2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Installation

The following installation changes are introduced in Oracle Linux 8.5:

  • Capability for overriding official repositories added

    The osbuild-composer backend includes a set of official repositories that are defined in the /usr/share/osbuild-composer/repositories directory by default, but it does not inherit the system repositories that are located in the /etc/yum.repos.d/ directory. However, in this release, you can override the official repositories by defining overrides in the /etc/osbuild-composer/repositories directory. As a result, the files that are located in this directory take precedence over those in the /usr directory.

  • Graphical installation program displays warnings about deprecated kernel boot arguments

    Graphical installation program boot arguments that do not contain the inst. prefix, such as ks, stage2, repo, and so on, are deprecated as of Oracle Linux 7, with the intent to remove these arguments in the next major Oracle Linux release.

    Starting with Oracle Linux 8.4, warning messages are displayed by the graphical installation program whenever any boot arguments that do not contain the inst. prefix are used, as appropriate.

    For example, the following warnings are displayed in dracut when booting the installation:

    ks has been deprecated. All usage of Anaconda boot arguments
    without the inst. prefix have been deprecated and will be removed in a future
    major release. Please use inst.ks instead. 

    When the installation program has started in a terminal window, the following warnings are displayed:

    Deprecated boot argument ks must be used with the inst. prefix.
    Please use inst.ks instead. Anaconda boot arguments without inst.
    prefix have been deprecated and will be removed in a future major release.

Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 8.5 on the x86_64 platform.

For the latest information about Unbreakable Enterprise Kernel Release 6 (UEK R6), which is shipped with Oracle Linux 8.5, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 3 (5.4.17-2136).

schedutil CPU governor available in RHCK and UEK R6

In Oracle Linux 8.5, the schedutil CPU frequency governor is available for both RHCK and UEK R6. This feature leverages utilization data from the CPU scheduler to appropriately adjust CPU frequency settings and performance state. The schedutil governor is capable of accessing the scheduler’s internal data structures directly and can control how the CPU raises and lowers its frequency in response to system load.

Note that the schedutil governor feature is not enabled by default and must be manually enabled.

igc Driver Included

The igc Intel 2.5G Ethernet Linux wired local area network (LAN) driver, which was previously introduced in Oracle Linux 8.1 as a technology preview, is supported on all architectures, starting with Oracle Linux 8.4. Note that the ethtool command that is used to control network driver and hardware settings also includes support for igc wired LANs.

EDAC for Intel Sapphire Rapids Processors Enabled

This enhancement provides Error Detection And Correction (EDAC) device support for Intel Sapphire Rapids processors. EDAC mainly handles Error Code Correction (ECC) memory and detects and reports PCI bus parity errors.

Note that this feature is already enabled in Unbreakable Enterprise Kernel Release 6.

Software Management

The following software management features and enhancements are introduced in Oracle Linux 8.5:

  • RPM includes read-only support for sqlite database back end

    When inspecting other root directories, such as containers, you might want to query an RPM that is based on the sqlite database backend. Oracle Linux 8.5 includes read-only support for the RPM sqlite database back end, which means you can query the packages that are installed in a container directly from the Oracle Linux 8 host.

    To perform this type of query with Podman, mount the container’s file system by using the podman mount command, then run the rpm -qa command with the --root option pointing to the mounted location.

    Note that RPM on Oracle Linux 8 continues to use the Berkeley DB database (bdb) back end.

  • libmodulemd updated to version 2.13.0

    The libmodulemd packages have been updated to version 2.13.0. This version of libmodulemd includes fixes for several issues with the modulemd-validator command, as well as the following improvements over the previous version:

    • Capability for delisting demodularized packages from a module.

    • Capability for validating modulemd-packager-v3 documents by specifying the new --type option with the modulemd-validator command.

    • Fortified parsing integers.

  • sslverifystatus added to dnf configuration

    Starting with this release, enabling the sslverifystatus option causes the dnf command to check each server certificate's revocation status by using the Certificate Status Request TLS extension (OCSP stapling). As a result, when a revoked certificate is encountered, the dnf command refuses the download from that server.

  • libcomps-devel package moved to ol8_codeready_builder repository

    The libcomps-devel package was moved by upstream from the ol8_baseos repository to the ol8_codeready_builder repository between Oracle Linux 8.4 and Oracle Linux 8.5. If you were using this package previously, you may need to enable the ol8_codeready_builder repository to resolve any potential update issues.

Shells and Command-Line Tools

The following shells and command-line tools features and improvements are introduced in Oracle Linux 8.5:

  • Errors when restoring LVM with thin pools are fixed

    This enhancement enables Relax-and-Recover (ReaR) to detect when thin pools and other logical volume types with kernel metadata, such as RAIDs and caches, are used in a volume group (VG). ReaR then switches to a mode where it recreates all of the logical volumes (LVs) in the VG by using lvcreate commands. Thus, LVM with thin pools is restored without producing any errors.

    Note:

    The new method does not preserve all the LV properties, such as LVM UUIDs. Before you use ReaR in a production environment, you should test restoring from the backup to determine whether the recreated storage layout matches the requirements.

  • FCoE option changed to rd.fcoe

    The rd.nofcoe=0 command has been changed to rd.fcoe in Oracle Linux 8.5. In previous releases, the dracut.cmdline(7) manual page documented using the rd.nofcoe=0 command to turn off Fibre Channel over Ethernet (FCoE). Starting with this release, you should use the rd.fcoe=0 command to disable FCoE.

  • lsvpd updated to version 1.7.12

    The lsvpd package has been updated to version 1.7.12 in this release. Notable bug fixes and enhancements in this version of lsvpd include the following:

    • UUID property added in sysvpd.

    • Improvements to the NVMe firmware version.

    • Fix for the PCI device manufacturer parsing logic.

    • Added recommends clause to the lsvpd configuration file.

  • modulemd-tools package added

    The modulemd-tools package is introduced in Oracle Linux 8.5. This package provides tools for parsing and generating modulemd YAML files. To install the package, use the dnf install modulemd-tools command.

  • opencryptoki updated to version 3.16.0

    The opencryptoki package has been updated to version 3.16.0 in this release. This version of opencryptoki includes several bug fixes and the following improvements over the previous version:

    • Improvements to the protected-key option and support for attribute-bound keys in the EP11 core processor.

    • Improvements to the import and export of secure key objects in the cycle-count-accurate (CCA) processor.

  • ppc64-diag updated to version 2.7.1

    The ppc64-diag package has been updated to version 2.7.7 in this release. This version of ppc64-diag includes the following improvements:

    • Unit test cases have been improved.

    • UUID property is added in sysvpd.

    • The rtas_errd service does not run in Linux containers.

    • Obsolete logging options removed from the systemd service files.

  • ReaR updated to version 2.6

    The ReaR feature has been updated to version 2.6 in this release. This version of ReaR includes several notable improvements over the previous version.

Compilers and Development Toolsets

Oracle Linux 8.5 introduces the following features, enhancements, and changes to compilers and development toolsets.

  • Go Toolset updated to version 1.16.6

    The Go Toolset has been updated to version 1.16.6. The following are some of the notable changes that have been made:

    • The GO111MODULE environment variable is set to on by default. You can revert this setting by changing the variable's value to auto.

    • The Go linker uses less resources and improves code robustness and maintainability. This improvement applies to all supported architectures and operating systems.

    • A new embed package has been added. With this package, you can access embedded files while compiling programs.

    • All of the functions of the io/ioutil package have been moved to the io and os packages. You can still use the io/ioutil package; however, the io and os packages provide better definitions.

    • The Delve debugger has been updated to version 1.6.0. This version of the Delve debugger supports the Go 1.16.7 Toolset.

  • Rust Toolset updated to version 1.54.0

    The Rust Toolset has been updated to version 1.54.0. This version of the Rust Toolset includes the following changes:

    • The Rust standard library is available for the wasm32-unknown-unknown target. This enhancement enables you to generate WebAssembly binaries, including newly stabilized intrinsics.

    • Rust includes the IntoIterator implementation for arrays. This enhancement enables you to use the IntoIterator trait to iterate over arrays by value and pass arrays to methods. Note, however, that the array.into_iter() still iterates values by reference until the 2021 edition of Rust.

    • The syntax for or patterns allows for nesting anywhere in the pattern, for example, Pattern(1|2) can be used instead of Pattern(1)|Pattern(2).

    • Unicode identifiers can contain all valid identifier characters, as defined in the Unicode Standard Annex #31.

    • Methods and trait implementations have been stabilized.

    • Incremental compilation has been reenabled by default.

  • LLVM Toolset updated to version 12.0.1

    The LLVM Toolset has been updated to version 12.0.1. A new compiler was added and several changes were made to existing compilers. The following are the notable changes that were made in this version of the tool:

    • The new -march=x86-64-v[234] compiler flag has been added.

    • The -fasynchronous-unwind-tables compiler flag, which is part of the clang compiler, is the default on Linux AArch64/PowerPC.

    • The clang compiler includes support for the C++20 likelihood attributes.

    • The new tune-cpu function attribute has been added. This function attribute enables microarchitectural optimizations to be applied independently from the target-cpu attribute or TargetMachine CPU.

    • The new sanitizer, -fsanitize=unsigned-shift-base, has been added to the integer sanitizer, -fsanitize=integer, for improved security.

    • Code generation on PowerPC targets has been optimized.

    • The WebAssembly back end is now enabled in LLVM. This enhancement enables you to generate WebAssembly binaries with LLVM and Clang.

    • For debugging .NET applications, use the lldb debugger. For other languages, use the gdb debugger.

  • CMake updated to version 3.20.2

    CMake has been updated to version 3.20.2. Notable changes that are included in this version of CMake include the following:

    • C++23 compiler modes can be specified by using the CXX_STANDARD, CUDA_STANDARD, and OBJCXX_STANDARD target properties or by using the cxx_std_23 meta-feature of the compile features function.

    • CUDA language support allows the NVIDIA CUDA compiler to be a symbolic link.

    • Intel oneAPI NextGen LLVM compilers are supported with the IntelLLVM compiler ID.

    • CMake can facilitate cross compiling for Android by merging with the Android NDK’s toolchain file.

    • When using cmake(1) to generate a project build system, unknown command-line arguments that begin with a hyphen are rejected.

  • GCC Toolset 11: dwz supports DWARF 5

    Starting with GCC Toolset 11, dwz includes support for DWARF 5.

  • SystemTap updated to version 4.5

    SystemTap has been updated to version 4.5. This version of SystemTap includes several bug fixes and other improvements, including the following:

    • 32-bit floating-point variables are automatically widened to double variables. As a result, they can be accessed directly as $context variables.

    • enum values can be accessed as $context variables.

    • The BPF uconversions tapset has been extended to include more tapset functions for accessing values in user space, such as user_long_error().

    • Concurrency control is significantly improved to provide more stable operation on large servers.

  • elfutils updated to version 0.185

    The elfutils packages have been updated to version 0.185. Several bug fixes and the following notable improvements have been made in this version:

    • The eu-elflint and eu-readelf tools can recognize and show the SHF_GNU_RETAIN and SHT_X86_64_UNWIND flags on ELF sections.

    • The DEBUGINFOD_SONAME macro is added to debuginfod.h. You can use this macro with the dlopen function to load the libdebuginfod.so library dynamically from an application.

    • The debuginfod_set_verbose_fd function has been added to the debuginfod-client library. This function enhances the debuginfod_find_* queries functionality by redirecting the verbose output to a separate file.

    • Setting the DEBUGINFOD_VERBOSE environment variable shows additional information about which servers the debuginfod client is connected to, as well as the HTTP responses of those servers.

    • The debuginfod server includes a new thread-busy metric and more detailed error metrics, which makes it easier to inspect processes that run on the debuginfod server.

    • The libdw library transparently handles the DW_FORM_indirect location value, which enables the dwarf_whatform function to return the actual FORM of an attribute.

    • The debuginfod-client library stores negative results in a cache, and client objects can reuse an existing connection, which reduces network traffic.

  • Valgrind updated to version 3.17.0

    Valgrind has been updated to version 3.17.0. This version of Valgrind introduces several bug fixes and enhancements. A few of the more notable improvements include the following: Valgrind can read DWARF Version 5 debugging format, support for debugging queries to the debuginfod server, and partial support for ARMv8.2 processor instructions.

  • New pcp-ss PCP utility

    The new pcp-ss PCP utility is added in this release. The utility reports socket statistics that are collected by the pmdasockets(1) PMDA. The command is compatible with several ss command-line options and reporting formats. The utility also provides the advantages of local and remote monitoring, in live mode and historical replay, from a previously recorded PCP archive.

  • PCP updated to 5.3.1

    The Performance Co-Pilot (PCP) package has been updated to version 5.3.1. This release includes bug fixes, enhancements, and new features, including the following: scalability improvements, resolved memory leaks in the pmproxy service and the libpcp_web API library, a new pcp-ss tool for historical socket statistics, improvements to the pcp-htop tool, and extensions to the over-the-wire PCP protocol, which supports higher resolution timestamps.

  • pcp-container package updated to version 5.3.1

    The pcp-container package has been updated to version 5.3.1 in this release.

  • grafana package updated to version 7.5.9

    The grafana package has been updated to version 7.5.9 in this release. Notable new features and enhancements include the following: a new time series panel (beta), a new pie chart panel (beta), alerting support for Loki, and multiple new query transformations.

  • grafana-container package updated to version 7.5.9

    The grafana-container packages have been updated to version 7.5.9 in this release. Notable new features and enhancements include the following:

    • The grafana package is updated to version 7.5.9.

    • The grafana-pcp package is updated to version 3.10.

    • The container includes support for the GF_INSTALL_PLUGINS environment variable for installing custom Grafana plugins at container start-up.

  • grafana-pcp package updated to version 3.10.0

    The grafana-pcp package has been updated to version 3.1.0. Notable improvements include the following:

    • Performance Co-Pilot (PCP) Vector Checklist dashboards use a new time series panel, show units in graphs, and contain updated help texts.

    • Addition of the pmproxy URL and hostspec variables to PCP Vector Host Overview and PCP Checklist dashboards.

    • All dashboards display datasource selection.

    • Marking all included dashboards as read-only.

    • Added compatibility with Grafana 8.

GCC Toolset 11

Oracle Linux 8.5 provides the GCC Toolset 11, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset.

In Oracle Linux 8.5, the GCC compiler is updated to the upstream version. The following tools have been updated since GCC Toolset 10:

  • GCC version 11.1.1

  • GDB version 10.1

  • Valgrind version 3.17.0

  • SystemTap version 4.5

  • Dyninst version 10.2.1

  • binutils version 2.36.1

  • elfutils version 0.184

  • dwz version 0.14

  • annobin version 9.69

See Compilers and Development Toolsets for further details about notable changes that have been made to some of the tools that are in GCC Toolset 11.

The GCC Toolset 11 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

To install this toolset, use the following command:

sudo dnf install gcc-toolset-11

To run a tool from GCC Toolset 11, use the following command:

scl enable gcc-toolset-11 tool

The following command initiates a shell session, where tool versions from the GCC Toolset 11 take precedence over system versions of the same tools:

scl enable gcc-toolset-11 bash

Database

This release of Oracle Linux 8 ships with version 8.0 of the MySQL database software.

Dynamic Programming Languages, Web, and Database Servers

Oracle Linux 8.5 includes several feature changes and improvements for dynamic programming languages and web and database servers. Note that this release also introduces several new and improved module streams:

  • ruby:3.0 module stream added

    Oracle Linux 8.5 includes Ruby version 3.0.2 in a new ruby:3.0 module stream. Ruby 3.0.2 includes several performance improvements, bug and security fixes, and new features, compared with the previously available Ruby version 2.7. This version of Ruby includes the following significant features:

    • Concurrency and parallelism features.

    • Static analysis features.

    • Pattern matching with the case/in expression is no longer experimental.

    • One-line pattern matching has been redesigned. This feature is experimental.

    • The find pattern is added as an experimental feature.

    • Pasting of long code to the Interactive Ruby Shell (IRB) is significantly faster.

    • The measure command has been added to IRB for time measurement.

    • Changes to keyword arguments, which are now separated from other arguments.

    • The default directory for user-installed gems has changed to $HOME/.local/share/gem/, unless the $HOME/.gem/ directory already exists.

  • Default separator for Python urllib parsing functions has changed

    The default separator for the urllib.parse.parse_qsl and urllib.parse.parse_qs functions has been changed from the ampersand (&) and semicolon (;) to just an ampersand. These changes were made to mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib library.

    This change, which was introduced in Python 3.6 with Oracle Linux 8.4, is now being backported to Python 3.8 and Python 2.7. Note that Python 3.9 is unaffected, as it already includes the new default separator.

    Note:

    Because this change is potentially backwards incompatible, you have the option to configure the behavior in Python packages, where the default separator has been changed. Note also that the affected urllib parsing functions emit a warning if it is detected that a customer’s application is affected by the change.
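
    The following Python is an added example, not code from the Oracle Linux release notes or the Python project. It shows why the separator default matters: the same query string yields different parameters depending on whether a semicolon is treated as a separator, and a cache that keys a response on one reading while the application acts on the other is the poisoning vector the text refers to. The split_query helper is this example's own deliberately small stand-in parser, used only to put both readings side by side; the separator keyword argument to urllib.parse.parse_qs is the real setting in patched Python versions.

```python
# Added example, not code from the Oracle Linux release notes. It shows why the
# parse_qs separator default matters for cache poisoning and how to pin the
# behaviour explicitly. `split_query` is a deliberately small stand-in parser
# used only to show both interpretations side by side.
from urllib.parse import parse_qs


def split_query(query, separators):
    """Split a query string into {name: [values]} on any of `separators`.

    No percent-decoding is done, so it only agrees with parse_qs for the
    plain ASCII samples used here.
    """
    for sep in separators[1:]:
        query = query.replace(sep, separators[0])
    result = {}
    for pair in query.split(separators[0]):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(name, []).append(value)
    return result


def interpretations_differ(query):
    """True when a component splitting only on '&' and one splitting on
    both '&' and ';' disagree about the parameters in `query`.

    That disagreement is the cache-poisoning vector the text refers to:
    a cache keys the response on one reading while the application
    answers according to the other.
    """
    return split_query(query, "&") != split_query(query, "&;")


def stdlib_default_is_ampersand_only(query):
    """Check that this interpreter's parse_qs uses the new '&'-only default."""
    return parse_qs(query, keep_blank_values=True) == split_query(query, "&")


def parse_with_explicit_separator(query, separator):
    """Pin the separator instead of relying on the default; patched Python
    versions accept this keyword argument."""
    return parse_qs(query, keep_blank_values=True, separator=separator)


if __name__ == "__main__":
    # Constructed sample: a benign-looking parameter hiding a second one
    # behind a semicolon.
    sample = "utm_source=newsletter;role=admin"
    print("ampersand only :", split_query(sample, "&"))
    print("ampersand+semi :", split_query(sample, "&;"))
    print("ambiguous      :", interpretations_differ(sample))
    print("stdlib default :", parse_with_explicit_separator(sample, "&"))
```

    Passing separator explicitly is the robust choice for application code that must keep working across the backported interpreters: it documents which reading the code expects rather than inheriting whichever default the installed Python ships with.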

  • Python ipaddress module changes

    The Python ipaddress module has been updated to reject IPv4 addresses with leading zeros, with an AddressValueError: Leading zeros are not permitted error. This change was made to mitigate CVE-2021-299221.

    This change was introduced in python38 and python39 modules. Note that previous Python modules are not impacted by CVE-2021-299221.

    If you rely on the previous behavior, you can pre-process your IPv4 address inputs to strip the leading zeros off as follows:

    >>> def reformat_ip(address): return '.'.join(part.lstrip('0') or '0' for part in address.split('.'))
    >>> reformat_ip('0127.0.0.1')
    '127.0.0.1'

    To strip off the leading zeros with an explicit loop for readability, use the following:

    def reformat_ip(address):
        parts = []
        for part in address.split('.'):
            # Strip leading zeros, but keep an all-zero octet ('0', '00') as '0'
            part = part.lstrip('0') or '0'
            parts.append(part)
        return '.'.join(parts)

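
    The following Python is an added example, not code from the Oracle Linux release notes or the Python project. It places a strict parser that refuses leading zeros (the behaviour the patched ipaddress module adopts) beside the lenient normalisation shown above, and makes the underlying ambiguity visible: inet_aton-style parsers read a leading-zero octet as octal, so the same string can mean 87.0.0.1 to one component and 127.0.0.1 to another. All function names are this example's own.

```python
# Added example, not code from the Oracle Linux release notes. It contrasts a
# strict IPv4 parser (reject leading zeros, as the patched ipaddress module
# does) with the lenient normalisation approach the text shows, and makes the
# underlying ambiguity visible: inet_aton-style parsers read a leading-zero
# octet as octal, so '0127.0.0.1' can mean 87.0.0.1 to one component and
# 127.0.0.1 to another. All function names here are this example's own.
import ipaddress


def has_leading_zero_octet(address):
    """True if any dotted-quad octet has a leading zero; a lone '0' is fine."""
    return any(len(p) > 1 and p.startswith("0") for p in address.split("."))


def parse_ipv4_strict(address):
    """Safe default: refuse ambiguous input rather than guess its meaning.

    Raises ValueError for leading-zero octets (ipaddress.AddressValueError
    is a ValueError subclass, so patched and unpatched interpreters behave
    the same here).
    """
    if has_leading_zero_octet(address):
        raise ValueError(f"ambiguous IPv4 octet with leading zero: {address!r}")
    return ipaddress.IPv4Address(address)


def strict_rejects(address):
    """Convenience predicate: does parse_ipv4_strict refuse this input?"""
    try:
        parse_ipv4_strict(address)
    except ValueError:
        return True
    return False


def normalize_ipv4(address):
    """The pre-processing approach from the text, with '000' kept as '0'.

    Only use this where the input source is trusted to mean decimal.
    """
    return ".".join(part.lstrip("0") or "0" for part in address.split("."))


def parse_ipv4_lenient(address):
    """Decimal reading: '0127.0.0.1' -> 127.0.0.1."""
    return ipaddress.IPv4Address(normalize_ipv4(address))


def octal_reading(address):
    """Octal reading that inet_aton-style parsers apply to leading-zero
    octets: '0127.0.0.1' -> '87.0.0.1'. Raises ValueError for digits
    that are not valid octal."""
    parts = []
    for part in address.split("."):
        is_octal = len(part) > 1 and part.startswith("0")
        value = int(part, 8) if is_octal else int(part)
        parts.append(str(value))
    return ".".join(parts)


if __name__ == "__main__":
    sample = "0127.0.0.1"  # constructed input with a leading-zero octet
    print("strict rejects :", strict_rejects(sample))
    print("decimal reading:", parse_ipv4_lenient(sample))
    print("octal reading  :", octal_reading(sample))
```

    The octal_reading function is what makes the risk concrete: an allow-list check that normalises '0127.0.0.1' to 127.0.0.1 and approves it can be bypassed if a later component resolves the original string as 87.0.0.1. Rejecting the input outright, as the updated module does, removes the disagreement instead of picking a side.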
  • php:7.4 module stream updated to version 7.4.19

    The PHP scripting language, which is included in the php:7.4 module stream, has been updated to version 7.4.19 in this release. With this update, multiple security and bug fixes have been implemented.

  • pg_repack package added

    The new pg_repack package has been added to the postgresql:12 and postgresql:13 modules. This package provides a PostgreSQL extension that enables you to remove bloat from tables and indexes, as well as optionally restore the physical order of clustered indexes.

  • nginx:1.20 module added

    The nginx 1.20 web and proxy server is available as the nginx:1.20 module stream in Oracle Linux 8.5. This version provides numerous bug fixes, security fixes, enhancements, and new features over the previous version, including the following:

    • Support for the client SSL certificate validation with Online Certificate Status Protocol (OCSP).

    • Support for cache clearing, based on the minimum amount of free space. Note that this feature is implemented as the min_free parameter of the proxy_cache_path directive.

    Other notable changes in the nginx:1.20 module include enhanced directives, such as ssl_conf_command, ssl_reject_handshake, and proxy_cookie_flags, as well as improved support for HTTP/2.

  • squid:4 module updated to version 4.15

    The Squid proxy server, which is available in the squid:4 module stream, has been updated to version 4.15. This update includes several bug and security fixes over the previous version.

  • quota command supports HPE XFS

    This change enables users of HPE XFS to monitor and manage user and group disk usage by using the quota command.

  • mutt updated to version 2.0.7

    The Mutt email client has been updated to version 2.0.7 in this release. This version of mutt provides a number of enhancements and bug fixes, as well as added support for the following:

    • The OAuth 2.0 authorization protocol by using the XOAUTH2 mechanism. Mutt also supports the OAUTHBEARER authentication mechanism for the IMAP, POP, and SMTP protocols.

    • Domain-literal email addresses such as user@[IPv6:fcXX:…]

    • New $imap_deflate variable that supports COMPRESS=DEFLATE compression. Note that this variable is disabled by default.

    • $ssl_starttls variable no longer controls aborting an unencrypted IMAP PREAUTH connection. Instead, use the $ssl_force_tls variable if you rely on the STARTTLS process.

    Note:

    After updating to the new Mutt version, the ssl_force_tls configuration variable still defaults to no, which is designed to prevent problems in existing environments. Note also that in the upstream version of Mutt, ssl_force_tls is enabled by default.

File Systems and Storage

Oracle Linux 8.5 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs removed from RHCK

    The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, note that any Btrfs user space packages that are provided are not supported with RHCK.

    Note:

    Support for the Btrfs file system is enabled in UEK R6; starting with Oracle Linux 8.3, you have the option to create a Btrfs root file system during an installation, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.

    For more information about managing a Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.

    For the latest enhancements that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 3 (5.4.17-2136).

  • OCFS2 removed from RHCK

    The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.

    Note:

    OCFS2 is fully supported with UEK R6 in Oracle Linux 8.5.

  • NVMe/TCP included as a Technology Preview

    NVMe over Fabrics TCP host and the target drivers are included in RHCK as a technology preview in this release.

    Note:

    Support for NVMe/TCP is already available in Unbreakable Enterprise Kernel Release 6.

High Availability and Clusters

The following high availability and clustering features are included in Oracle Linux 8.5:

  • Local mode version for pcs cluster setup command added

    Support for the local mode version of the pcs cluster setup command has been added in this release.

  • fence_watchdog agent enables watchdog-only SBD configuration on subset of cluster nodes

    This release includes a new fence_watchdog agent for configuring a watchdog-only SBD setup. Previously, because this capability did not exist, SBD could not be used in a cluster where some nodes supported it but others (most often remote nodes) required some other form of fencing.

  • pcs command for updating SCSI fencing device

    A new pcs command for updating a SCSI fencing device without causing the restart of all other resources has been added.

  • Reduced output display option added to pcs resource safe-disable command

    The reduced output display option has been added to the pcs resource safe-disable command.

  • pcs command accepts Promoted and Unpromoted role names

    With this update, the pcs command accepts the Promoted and Unpromoted role names.

  • pcs resource status display commands added

    This update introduces new pcs resource status display commands.

  • LVM volume group flag added

    A new LVM volume group flag for controlling auto-activation has been added in this release.

Infrastructure Services

Oracle Linux 8.5 introduces several version updates to infrastructure and command-line tools, including the following features:

  • linuxptp updated to version 3.1

    The linuxptp package has been updated to version 3.1. Notable enhancements include the ts2phc program for synchronizing the Precision Time Protocol (PTP) hardware clock to a Pulse Per Second (PPS) signal, and added support for the automotive profile and client event monitoring.

  • chrony updated to version 4.1

    The chrony package has been updated to version 4.1 in this release. Notable changes in this version of chrony include the following:

    • Added support for Network Time Security (NTS) authentication.

    • Authenticated Network Time Protocol (NTP) sources are trusted over non-authenticated NTP sources by default in this update. To restore the original behavior, add the authselectmode ignore directive to the chrony.conf file.

    • Support is no longer available for authentication with the following RIPEMD keys: RMD128, RMD160, RMD256, and RMD320.

    • Support for long, non-standard MACs in NTPv4 packets is no longer available. If you are using chrony 2.x non-MD5/SHA1 keys, you need to configure chrony by using the version 3 option.

  • PowerTop updated to version 2.14

    PowerTop has been updated to version 2.14 in this release. This update provides support for the Alder Lake, Sapphire Rapids, and Rocket Lake platforms.

  • kdumpctl updated to provide an estimate utility

    The kdumpctl command features an estimate subcommand. Running the kdumpctl estimate command provides a recommended crashkernel value that is based on the current kdump setup and includes additional details on memory usage.

  • Intel® QuickAssist Technology Library user space package updated to version 21.05

    The Intel® QuickAssist Technology Library (QATlib) user space package, and the qatlib user space libraries that allow access to Intel QuickAssist devices and expose the Intel QuickAssist APIs, have been updated to version 21.05.

  • Tuned moves unnecessary IRQs to housekeeping CPUs

    Network device drivers such as i40e, iavf, and mlx5 evaluate online CPUs to determine the number of queues and MSIX vectors to be created. Previously, for low-latency environments consisting of a large number of isolated and very few housekeeping CPUs, any attempts by Tuned to move these device IRQs to housekeeping CPUs failed, due to the per-CPU vector limit.

    With this enhancement, Tuned explicitly adjusts the numbers of network device channels, and MSIX vectors, as per the housekeeping CPUs. Therefore, all of the device IRQs on the housekeeping CPUs can be moved to achieve low latency.

Graphics Infrastructure

  • Intel's Tiger Lake graphics available

    Intel's Tiger Lake graphics is made available in Oracle Linux 8.5.

Networking

Oracle Linux 8.5 introduces the following networking features, enhancements, and changes:

  • firewalld updated to version 0.9.3

    The firewalld package has been updated to version 0.9.3. This version of firewalld includes numerous upstream bug fixes and improvements over version 0.8.2.

    Notably, this update includes the introduction of the policy object feature that allows forward and output filtering for virtual machines (VMs), containers, and zones. For further information, see https://firewalld.org/2020/09/policy-objects-introduction and https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic.

  • NetworkManager updated to version 1.32.10

    NetworkManager has been updated to version 1.32.10. This version of NetworkManager includes numerous bug fixes and enhancements over the previous version.

  • Capability for managing ethtool parameters added to NetworkManager

    In certain cases, you need to explicitly set non-autonegotiated pause parameters on a specific network interface. In this release, NetworkManager includes the capability to manage the ethtool pause (flow control) parameters, which can also be set through nmstate. Previously, NetworkManager did not include this capability.

    To disable auto negotiation of the pause parameter and enable RX/TX pause support explicitly, use the following command:

    sudo nmcli connection modify enp1s0 ethtool.pause-autoneg no ethtool.pause-rx true ethtool.pause-tx true

  • Property for setting physical and virtual interfaces in promiscuous mode added to NetworkManager

    The 802-3-ethernet.accept-all-mac-addresses property for setting physical and virtual interfaces in the accept all MAC addresses mode has been added to NetworkManager. With this enhancement, an interface in accept all MAC addresses mode passes network packets to the kernel regardless of whether they are addressed to the interface's own MAC address.

    For example, to enable accept all MAC addresses mode on eth1, use the following command:

    sudo nmcli c add type ethernet ifname eth1 connection.id eth1 802-3-ethernet.accept-all-mac-addresses true

  • nftables can be used as firewall back end in NetworkManager
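
Accept-all-MAC (promiscuous) mode is what packet sniffers rely on, so an administrator usually wants to know which interfaces are currently in that mode. The following POSIX shell script is an added example, not part of the Oracle Linux release notes: it lists the interfaces whose kernel flags include PROMISC from `ip -o link show` output, and it lists the NetworkManager connections together with the value of the property introduced above. The `ip -o link` sample embedded in the script is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit which interfaces are in promiscuous (accept-all-MAC) mode.
# Not code from the Oracle Linux release notes.

# Constructed sample of `ip -o link show` output (not from a real host). The
# third interface carries the PROMISC flag.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff'

# promisc_ifaces: read `ip -o link show` lines on stdin and print the name of
# every interface whose <...> flag list contains PROMISC, one per line.
promisc_ifaces() {
    # With the default field separator, $2 is "name:" and $3 is "<FLAGS>".
    awk '$3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# live_promisc_ifaces: same check against the running kernel.
live_promisc_ifaces() {
    ip -o link show | promisc_ifaces
}

# nm_accept_all_mac: print "connection value" for every NetworkManager ethernet
# connection, where value is the 802-3-ethernet.accept-all-mac-addresses
# setting (so persistent promiscuous configuration is visible even when the
# interface is currently down).
nm_accept_all_mac() {
    nmcli -g NAME,TYPE connection show | while IFS=: read -r name type; do
        [ "$type" = "802-3-ethernet" ] || continue
        value=$(nmcli -g 802-3-ethernet.accept-all-mac-addresses connection show "$name")
        printf '%s %s\n' "$name" "$value"
    done
}
```

On a live system, run `live_promisc_ifaces` for the kernel view and `nm_accept_all_mac` for the persistent NetworkManager configuration; `promisc_ifaces` on its own lets you check `ip -o link show` output collected from other hosts.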

    This enhancement adds support for the nftables firewall framework to NetworkManager. To switch the default back end from iptables to nftables, use the following commands:
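
As an added example that is not part of the release notes, the following POSIX shell script selects the NetworkManager firewall back end through a configuration drop-in. It relies on the `firewall-backend` key of the `[main]` section documented in NetworkManager.conf(5); the drop-in file name `90-firewall-backend.conf` and the `NM_CONF_DIR` override (used so the functions can be exercised outside `/etc`) are this example's own choices.

```shell
#!/bin/sh
# Added example: switch the NetworkManager firewall back end (iptables or
# nftables) with a drop-in under conf.d. Not code from the release notes.

# Directory that NetworkManager reads drop-ins from; override NM_CONF_DIR to
# write somewhere else (for instance when testing as a non-root user).
CONF_DIR="${NM_CONF_DIR:-/etc/NetworkManager/conf.d}"
CONF_FILE="90-firewall-backend.conf"   # example's own file name

# write_firewall_backend_conf BACKEND: write the drop-in for BACKEND, which must
# be one of the values NetworkManager.conf(5) accepts. Prints the file path.
write_firewall_backend_conf() {
    backend="$1"
    case "$backend" in
        iptables|nftables|none) ;;
        *) echo "unsupported firewall-backend value: $backend" >&2; return 1 ;;
    esac
    mkdir -p "$CONF_DIR"
    printf '[main]\nfirewall-backend=%s\n' "$backend" > "$CONF_DIR/$CONF_FILE"
    echo "$CONF_DIR/$CONF_FILE"
}

# current_firewall_backend: print the value the drop-in selects, or "unset"
# when no drop-in exists (NetworkManager then uses its built-in default).
current_firewall_backend() {
    if [ -r "$CONF_DIR/$CONF_FILE" ]; then
        sed -n 's/^firewall-backend=//p' "$CONF_DIR/$CONF_FILE"
    else
        echo unset
    fi
}

# apply_nftables_backend: write the drop-in and make NetworkManager re-read its
# configuration without restarting the daemon.
apply_nftables_backend() {
    write_firewall_backend_conf nftables > /dev/null
    nmcli general reload conf
}
```

Running `apply_nftables_backend` as root is enough on a live system; connections that NetworkManager brings up afterwards use the new back end for their shared/NAT rules.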

Security

Oracle Linux 8.5 introduces the following security features, enhancements, and changes:

  • crypto-policies updated to 20210617

    The crypto-policies packages have been updated to the upstream version 20210617. This version of crypto-policies includes numerous bug fixes and improvements over the previous version.

  • crypto-policies support for AES-192 ciphers in custom policies

    In Oracle Linux 8.5, the system-wide cryptographic policies include support for the following values of the cipher option in the custom policies and subpolicies: AES-192-GCM, AES-192-CCM, AES-192-CTR, and AES-192-CBC. With this change, you can enable the AES-192-GCM and AES-192-CBC ciphers for the Libreswan application, as well as the AES-192-CTR and AES-192-CBC ciphers for the libssh library and the OpenSSH suite through crypto-policies.

  • CBC ciphers are disabled in the FUTURE cryptographic policy

    The crypto-policies packages have been updated to disable ciphers that use cipher block chaining (CBC) mode in the FUTURE policy. The settings in the FUTURE policy should be able to withstand near-term future attacks; this change reflects current progress. Consequently, system components that respect crypto-policies cannot use CBC mode when the FUTURE policy is active.

  • gnutls updated to version 3.6.16

    The gnutls packages have been updated to version 3.6.16. The following notable enhancements and bug fixes are included:

    • The gnutls_x509_crt_export2() function now returns 0 on success instead of the size of the internal base64 blob. This change aligns with the documentation in the gnutls_x509_crt_export2(3) manual page.

    • Certificate verification failures due to the Online Certificate Status Protocol (OCSP) must-stapling not being followed are correctly marked with the GNUTLS_CERT_INVALID flag.

    • Version negotiation for TLS 1.2 has been fixed and TLS 1.2 can now be correctly disabled. Previously, if TLS 1.2 was explicitly disabled by using the -VERS-TLS1.2 option, the server continued to offer TLS 1.2, even if TLS 1.3 was enabled.

  • Kernel AVC tracepoint added

    This enhancement introduces a new avc:selinux_audited kernel tracepoint that triggers when an SELinux denial is to be audited. This tracepoint provides a more convenient, low-level way of debugging SELinux denials. Note that the new tracepoint is also available to tools such as perf.
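
The tracepoint can be consumed without perf through tracefs. The following POSIX shell script is an added example, not part of the release notes: it enables and disables `avc:selinux_audited` under the standard `events/<system>/<event>` tracefs layout and summarises the events read from `trace_pipe` by source context and object class, skipping events whose `denied` mask is zero (audited allows). The `TRACEFS` override and the sample trace lines embedded in the script are constructed for the example; the field names follow the tracepoint's format string, but the timestamps, PIDs and contexts are invented.

```shell
#!/bin/sh
# Added example: use the avc:selinux_audited tracepoint through tracefs and
# summarise denials. Not code from the Oracle Linux release notes.

# tracefs mount point; override TRACEFS if it is mounted elsewhere.
TRACEFS="${TRACEFS:-/sys/kernel/tracing}"
EVENT_DIR="$TRACEFS/events/avc/selinux_audited"

# avc_trace_enable / avc_trace_disable: toggle the tracepoint (root only).
# While enabled, events appear on $TRACEFS/trace_pipe.
avc_trace_enable()  { echo 1 > "$EVENT_DIR/enable"; }
avc_trace_disable() { echo 0 > "$EVENT_DIR/enable"; }

# Constructed sample of trace_pipe output (not captured from a real host):
# two httpd denials on a file object and one audited allow from sshd.
SAMPLE_TRACE='  httpd-1234  [001] ....  5123.456789: selinux_audited: requested=0x2 denied=0x2 audited=0x2 result=-13 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
  httpd-1234  [001] ....  5123.457000: selinux_audited: requested=0x4 denied=0x4 audited=0x4 result=-13 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
  sshd-42     [000] ....  5124.000001: selinux_audited: requested=0x1 denied=0x0 audited=0x1 result=0 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file'

# avc_denial_summary: read trace_pipe lines on stdin and print
# "<count> <scontext> <tclass>" for events with a non-zero denied mask.
avc_denial_summary() {
    awk '/selinux_audited:/ {
        denied = ""; sc = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^denied=/)   denied = substr($i, 8)
            if ($i ~ /^scontext=/) sc = substr($i, 10)
            if ($i ~ /^tclass=/)   tc = substr($i, 8)
        }
        # denied=0x0 means the access was audited but allowed (auditallow).
        if (denied != "" && denied != "0x0") n[sc " " tc]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# avc_watch SECONDS: enable the tracepoint, collect events for SECONDS seconds
# and print the denial summary. Requires root.
avc_watch() {
    avc_trace_enable
    timeout "$1" cat "$TRACEFS/trace_pipe" | avc_denial_summary
    avc_trace_disable
}
```

`avc_watch 30` as root gives a quick per-domain picture of what is being denied while you reproduce a problem; unlike the audit log it is not persisted, so it complements rather than replaces auditd.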

  • libreswan updated to version 4.4

    The libreswan packages have been updated to version 4.4. This version introduces important enhancements and bug fixes, including several IKEv2 and pluto IKE daemon enhancements, most notably the following:

    • IKEv2 protocol fixes and enhancements:

      • Fixes for TCP encapsulation in Transport Mode and host-to-host connections.

      • --globalstatus option added to the ipsec whack command for displaying redirect statistics.

      • The vhost and vnet values in the ipsec.conf configuration file are no longer allowed for IKEv2 connections.

    • pluto IKE daemon fixes and enhancements:

      • Fixes for host-to-host connections that use non-standard IKE ports.

      • The interface-ip= option is disabled because Libreswan does not provide the corresponding functionality yet.

      • The PLUTO_PEER_CLIENT variable in the ipsec _updown script for NAT in Transport Mode is fixed.

      • The PLUTO_CONNECTION_TYPE variable is now set to transport or tunnel.

      • Non-templated wildcard ID connections can now match.

  • SCAP Security Guide updated to version 0.1.57

    In Oracle Linux 8.5, the scap-security-guide packages have been updated to version 0.1.57. This version of the SCAP Security Guide provides several bug fixes and improvements over the previous version, including the following:

    • Performance remediations for Audit improvements

      Performance of remediations for Audit has been improved by grouping similar system calls. Previously, Audit remediations generated an individual rule for each system call that was audited by the profile. This behavior led to large numbers of audit rules, which in turn degraded performance. With this change, remediations for Audit can group rules for similar system calls with identical fields into a single rule, which improves performance.

    • Profile for ANSSI-BP-028 High level added

      The ANSSI High level profile, which is based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), is added in this release. This addition completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels in the SCAP Security Guide. The new profile enables you to harden the system to the recommendations from ANSSI for GNU/Linux Systems at the High hardening level. Thus, you can configure and automate compliance of your Oracle Linux 8 systems to the strictest hardening level by using ANSSI Ansible Playbooks and ANSSI SCAP profiles.

  • OpenSCAP updated to version 1.3.5

    The OpenSCAP packages have been updated to version 1.3.5. This version of OpenSCAP includes numerous fixes and other enhancements over the previous version.

  • Support for validating digitally signed SCAP source data streams

    To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP has been updated in Oracle Linux 8.5 to enable the validation of digital signatures for digitally signed SCAP source data streams. OpenSCAP also now validates the digital signature when evaluating a digitally signed SCAP source data stream. The signature validation is performed automatically while loading the file. Data streams with invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the XML Security Library in conjunction with the OpenSSL cryptography library to validate the digital signature.

    To skip the signature validation, add the --skip-signature-validation option to the oscap xccdf eval command.

    Caution:

    OpenSCAP does not address the trustworthiness of certificates or public keys that are part of the KeyInfo signature element, which are used to verify the signature. As such, it is important that you verify such keys to prevent the evaluation of data streams that may have been modified and signed by bad actors.
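
Because OpenSCAP checks that the signature is valid but not that the signing key is one you trust, a local trust anchor has to come from somewhere else. The following POSIX shell script is an added example, not part of the release notes: it records the SHA-256 of a data stream obtained out of band and refuses to run `oscap xccdf eval` on a file whose hash no longer matches, while leaving OpenSCAP's own signature validation switched on. The profile identifier and file names used in the usage comments are placeholders, and the test feeds it a constructed file rather than a real data stream.

```shell
#!/bin/sh
# Added example: pin a SCAP source data stream by hash before evaluating it.
# Not code from the Oracle Linux release notes or from the OpenSCAP project.

# ds_sha256 FILE: print the SHA-256 hex digest of FILE.
ds_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# ds_matches_pin FILE SHA256: succeed only if FILE hashes to SHA256 (the value
# you recorded when you obtained the data stream through a trusted channel).
ds_matches_pin() {
    [ "$(ds_sha256 "$1")" = "$2" ]
}

# eval_pinned_ds FILE SHA256 PROFILE [REPORT]: evaluate the data stream with
# the pinned hash enforced. OpenSCAP still validates the XML signature, since
# --skip-signature-validation is deliberately not passed; the pin adds the
# key-trust decision that OpenSCAP leaves to the operator.
eval_pinned_ds() {
    file="$1"; expected="$2"; profile="$3"; report="${4:-report.html}"
    if ! ds_matches_pin "$file" "$expected"; then
        echo "refusing to evaluate $file: SHA-256 does not match the pinned value" >&2
        return 2
    fi
    oscap xccdf eval --profile "$profile" --report "$report" "$file"
}

# Usage (placeholders): record the pin once from a trusted copy ...
#   ds_sha256 ssg-ol8-ds.xml > ssg-ol8-ds.xml.sha256
# ... and later evaluate only if the file is unchanged:
#   eval_pinned_ds ssg-ol8-ds.xml "$(cat ssg-ol8-ds.xml.sha256)" xccdf_org.ssgproject.content_profile_PLACEHOLDER
```

The exit status 2 on a pin mismatch is distinct from the statuses `oscap` itself returns, so a wrapper or cron job can tell "content rejected locally" apart from "evaluation failed".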

  • OpenSSL for encrypting Rsyslog TCP and RELP traffic

    In this release, the OpenSSL network stream driver has been added to Rsyslog. This driver implements TLS-protected transport by using the OpenSSL library. This change provides added functionality, compared to the stream driver that uses the GnuTLS library. In addition, you can use either OpenSSL or GnuTLS as an Rsyslog network stream driver.

  • Rsyslog updated to version 8.2102.0-5

    Rsyslog has been updated to version 8.2102.0-5. This version of Rsyslog provides numerous improvements over the previous version, including the following:

    • Added the exists() script function for checking whether a variable exists, for example $!path!var.

    • Ability to set OpenSSL configuration commands with the new tls.tlscfgcmd configuration parameter for the omrelp and imrelp modules.

    • Added two new rate-limit options to the omfwd module for rate-limiting syslog messages that are sent to the remote server:

      • ratelimit.interval: This option specifies the rate-limiting interval in seconds.

      • ratelimit.burst: This option specifies the rate-limiting burst in the number of messages.

    • The immark module has been rewritten to include various improvements.

    • Added the max sessions configuration parameter to the imptcp module. The maximum is measured per instance, not globally across all instances.

    • Added the rsyslog-openssl subpackage. This network stream driver implements TLS-protected transport by using the OpenSSL library.

    • Added per-minute rate limiting to the imfile module, with the MaxBytesPerMinute and MaxLinesPerMinute options. Note that these options accept integer values and limit the number of bytes or lines that are allowed to be sent in a minute.

    • Capability added to the imtcp and omfwd modules to configure a maximum depth for certificate chain verification by using the streamdriver.TlsVerifyDepth option.
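
The OpenSSL stream driver, the omfwd rate-limit options and the streamdriver.TlsVerifyDepth option listed above fit together in one forwarding action. The following POSIX shell script is an added example, not part of the release notes or of the rsyslog project: it generates an rsyslog configuration fragment that forwards all messages over TLS using the OpenSSL driver, authenticates the receiver by certificate name, bounds the certificate chain depth and rate-limits outgoing messages, and it runs rsyslog's own syntax check when `rsyslogd` is installed. The remote host, CA file path, port and limits are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: generate and check an rsyslog omfwd action that uses the
# OpenSSL stream driver with chain-depth verification and rate limiting.
# Not code from the Oracle Linux release notes or the rsyslog project.

# omfwd_tls_conf TARGET CAFILE PEERNAME [INTERVAL] [BURST]: print the fragment.
#   TARGET   host name or address of the central syslog receiver
#   CAFILE   PEM file with the CA that issued the receiver's certificate
#   PEERNAME name the receiver's certificate must carry (x509/name auth mode)
#   INTERVAL rate-limit window in seconds (default 60)
#   BURST    messages allowed per window (default 10000)
omfwd_tls_conf() {
    target="$1"; cafile="$2"; peer="$3"; interval="${4:-60}"; burst="${5:-10000}"
    cat <<EOF
# Use the OpenSSL network stream driver (rsyslog-openssl) and trust only this CA.
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="$cafile"
)

# Forward everything over TLS. The receiver must present a certificate chaining
# to the CA above within 2 intermediate levels and carrying the expected name.
# ratelimit.* caps what this host sends so a log flood cannot saturate the link.
action(
    type="omfwd"
    target="$target" port="6514" protocol="tcp"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="$peer"
    streamdriver.TlsVerifyDepth="2"
    ratelimit.interval="$interval"
    ratelimit.burst="$burst"
)
EOF
}

# write_omfwd_tls_conf FILE TARGET CAFILE PEERNAME [INTERVAL] [BURST]: write the
# fragment to FILE (normally under /etc/rsyslog.d/) and print the path.
write_omfwd_tls_conf() {
    out="$1"; shift
    omfwd_tls_conf "$@" > "$out"
    echo "$out"
}

# check_rsyslog_conf FILE: run rsyslog's offline configuration check against
# FILE. Succeeds with a notice when rsyslogd is not installed on this host.
check_rsyslog_conf() {
    if ! command -v rsyslogd > /dev/null 2>&1; then
        echo "rsyslogd not installed; skipping syntax check" >&2
        return 0
    fi
    rsyslogd -N1 -f "$1"
}
```

Typical use is `write_omfwd_tls_conf /etc/rsyslog.d/50-forward-tls.conf logs.example.internal /etc/pki/tls/certs/ca.pem logs.example.internal 60 5000` followed by `check_rsyslog_conf /etc/rsyslog.d/50-forward-tls.conf` and a restart of rsyslog. Keep `StreamDriverMode="1"` and an authentication mode other than `anon`; with `anon` the TLS connection is encrypted but the receiver is not authenticated, and the depth limit then protects nothing.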

  • socat updated to version 1.7.4

    The socat packages have been updated to version 1.7.4. This version of socat includes numerous bug fixes and improvements over version 1.7.3.

For information about security features that are related to networking, see Networking.

Supportability

  • SoS supportability feature updated to version 4.1

    The sos package for the System of Systems (SoS) supportability feature has been updated to version 4.1.

Technology Preview

For the Red Hat Compatible Kernel in the current Oracle Linux 8 release, the following features are under technology preview:

kexec Fast Reboot

The kexec fast reboot feature is available as a technology preview feature in Oracle Linux 8. This feature significantly speeds up the boot process by enabling the kernel to boot directly into the second kernel without having to first pass through the Basic Input/Output System (BIOS). To use this feature, load the kexec module first, then reboot the system.

aarch64 only: VNC Remote Console

In this release, the Virtual Network Computing (VNC) remote console is available as a technology preview on the 64-bit Arm platform only. The remaining components of the graphics stack are unverified on this platform.