of duplicated per-CPU and per-node slab caches for each memory control group, and establishes one common set of per-CPU and per-node slab caches for all memory control groups. With this change, you can achieve a significant drop in the total kernel memory footprint and observe positive effects on memory fragmentation.
-
CPU hotplug in hv_24x7 and hv_gpci PMUs support
A change that enables PMU counters to correctly react to the hot-plugging of a CPU is introduced in this release. Now, if a hv_gpci event counter is running on a CPU that becomes disabled, the counting is redirected to another CPU.
-
EDAC module included
This release includes the Error Detection and Correction (EDAC) kernel module with support for 8th- and 9th-generation Intel Core processors (Coffee Lake). The EDAC kernel module primarily handles error-correcting code (ECC) memory and detects and reports PCI bus parity errors.
-
dwarves updated to version 1.19.1
The dwarves package has been updated to version 1.19.1. This version of the package provides multiple bug fixes and enhancements over the previous version, as well as a new way of checking functions from the DWARF debug data by using related ftrace entries to ensure that a subset of ftrace functions is generated.
-
Free memory page reporting feature added
The Oracle Linux 8 host kernel is capable of returning memory pages that are not used by its VMs back to the hypervisor. This change improves the stability and resource efficiency of the host. Note that for memory page returning to work, it must be configured in the VM, and the VM must also use the virtio_balloon device.
-
hwloc updated to version 2.2.0
The hwloc package has been updated to version 2.2.0. With this change, hwloc can report details on Nonvolatile Memory Express (NVMe) drives, including total disk size, as well as sector size.
-
ima-evm-utils updated to version 1.3.2
The ima-evm-utils package has been updated to version 1.3.2 to provide multiple bug fixes and enhancements, including the following changes:
-
Handling of the Trusted Platform Module (TPM2) multi-bank feature.
-
Extension of the boot aggregate value to Platform Configuration Registers (PCRs) 8 and 9.
-
Preloading of an OpenSSL engine by using a command-line interface (CLI) parameter.
-
PCR reading by using the Intel TPM2 Software Stack (TSS2).
-
Support for the original Integrity Measurement Architecture (IMA) template.
Note:
Both the libimaevm.so.0 and libimaevm.so.2 libraries are part of ima-evm-utils. As such, applications that still link against libimaevm.so.0 are unaffected when more recent applications use libimaevm.so.2.
-
kabi_whitelist package renamed to kabi_stablelist
The kabi_whitelist package has been renamed kabi_stablelist. This change was made in accordance with Oracle's commitment to replacing problematic and potentially offensive language.
Note:
A similar renaming has already taken place in the UEK R6 release, per Bug ID 31783146.
-
kdump enhancement for configuring VLAN tagged team interface
In this release, you can configure a Virtual Local Area Network (VLAN) tagged team interface for kdump. This improvement enables kdump to use a VLAN tagged team interface to dump a vmcore file.
-
kmod-redhat-oracleasm package added
The kmod-redhat-oracleasm package has been added in this release. This package provides the kernel module part of the ASMLib utility. Oracle Automatic Storage Management (ASM) is a data volume manager for Oracle databases. ASMLib is an optional utility that you can use on Oracle Linux systems to manage Oracle ASM devices.
-
Leveling of IMA and EVM features across supported CPU architectures
All CPU architectures, with the exception of the 64-bit ARM (aarch64) platform, have a similar level of feature support for the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) technologies. Note that the enabled functionality differs for each CPU architecture. The following significant updates decrease the feature differences in IMA and EVM to ensure that user space applications behave the same across all supported CPU architectures:
-
IMA appraisal and the trusted keyring are enabled.
-
AMD64 and Intel 64 include an architecture-specific policy in the secure boot state.
-
IBM Power System (little-endian) includes an architecture-specific policy in the secure and trusted boot state.
-
SHA-256 is the default hash algorithm for all supported architectures.
-
For all architectures, the measurement template has changed to ima-sig, and the template includes the signature bits when present. Its format is d-ng|n-ng|sig.
-
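The ima-sig template described above is what ends up in the runtime measurement list, one record per measured file, with the signature bits appended when the file carries one. The following Python is an added example for this page, not kernel, ima-evm-utils or Oracle code. It parses records in the ASCII format of /sys/kernel/security/ima/ascii_runtime_measurements, decodes the IMA v2 signature header (type, version, hash algorithm, key ID, signature length) from the sig field, and reports measured files that carry no signature, which is the first question an appraisal rollout has to answer. The three records, the key ID, and the shortened signature in the sample are constructed for the example.

```python
"""Parse IMA runtime measurements that use the ima-sig template.

Added example for this page, not kernel, ima-evm-utils or Oracle code. Input is the
text of /sys/kernel/security/ima/ascii_runtime_measurements, one record per line:
    <pcr> <template-hash> ima-sig <alg>:<file-hash> <path> [<sig-hex>]
The optional sig field is the file's security.ima xattr, whose v2 header is
type(1) version(1) hash_algo(1) keyid(4, big-endian) sig_size(2, big-endian).
The records, key ID and shortened signature in SAMPLE are constructed for the example.
"""
import struct
from typing import Dict, List

EVM_IMA_XATTR_DIGSIG = 0x03  # security.ima type byte for a digital signature
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}  # linux/hash_info.h numbering

_TH = "1a" * 20          # 40-hex template hash placeholder (constructed)
_FH = "b2" * 32          # 64-hex sha256 file hash placeholder (constructed)
_SIG = "03" + "02" + "04" + "deadbeef" + "0010" + "ab" * 16  # v2 header + 16-byte sig
SAMPLE = f"""\
10 {_TH} ima-sig sha256:{_FH} boot_aggregate
10 {_TH} ima-sig sha256:{_FH} /usr/bin/bash {_SIG}
10 {_TH} ima-sig sha256:{_FH} /usr/local/bin/untrusted-tool
"""


def parse_sig_header(sig_hex: str) -> Dict[str, object]:
    """Decode the 9-byte IMA v2 signature header; reject anything that is not one."""
    raw = bytes.fromhex(sig_hex)
    if len(raw) < 9:
        raise ValueError("signature blob shorter than the v2 header")
    xattr_type, version, algo, keyid, sig_size = struct.unpack(">BBBIH", raw[:9])
    if xattr_type != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"not an IMA v2 signature (type={xattr_type:#x}, version={version})")
    if len(raw) - 9 != sig_size:
        raise ValueError(f"declared sig_size {sig_size} but {len(raw) - 9} bytes follow")
    return {"hash_algo": HASH_ALGO.get(algo, f"unknown({algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size}


def parse_measurements(text: str) -> List[Dict[str, object]]:
    """Parse ima-sig records; an entry carries sig=None when no signature was recorded."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) not in (5, 6) or fields[2] != "ima-sig":
            raise ValueError(f"line {lineno}: not an ima-sig record")
        alg, _, digest = fields[3].partition(":")
        entries.append({
            "pcr": int(fields[0]), "template_hash": fields[1],
            "hash_alg": alg, "file_hash": digest, "path": fields[4],
            "sig": parse_sig_header(fields[5]) if len(fields) == 6 else None,
        })
    return entries


def unsigned_paths(entries: List[Dict[str, object]]) -> List[str]:
    """Measured files with no signature. boot_aggregate is the TPM boot summary, never signed."""
    return [e["path"] for e in entries if e["sig"] is None and e["path"] != "boot_aggregate"]


def signing_keys(entries: List[Dict[str, object]]) -> Dict[str, int]:
    """Count signed entries per key ID, to spot files signed by an unexpected key."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["sig"] is not None:
            counts[e["sig"]["keyid"]] = counts.get(e["sig"]["keyid"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_measurements(SAMPLE)
    print("unsigned:", unsigned_paths(parsed))
    print("signing keys:", signing_keys(parsed))
```

Feeding the real measurement list into parse_measurements() requires root (the securityfs file is mode 0400); the key IDs it reports should all be the last four bytes of the SKID of a certificate on the .ima keyring, and any path in unsigned_paths() will fail appraisal once an appraise policy is enforced.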
libbpf updated to version 0.2.0.1
The libbpf package has been updated to version 0.2.0.1.
-
perf improvements
The following perf tool improvements are introduced in Oracle Linux 8.4:
-
Ability to add or remove tracepoints from a running collector.
-
Support for circular buffers that use specified events to trigger snapshots.
-
The perf script can record and display trace data with absolute timestamps. Note that to display trace data with absolute timestamps, the data must be recorded with the clock ID specified.
-
Top sorting order improvement.
-
Proactive compaction included and disabled by default
Proactive compaction regularly initiates memory compaction work prior to a request for allocation being made, which increases the chances that memory allocation requests find the physically contiguous blocks of memory without the requirement that memory compaction produce them on-demand. As a result, latency for specific memory allocation requests is lowered.
Be aware that proactive compaction can result in increased compaction activity; which in turn, can result in serious, system-wide impact due to the fact that memory pages belonging to different processes are moved and remapped. For this reason, enabling proactive compaction requires the utmost care to ensure that latency spikes in applications are avoided.
Note:
Users who are running a UEK R6 release can explore using the memoptimizer user space daemon to manage proactive free memory for proactive compaction.
-
Time namespace added
Oracle Linux 8 includes the time namespace. This feature enables the system monotonic and boot-time clocks to work with per-namespace offsets on the AMD64, Intel 64, and 64-bit ARM (aarch64) architectures. Time namespace works well for changing the date and time inside Linux containers, as well as for making in-container adjustments of clocks after restoration from a checkpoint. This change enables you to independently set time for an individual container.
Extended Berkeley Packet Filter
The Extended Berkeley Packet Filter (eBPF) feature is an in-kernel virtual machine (VM) that enables code execution in the kernel space, which takes place in the restricted sandbox environment that has access to a limited set of functions. The VM executes a special assembly-like code.
The following eBPF features are included in Oracle Linux 8.4:
-
BPF Compiler Collection
The BPF Compiler Collection (BCC) package provides tools for I/O analysis, networking, and monitoring of Oracle Linux operating systems that are using eBPF.
-
BCC library
The BCC library enables the development of tools that are similar to those that are provided in the BCC tools package.
-
eBPF for Traffic control
The eBPF for Traffic control (tc) feature enables programmable packet processing inside the kernel network data path.
-
eXpress Data Path
The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions.
-
libbpf package
The libbpf package is crucial for BPF-related applications such as bpftrace and bpf/xdp development.
-
xdp-tools package
The xdp-tools package contains user space support utilities for the XDP feature. The XDP feature is supported on the AMD64 and Intel 64 architectures.
Software Management
The following software management features and improvements are introduced in this release:
-
createrepo_c package update and program improvement
The createrepo_c packages have been updated to version 0.16.2. This version of the createrepo_c program automatically adds modular metadata to repositories. Previously, running the createrepo_c program on Oracle Linux 8 packages to create a new repository did not include modular repodata in the repository, which caused various problems with repositories. With this change, the createrepo_c program does the following:
-
Scans for modular metadata.
-
Merges the found module YAML files into a single modular document, modules.yaml.
-
Automatically adds the document to the repository.
Because the adding of modular metadata to repositories is now automatic, you no longer need to perform the extra step of running the modifyrepo_c command to add modular metadata to repositories.
-
Capability for mirroring a transaction between systems within DNF
This change enables you to store and replay a transaction within DNF.
To store a transaction from DNF history into a JSON file, use the dnf history store command.
To replay the transaction later on the same machine, or on a different one, use the dnf history replay command.
Note that storing and replaying comps group operations is supported. Module operations are not yet supported; as such, they are not stored or replayed.
-
protect_running_kernel configuration option added
You can use the new protect_running_kernel configuration option to control whether the package that corresponds to the running version of the kernel is protected from removal. This change provides the ability to disable protection of the running kernel.
-
sos tools updated
Oracle Linux 8.4 includes an updated sos RPM. As part of this change, the /usr/sbin/sosreport binary is deprecated. Note that this command continues to function as a legacy supported feature; however, the command is now redirected to the sos report command. For additional information, see https://github.com/sosreport/sos.
GCC Toolset 10 Updates
Oracle Linux 8.4 provides the GCC Toolset 10, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.
In Oracle Linux 8.4, the GCC compiler is updated to the upstream version. This change provides multiple bug fixes.
The following tools and versions are included in this release:
-
GCC version 10.2.1
-
GDB version 9.2
-
Valgrind version 3.16.0
-
SystemTap version 4.4
-
Dyninst version 10.2.1
-
binutils version 2.35
-
elfutils version 0.182
-
dwz version 0.12
-
make version 4.2.1
-
strace version 5.7
-
ltrace version 0.7.91
-
annobin version 9.29
The GCC Toolset 10 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.
To install this toolset, run the following command as a user with administrative privileges:
sudo dnf install gcc-toolset-10
To run a tool from GCC Toolset 10, use the following command:
scl enable gcc-toolset-10 tool
The following command runs a shell session, where tool versions from the GCC Toolset 10 take precedence over system versions of the same tools:
scl enable gcc-toolset-10 bash
Dynamic Programming Languages, Web, and Database Servers
Oracle Linux 8.4 includes the following feature changes and improvements for dynamic programming languages, and web and database servers. Note that this release also introduces the following new and improved module streams:
-
python39 module stream
Python 3.9, which is provided by the new python39 module stream and the ubi8/python-39 container image, is included in this release and replaces the previous python38 module stream.
-
swig:4.0 module stream
Oracle Linux 8.4 includes Simplified Wrapper and Interface Generator (SWIG) version 4.0, which is available as the swig:4.0 module stream.
-
subversion:1.14 module stream
The subversion:1.14 module stream has been added in this release. Subversion 1.14 is the most recent Long Term Support (LTS) release.
-
redis:6 module stream
The redis:6 module stream is available in this release. Redis 6 is an advanced key-value store that replaces the previous Redis 5 version.
-
mysql-selinux package
The new mysql-selinux package has been added in this release. The package includes an SELinux module that provides rules for the MySQL database. This package is installed by default with the database server. Note that the module's priority is set to 200.
-
python-PyMySQL package
The python-PyMySQL package, which provides the pure-Python MySQL client library, has been updated to version 0.10.1. This package is included in the python36, python38, and python39 modules.
-
python3-pyodbc package
The python3-pyodbc package is included in this release. The pyodbc Python module provides access to Open Database Connectivity (ODBC) databases. The module implements the Python DB API 2.0 specification and can be used with third-party ODBC drivers. Capability has been added for using Performance Co-Pilot (pcp) to monitor the performance of SQL Server.
-
micropipenv package
The new micropipenv package is available in this release. This package provides a lightweight wrapper for the pip package installer to support Pipenv and Poetry lock files. The micropipenv package is distributed in the AppStream repository and is provided under Compatibility level 4.
-
py3c-devel and py3c-docs packages
Oracle Linux 8.4 includes two new packages: py3c-devel and py3c-docs. These packages simplify the porting of C extensions to Python 3 and include a detailed guide and a set of macros for easier porting.
Note:
These packages are distributed through the unsupported CodeReady Linux Builder (CLB) Repository.
-
mod_fcgid module can pass up to 1024 environment variables to FCGI server process
The mod_fcgid module for the Apache HTTP Server can pass up to 1024 environment variables to a FastCGI (FCGI) server process. Note that the previous limit of 64 environment variables could cause applications running on the FCGI server to malfunction.
-
perl-IO-String distributed through AppStream repository
Starting with this release, the perl-IO-String package is distributed through the supported AppStream repository. This package provides the Perl IO::String module. Previously, the perl-IO-String package was only available in the unsupported CLB repository.
-
quota-devel package
The new quota-devel package provides header files for implementing the quota Remote Procedure Call (RPC) service.
Note:
This package is distributed through the unsupported CodeReady Linux Builder (CLB) Repository.
File Systems and Storage
Oracle Linux 8.4 provides the following file systems and storage features, enhancements, and changes:
-
Btrfs removed from RHCK
The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user space packages that are provided are not supported with RHCK.
Note:
Support for the Btrfs file system is enabled in UEK R6. Starting with Oracle Linux 8.3, during an installation, you have the option to create a Btrfs root file system, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.
For more information about managing the Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.
For more information about the enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 2 (5.4.17-2102).
-
OCFS2 removed from RHCK
The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.
Note:
OCFS2 is fully supported with UEK R6 in Oracle Linux 8.4.
-
NVMe/TCP included as a Technology Preview
NVMe over Fabrics TCP host and the target drivers are included in RHCK as a Technology Preview.
Note:
NVMe/TCP is already supported in Unbreakable Enterprise Kernel Release 6.
-
Capability for creating a swap partition of up to 16 TiB during manual partitioning added
In this release, for automatic partitioning, the installer continues to create a swap partition of at most 128 GB. However, with manual partitioning, you can create a swap partition of up to 16 TiB. Previously, during an Oracle Linux 8 installation, the installer limited the swap partition to 128 GB for both automatic and manual partitioning.
-
Capability for surprise removal of NVMe devices added
This improvement enables you to surprise remove NVMe devices from the Oracle Linux operating system without notifying the operating system in advance. This feature enhances the serviceability of NVMe devices due to the fact that no additional steps are required to prepare the devices for orderly removal, thus eliminating server downtime and ensuring the availability of servers.
Take special note of the following additional important information and requirements for using this feature:
-
Surprise removal of NVMe devices requires that you be running UEK R6, or RHCK kernel-4.18.0-193.13.2.el8_2.x86_64 or later.
-
Be aware of any additional hardware platform requirements that may exist.
-
Ensure that the software that is running on the platform supports the successful surprise removal of NVMe devices.
-
The surprise removal of an NVMe device that is critical to the system's operation is not supported. For example, you cannot remove an NVMe device that contains the operating system or a swap partition.
-
API for mounting file systems added
This release introduces a new API for mounting file systems based on an internal kernel structure called a filesystem context (struct fs_context). This change provides greater flexibility for communicating mount parameters between user space, the VFS, and the file system. The following system calls for operating on the file system context are provided:
-
fsopen(): Creates a blank file system configuration context within the kernel for the file system that is named in the fsname parameter, puts it into creation mode, and then attaches it to a file descriptor, which it returns.
-
fsmount(): Takes the file descriptor that is returned by fsopen() and creates a mount object for the file system root that is specified there.
-
fsconfig(): Supplies parameters to and issues commands against a file system configuration context, as set up by the fsopen(2) or fspick(2) system calls.
-
fspick(): Creates a new file system configuration context within the kernel and then attaches a pre-existing superblock to it so that it can be reconfigured.
-
move_mount(): Moves a mount from one location to another. This call can also be used to attach an unattached mount that is created by fsmount(), or by open_tree() with the OPEN_TREE_CLONE flag.
-
open_tree(): Picks the mount object that is specified by the pathname and attaches it to a new file descriptor, or clones it and then attaches the clone to the file descriptor.
Note:
The former API, which is based on the mount() system call, is still supported. For more information, see the Documentation/filesystems/mount_api.txt file in the kernel source tree.
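The following Python is an added example for this page, not kernel code or Oracle's. It performs the fsopen() -> fsconfig() -> fsmount() -> move_mount() sequence described above through libc's syscall() with ctypes (glibc and Python have no wrappers for these calls), mounting a small tmpfs on a directory. It assumes an x86_64 or aarch64 Linux host (the syscall numbers are the asm-generic numbers those architectures share) and CAP_SYS_ADMIN in the current mount namespace; without that capability, or under a seccomp filter that blocks the new calls, the first failing step returns -EPERM or -ENOSYS, which the helpers propagate as a negative errno instead of raising, so the same code doubles as a probe for whether the new API is usable on a host.

```python
"""Mount a tmpfs using the fs_context-based mount API (fsopen, fsconfig, fsmount, move_mount).

Added example for this page, not kernel or Oracle code. glibc and Python have no
wrappers for these calls, so they go through libc's syscall() via ctypes.
Assumptions: Linux on x86_64 or aarch64 (the syscall numbers below are the shared
asm-generic ones) and CAP_SYS_ADMIN in the current mount namespace.
"""
import ctypes
import errno
import os
import sys
import tempfile

# Syscall numbers (shared by x86_64 and aarch64) and flag values from <linux/mount.h>.
NR_MOVE_MOUNT, NR_FSOPEN, NR_FSCONFIG, NR_FSMOUNT = 429, 430, 431, 432
FSOPEN_CLOEXEC = 0x1
FSCONFIG_SET_STRING = 1        # fsconfig(): set a "key=value" parameter
FSCONFIG_CMD_CREATE = 6        # fsconfig(): create the superblock from the context
FSMOUNT_CLOEXEC = 0x1
MOVE_MOUNT_F_EMPTY_PATH = 0x4  # from_pathname is "" and from_dfd is the mount fd
AT_FDCWD = -100

_libc = ctypes.CDLL(None, use_errno=True) if sys.platform == "linux" else None
if _libc is not None:
    _libc.syscall.restype = ctypes.c_long


def _sys(nr: int, *args) -> int:
    """Raw syscall returning the result, or -errno on failure (kernel convention)."""
    if _libc is None:
        return -errno.ENOSYS
    res = _libc.syscall(ctypes.c_long(nr), *args)
    return -ctypes.get_errno() if res == -1 else res


def mount_tmpfs(target: str, size: str = "1m") -> int:
    """Mount a fresh tmpfs of `size` with mode 0700 at `target`; return 0 or -errno."""
    if not target:
        return -errno.EINVAL
    # 1. Blank configuration context for the named filesystem type.
    fsfd = _sys(NR_FSOPEN, b"tmpfs", FSOPEN_CLOEXEC)
    if fsfd < 0:
        return fsfd
    try:
        # 2. Supply parameters, one fsconfig() call each, then ask for the superblock.
        for key, value in ((b"size", size.encode()), (b"mode", b"0700")):
            res = _sys(NR_FSCONFIG, fsfd, FSCONFIG_SET_STRING, key, value, 0)
            if res < 0:
                return res
        res = _sys(NR_FSCONFIG, fsfd, FSCONFIG_CMD_CREATE, None, None, 0)
        if res < 0:
            return res
        # 3. Detached mount object for the new superblock's root.
        mfd = _sys(NR_FSMOUNT, fsfd, FSMOUNT_CLOEXEC, 0)
        if mfd < 0:
            return mfd
        try:
            # 4. Attach the detached mount at the target path.
            return _sys(NR_MOVE_MOUNT, mfd, b"", AT_FDCWD, target.encode(),
                        MOVE_MOUNT_F_EMPTY_PATH)
        finally:
            os.close(mfd)
    finally:
        os.close(fsfd)


def mount_probe(size: str = "1m") -> int:
    """Mount on a fresh temporary directory, tear it down again, and return the result code."""
    target = tempfile.mkdtemp(prefix="fsctx-")
    try:
        res = mount_tmpfs(target, size)
        if res == 0 and _libc.umount2(target.encode(), 0) != 0:
            raise OSError(ctypes.get_errno(), "umount2 failed")
        return res
    finally:
        os.rmdir(target)


if __name__ == "__main__":
    code = mount_probe()
    print("mounted and unmounted" if code == 0 else f"failed: {errno.errorcode.get(-code, -code)}")
```

Unlike mount(2), which takes one opaque option string, each parameter is a separate fsconfig() call, so a bad option is rejected at that call with its own errno before any superblock exists; that is the flexibility the release note refers to, and also why the error path here checks every step.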
High Availability and Clusters
-
Noncritical resources in colocation constraints support added
This improvement enables you to configure a colocation constraint so that, if the dependent resource of the constraint reaches its migration threshold for failure, Pacemaker leaves that resource offline and keeps the primary resource on its current node rather than attempting to move both resources to another node. This change in behavior is implemented through the following options and feature changes:
-
New influence option. You can set this option to true or false. When the influence colocation option has a value of false, Pacemaker avoids moving the primary resource as a result of the status of the dependent resource. In this case, if the dependent resource reaches its migration threshold for failures, it stops if the primary resource is active and can remain on its current node.
-
Resources include a critical meta-attribute, which you can also set to true or false. The value of the critical resource meta-attribute determines the default value of the influence option for all colocation constraints that involve the resource as a dependent resource. The value of the critical resource meta-attribute is set to true by default, which makes the default value of the influence option true, thus preserving the previous behavior where Pacemaker attempted to keep both resources active.
-
New number data type for Pacemaker rules added
As of this update, PCS includes a number data type that you can use when defining Pacemaker rules in any PCS command that accepts rules. Note that Pacemaker rules implement number as a double-precision floating-point number and integer as a 64-bit integer.
-
Ability to specify a custom clone ID during creation of clone resource or promotable clone resource
By default, when you create a clone resource or a promotable clone resource, the clone resource is named resource-id-clone; if that ID is already in use, PCS adds a -integer suffix, starting with an integer value of 1 that is incremented by one for each additional clone. In this release, you can override this default by specifying a clone resource ID or a promotable clone resource ID with the clone-id option when you create a clone resource with the pcs resource create or pcs resource clone command.
-
New commands for managing Corosync configuration
This release introduces the following new commands for displaying and modifying Corosync configuration:
-
Capability for printing the contents of the corosync.conf file in several output formats by using the new pcs cluster config [show] command. Note that by default, the pcs cluster config command uses the text output format, which displays the Corosync configuration in a human-readable form using the same structure and option names as the pcs cluster setup and pcs cluster config update commands.
-
Capability for modifying the parameters of the corosync.conf file by using the new pcs cluster config update command. For example, you can use the command to increase the totem token to avoid fencing during temporary system unresponsiveness.
-
You can change the configuration of the Corosync crypto cipher and hash by using the pcs cluster config update command. Previously, you could only configure Corosync traffic encryption when creating a new cluster. In addition, you can change the Corosync authkey by using the pcs cluster authkey corosync command.
-
New crypt resource agent for shared and encrypted GFS2 file systems
A new crypt resource agent has been added to Oracle Linux High Availability. You can use the crypt resource agent to configure a LUKS encrypted block device, which you can then use to provide shared and encrypted GFS2 file systems. Note that use of the crypt resource is currently only supported with GFS2 file systems.
Infrastructure Services
Oracle Linux 8.4 introduces several version updates to infrastructure and command-line tools, including the following:
-
postfix-3.5.8 behavior change
In this release, the postfix-3.5.8 update behaves differently from the default upstream postfix-3.5.8 behavior. This change in behavior is for backward compatibility purposes. To restore the default upstream postfix-3.5.8 behavior, run the following commands:
sudo postconf info_log_address_format=external
sudo postconf smtpd_discard_ehlo_keywords=
sudo postconf rhel_ipv6_normalize=yes
Refer to the /usr/share/doc/postfix/README-RedHat.txt file for more details about this change.
-
Bind updated to version 9.11.26
The bind package is updated to version 9.11.26 in this release. This version of Bind provides several bug fixes and enhancements over the previous version.
-
ghostscript updated to version 9.27
This version of ghostscript provides fixes for several vulnerabilities.
-
Tuned updated to version 2.15-1
The tuned packages have been updated to version 2.15-1. Tuned 2.15-1 includes a new service plugin for controlling Linux services and an improved scheduler plugin.
-
dnstap improvement
DNSTAP provides an advanced method for monitoring and logging the details of incoming name queries. The feature also records the answers that the named service sends. DNSTAP provides a means of performing continuous, detailed logging of incoming queries without the performance penalty of conventional query logging. The new dnstap-read utility enables you to analyze the captured queries on a different system.
-
SpamAssassin updated to version 3.4.4
In this release, the SpamAssassin package has been updated to version 3.4.4. Two notable improvements are the new OLEVBMacro plugin and the addition of the following new functions: check_rbl_ns, check_rbl_rcvd, check_hashbl_bodyre, and check_hashbl_uris.
-
Capability for changing key algorithm by using OMAPI added
This enhancement provides a way to change the key algorithm by using the omshell command. Previously, the key algorithm was hard-coded as HMAC-MD5, which is no longer considered secure.
-
Sendmail provides capability for TLSFallbacktoClear configuration
With this improvement, if the outgoing TLS connection fails, the sendmail client falls back to plaintext. This change addresses TLS compatibility problems with other parties. Note that Oracle ships Sendmail with the TLSFallbacktoClear option disabled by default. Enabling it means that a failed TLS handshake results in the message being sent in cleartext, so enable it only where deliverability to a particular peer matters more than transport confidentiality.
-
tcpdump capable of capturing of RDMA traffic
The ability to capture RDMA traffic by using the tcpdump command is enabled in this release. This feature change enables you to capture and analyze offloaded RDMA traffic. As a result, you can also use the tcpdump command to view RDMA-capable devices, capture RoCE and VMA traffic, and analyze its content.
Networking
Oracle Linux 8.4 introduces the following features, enhancements, and changes:
-
NetworkManager updated to version 1.30.0
This release introduces updated NetworkManager packages. Version 1.30.0 of NetworkManager includes numerous bug fixes and improvements over the previous version, including the following notable new features, options, and connection properties:
-
ipv4.dhcp-reject-servers connection property. This new property defines the DHCP server identifiers whose lease offers NetworkManager rejects.
-
ipv4.dhcp-vendor-class-identifier connection property. This new property sends a custom Vendor Class Identifier DHCP option value.
-
The active_slave bond option is deprecated in this release. Set the primary option in the controller connection instead.
-
The nm-initrd-generator utility has changed, including support for using MAC addresses to indicate interfaces. The generator also supports creating InfiniBand connections.
-
The NetworkManager-wait-online service timeout is increased to 60 seconds.
-
The ipv4.dhcp-client-id=ipv6-duid connection property value has been added and is compliant with RFC 4361.
-
ethtool offload features added.
-
WPA3 Enterprise Suite-B 192-bit mode support added.
-
Virtual Ethernet (veth) devices added.
-
iproute2 utility includes traffic control actions for adding MPLS headers before the Ethernet header
The iproute2 utility includes three new traffic control (tc) actions. These actions facilitate the implementation of Layer-2 Virtual Private Networks (L2VPNs) by adding Multi-protocol Label Switching (MPLS) labels before Ethernet headers. You can use the following actions when adding tc filters to network interfaces:
Note:
Because the MPLS feature is provided in Oracle Linux 8.4 as a Technology Preview, all of the tc actions that are described here are also provided as an unsupported Technology Preview.
-
mac_push: The act_mpls module provides this action to add MPLS labels before the original Ethernet header.
-
push_eth: The act_vlan module provides this action to build an Ethernet header at the beginning of the packet.
-
pop_eth: The act_vlan module provides this action to drop the outer Ethernet header.
For further details, see the tc-mpls(8) and tc-vlan(8) manual pages.
-
nmstate API fully supported
The Nmstate API, which was previously provided only as a Technology Preview, is fully supported in this release. The nmstate packages include a library and the nmstatectl CLI that you can use to manage host network settings in a declarative manner. The networking state is described by a predefined schema. Note that both the reporting of the current state and any changes to the desired state conform to this schema.
-
bareudp device support for encapsulating MPLS traffic over UDP tunnel included as Technology Preview
As of this update, support for the bareudp device is available as a Technology Preview with the ip link command. The feature provides L3 encapsulation tunnelling capability for routing traffic with different L3 protocols, such as unicast and multicast MPLS and IPv4/IPv6, inside a UDP tunnel. You can start routing MPLS packets in UDP by adding tc filters and actions. For more information about creating bareudp devices, see the ip-link(8) manual page.
-
AF_XDP socket feature included as Technology Preview
The Address Family eXpress Data Path (AF_XDP) socket feature is available as a Technology Preview in Oracle Linux 8.4. AF_XDP is designed for high-performance packet processing. The feature accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.
Security
Oracle Linux 8.4 introduces the following security features, enhancements, and changes:
-
Clevis updated to version 15
The clevis packages have been updated to version 15. This version of Clevis provides numerous bug fixes and other enhancements over the previous version, including the following notable changes:
-
clevis produces a generic initramfs and no longer automatically adds the rd.neednet=1 parameter to the kernel command line.
-
Proper handling of incorrect configurations that use an sss pin. Also, the clevis encrypt sss subcommand returns output that indicates the cause of errors.
-
fapolicyd updated to version 1.0.2
The updated fapolicyd packages in this release provide numerous bug fixes and enhancements over the previous version, including the following features:
-
New integrity configuration option for enabling integrity checks by comparing file sizes and SHA-256 hashes, and by using the Integrity Measurement Architecture (IMA) subsystem.
-
Improved fapolicyd RPM plugin, which registers any system update that is handled by either the YUM package manager or the RPM Package Manager.
-
Rules can contain a GID in subjects.
-
Ability to include rule numbers in debug and syslog messages.
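The integrity option described above compares a file's size and SHA-256 hash against a trust source before the file is allowed to execute. The following added example (not fapolicyd's own code; the helper names and the in-memory trust table are assumptions for illustration) shows why both checks matter: a cheap size comparison rejects a file that has grown, but only the hash catches a same-length modification.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Return the hex SHA-256 digest of a file, read in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def trust_entry(path):
    """Build a (size, sha256) trust entry for a file, as a trust source would record it."""
    return (os.path.getsize(path), sha256_of(path))


def check_integrity(path, trust_db):
    """Classify a file against an in-memory trust table (assumed format: path -> (size, hash)).

    Returns one of:
      'untrusted'     - path is not listed in the trust table at all
      'size-mismatch' - the cheap size check fails, so no hashing is needed
      'hash-mismatch' - size matches but the contents differ
      'ok'            - size and SHA-256 both match
    """
    entry = trust_db.get(path)
    if entry is None:
        return "untrusted"
    expected_size, expected_hash = entry
    if os.path.getsize(path) != expected_size:
        return "size-mismatch"
    if sha256_of(path) != expected_hash:
        return "hash-mismatch"
    return "ok"


def demo():
    """Create constructed files in a temp dir, trust them, then tamper with two of them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.sh")
        same_size = os.path.join(d, "same_size.sh")
        grown = os.path.join(d, "grown.sh")
        unknown = os.path.join(d, "unknown.sh")
        for p in (good, same_size, grown):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho hello\n")
        # Snapshot the trusted state (constructed sample, not a real fapolicyd trust db)
        trust_db = {p: trust_entry(p) for p in (good, same_size, grown)}
        # Tamper 1: same length, different bytes; a size-only check would miss this
        with open(same_size, "w") as f:
            f.write("#!/bin/sh\necho hellp\n")
        # Tamper 2: appended bytes; caught by the size check before any hashing
        with open(grown, "a") as f:
            f.write("echo extra\n")
        # A file that was never trusted at all
        with open(unknown, "w") as f:
            f.write("#!/bin/sh\n")
        for p in (good, same_size, grown, unknown):
            results[os.path.basename(p)] = check_integrity(p, trust_db)
    return results


if __name__ == "__main__":
    print(demo())
```

The size check is ordered first on purpose: it is a single stat call, so hashing only happens for files that pass it, which is the same economy fapolicyd gets from combining the two checks.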
-
libreswan updated to version 4.3
Updated libreswan packages are introduced in this release. Version 4.3 of libreswan provides several fixes and improvements for IKE, IKEv2, and IPsec, as well as the following other notable improvements:
-
IPsec VPN support for TCP transport
The updated libreswan package adds support for IPsec-based VPN over TCP encapsulation, per RFC 8229. This improvement helps establish IPsec virtual private networks (VPNs) on networks that block Encapsulating Security Payload (ESP) and UDP traffic. This enhancement enables you to configure VPN servers and clients to use TCP, either as a fallback or as the main VPN transport protocol.
-
Libreswan support for IKEv2 for Labeled IPsec
In this release, the Libreswan Internet Key Exchange (IKE) implementation includes Internet Key Exchange version 2 (IKEv2) support for Security Labels for IPsec. This enhancement enables the upgrade of systems that use security labels with IKEv1 to IKEv2.
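RFC 8229 carries both IKE and ESP over a single TCP connection, which is what lets the VPN survive networks that drop UDP and ESP. The following added example (not libreswan code; the payload bytes are constructed placeholders, not real IKE or ESP encodings) implements the framing the RFC defines: a 6-octet "IKETCP" stream prefix, a 16-bit length field that counts itself, and a 4-octet zero Non-ESP Marker that distinguishes IKE messages from ESP packets, whose first 4 octets are a non-zero SPI.

```python
import struct

# RFC 8229 framing constants
STREAM_PREFIX = b"IKETCP"              # sent once at the start of each TCP connection
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # 4 zero octets that precede every IKE message
MAX_FRAME = 0xFFFF                     # the length field is 16 bits wide


def frame_ike(ike_message):
    """Wrap one IKE message: 2-byte length (covering itself), Non-ESP Marker, message."""
    body = NON_ESP_MARKER + ike_message
    length = 2 + len(body)
    if length > MAX_FRAME:
        raise ValueError("IKE message too large for a 16-bit length field")
    return struct.pack("!H", length) + body


def frame_esp(esp_packet):
    """Wrap one ESP packet; ESP begins with a non-zero SPI, so no marker is needed."""
    if len(esp_packet) < 4 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must begin with a non-zero SPI")
    length = 2 + len(esp_packet)
    if length > MAX_FRAME:
        raise ValueError("ESP packet too large for a 16-bit length field")
    return struct.pack("!H", length) + esp_packet


def build_stream(messages):
    """messages: list of ('ike', bytes) or ('esp', bytes). Returns the TCP byte stream."""
    out = bytearray(STREAM_PREFIX)
    for kind, payload in messages:
        out += frame_ike(payload) if kind == "ike" else frame_esp(payload)
    return bytes(out)


def parse_stream(data):
    """Demultiplex a received stream into ('ike'|'esp', payload) tuples.

    Raises ValueError on a missing prefix or a truncated or undersized frame, which is
    the behaviour a receiver needs so that a malformed peer cannot desynchronise it.
    """
    if not data.startswith(STREAM_PREFIX):
        raise ValueError("missing IKETCP stream prefix")
    pos = len(STREAM_PREFIX)
    out = []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        if length < 2 + 4:
            raise ValueError("frame too short to hold a marker or an SPI")
        end = pos + length
        if end > len(data):
            raise ValueError("truncated frame")
        body = data[pos + 2:end]
        if body[:4] == NON_ESP_MARKER:
            out.append(("ike", body[4:]))
        else:
            out.append(("esp", body))
        pos = end
    return out


def demo():
    """Round-trip one IKE message and one ESP packet through a constructed stream."""
    ike_sa_init = b"IKEv2-SA_INIT-placeholder"          # constructed, not a real IKE header
    esp_pkt = struct.pack("!II", 0x12345678, 1) + b"encrypted-payload"  # SPI, seq, placeholder
    stream = build_stream([("ike", ike_sa_init), ("esp", esp_pkt)])
    return stream, parse_stream(stream)


if __name__ == "__main__":
    stream, messages = demo()
    print(stream.hex())
    print(messages)
```

The zero marker works because SPI value 0 is reserved and never assigned to an ESP SA; that is the whole demultiplexing trick, and it is why `frame_esp` refuses a packet whose first four octets are zero.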
-
OpenSCAP packages updated to version 1.3.4
OpenSCAP version 1.3.4 fixes memory issues and leaks, including issues that caused systems with large numbers of files to run out of memory. Other notable changes include the following:
-
OpenSCAP treats GPFS as a remote file system.
-
Proper handling of OVAL content with circular dependencies between definitions.
-
Improved yamlfilecontent probe: updated yaml-filter, and extended the schema and probe so that it can work with a set of values in maps.
-
Numerous GCC and Clang compiler warnings fixed.
-
Platform elements in XCCDF files properly resolve in accordance with the XCCDF specification.
-
Improved compatibility with the uClibc library.
-
Improved local and remote file system detection methods.
-
The dpkginfo probe can use pkgCacheFile rather than manually opening the cache.
-
The OpenSCAP scan report is a valid HTML5 document.
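An OVAL definition can reference another through an extend_definition element, and a chain of such references that loops back on itself is the circular dependency the list above mentions; an evaluator that follows references naively recurses forever. The following added example (not OpenSCAP code; the OVAL document is a constructed minimal sample that keeps only the definition ids and extend_definition references) detects such cycles with a depth-first search and refuses to produce an evaluation order when one exists.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: def:1 extends def:2, def:2 extends def:3, def:3 extends def:1
# (a cycle), while def:4 extends def:2 only. Real OVAL content also carries
# criteria, tests, objects and states; they are omitted because only the
# extend_definition references matter for dependency analysis.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1">
      <criteria><extend_definition definition_ref="oval:example:def:2"/></criteria>
    </definition>
    <definition id="oval:example:def:2" class="compliance" version="1">
      <criteria><extend_definition definition_ref="oval:example:def:3"/></criteria>
    </definition>
    <definition id="oval:example:def:3" class="compliance" version="1">
      <criteria><extend_definition definition_ref="oval:example:def:1"/></criteria>
    </definition>
    <definition id="oval:example:def:4" class="compliance" version="1">
      <criteria><extend_definition definition_ref="oval:example:def:2"/></criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def dependency_graph(xml_text):
    """Map each definition id to the list of definition ids it extends."""
    root = ET.fromstring(xml_text)
    graph = {}
    for d in root.iter(f"{{{OVAL_NS}}}definition"):
        refs = [e.get("definition_ref") for e in d.iter(f"{{{OVAL_NS}}}extend_definition")]
        graph[d.get("id")] = refs
    return graph


def find_cycles(graph):
    """Three-colour DFS; returns every cycle found as a list of ids ending where it starts."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    cycles = []

    def visit(node, path):
        colour[node] = GREY
        path.append(node)
        for nxt in graph.get(node, []):
            if nxt not in colour:          # dangling reference: a different error, not a cycle
                continue
            if colour[nxt] == GREY:        # back edge to a node still on the stack
                cycles.append(path[path.index(nxt):] + [nxt])
            elif colour[nxt] == WHITE:
                visit(nxt, path)
        path.pop()
        colour[node] = BLACK

    for n in graph:
        if colour[n] == WHITE:
            visit(n, [])
    return cycles


def evaluation_order(graph):
    """Dependencies-first order for an acyclic graph; raises ValueError naming the first cycle."""
    cycles = find_cycles(graph)
    if cycles:
        raise ValueError("circular extend_definition: " + " -> ".join(cycles[0]))
    order, seen = [], set()

    def visit(n):
        if n in seen:
            return
        seen.add(n)
        for dep in graph.get(n, []):
            if dep in graph:
                visit(dep)
        order.append(n)

    for n in graph:
        visit(n)
    return order


if __name__ == "__main__":
    g = dependency_graph(SAMPLE_OVAL)
    print(find_cycles(g))
```

Reporting the cycle by its member ids, rather than just failing, is what makes such content fixable: the author can see exactly which definitions refer to each other.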
-
New RPM plugin that notifies fapolicyd about changes
A new RPM plugin that notifies fapolicyd about any changes during RPM transactions has been added. The RPM plugin replaces the YUM plugin because its functionality is not limited to YUM transactions; it also accounts for any changes made directly by RPM.
-
scap-security-guide packages updated to 0.1.54
The scap-security-guide packages have been updated to version 0.1.54. The updated version provides several bug fixes and improvements over the previous version, including an updated Operating System Protection Profile, a family of profiles that are based on ANSSI BP-028 recommendations.
-
scap-workbench can scan remote systems with sudo privileges
As of this update, the scap-workbench GUI includes support for scanning remote systems by using passwordless sudo access. This improvement reduces the security risk that is imposed by supplying root's credentials.
Caution:
Exercise caution when using this feature. Oracle recommends dedicating a well-secured user account that is solely designated for the OpenSCAP scanner.
Web Console Includes Graphical Performance Analysis Capability
The web console includes graphical performance analysis capability in this release. With this enhancement, the system graphs page has been replaced with a new View details and history page, which is dedicated to analyzing the performance of a system.
You can view performance metrics from the Overview page by clicking View details and history. The page displays information about current metrics and historical events, based on the Utilization, Saturation, and Errors (USE) method.
Technology Preview
For the Red Hat Compatible Kernel in the current Oracle Linux 8 release, the following features are under technology preview:
Multi-protocol Label Switching for TC
Multi-protocol Label Switching (MPLS) is available as a technology preview. This feature is an in-kernel data-forwarding mechanism that routes the traffic flow across enterprise networks. In an MPLS network, the router that receives a packet decides its further route based on the labels that are attached to the packet. By using labels, an MPLS network can treat packets that share particular characteristics in the same way.
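The iproute2 item earlier in this chapter (mac_push, push_eth and pop_eth) and the MPLS preview paragraph above both turn on what a label stack looks like on the wire and where the tc actions put it. The following added example (not kernel or iproute2 code; the MAC addresses and payload are constructed samples) encodes the 32-bit MPLS label stack entry, then emulates the L2VPN ingress path of mac_push followed by push_eth and the egress path of pop_eth followed by popping the stack, and checks that the original customer frame comes back intact.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_IPV4 = 0x0800


def mpls_entry(label, tc=0, bos=False, ttl=64):
    """Encode one MPLS label stack entry: 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8:
        raise ValueError("tc must fit in 3 bits")
    if not 0 <= ttl < 256:
        raise ValueError("ttl must fit in 8 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def decode_mpls_stack(data):
    """Decode entries until the S bit is set; returns (entries, bytes after the stack)."""
    entries = []
    pos = 0
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack("!I", data[pos:pos + 4])
        pos += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        if word & 0x100:
            return entries, data[pos:]


def eth_header(dst, src, ethertype):
    """14-byte Ethernet II header."""
    return dst + src + struct.pack("!H", ethertype)


def mac_push(frame, labels, ttl=64):
    """Emulate the act_mpls mac_push action: put a label stack in front of the original
    Ethernet header, so the whole original frame becomes the MPLS payload."""
    stack = b"".join(mpls_entry(lab, ttl=ttl, bos=(i == len(labels) - 1))
                     for i, lab in enumerate(labels))
    return stack + frame


def push_eth(packet, dst, src):
    """Emulate the act_vlan push_eth action: build an outer Ethernet header for MPLS unicast."""
    return eth_header(dst, src, ETHERTYPE_MPLS_UNICAST) + packet


def pop_eth(frame):
    """Emulate the act_vlan pop_eth action: drop the outer Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[14:]


def demo():
    """Ingress: mac_push then push_eth. Egress: pop_eth then pop the stack. Returns
    (encapsulated frame, decoded label entries, whether the original frame was recovered)."""
    # Constructed customer frame: Ethernet header plus a placeholder IPv4 payload
    inner = eth_header(bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"),
                       ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
    # Two labels: the outer transport label first, the inner service label with S=1
    encapsulated = push_eth(mac_push(inner, [100, 200]),
                            bytes.fromhex("0200000000cc"), bytes.fromhex("0200000000dd"))
    labels, recovered = decode_mpls_stack(pop_eth(encapsulated))
    return encapsulated, labels, recovered == inner


if __name__ == "__main__":
    enc, labels, ok = demo()
    print(enc.hex())
    print(labels, ok)
```

The bottom-of-stack bit is the only thing that tells a receiver where the labels end and the customer frame begins, which is why `mac_push` sets it on the last label only and why `decode_mpls_stack` treats a stack with no S bit as malformed.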