2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Installation

The following installation changes are introduced in Oracle Linux 8.6:

  • Image Builder includes capability to customize file system partition on LVM. If you have more than one partition, this feature enhancement enables you to create images with a customized file system partition on LVM and then resize those partitions at runtime. To do so, you would specify a customized file system configuration in your blueprint and then create images with the desired disk layout. The default file system layout remains unchanged; also, if you use plain images without file system customization, the root partition is resized by cloud-init.

--secontext Option of strace Enhanced to Include Mismatch Parameter

For the Red Hat Compatible Kernel (rhck), the --secontext option of the strace utility has been enhanced to include a mismatch parameter. This parameter enables you to print the expected context, along with the actual context upon mismatch only. The output is separated by double exclamation marks (!!), with the actual context appearing first, followed by the expected context.

Software Management

The following software management features and enhancements are introduced in Oracle Linux 8.6:

  • New modulesync command for replacing certain workflows. You cannot install modular packages in Oracle Linux 8.6 without modular metadata. In previous releases, you could use the dnf command to download packages, and then use the createrepo_c command to redistribute those packages. With this enhancement, the modulesync command is introduced. This command is used to ensure the presence of modular metadata, which ensures package installability. The command downloads rpm packages from modules and then creates a repository with modular metadata inside a working directory.

  • New --path option added to RPM. In Oracle Linux 8.6, you can use the new --path option to query packages by specifying a file that is currently not installed. This option is similar to the existing --file option; however, the new option matches packages solely based on the provided path. Note that the file specified by that path does not need to exist on disk.

    The --path option can be useful when you exclude all of the documentation files at installation time by specifying the --nodocs option with the dnf command. In this case, you can opt to use the --path option to display the owning package of such an excluded file. The --file option does not display the package because the requested file does not exist.

Shells and Command-Line Tools

The following shells and command-line interface (CLI) tools features and improvements are introduced in Oracle Linux 8.6:

  • lsvpd package updated to version 1.7.13. The lsvpd package has been updated to version 1.7.13. This update provides some bug fixes and enhancements over the previous version.

  • net-snmp-cert gencert tool uses the SHA512 hash algorithm instead of SHA1. The net-snmp-cert gencert tool has been updated to generate certificates by using the SHA512 hash algorithm. This change provides for increased security.

  • dnn and text modules now available in the opencv package. The dnn module, which contains the Deep Neural Networks for image classification inference, and the text module, which is used for scene text detection and recognition, are now available in the opencv package.

  • opencryptoki package updated to version 3.17.0. The opencryptoki package has been updated to version 3.17.0. This update provides some bug fixes and enhancements over the previous version.

  • Capability for excluding certain network interfaces and IP addresses when creating a rescue image. The EXCLUDE_IP_ADDRESSES variable enables you to ignore certain IP addresses, and the EXCLUDE_NETWORK_INTERFACES variable enables you to ignore certain network interfaces when creating a rescue image.

Compilers and Development Toolsets

Oracle Linux 8.6 introduces the following features, enhancements, and changes to compilers and development toolsets.

  • Rust Toolset updated to version 1.58.1. This version of the Rust Toolset includes the following changes:

    • Rust compiler support has been added for the 2021 edition of the language, featuring disjoint capture in closures, IntoIterator for arrays, a new Cargo feature resolver, as well as other changes.

    • Cargo support for new custom profiles has been added.

    • Cargo now deduplicates compiler errors.

    • New open range patterns have been added.

    • Captured identifiers in format strings have been added.

  • LLVM Toolset updated to version 13.0.1. The LLVM Toolset has been updated to version 13.0.1. The following notable changes were made in this version of the tool:

    • Clang support added for guaranteed tail calls with statement attributes in C++ and __attribute__((musttail)) in C.

    • Clang support added for the -Wreserved-identifier warning, which warns developers when using reserved identifiers in their code.

    • The Clang -Wshadow flag now checks for shadowed structured bindings.

    • The Clang -Wextra flag now implies -Wnull-pointer-subtraction.

  • Location change for libffi's self-modifying code. In this release, libffi’s self-modifying code takes advantage of a feature in the Linux kernel for creating a suitable file that is independent of any other file system. As a result of this change, libffi’s self-modifying code no longer depends on making part of the file system insecure.

  • Command for capturing glibc optimization data added. You can use the new ld.so --list-diagnostics command to capture data that influences glibc optimization decisions, such as IFUNC selection and glibc-hwcaps configuration, in a single machine-readable file.

  • GCC Toolset updated to version 11.2. The GCC Toolset has been updated to version 11.2. See GCC Toolset 11.2 for more information about these changes.

  • UTF-8 en_US@ampm locale with 12-hour clock added. In this release, you can use the new UTF-8 en_US@ampm locale with a 12-hour clock. You can also combine this new locale with other locales by specifying the LC_TIME environment variable.

  • GDB disassembler includes support for new arch14 instructions. In this release, GDB is able to disassemble the new arch14 instructions.

  • PCP updated to version 5.3.5. The Performance Co-Pilot (PCP) package (pcp) has been updated to version 5.3.5. Several notable improvements are included in this version of PCP, including the following:

    • New pmieconf(1) rules for CPU and disk saturation.

    • Improved stability and scalability for the pmproxy(1) service.

    • Improved service latency and robustness for the pmlogger(1) service.

    • Performance metrics related to electrical power added.

    • New features added to the pcp-htop(1) utility.

    • Nvidia GPU metrics updated.

    • Linux kernel KVM and networking metrics added.

    • New MongoDB metrics agent added.

    • New sockets metrics agent and pcp-ss(1) utility added.

    • The pmcd(1) and pmproxy(1) Avahi service advertising is disabled by default.

  • pcp-container package updated to version 5.3.5. The pcp-container package has been updated to version 5.3.5.

  • grafana package updated to version 7.5.11. The grafana package has been updated to version 7.5.11. Notable changes include the addition of a new prepare time series transformation for backward compatibility of panels that do not support the new data frame format. Also, CVE-2021-43813 is resolved in this version of Grafana.

  • grafana-pcp package updated to version 3.2.0. The grafana-pcp package has been updated to version 3.2.0. Notable improvements include the following:

    • New MS SQL server dashboard for PCP Redis added.

    • Visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard added.

    • A bug fix for the metric() function of PCP Redis, where the function did not return all metric names.

  • js-d3-flame-graph updated to version 4.0.7. The js-d3-flame-graph package has been updated to version 4.0.7. Notable changes include the addition of a new blue and green color scheme and added functionality for displaying flame graph context.

GCC Toolset 11.2

Oracle Linux 8.6 provides the GCC Toolset 11.2, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset. See Compilers and Development Toolsets for additional information about changes to compilers and developer toolsets in this release.

GCC Toolset 11.2 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

To install this toolset, use the following command:

sudo dnf install gcc-toolset-11

If you previously installed this toolset, use the following command to upgrade to the latest version:

sudo dnf upgrade gcc-toolset-11

To run a tool from GCC Toolset 11, use the following command:

scl enable gcc-toolset-11 tool

The following command initiates a shell session, where tool versions from the GCC Toolset 11 take precedence over system versions of the same tools:

scl enable gcc-toolset-11 bash

Availability of the container-tools:4.0 stable stream in Oracle Linux 8.6

Oracle Linux 8.6 includes the container-tools:4.0 stable stream.

Database

This release of Oracle Linux 8 ships with version 8.0 of the MySQL database software.

Dynamic Programming Languages, Web, and Database Servers

Oracle Linux 8.6 includes several feature changes and improvements for dynamic programming languages and web and database servers. Note that this release also introduces several new and improved module streams:

  • php:8.0 module stream added. The php:8.0 module stream has been added in Oracle Linux 8.6. php:8.0 provides several bug fixes and enhancements over the 7.4 version, including the following notable features:

    • New named arguments are order-independent and self-documented, and enable you to specify only required parameters.

    • New attributes enable you to use structured metadata with PHP’s native syntax.

    • New union types enable you to use native union type declarations that are validated at runtime instead of PHPDoc annotations for a combination of types.

    • Internal functions now more consistently raise an Error exception instead of warnings if parameter validation fails.

    • Just-In-Time compilation improves performance.

    • The Xdebug debugging and productivity extension for PHP has been updated to version 3. This version introduces major functionality and configuration changes over Xdebug version 2.

    To install the php:8.0 module stream:

    sudo dnf module install php:8.0

    If you previously installed php:7.4, you can switch to the latest version by running the following commands:

    sudo dnf module reset php
    sudo dnf module enable php:8.0
    sudo dnf distro-sync

  • Perl updated to version 5.32. Oracle Linux 8.6 provides Perl version 5.32. This version of Perl includes a number of bug fixes and enhancements over Perl version 5.30, which was distributed in Oracle Linux 8.3. Notable changes include the following:

    • Added support for Unicode version 13.0 in Perl.

    • Enhancement to the qr quote-like operator.

    • POSIX::mblen(), mbtowc, and wctomb functions work on shift state locales and are thread-safe on C99 and higher compilers when executed on a platform that includes locale thread-safety. Also, the length parameters are now optional.

    • New experimental isa infix operator for testing whether a given object is an instance of a given class or a class that is derived from it.

    • Alpha assertions and scripts are no longer experimental.

    • Feature checks are faster.

    • Perl capability for dumping compiled patterns before optimization.

    If you previously installed perl version 5.30, you can switch to the latest version by running the following commands:

    sudo dnf module reset perl
    sudo dnf module enable perl:5.32
    sudo dnf distro-sync

File Systems and Storage

Oracle Linux 8.6 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs removed from RHCK. The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, note that any Btrfs user space packages that are provided are not supported with RHCK.

    Note:

    Support for the Btrfs file system is enabled in UEK R7 and UEK R6. Starting with Oracle Linux 8.3, you have the option to create a Btrfs root file system during an installation, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.

    For more information about managing a Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.

    For changes that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 3 (5.4.17-2136).

    For changes to Btrfs in UEK R7, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).

  • OCFS2 removed from RHCK. The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.

    Note:

    OCFS2 is fully supported with UEK R6 and UEK R7 in Oracle Linux 8.6.

  • Samba utilities options renamed or removed in version 4.15. In version 4.15 of Samba, some utilities have been improved to ensure a consistent command-line interface. These changes include several renamed and removed options. To avoid any issues after an update to version 4.15 of Samba, you should review any scripts that use Samba utilities, and update them accordingly.

    The following is a summary of the Samba changes that are introduced in this release:

    • Samba command-line utilities previously silently ignored unknown options, whereas now, these utilities consistently reject unknown options.

    • Many command-line options have a corresponding smb.conf variable for controlling the default value. To identify whether a command-line option has an smb.conf variable name, see the associated manual pages for the specified utility.

    • Samba utilities now log to standard error (stderr) by default. Use the --debug-stdout option to change this behavior.

    • The --client-protection=off|sign|encrypt option has been added to the common parser.

    • The following options have been renamed in all utilities:

      • --kerberos renamed --use-kerberos=required|desired|off

      • --krb5-ccache renamed --use-krb5-ccache=CCACHE

      • --scope renamed --netbios-scope=SCOPE

      • --use-ccache renamed --use-winbind-ccache

    • The following options have been removed:

      • -e and --encrypt

      • -C removed from --use-winbind-ccache

      • -i removed from --netbios-scope

      • -S and --signing

    • The following options have been removed (or renamed) from the utilities that are listed:

      • ndrdump: -l no longer available for --load-dso

      • net: -l no longer available for --long

      • sharesec: -V no longer available for --viewsddl

      • smbcquotas: --user renamed --quota-user

      • nmbd: --log-stdout renamed --debug-stdout

      • smbd: --log-stdout renamed --debug-stdout

      • winbindd: --log-stdout renamed --debug-stdout
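The review of existing scripts that the Samba item recommends can start from a scan like the one below. It is an added example, not part of the release notes or of Samba; the utility list, the whitespace tokenising and the sample script are assumptions made for the illustration. A short option can carry a different meaning in an individual utility, so treat each hit as a candidate to check against that utility's manual page.

```bash
#!/usr/bin/env bash
# Added example: list the options in a script that the Samba 4.15 summary
# above marks as renamed or removed.

scan_samba_options() {
    # Reads script text on stdin; prints LINE<TAB>UTILITY<TAB>OPTION<TAB>NOTE.
    awk '
    BEGIN {
        OFS = "\t"
        # Assumption: the utilities to look for. Extend the list as needed.
        n = split("smbclient rpcclient smbcacls smbcquotas sharesec ndrdump net nmbd smbd winbindd", names, " ")
        for (i = 1; i <= n; i++) util[names[i]] = 1

        # Renamed in all utilities (from the summary above).
        common["--kerberos"]    = "renamed --use-kerberos=required|desired|off"
        common["--krb5-ccache"] = "renamed --use-krb5-ccache=CCACHE"
        common["--scope"]       = "renamed --netbios-scope=SCOPE"
        common["--use-ccache"]  = "renamed --use-winbind-ccache"
        # Removed (from the summary above).
        common["-e"] = common["--encrypt"] = "removed"
        common["-S"] = common["--signing"] = "removed"
        common["-C"] = "removed (was short for --use-winbind-ccache)"
        common["-i"] = "removed (was short for --netbios-scope)"

        # Changes that apply to one utility only.
        only["ndrdump", "-l"]            = "-l no longer available for --load-dso"
        only["net", "-l"]                = "-l no longer available for --long"
        only["sharesec", "-V"]           = "-V no longer available for --viewsddl"
        only["smbcquotas", "--user"]     = "renamed --quota-user"
        only["nmbd", "--log-stdout"]     = "renamed --debug-stdout"
        only["smbd", "--log-stdout"]     = "renamed --debug-stdout"
        only["winbindd", "--log-stdout"] = "renamed --debug-stdout"
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        cmd = ""
        for (i = 1; i <= NF; i++) {
            tok = $i
            # A command separator ends the current invocation.
            if (tok == "|" || tok == ";" || tok == "&&" || tok == "||") { cmd = ""; continue }
            if (cmd == "") {
                base = tok; sub(/^.*\//, "", base)   # drop a leading path
                if (base in util) cmd = base
                continue
            }
            opt = tok; sub(/=.*$/, "", opt)          # --user=alice -> --user
            if (opt in common)           print NR, cmd, opt, common[opt]
            else if ((cmd, opt) in only) print NR, cmd, opt, only[cmd, opt]
        }
    }'
}

sample_script() {
    # Constructed sample input, not taken from a real system.
    cat <<'EOF'
#!/bin/sh
smbclient //fs1/share -U backup --kerberos -e -c 'ls'
smbclient //fs1/share --use-kerberos=required --client-protection=encrypt -c 'ls'
/usr/bin/smbcquotas --user=alice //fs1/share
net -l share
smbd --foreground --log-stdout
rsync -e ssh /src /dst
EOF
}

# Run over the constructed sample; for a real script: scan_samba_options < script.sh
sample_script | scan_samba_options
```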

High Availability and Clusters

The following high availability and clustering features are included in Oracle Linux 8.6:

  • pcmk_delay_base parameter accepts different values for different nodes. You can now specify different values for different nodes when configuring a fence device by using the pcmk_delay_base parameter. This improvement enables a single fence device to be used in a two-node cluster, with a different delay for each node, which can prevent a situation where each node attempts to fence the other node at the same time.

  • Capability added for specifying automatic removal of location constraint following resource move. A new --autodelete option has been added to the pcs resource move command. This option was previously only available as a Technology Preview, but it is now fully supported. When you specify this option, the location constraint that the command creates is automatically removed after the resource has been moved. When you use the pcs resource move command, it adds a constraint to the resource to prevent it from running on the node on which it is currently running.

  • Detailed Pacemaker status display for internal errors available. If Pacemaker cannot execute a resource or fence agent for some reason, such as when the agent is not installed or if there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.

  • Support for special characters inside pcmk_host_map values added. Support has been added to the pcmk_host_map property for special characters inside pcmk_host_map values by specifying a backslash (\) in front of the value. For example, to include a space in the host alias, you would specify pcmk_host_map="node3:plug\ 1".

  • pcs support for OCF Resource Agent API 1.1 standard. The pcs command now includes support for OCF 1.1 resource and STONITH agents. Note that an OCF 1.1 agent’s metadata must comply with the OCF 1.1 schema. If an OCF 1.1 agent’s metadata does not comply with the OCF 1.1 schema, pcs considers the agent invalid and does not create or update a resource of the agent unless you also specify the --force option. The pcsd web interface and pcs commands for listing agents omit OCF 1.1 agents with invalid metadata from the listing.

    An OCF agent that declares that it implements any OCF version other than 1.1, or does not declare a version at all, is validated against the OCF 1.0 schema. Validation issues are reported as warnings, but it is not necessary to specify the --force option for those agents when creating or updating a resource of the agent.

Infrastructure Services

Oracle Linux 8.6 introduces several version updates to infrastructure and command-line tools, including the following features:

  • New bind9.16 package version 9.16.23 introduced. The bind component version 9.16.23 is introduced as an alternative to version 9.11.36. This version includes several new features, as well as some removed features, including the following:

    • New Key and Signing Policy feature in DNSSEC.

    • New QNAME minimisation to improve privacy.

    • New validate-except feature added to Permanent Negative Trust Anchors to temporarily disable DNSSEC validation.

    • Response policy zones (RPZ) have been re-factored.

    • New naming conventions for zone types. The primary and secondary zone types are now used as synonyms for master and slave.

    • New supplementary YAML output mode for the dig, mdig, and delv commands.

    • Functionality for filter-aaaa has been moved into separate filter-a and filter-aaaa plugins.

    • New zone type mirror support, per RFC 8806.

    The following features have been removed:

    • The dnssec-enabled option is removed; DNSSEC is now enabled by default; the dnssec-enabled keywords are no longer accepted.

    • The lwresd lightweight resolver daemon and the liblwres light resolver library have both been removed.

  • Bind component updated to version 9.11.36. The bind component has been updated to version 9.11.36. This version provides some bug fixes and several enhancements, including the following:

    • The lame-ttl option has been improved for better security.

    • A multiple threads bug affecting RBTDB instances has been fixed and no longer results in assertion failure in free_rbtdb().

    • ZONEMD RR type implementation updated to match RFC 8976.

    • Maximum supported number of NSEC3 iterations is reduced to 150; records with additional iterations are treated as insecure.

    • An invalid direction field in an LOC record has been fixed so that it no longer results in a failure.

  • nginx-mod-devel package added to nginx:1.20 module stream. The nginx-mod-devel package has been added to the nginx:1.20 module stream in this release. This package includes all of the necessary files for building external dynamic modules for nginx, which includes RPM macros and the nginx source code.

Networking

Oracle Linux 8.6 introduces the following networking features, enhancements, and changes:

  • CleanUpModulesOnExit firewalld global configuration option available. Previously, when restarting or shutting down, firewalld recursively unloaded kernel modules. As a result, other packages that were attempting to use these modules or dependent modules failed. With this enhancement, you can set the CleanUpModulesOnExit option to no to stop firewalld from unloading these kernel modules.

  • hostapd package added. The hostapd package is available for installation in Oracle Linux 8.6. However, note that support for hostapd is limited to setting up an Oracle Linux 8 host as an 802.1X authenticator on an Ethernet network only. Other scenarios, such as wireless access points or authenticators in wireless networks, are currently not supported.

  • NetworkManager updated to version 1.36.0. NetworkManager has been upgraded to version 1.36.0. This version of NetworkManager includes several enhancements and bug fixes over the previous version, most notably the following:

    • Reworking of how layer 3 configurations are handled. This enhancement improves the stability, performance, and memory usage of NetworkManager.

    • The addition of the blackhole, unreachable, and prohibit route types.

    • NetworkManager ignores routes managed by routing services.

    • Improvements to the Wi-Fi Protected Access version 3 (WPA3) network security by enabling the hash-to-element (H2E) method when generating simultaneous authentication of equals (SAE) password elements.

    • The service now correctly handles replies from DHCP servers that send duplicate address or mask options.

    • The ability to turn off MAC aging on bridges has been added.

    • NetworkManager no longer listens for netlink events for the qdiscs and filters traffic control objects.

    • Network bonds support for setting a queue ID for bond ports.

  • NetworkManager includes support for setting the number of receiving queues (rx_queue) on OVS-DPDK interfaces. You can use NetworkManager to configure the n_rxq setting of Open vSwitch (OVS) Data Plane Development Kit (DPDK) interfaces. Use the ovs-dpdk.n-rxq attribute in NetworkManager to set the number of receiving queues on OVS-DPDK interfaces.

  • nftables framework includes support for nft set elements with attached counters. You can now configure the nftables framework by using the nft tool. The kernel enables this tool to count the network packets from a given source address with the statement add @myset {ip saddr counter}. In this release, you can count packets that match specific criteria with a dynamic set and elements with attached counters.

  • Restoring large nftables sets requires less memory. The nftables framework has been enhanced to require significantly less memory when restoring large sets. The algorithm that prepares the netlink message is also improved.

Security

Oracle Linux 8.6 introduces the following security features, enhancements, and changes:

  • Audit updated to version 3.0.7. The audit packages have been updated in this release. The updated version of Audit includes several changes and improvements, including the following:

    • Added sudoers to Audit base rules. The /etc/sudoers file and the /etc/sudoers.d/ directory have been added to Audit base rules, such as those for the Payment Card Industry Data Security Standard (PCI DSS) and the Operating Systems Protection Profile (OSPP). This improvement increases security by monitoring configuration changes in privileged areas such as sudoers.

    • Added the --eoe-timeout option to the ausearch command and its analogous eoe_timeout option to the auditd.conf file, which impacts how ausearch parses co-located events. You can use these options to specify the end of the event timeout to avoid problems with parsing co-located events. The default value for the end of the event timeout is set to two seconds.

  • clevis-systemd no longer depends on nc. In this release, the clevis-systemd package no longer depends on the nc package. This dependency did not work correctly when used with Extra Packages for Enterprise Linux (EPEL).

  • fapolicyd framework packages updated to version 1.1. Several improvements have been made in this update release, including the ability to use the new rules.d/ and trust.d/ directories and the fagenrules script. In addition, some new options have been added to the fapolicyd-cli command.

  • libcap packages updated to version 2.48. The libcap packages have been updated to version 2.48. This update provides some bug fixes and enhancements over the previous version.

  • Libreswan updated to version 4.5. Libreswan has been updated to version 4.5. This update provides some bug fixes and enhancements over the previous version, including added support for Internet Key Exchange version 2 (IKEv2) for Labeled IPsec and childless initiation of IKE Security Association (SA).

  • libseccomp packages updated to version 2.5.2. The libseccomp packages have been updated to version 2.5.2. This version provides several bug fixes and enhancements over the previous version.

  • Libssh updated to version 0.9.6. The libssh package has been updated to version 0.9.6. In this version of Libssh, there are some bug fixes, and other enhancements, including the following:

    • Support added for multiple identity files, which are now processed from the bottom to the top, as listed in the ~/.ssh/config file.

    • Parsing of sub-second times in SFTP is fixed.

    • A regression for the ssh_channel_poll_timeout() function, where it returned SSH_AGAIN unexpectedly, is fixed.

    • A possible heap-buffer overflow after a key re-exchange is fixed.

  • Support for diffie-hellman-group14-sha256 provided in crypto policies. In Oracle Linux 8.6, you can use the diffie-hellman-group14-sha256 key exchange (KEX) algorithm for the libssh library in the Oracle Linux system-wide cryptographic policies. This release additionally provides parity with OpenSSH, which also supports the KEX algorithm; libssh has diffie-hellman-group14-sha256 enabled by default, but you can disable it by using a custom crypto policy.

  • OpenSSH servers include support for drop-in configuration files. Support for the include directive has been added to the sshd_config file, which means you can now include configuration files in another directory. This change makes it easier to apply system-specific configurations on OpenSSH servers by using automation tools, including the Ansible Engine. The new behavior is also more consistent with the capabilities of the ssh_config file. Also, drop-in configuration files provide for easier organization of different configuration files for different uses, for example, for filtering incoming connections.

  • pcsc-lite packages have been updated to version 1.9.5. The pcsc-lite packages have been updated to version 1.9.5. This version includes many enhancements and bug fixes over the previous version. Notable changes include fixes for memory leaks and concurrency problems, as well as the following:

    • The pcscd daemon no longer automatically exits after inactivity when started manually.

    • The pcsc-spy utility provides support for Python 3 and a new --thread option.

    • The SCardEndTransaction() function has been improved for better performance.

    • The poll() function replaces the select() function. This function allows for file descriptor numbers that are higher than FD_SETSIZE.

  • New --checksum option for verifying installed versions of SELinux policy modules. You can use the new --checksum option of the semodule command to verify the versions of installed SELinux policy modules. Previously, there was no simple way to verify that the installed module is the same version as the module which was supposed to be installed.

    You can use the new semodule -l --checksum command to receive a SHA256 hash for the specified module, enabling you to compare it with the checksum of the original file, which is faster than reinstalling modules.

  • SCAP rules include warning message to configure Audit log buffer for large systems. SCAP rules now include a warning message to configure Audit log buffer for large systems. The xccdf_org.ssgproject.content_rule_audit_basic_configuration SCAP rule displays a performance warning for users of large systems, where the Audit log buffer that is configured by this rule might be too small and can override the custom value. The new warning also describes the process for configuring a larger Audit log buffer. This improvement enables users of large systems to remain compliant and have their Audit log buffer set correctly.

  • SCAP Security Guide updated to version 0.1.60. The SCAP Security Guide (SSG) packages have been updated to version 0.1.60. Notable changes include the following:

    • The xccdf_org.ssgproject.content_enable_fips_mode rule checks only whether FIPS mode has been enabled properly. It does not guarantee, however, that system components have undergone FIPS certification.

  • SSG capability for scans and remediations that detect home directories and interactive users. This enhancement adds OVAL checks and remediations that detect local interactive users in a system and their respective home directories. The SCAP Security Guide (SSG) suite can now safely check and remediate all related benchmark requirements, where previously, there was no robust solution for covering this gap by using the OVAL language.

  • OpenSCAP packages updated to version 1.3.6. The OpenSCAP packages have been updated to version 1.3.6. This version of OpenSCAP provides numerous enhancements and bug fixes, most notably the following:

    • Capability for providing local copies of remote SCAP source data stream components by using the --local-files option has been added.

    • OpenSCAP accepts multiple --rule arguments on the command line for selecting multiple rules.

    • OpenSCAP allows the skipping of evaluation for some rules by using the --skip-rule option.

    • Restricting memory that is consumed by OpenSCAP probes can be accomplished by using the OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable.

    • OpenSCAP adds support for the OSBuild Blueprint as a remediation type.

    • OpenSCAP includes the ability to consume local files instead of remote SCAP source data stream components in this release. You can now download and copy the remote SCAP source data stream components to the target system before performing the OpenSCAP scan and then provide them to OpenSCAP by specifying the --local-files option with the oscap command. In previous releases, you could not perform a complete evaluation of SCAP source data streams that contained remote components on systems without Internet access, which meant that OpenSCAP could not evaluate some of the rules in the data streams because the remote components had to be downloaded from the Internet.

  • SSG support for /etc/security/faillock.conf file added. Support for the /etc/security/faillock.conf file has been added to SSG. This enhancement enables SSG to assess and remediate the /etc/security/faillock.conf file for the definition of pam_faillock settings. In addition, the authselect tool can be used to enable the pam_faillock module to ensure the integrity of pam files. This change causes the assessment and remediation of the pam_faillock module to be more aligned with the latest versions and best practices.
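For the OpenSSH drop-in configuration files described in the list above: sshd uses the first value it obtains for a keyword (see sshd_config(5)), so the position of the include line decides whether a drop-in overrides the main file. The following added example, which is not OpenSSH or Oracle code and goes beyond what the release note states, reports which file supplies a keyword's value. It assumes "Keyword value" lines without quoting, reads only the global section (it stops at a file's first Match line), and the file names in the sample tree are constructed.

```bash
#!/usr/bin/env bash
# Added example: find the file that supplies the value sshd would use for a
# keyword once include directives are expanded in place.

# Print FILE<TAB>keyword<TAB>value for each global setting, in reading order.
sshd_walk() {
    local file="$1" base="$2" kw rest pat f
    [ -r "$file" ] || return 0
    while read -r kw rest || [ -n "$kw" ]; do
        case $kw in ''|'#'*) continue ;; esac          # blank or comment
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case $kw in
            match) break ;;                            # conditional part: skipped
            include)
                for pat in $rest; do
                    # Relative paths resolve against the base directory.
                    case $pat in /*) ;; *) pat="$base/$pat" ;; esac
                    for f in $pat; do                  # unquoted: glob, lexical order
                        if [ -f "$f" ]; then sshd_walk "$f" "$base"; fi
                    done
                done ;;
            *) printf '%s\t%s\t%s\n' "$file" "$kw" "$rest" ;;
        esac
    done < "$file"
    return 0
}

# Print VALUE<TAB>FILE for the first obtained value of KEYWORD, or nothing.
sshd_effective() {    # sshd_effective KEYWORD MAIN_FILE [BASE_DIR]
    local want
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    sshd_walk "$2" "${3:-/etc/ssh}" |
        awk -F '\t' -v k="$want" '$2 == k && !hit { hit = 1; v = $3; f = $1 }
                                  END { if (hit) printf "%s\t%s\n", v, f }'
}

# Constructed sample tree for the demonstration; prints the directory it made.
make_sample_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    # Include first: drop-ins are read before the settings in the main file.
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PasswordAuthentication yes' \
        'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'PasswordAuthentication no' \
        > "$d/sshd_config.d/50-hardening.conf"
    printf '%s\n' 'PasswordAuthentication yes' 'X11Forwarding no' \
        > "$d/sshd_config.d/90-local.conf"
    # Include last: the main file has already set the value.
    printf '%s\n' 'PasswordAuthentication yes' 'Include sshd_config.d/*.conf' \
        > "$d/sshd_config.late"
    printf '%s\n' "$d"
}

# On a real host: sshd_effective PasswordAuthentication /etc/ssh/sshd_config
```

Confirm the result on a real host with sshd -T, which prints the effective configuration.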

New --estimate-only Option for sosreport update Command

This update of the sos report command includes a new --estimate-only option that you can use to approximate the disk space required for collecting an sos report from an Oracle Linux 8 server. Running the sos report --estimate-only command executes a dry run of sos report and mimics all plugins consecutively, as well as estimates disk size. Note that because the final disk space estimation is approximate, it is recommended that you double the estimated value.

Windows Server 2022 Guest Support

This release includes support for using Windows Server 2022 as a guest operating system on KVM virtual machines (VMs).

Technology Preview

For the Red Hat Compatible Kernel in the current Oracle Linux 8 release, the following features are under technology preview:

kexec Fast Reboot

The kexec fast reboot feature is available as a technology preview feature in Oracle Linux 8. This feature significantly speeds up the boot process by enabling the kernel to boot directly into the second kernel without having to first pass through the Basic Input/Output System (BIOS). To use this feature, load the kexec module first, then reboot the system.

SGX Available

Software Guard Extensions (SGX) is an Intel technology for protecting software code and data from disclosure and modification. The Linux kernel partially supports SGX v1 and v1.5; version 1 enables platforms by using the Flexible Launch Control mechanism to use the SGX technology.

DAX File System Available

In this release, the DAX file system is available as a Technology Preview for the ext4 and XFS file systems. DAX enables an application to directly map persistent memory into its address space. The system must have some form of persistent memory available to use DAX. Persistent memory can be in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs). In addition, a file system that supports DAX must be created on the NVDIMMs; the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

NVMe/TCP available

NVMe over Fabrics TCP host and the target drivers are included in RHCK as a technology preview in this release.

Note:

Support for NVMe/TCP is already available in Unbreakable Enterprise Kernel Release 6.