2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Installation

The following notable change has been made to the graphical installation program in Oracle Linux 8.4:

Graphical Installation Program Displays Warnings About Deprecated Kernel Boot Arguments

All graphical installation program boot arguments that do not contain the inst. prefix, such as ks, stage2, repo, and so on, have been deprecated since Oracle Linux 7. These arguments will be removed in the next major Oracle Linux release.

Starting with Oracle Linux 8.4, warning messages are displayed by the graphical installation program whenever any boot arguments that do not include the inst. prefix are used, as appropriate.

For example, the following warnings are displayed in dracut when booting the installation:

ks has been deprecated. All usage of Anaconda boot arguments
without the inst. prefix have been deprecated and will be removed in a future
major release. Please use inst.ks instead. 

When the installation program is started in a terminal window, the following warnings are displayed:

Deprecated boot argument ks must be used with the inst. prefix.
Please use inst.ks instead. Anaconda boot arguments without inst.
prefix have been deprecated and will be removed in a future major release.

Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.4 on the x86_64 platform.

For more information about the Unbreakable Enterprise Kernel Release 6 (UEK R6) release that is shipped with Oracle Linux 8.4, see the Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 2 (5.4.17-2102).

  • bcc updated to version 0.16.0

    The bcc package has updated to version 0.16.0. This version of the package includes several improvements over the previous version.

  • Berkeley Packet Filter updated to version 5.9

    The following, related Berkeley Packet Filter (BPF) packages are updated in this release:

    • bpf packages have been updated to version 5.9.

    • bpftrace packages have been updated to version 0.11.0.

    • libbpf packages have been updated to version 0.2.0.1.

  • cgroups implementation for the slab memory controller

    This release introduces a new implementation of the slab memory controller for the control groups (cgroups) technology. The slab memory controller improves slab utilization, as well as enables a shift in memory accounting from the page level to the object level. Note that this change eliminates each set of duplicated per-CPU and per-node slab caches for each memory control group, as well as establishes one, common set of per-CPU and per-node slab caches for all memory control groups. With this change, you can achieve a significant drop in the total kernel memory footprint and observe positive effects on memory fragmentation.

  • CPU hotplug in hv_24x7 and hv_gpci PMUs support

    A change that enables PMU counters to correctly react to the hot-plugging of a CPU is introduced in this release. Now, if a hv_gpci event counter is running on a CPU that becomes disabled, the counting redirects to another CPU.

  • EDAC module included

    This release includes the Error Detection and Correction (EDAC) kernel module, which is enabled for 8th and 9th generation Intel Core Processors (CoffeeLake). The EDAC kernel module primarily handles Error Code Correction (ECC) memory and detects and reports PCI bus parity errors.

  • dwarves updated to version 1.19.1

    The dwarves package has been updated to version 1.19.1. This version of the package provides multiple bug fixes and enhancements over the previous version, as well as a new way of checking functions from the DWARF debug data by using related ftrace entries to ensure that a subset of ftrace functions is generated.

  • Free memory page feature added

    The Oracle Linux 8 host kernel is capable of returning memory pages that are not used by its VMs back to the hypervisor. This feature change improves the stability and resource efficiency of the host. Note that in order for memory page returning to work, it must be configured in the VM, and the VM must also use the virtio_balloon device.

  • hwloc updated to version 2.2.0

    The hwloc package has been updated to version 2.2.0. With this change, hwloc can report details on Nonvolatile Memory Express (NVMe) drives, including total disk size, as well as sector size.

  • ima-evm-utils updated to version 1.3.2

    The ima-evm-utils package has been updated to version 1.3.2 to provide multiple bug fixes and enhancements, including the following changes:

    • Handling of the Trusted Platform Module (TPM2) multi-banks feature.

    • Extension of the boot aggregate value to Platform Configuration Registers (PCRs) 8 and 9.

    • Preloaded OpenSSL engine by using a command-line interface (CLI) parameter.

    • Intel Task State Segment (TSS2) PCR reading.

    • Support for the original Integrity Measurement Architecture (IMA) template.

    Note:

    Both the libimaevm.so.0 and libimaevm.so.2 libraries are part of ima-evm-utils. As such, using libimaevm.so.0 has no effect if more recent applications use libimaevm.so.2.

  • kabi_whitelist package renamed to kabi_stablelist

    The kabi_whitelist package has been renamed kabi_stablelist. This change was made in accordance with Oracle's commitment to replacing problematic and potentially offensive language.

    Note:

    A similar renaming has already taken place in the UEK R6 release, per Bug ID 31783146.

  • kdump enhancement for configuring VLAN tagged team interface

    In this release, you can configure a Virtual Local Area Network (VLAN) tagged team interface for kdump. This improvement enables kdump to use a VLAN tagged team interface to dump a vmcore file.

  • kmod-redhat-oracleasm package added

    The kmod-redhat-oracleasm package has been added in this release. This package provides the kernel module part of the ASMLib utility. Oracle Automated Storage Management (ASM) is a data volume manager for Oracle databases. ASMLib is an optional utility that you can use on Oracle Linux systems to manage Oracle ASM devices.

  • Levelling of IMA and EVM features across supported CPU architectures

    All CPU architectures, with the exception of the 64-bit ARM (aarch64) platform, have a similar level of feature support for Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) technologies. Note that the enabled functionalities are different for each CPU architecture. The following significant updates decrease the level of feature difference in IMA and EVM to ensure that user space applications behave the same across all supported CPU architectures:

    • Enabling of IMA appraise and trusted keyring.

    • AMD64 and Intel 64 include specific architecture policy in secure boot state.

    • IBM Power System (little-endian) includes specific architecture policy in secure and trusted boot state.

    • SHA-256 is the default hash algorithm for all supported architectures.

    • For all architectures, the measurement template has changed to IMA-SIG, and the template includes the signature bits when present. Its format is: d-ng|n-ng|sig.
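As an added example that is not part of these release notes, the following Python parses a measurement list recorded with the ima-sig template described above (d-ng|n-ng|sig), flags measured files that carry no signature, and replays the PCR 10 extend chain so the result can be compared with the TPM's SHA-1 bank. The log lines, template hashes and signature blob are constructed for the example, not real kernel output.

```python
"""Replay an IMA measurement list recorded with the ima-sig template (d-ng|n-ng|sig).

A verifier reads /sys/kernel/security/ima/ascii_runtime_measurements, recomputes
the PCR 10 extend chain from the template hashes and compares the result with the
value reported by the TPM (SHA-1 bank; the ascii list prints the SHA-1 template
hash even when ima_hash=sha256).
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

PCR_SIZE = 20                       # SHA-1 bank
VIOLATION = b"\xff" * PCR_SIZE      # IMA extends with 0xff bytes for violation entries


@dataclass
class Entry:
    pcr: int
    template_hash: bytes   # column 2: SHA-1 over the template data
    algo: str              # d-ng hash algorithm name, e.g. "sha256"
    file_hash: bytes       # d-ng digest
    name: str              # n-ng field
    sig: bytes             # raw signature blob, empty if the file is unsigned

    @property
    def violation(self) -> bool:
        # The kernel records an all-zero template hash for violations
        # (open-writers / ToMToU) but extends the PCR with 0xff bytes.
        return self.template_hash == b"\x00" * PCR_SIZE

    @property
    def keyid(self) -> Optional[str]:
        # signature_v2_hdr: type(1) version(1) hash_algo(1) keyid(4) sig_size(2) sig
        if len(self.sig) < 9 or self.sig[0] != 0x03:
            return None
        return self.sig[3:7].hex()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_measurements(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # n-ng is printed unescaped, so a filename containing whitespace breaks
        # the ascii list; use binary_runtime_measurements on such hosts.
        fields = line.split()
        if len(fields) not in (5, 6) or fields[2] != "ima-sig":
            raise ValueError(f"line {lineno}: not an ima-sig entry: {line!r}")
        pcr, thash, _tmpl, dng, name = fields[:5]
        algo, _, fhash = dng.partition(":")
        sig = bytes.fromhex(fields[5]) if len(fields) == 6 else b""
        entries.append(Entry(int(pcr), bytes.fromhex(thash), algo,
                             bytes.fromhex(fhash), name, sig))
    return entries


def replay_pcr(entries: List[Entry], pcr_index: int = 10) -> bytes:
    """Recompute the expected PCR value from the log for comparison with the TPM."""
    pcr = b"\x00" * PCR_SIZE
    for e in entries:
        if e.pcr != pcr_index:
            continue
        pcr = pcr_extend(pcr, VIOLATION if e.violation else e.template_hash)
    return pcr


def unsigned_files(entries: List[Entry]) -> List[str]:
    """Files measured without an IMA signature (boot_aggregate never carries one)."""
    return [e.name for e in entries if not e.sig and e.name != "boot_aggregate"]


# Constructed sample log (not real kernel output); template hashes are fabricated.
def _fake(label: str) -> str:
    return hashlib.sha1(label.encode()).hexdigest()

SAMPLE_SIG = "030204" + "deadbeef" + "0004" + "cd" * 4   # v2 header + 4-byte sig
SAMPLE_LOG = "\n".join([
    f"10 {_fake('t0')} ima-sig sha256:{'a1' * 32} boot_aggregate",
    f"10 {_fake('t1')} ima-sig sha256:{'b2' * 32} /usr/bin/ls {SAMPLE_SIG}",
    f"10 {_fake('t2')} ima-sig sha256:{'c3' * 32} /usr/local/bin/unsigned-tool",
    f"10 {'00' * 20} ima-sig sha256:{'d4' * 32} /tmp/open-writers-violation",
])

if __name__ == "__main__":
    ents = parse_measurements(SAMPLE_LOG)
    print("expected PCR 10:", replay_pcr(ents).hex())
    print("unsigned:", unsigned_files(ents))
    print("signing keyids:", {e.name: e.keyid for e in ents if e.sig})
```

A mismatch between the replayed value and the TPM's PCR 10 means the log was truncated or tampered with; a violation entry in the log also means the PCR can no longer match any expected "golden" value.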

  • libbpf updated to version 0.2.0.1

    The libbpf package has been updated to version 0.2.0.1.

  • perf improvements

    The following perf tool improvements are introduced in Oracle Linux 8.4:

    • Ability to add or remove tracepoints from a running collector.

    • Support for circular buffers that use specified events to trigger snapshots.

    • The perf script can record and display trace data with absolute timestamps. Note that to display trace data with absolute timestamps, the data must be recorded with the clock ID specified.

    • Top sorting order improvement.

  • Proactive compaction included as disabled-by-default

    Proactive compaction regularly initiates memory compaction work prior to a request for allocation being made, which increases the chances that memory allocation requests find the physically contiguous blocks of memory without the requirement that memory compaction produce them on-demand. As a result, latency for specific memory allocation requests is lowered.

    Be aware that proactive compaction can result in increased compaction activity, which in turn can have a serious, system-wide impact because memory pages belonging to different processes are moved and remapped. For this reason, enabling proactive compaction requires the utmost care to ensure that latency spikes in applications are avoided.

    Note:

    Users who are running a UEK R6 release can explore using the memoptimizer user space daemon to manage proactive free memory for proactive compaction.

  • Time namespace added

    Oracle Linux 8 includes the time namespace. This feature enables the system monotonic and boot-time clocks to work with per-namespace offsets on the AMD64, Intel 64, and 64-bit ARM (aarch64) architectures. Time namespace works well for changing the date and time inside Linux containers, as well as for making in-container adjustments of clocks after restoration from a checkpoint. This change enables you to independently set time for an individual container.

Extended Berkeley Packet Filter

The Extended Berkeley Packet Filter (eBPF) feature is an in-kernel virtual machine (VM) that enables code execution in the kernel space, which takes place in the restricted sandbox environment that has access to a limited set of functions. The VM executes a special assembly-like code.

The following eBPF features are included in Oracle Linux 8.4:

  • BPF Compiler Collection

    The BPF Compiler Collection (BCC) package provides tools for I/O analysis, networking, and monitoring of Oracle Linux operating systems that are using eBPF.

  • BCC library

    The BCC library enables the development of tools that are similar to those that are provided in the BCC tools package.

  • eBPF for Traffic control

    The eBPF for the Traffic control (tc) feature enables programmable packet processing inside the kernel network data path.

  • eXpress Data Path

    The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions.

  • libbpf package

    The libbpf package is crucial for BPF-related applications such as bpftrace and bpf/xdp development.

  • xdp-tools package

    The xdp-tools package contains user space support utilities for the XDP feature. The XDP feature is supported on both the AMD and Intel 64-bit architectures.

Software Management

The following software management features and improvements are introduced in this release:

  • createrepo_c package update and program improvement

    The createrepo_c packages have been updated to version 0.16.2. This version of the createrepo_c program includes an improvement that enables the program to automatically add modular metadata to repositories. In previous implementations, running the createrepo_c program on Oracle Linux 8 packages to create a new repository did not include modular repodata in this repository, which consequently caused various problems with repositories.

    With this change, the createrepo_c program does the following:

    • Scans for modular metadata.

    • Merges the found module YAML files into a single, modular document, modules.yaml.

    • Automatically adds the document to the repository.

    Because modular metadata is now added to repositories automatically, you no longer need to perform the extra step of running the modifyrepo_c command to add it.

  • Capability for mirror transaction between systems within DNF

    This change enables you to store and replay a transaction within DNF.

    To store a transaction from DNF history into a JSON file, use the dnf history store command.

    To replay the transaction later on the same machine, or on a different one, use the dnf history replay command.

    Note that storing and replaying comps group operations is supported. Module operations are not yet supported and, as such, are not stored or replayed.

  • protect_running_kernel configuration option added

    You can use the new protect_running_kernel configuration option to control whether the package that corresponds to the running version of the kernel is protected from removal. This change provides the ability to disable protection of the running kernel.

  • sos tools updated

    Oracle Linux 8.4 includes an updated sos RPM. As part of this change, the /usr/sbin/sosreport binary is deprecated. Note that this command continues to function as a legacy supported feature; however, the command is now redirected to the sos report command. For additional information, see https://github.com/sosreport/sos.

GCC Toolset 10 Updates

Oracle Linux 8.4 provides the GCC Toolset 10, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.

In Oracle Linux 8.4, the GCC compiler is updated to the upstream version. This change provides multiple bug fixes.

The following tools and versions are included in this release:

  • GCC version 10.2.1

  • GDB version 9.2

  • Valgrind version 3.16.0

  • SystemTap version 4.4

  • Dyninst version 10.2.1

  • binutils version 2.35

  • elfutils version 0.182

  • dwz version 0.12

  • make version 4.2.1

  • strace version 5.7

  • ltrace version 0.7.91

  • annobin version 9.29

The GCC Toolset 10 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

To install this toolset, run the following command as the root user:

sudo dnf install gcc-toolset-10

To run a tool from GCC Toolset 10, use the following command:

scl enable gcc-toolset-10 tool

The following command runs a shell session, where tool versions from the GCC Toolset 10 take precedence over system versions of the same tools:

scl enable gcc-toolset-10 bash

Database

This release of Oracle Linux 8 ships with version 8.0 of the MySQL database software.

Dynamic Programming Languages, Web, and Database Servers

Oracle Linux 8.4 includes the following feature changes and improvements for dynamic programming languages, and web and database servers. Note that this release also introduces the following new and improved module streams:

  • python39 module stream

    Python 3.9, which is provided by the new module python39 module stream and the ubi8/python-39 container image, is included in this release and replaces the previous python38 module stream.

  • swig:4.0 module stream

    Oracle Linux 8.4 includes Simplified Wrapper and Interface Generator (SWIG) version 4.0, which is available as the swig:4.0 module stream.

  • subversion:1.14 module stream

    The subversion:1.14 module stream has been added in this release. Subversion 1.14 is the most recent Long Term Support (LTS) release.

  • redis:6 module stream

    The redis:6 module stream is available in this release. Redis 6 is an advanced key-value store that replaces the previous Redis 5 version.

  • mysql-selinux package

    The new mysql-selinux package has been added in this release. The package includes an SELinux module that provides rules for the MySQL database. This package is installed by default with the database server. Note that the module’s priority is set to 200.

  • python-PyMySQL package

    The python-PyMySQL package, which provides the pure-Python MySQL client library, has been updated to version 0.10.1. This package is included in the python36, python38, and python39 modules.

  • python3-pyodbc package

    The python3-pyodbc package is included in this release. The pyodbc Python module provides access to Open Database Connectivity (ODBC) databases. The module implements the Python DB API 2.0 specification, which can be used with third-party ODBC drivers. Capability has been added for using the Performance Co-Pilot (pcp) to monitor performance of the SQL Server.

  • micropipenv package

    The new micropipenv package is available in this release. This package provides a lightweight wrapper for the pip package installer to support Pipenv and Poetry lock files. The micropipenv package is distributed in the AppStream repository and is provided under Compatibility level 4.

  • py3c-devel and py3c-docs packages

    Oracle Linux 8.4 includes two new packages: py3c-devel and py3c-docs. These packages simplify the porting of C extensions to Python 3 and include a detailed guide and set of macros for easier porting.

    Note:

    These packages are distributed through the unsupported CodeReady Linux Builder (CLB) Repository.

  • mod_fcgid module can pass up to 1024 environment variables to FCGI server process

    The mod_fcgid module for the Apache HTTP Server can pass up to 1024 environment variables to a FastCGI (FCGI) server process. Note that the previous limit of 64 environment variables could cause applications running on the FCGI server to malfunction.

  • perl-IO-String distributed through AppStream repository

    Starting with this release, the perl-IO-String package is distributed through the supported AppStream repository. This package provides the Perl IO::String module. Previously, the perl-IO-String package was only made available in the unsupported CLB repository.

  • quota-devel package

    The new quota-devel package provides header files for implementing the quota Remote Procedure Call (RPC) service.

    Note:

    This package is distributed through the unsupported CodeReady Linux Builder (CLB) Repository.

File Systems and Storage

Oracle Linux 8.4 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs removed from RHCK

    The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, any Btrfs user space packages that are provided are not supported with RHCK.

    Note:

    Support for the Btrfs file system is enabled in UEK R6. Starting with Oracle Linux 8.3, during an installation, you have the option to create a Btrfs root file system, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.

    For more information about managing the Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.

    For more information about the enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 2 (5.4.17-2102).

  • OCFS2 removed from RHCK

    The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.

    Note:

    OCFS2 is fully supported with UEK R6 in Oracle Linux 8.4.

  • NVMe/TCP included as a Technology Preview

    NVMe over Fabrics TCP host and the target drivers are included in RHCK as a Technology Preview.

    Note:

    NVMe/TCP is already supported in Unbreakable Enterprise Kernel Release 6.

  • Capability for creating swap partition 16 TiB in size during installation added

    In this release, for automatic partitioning, the installer continues to create a swap partition of maximum 128 GB. However, in the case of manual partitioning, you can create a swap partition of 16 TiB. Previously, during an Oracle Linux 8 installation, the installer created a swap partition of maximum 128 GB for both automatic and manual partitioning.

  • Capability for surprise removal of NVMe devices added

    This improvement enables you to remove NVMe devices from the Oracle Linux operating system without notifying the operating system in advance (surprise removal). This feature enhances the serviceability of NVMe devices because no additional steps are required to prepare the devices for orderly removal, thus eliminating server downtime and ensuring the availability of servers.

    Take special note of the following additional important information and requirements for using this feature:

    • Surprise removal of NVMe devices requires that you be running UEK R6 or RHCK, kernel-4.18.0-193.13.2.el8_2.x86_64, or later.

    • Be aware of any additional hardware platform requirements that may exist.

    • Ensure that the software that is running on the platform supports the successful surprise removal of NVMe devices.

    • The surprise removal of an NVMe device that is critical to the system's operation is not supported. For example, you cannot remove an NVMe device that contains the operating system or a swap partition.

  • API for mounting file systems added

    This release introduces a new API for mounting file systems based on an internal kernel structure called a filesystem context (struct fs_context). This change provides greater flexibility for communicating mount parameters between user space, the VFS, and the file system. The following system calls for operating on the file system context are provided:

    • fsopen(): Creates a blank file system configuration context within the kernel for the file system that is named in the fsname parameter, adds it to creation mode, and then attaches it to a file descriptor, which it then returns.

    • fsmount(): Takes the file descriptor that is returned by fsopen() and creates a mount object for the file system root that is specified there.

    • fsconfig(): Supplies parameters to and issues commands against a file system configuration context, as set up by the fsopen(2) or fspick(2) system calls.

    • fspick(): Creates a new file system configuration context within the kernel and then attaches a pre-existing superblock to it so that it can be reconfigured.

    • move_mount(): Moves a mount from one location to another. This call can also be used to attach an unattached mount that is created by fsmount() or open_tree(), with the OPEN_TREE_CLONE system call.

    • open_tree(): Picks the mount object that is specified by the pathname, attaches it to a new file descriptor, or clones it, and then attaches the clone to the file descriptor.

    Note:

    The former API, which is based on the mount() system call, is still supported.

    For more information, see the Documentation/filesystems/mount_api.txt file in the kernel source tree.

High Availability and Clusters

The following high availability and clustering features are included in Oracle Linux 8.4:

  • Noncritical resources in colocation constraints support added

    This improvement enables you to configure a colocation constraint in such a way that if the dependent resource of the constraint reaches its migration threshold for failure, Pacemaker leaves the resource offline and keeps the primary resource on its current node rather than attempting to move both resources to another node. This change in behavior is implemented through the following options and feature changes:

    • New influence option. You can set this option to true or false. When the influence colocation option has a value of false, Pacemaker avoids moving the primary resource as a result of the status of the dependent resource. In this case, if the dependent resource reaches its migration threshold for failures, it stops if the primary resource is active and can remain on its current node.

    • Resources include a critical meta-attribute, which you can also set to true or false. The value of the critical resource meta-attribute determines the default value of the influence option for all colocation constraints that involve a resource as a dependent resource. The value of the critical resource meta option is set to true by default, which determines that the default value of the influence option is true, thus preserving the previous behavior where Pacemaker attempted to keep both resources active.

  • New number data type for Pacemaker rules added

    As of this update, PCS includes a data type of number that you can use when defining Pacemaker rules in any PCS command that accepts rules. Note that Pacemaker rules implement number as a double-precision, floating-point number and integer as a 64-bit integer.

  • Ability to specify a custom clone ID during creation of clone resource or promotable clone resource

    By default, during the process of creating a clone resource or a promotable clone resource, the clone resource is named resource-id-clone; but, if that ID is already in use, PCS adds a suffix -integer that starts with an integer value of 1, which is then incremented by one for each additional clone. In this release, you can override this default by specifying a name for a clone resource ID or a promotable clone resource ID by specifying the clone-id option when creating a clone resource with the pcs resource create or pcs resource clone command.

  • New commands for managing Corosync configuration

    This release introduces the following new commands for displaying and modifying Corosync configuration:

    • Capability for printing the contents of the corosync.conf file in several output formats by using the new pcs cluster config [show] command has been added. Note that by default, the pcs cluster config command uses the text output format, which displays the Corosync configuration in a human-readable form using the same structure and option names as the pcs cluster setup and pcs cluster config update commands.

    • Capability for modifying the parameters of the corosync.conf file by using the new pcs cluster config update command. For example, you can use the command to increase the totem token to avoid fencing during temporary system unresponsiveness.

    • You can change the configuration of the Corosync crypto cipher and hash by using the pcs cluster config update command. Previously, you could only configure Corosync traffic encryption when creating a new cluster. In addition, you can change the Corosync authkey by using the pcs cluster authkey corosync command.

  • New crypt resource agent for shared and encrypted GFS2 file systems

    A new crypt resource agent has been added to Oracle Linux High Availability. You can use the crypt resource agent to configure a LUKS encrypted block device, which you can then use to provide shared and encrypted GFS2 file systems. Note that use of the crypt resource is currently only supported with GFS2 file systems.

Infrastructure Services

Oracle Linux 8.4 introduces several version updates to infrastructure and command-line tools, including the following:

  • postfix-3.5.8 behavior change

    In this release, the postfix-3.5.8 update behaves differently from the default upstream postfix-3.5.8 behavior. This change in behavior is for backward compatibility purposes. To restore the default upstream postfix-3.5.8 behavior, run the following commands:

    sudo postconf info_log_address_format=external
    sudo postconf smtpd_discard_ehlo_keywords=
    sudo postconf rhel_ipv6_normalize=yes

    Refer to the /usr/share/doc/postfix/README-RedHat.txt file for more details about this change.

  • Bind updated to version 9.11.26

    The bind package is updated to version 9.11.26 in this release. This version of Bind provides several bug fixes and enhancements over the previous version.

  • ghostscript updated to version 9.27

    This version of ghostscript provides fixes for several vulnerabilities.

  • Tuned updated to version 2.15-1

    The tuned packages have been updated to version 2.15-1. Tuned 2.15-1 includes an added service plugin for Linux services control and an improved scheduler plugin.

  • dnstap improvement

    DNSTAP provides an advanced method for monitoring and logging the details of incoming name queries. The feature also records the answers sent by the named service. DNSTAP provides a means of continuously logging detailed incoming queries without incurring a performance penalty. The new dnstap-read utility enables you to analyze the captured queries on a different system.

  • SpamAssassin updated to version 3.4.4

    In this release, the SpamAssassin package has been updated to version 3.4.4. Two notable improvements include a new OLEVBMacro plugin and the addition of the following new functions: check_rbl_ns, check_rbl_rcvd, check_hashbl_bodyre, and check_hashbl_uris.

  • Capability for changing key algorithm by using OMAPI added

    This enhancement provides users with a way to change the key algorithm by using the omshell command. The key algorithm was previously hard coded as HMAC-MD5, which is no longer considered secure.

  • Sendmail provides capability for TLSFallbacktoClear configuration

    With this improvement, if the outgoing TLS connection fails, the sendmail client falls back to plaintext. This change addresses TLS compatibility problems with the other parties. Note that Oracle ships Sendmail with the TLSFallbacktoClear option disabled by default.

  • tcpdump capable of capturing RDMA traffic

    The ability to capture RDMA traffic by using the tcpdump command is enabled in this release. This feature change enables you to capture and analyze offloaded RDMA traffic. As a result, you can also use the tcpdump command to view RDMA-capable devices, capture RoCE and VMA traffic, and analyze its content.

Networking

Oracle Linux 8.4 introduces the following features, enhancements, and changes:

  • NetworkManager updated to version 1.30.0

    This release introduces updated NetworkManager packages. Version 1.30.0 of NetworkManager includes numerous bug fixes and improvements over the previous version, including the following notable new features, options, and connection properties:

    • ipv4.dhcp-reject-servers connection property. This new property defines the DHCP server IDs from which NetworkManager should reject lease offers.

    • ipv4.dhcp-vendor-class-identifier connection property. This new property sends a custom Vendor Class Identifier DHCP option value.

    • The active_slave bond option is deprecated in this release. You can set the primary option in the controller connection instead.

    • The nm-initrd-generator utility changes, including support for MAC addresses to identify interfaces. The generator also supports creating InfiniBand connections.

    • The NetworkManager-wait-online service timeout is increased to 60 seconds.

    • ipv4.dhcp-client-id=ipv6-duid connection property has been added and is compliant with RFC4361.

    • ethtool offload features added.

    • WPA3 Enterprise Suite-B 192-bit mode support added.

    • Virtual Ethernet (veth) devices added.

  • iproute2 utility includes traffic control actions for adding MPLS headers before the Ethernet header

    The iproute2 utility includes three new traffic control (tc) actions. These actions facilitate the implementation of Layer-2 Virtual Private Networks (L2VPNs) by adding Multi-protocol Label Switching (MPLS) labels before Ethernet headers. You can use the following actions while adding tc filters to network interfaces:

    Note:

    Because the MPLS feature is provided in Oracle Linux 8.4 as a Technology Preview, all of the tc actions that are described here are also provided as an unsupported Technology Preview.

    • mac_push: The act_mpls module provides this action to add MPLS labels before the original Ethernet header.

    • push_eth: The act_vlan module provides this action to build an Ethernet header at the beginning of the packet.

    • pop_eth: The act_vlan module provides this action to drop the outer Ethernet header.

    For further details, see the tc-mpls(8) and tc-vlan(8) manual pages.
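    The encapsulation and decapsulation sides of an Ethernet-over-MPLS L2VPN built from these three actions, as an added example that is not part of the release notes: the interface names (ce0, pe0), the label value and the MAC addresses are assumptions, and the action grammar should be checked against the tc-mpls(8) and tc-vlan(8) pages installed on the system. The tc_run wrapper prints the commands instead of running them when TC_DRY_RUN=1, so the rules can be reviewed before they touch a live interface.

```shell
#!/bin/sh
# Added illustration (not from the release notes): Ethernet-over-MPLS L2VPN using the
# Technology Preview tc actions. Interface names, label and MAC addresses are assumed.
set -eu

# Execute a command, or only print it when TC_DRY_RUN=1 (review rules before applying).
tc_run() {
    if [ "${TC_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Encapsulate: each frame entering the customer port gets an MPLS label inserted in
# front of its original Ethernet header (mac_push), then an outer Ethernet header
# (push_eth), and is redirected out of the core port. The inner frame is unchanged.
l2vpn_encap() {
    cust_if=$1 core_if=$2 label=$3 src_mac=$4 dst_mac=$5
    tc_run tc qdisc add dev "$cust_if" clsact
    tc_run tc filter add dev "$cust_if" ingress matchall \
        action mpls mac_push label "$label" \
        action vlan push_eth dst_mac "$dst_mac" src_mac "$src_mac" \
        action mirred egress redirect dev "$core_if"
}

# Decapsulate: MPLS unicast frames entering the core port lose the outer Ethernet
# header (pop_eth) and then the label (pop; next protocol teb = transparent Ethernet
# bridging), which exposes the original frame for redirection to the customer port.
l2vpn_decap() {
    core_if=$1 cust_if=$2
    tc_run tc qdisc add dev "$core_if" clsact
    tc_run tc filter add dev "$core_if" ingress protocol mpls_uc matchall \
        action vlan pop_eth \
        action mpls pop protocol teb \
        action mirred egress redirect dev "$cust_if"
}
```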

  • nmstate API fully supported

    The Nmstate API that was previously provided as a Technology Preview only is fully supported in this release. The nmstate packages include a library and the nmstatectl CLI that you can use to manage host network settings in a declarative manner. The networking state is described by a predefined schema. Both the report of the current state and any changes to the desired state conform to this schema.

  • bareudp device support for encapsulating MPLS traffic over UDP tunnel included as Technology Preview

    As of this update, support for the bareudp device is available as a Technology Preview with the ip link command. The feature provides L3 encapsulation tunnelling capability for routing traffic with different L3 protocols, such as unicast and multicast MPLS and IPv4/IPv6 inside a UDP tunnel. You can start routing MPLS packets in UDP by adding tc filters and actions.

    For more information about creating bareudp devices, see the ip-link(8) manual page.

  • AF_XDP socket feature included as Technology Preview

    The Address Family eXpress Data Path (AF_XDP) socket feature is available as a Technology Preview in this release. AF_XDP is designed for high-performance packet processing. The feature accompanies XDP and enables efficient redirection of programmatically selected packets to user space applications for further processing.

Security

Oracle Linux 8.4 introduces the following security features, enhancements, and changes:

  • Clevis updated to version 15

    The clevis packages have been updated to version 15. This version of Clevis provides numerous bug fixes and other enhancements over the previous version, including the following notable changes:

    • clevis produces a generic initramfs and no longer automatically adds the rd.neednet=1 parameter to the kernel command line.

    • Proper handling of incorrect configurations that use an sss pin. Also, the clevis encrypt sss subcommand returns outputs that indicate the cause of errors.

  • fapolicyd updated to version 1.0.2

    The updated fapolicyd packages in this release provide numerous bug fixes and enhancements over the previous version, including the following features:

    • New integrity configuration option for enabling integrity checks by comparing file sizes and SHA-256 hashes, and by using the Integrity Measurement Architecture (IMA) subsystem.

    • Improved fapolicyd RPM plugin, which registers any system update that is handled by either the YUM package manager or the RPM Package Manager.

    • Rules can contain GID in subjects.

    • Ability to include rule numbers in debug and syslog messages.

  • libreswan updated to version 4.3

    Updated libreswan packages are introduced in this release. Version 4.3 of libreswan provides several fixes and improvements for IKE, IKEv2, and IPsec, as well as the following other notable improvements:

    • IPsec VPN support for TCP transport

      The updated libreswan package adds support for IPsec-based VPN over TCP encapsulation, per RFC 8229. This improvement helps establish IPsec virtual private networks (VPNs) on networks that block Encapsulating Security Payload (ESP) and UDP traffic. This enhancement enables you to configure VPN servers and clients to use TCP, either as a fallback or as the main VPN transport protocol.

    • Libreswan support for IKEv2 for Labeled IPsec

      In this release, the Libreswan Internet Key Exchange (IKE) implementation includes Internet Key Exchange version 2 (IKEv2) support for security labels for IPsec. This enhancement enables the upgrade of systems that use security labels with IKEv1 to IKEv2.

  • OpenSCAP packages updated to version 1.3.4

    OpenSCAP version 1.3.4 fixes memory issues and leaks, including problems that caused systems with large numbers of files to run out of memory. Other notable changes include the following:

    • OpenSCAP treats GPFS as a remote file system.

    • Proper handling of OVALs with circular dependencies between definitions.

    • Improved yamlfilecontent probe: updated yaml-filter, and extended the schema and probe so that it can work with a set of values in maps.

    • Numerous warnings for GCC and Clang fixed.

    • Platform elements in XCCDF files properly resolve in accordance with the XCCDF specification.

    • Improved compatibility with the uClibc library.

    • Improved local and remote file system detection methods.

    • The dpkginfo probe can use pkgCacheFile rather than manually opening the cache.

    • OpenSCAP scan report is a valid HTML5 document.

  • New RPM plugin that notifies fapolicyd about changes

    A new RPM plugin that notifies fapolicyd about any changes during RPM transactions has been added. The RPM plugin replaces the YUM plugin because its functionality is not limited to YUM transactions; it also accounts for changes made directly by RPM.

  • scap-security-guide packages updated to 0.1.54

    The scap-security-guide packages have been updated to version 0.1.54. The updated version provides several bug fixes and improvements over the previous version, including an updated Operating System Protection Profile, a family of profiles that are based on ANSSI BP-028 recommendations.

  • scap-workbench can scan remote systems with sudo privileges

    As of this update, the scap-workbench GUI includes support for scanning remote systems by using passwordless sudo access. This improvement reduces the security risk of supplying root's credentials.

    Caution:

    Exercise caution when using this feature. Oracle recommends dedicating a well-secured user account that is solely designated for the OpenSCAP scanner.

Web Console Includes Graphical Performance Analysis Capability

The web console includes graphical performance analysis capability in this release. With this enhancement, the system graphs page has been replaced with a new View details and history page, which is dedicated to analyzing the performance of a system.

You can view performance metrics from the Overview page by clicking View details and history. The page displays information about current metrics and historical events, based on the Utilization, Saturation, and Errors (USE) method.

Technology Preview

For the Red Hat Compatible Kernel in the current Oracle Linux 8 release, the following features are under technology preview:

Multi-protocol Label Switching for TC

Multi-protocol Label Switching (MPLS) is available as a technology preview. This feature is an in-kernel data-forwarding mechanism that routes traffic flows across enterprise networks. In an MPLS network, the router that receives a packet decides its further route based on the labels that are attached to the packet. By using labels, an MPLS network can handle packets with particular characteristics.

aarch64 only: VNC Remote Console

In this release, the Virtual Network Computing (VNC) remote console is available as a technology preview on the 64-bit Arm platform only. The remaining components of the graphics stack are unverified on this platform.