2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Installation and Update Changes

  • Instructions when performing system updates

    If you are performing a fresh Oracle Linux 8.7 installation from an ISO image, then after the installation completes, the UEK R7 kernel is automatically enabled. However, if the system has been registered on ULN, then the UEK R6 ULN channel is enabled by default. See UEK R7 ULN Channel Not Enabled After ULN Registration for instructions on the steps to complete in this case.

    UEK R7 includes many new features including security and performance enhancements. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).

    If you choose to use RHCK as your default kernel instead of UEK, ensure that you disable UEK repositories or channels on yum or ULN, respectively. For more information about switching to RHCK, see Managing Kernels and System Boot in Oracle Linux 8: Managing Core System Configuration.

    In the case of updates, switching to UEK R7 is not automatic. If you are upgrading from a prior release of Oracle Linux 8, your system will continue to run with the kernel that is already installed.

    If your system is currently using UEK R6, the following provides instructions for upgrading to UEK R7:

    • Updating by using yum

      When you update to Oracle Linux 8.7, the previous kernel is preserved. At the same time, the UEK R7 yum repository is also added to your configuration. To move to the latest kernel, run the following commands, depending on the platform you are using:

      • On x86_64 systems:

        sudo dnf config-manager --disable ol8_UEKR6
        sudo dnf config-manager --enable ol8_UEKR7
        sudo dnf install -y kernel-uek
        sudo dnf update
      • On aarch64 systems:

        sudo dnf config-manager --enable ol8_UEKR7
        sudo dnf install -y kernel-uek
        sudo dnf update
    • Updating by using ULN

      Similar to the previous scenario, the previous kernel is preserved. However, your subscriptions might change as a result. You should log in to https://linux.oracle.com and ensure that the channels that are enabled as well as disabled match what you intend for the updated kernel.

    • Users of the aarch64 platform

      In the UEK R7 implementation, the default base page size has changed from 64 KB to 4 KB. Therefore, updating to UEK R7 might require additional preparations especially in connection with prior existing file systems. See the section Information About Upgrading From a Previous Oracle Linux or UEK Release to UEK R7 in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).

    After setting the default kernel, you can further configure kernel boot parameters so that these parameters are applied at every system boot. For instructions, see Oracle Linux 8: Managing Core System Configuration.

Operating System and Software Management

The following operating system and software management features and enhancements are introduced in Oracle Linux 8.7:

  • Maximum error file size option available in Rsyslog

    You can now specify a byte-size value for the new action.errorfile.maxsize option, which prevents the Rsyslog error file from exceeding the specified size. Once the maximum file size is reached, further writes are prevented to protect the system from excessive file system usage.

Shells and Command-Line Tools

The following shells and command-line interface (CLI) tools features and improvements are introduced in Oracle Linux 8.7:

  • The xmlstarlet package is available in a supported repository

    The xmlstarlet package was previously available in the ol8_developer_EPEL repository, but is now available in the supported ol8_appstream repository. This package contains command-line utilities that use XPath syntax to locate, add, or modify information within XML files, operations that other command-line tools cannot perform easily.

Compilers and Development Toolsets

Oracle Linux 8.7 introduces the following features, enhancements, and changes to compilers and development toolsets.

  • Rust Toolset is updated to version 1.62.1

    • You can now use tuple, slice, and struct patterns as the left-hand side of an assignment. For example, a tuple assignment can swap two variables:
      (a, b) = (b, a);
      Note that destructuring assignments with operators such as += are not allowed.
    • Inline assembly is available on x86_64 and aarch64 using the core::arch::asm! macro.
    • Enums can derive the Default trait with an explicitly annotated #[default] variant.
    • An optimized futex-based implementation is used for Mutex, CondVar, and RwLock, to replace pthreads.
    • Custom exit codes from main, including user-defined types that use the Termination trait, can be used.
    • Cargo supports more control over dependency features. The dep: prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled elsewhere, like package-name?/feature-name.
    • A new cargo add sub-command for adding dependencies to Cargo.toml is available.
    For more details, see the consecutive upstream release announcements, including Rust 1.59.0, Rust 1.60.0, Rust 1.61.0, Rust 1.62.0, and Rust 1.62.1.
  • LLVM Toolset is updated to version 14.0.0

    • On 64-bit x86, support for AVX512-FP16 instructions has been added.
    • Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.

    This version also includes the following changes in clang:

    • if consteval for C++2b is now implemented.
    • AVX512-FP16 instructions have been added for the x86_64 architecture.
    • The -E -P preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output.
    • -Wdeclaration-after-statement is now supported with C99 and later standards, and not just C89, matching GCC’s behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.

    For more information, see the LLVM Toolset and Clang upstream release notes.

  • Maven 3.8 is now available as a new module stream

    Maven 3.8 is now available as a new maven:3.8 module stream.

GCC Toolset 12

Oracle Linux 8.7 provides the GCC Toolset 12, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository. The GCC Toolset is similar to the Oracle Linux Developer Toolset. See Compilers and Development Toolsets for additional information about changes to compilers and developer toolsets in this release.

The following notable updates to tooling are included in the GCC Toolset 12:
  • GCC Toolset 12 supports _FORTIFY_SOURCE level 3

    Use the -D_FORTIFY_SOURCE=3 option in the compiler command line when building with GCC version 12 or later to improve coverage of source code fortification and the security of your applications.

  • binutils updated to version 2.38

    The binutils package now supports options that display or warn about the presence of multibyte characters, making it easier to create software that is compatible with a wide range of languages.

    The readelf and objdump tools automatically follow links to separate debuginfo files, making it easier to debug programs. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump.

  • Annobin updated to version 10.79

    A new command line option for annocheck tells it to avoid using the debuginfod service if it is unable to find debug information in another way. This option can help improve performance if the debuginfod server is unavailable. Binaries built by the Rust 1.18 compiler are now supported by annocheck. Annobin sources can alternatively be built using meson and ninja if these tools are preferred over configure and make.
  • gdb updated to version 11.2

    This update includes many changes to functionality including the addition of several new commands and options as well as several feature enhancements. For a complete list of updates, see the GDB upstream release notes at https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=gdb/NEWS;hb=gdb-11.2-release.

GCC Toolset 12 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.

To install this toolset, use the following command:

sudo dnf install gcc-toolset-12

If you previously installed this toolset, use the following command to upgrade to the latest version:

sudo dnf upgrade gcc-toolset-12

To run a tool from GCC Toolset 12, use the following command:

scl enable gcc-toolset-12 tool

The following command initiates a shell session, where tool versions from the GCC Toolset 12 take precedence over system versions of the same tools:

scl enable gcc-toolset-12 bash

Database

This release of Oracle Linux 8 ships with version 8.0 of the MySQL database software.

Dynamic Programming Languages, Web and Database Servers

Oracle Linux 8.7 includes several feature changes and improvements for dynamic programming languages and web and database servers. Note that this release also introduces several new and improved module streams:

  • Ruby 3.1.2 available as a new module stream

    Ruby 3.1.2 is available in a new ruby:3.1 module stream. This version of Ruby includes several enhancements and performance improvements over the ruby:3.0 module stream, including:

    • An auto-complete feature and a documentation dialog included in the Interactive Ruby (IRB) utility.
    • New debug and error_highlight gems to provide improved performance, more functionality and more granular control.
    • Values in the hash literal data types and keyword arguments can now be omitted.
    • Parentheses can now be omitted in one-line pattern matching and the pin operator (^) now accepts an expression in pattern matching.
    • YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures.
    • The Method Based Just-in-Time Compiler (MJIT) includes several performance improvements including an increase in the default maximum JIT cache value for large workloads like Rails.
  • Mercurial 6.2 available as a new module stream

    Mercurial 6.2 is now available as a new mercurial:6.2 module stream. This version includes several notable changes when compared to the mercurial:4.8 module stream, including:

    • Python 2 is no longer compatible with this version of Mercurial. Mercurial is compatible with Python 3.6 or later.
    • A new -i option, which enables you to delete ignored files instead of untracked files is available for the hg purge and hg clean commands.
    • The --from <revision> and --to <revision> arguments can now be used with the hg diff and hg extdiff commands and a new internal merge utility, internal:mergediff, is now available.
    • New repositories use Zstandard (ZSTD) compression by default.
    • A new way of specifying required extensions is now available that makes it impossible for Mercurial to start if the required extensions are not found.
    • A new mercurial-chg utility is available, which provides a C wrapper for the hg command. When you use the chg command, the wrapper is used to provide significant performance improvements.

File Systems and Storage

Oracle Linux 8.7 provides the following file systems and storage features, enhancements, and changes:

  • Btrfs removed from RHCK. The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, note that any Btrfs user space packages that are provided are not supported with RHCK.

    Note:

    Support for the Btrfs file system is enabled in UEK R7 and UEK R6. Starting with Oracle Linux 8.3, you have the option to create a Btrfs root file system during an installation, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.

    For more information about managing a Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.

    For changes that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 3 (5.4.17-2136).

    For changes to Btrfs in UEK R7, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).

  • OCFS2 removed from RHCK. The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.

    Note:

    OCFS2 is fully supported with UEK R6 and UEK R7 in Oracle Linux 8.7.

  • nfsrahead utility added

    The nfsrahead utility, used to modify the readahead value for NFS mounts, is now available. This utility can help to improve NFS performance.

  • rpcctl command displays SunRPC connection information

    The rpcctl command now lets you display information about objects in the SunRPC sysfs files, and add and remove those objects.

  • Device Mapper Multipath configuration can be configured per protocol

    You can now configure Device Mapper multipath device paths on a per-protocol basis, allowing for the optimal configuration of multipath devices accessible through multiple protocols. Edit the multipath.conf file to specify protocol override configuration.

    overrides {
            protocol {
                    type "scsi:fcp"
                    dev_loss_tmo 70
                    fast_io_fail_tmo 10
                    eh_deadline 360
            }
            protocol {
                    type "scsi:iscsi"
                    fast_io_fail_tmo 120
            }
    }
    The mandatory type attribute is used to match path devices for the protocol. The type attribute can be set to: scsi:fcp, scsi:spi, scsi:ssa, scsi:sbp, scsi:srp, scsi:iscsi, scsi:sas, scsi:adt, scsi:ata, scsi:unspec, ccw, cciss, nvme, or undef. The path device protocol can be determined by running: multipathd show paths format "%d %P". Attributes in a matching protocol subsection take precedence over attributes in the rest of the overrides section. If there are multiple matching protocol subsections, later entries take precedence.
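
The precedence rules described above can be checked against a configuration before it is deployed. The following added example is not Oracle's or multipath-tools' code: it parses an overrides section and resolves the attributes that would apply to a path of a given protocol. The function names, the section-wide no_path_retry and fast_io_fail_tmo values, and the second scsi:fcp subsection are assumptions made for the illustration.

```python
import shlex

# Constructed sample: the overrides block from the text, extended with two
# section-wide attributes and a second "scsi:fcp" subsection (both hypothetical)
# so that each precedence rule is exercised.
SAMPLE_CONF = """
overrides {
        no_path_retry 5
        fast_io_fail_tmo 5
        protocol {
                type "scsi:fcp"
                dev_loss_tmo 70
                fast_io_fail_tmo 10
                eh_deadline 360
        }
        protocol {
                type "scsi:iscsi"
                fast_io_fail_tmo 120
        }
        protocol {
                type "scsi:fcp"
                dev_loss_tmo 90
        }
}
"""


def parse_overrides(conf_text):
    """Return (section_attrs, protocol_subsections) for the overrides section."""
    section_attrs, protocols = {}, []
    stack, current = [], None          # open section names, subsection being read
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)   # handles quotes and # comments
        if not tokens:
            continue
        if tokens[-1] == "{":
            stack.append(tokens[0])
            if stack == ["overrides", "protocol"]:
                current = {}
        elif tokens == ["}"]:
            if stack == ["overrides", "protocol"]:
                if "type" not in current:
                    raise ValueError("protocol subsection lacks the mandatory type")
                protocols.append(current)
                current = None
            if stack:
                stack.pop()
        elif stack == ["overrides"]:
            section_attrs[tokens[0]] = " ".join(tokens[1:])
        elif stack == ["overrides", "protocol"]:
            current[tokens[0]] = " ".join(tokens[1:])
    return section_attrs, protocols


def effective_overrides(conf_text, path_protocol):
    """Attributes that apply to a path whose protocol is path_protocol."""
    section_attrs, protocols = parse_overrides(conf_text)
    effective = dict(section_attrs)    # rest of the overrides section first
    for sub in protocols:              # file order, so later subsections win
        if sub["type"] == path_protocol:
            effective.update({k: v for k, v in sub.items() if k != "type"})
    return effective


if __name__ == "__main__":
    for proto in ("scsi:fcp", "scsi:iscsi", "nvme"):
        print(proto, effective_overrides(SAMPLE_CONF, proto))
```

The protocol string to pass in is the value reported in the %P column of multipathd show paths format "%d %P".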

High Availability and Clusters

The following high availability and clustering features are included in Oracle Linux 8.7:
  • pcs stonith update-scsi-devices allows updates to multipath SCSI devices without restarting the cluster

    The pcs stonith update-scsi-devices command can be used to update fencing on a cluster by using multipath devices without requiring a restart of other cluster resources running on the same node. For example:

    sudo pcs stonith update-scsi-devices <mpath-fence-dev> set <device-path>
    sudo pcs stonith update-scsi-devices <mpath-fence-dev> add <device-path>
    sudo pcs stonith update-scsi-devices <mpath-fence-dev> remove <device-path>...
  • Pacemaker clusters have UUIDs

    The pcs command generates a UUID that you can use to uniquely identify the cluster when it is created. The UUID is displayed when you run the pcs cluster config [show] command. You can add a UUID to an existing cluster or regenerate a UUID if one already exists by running pcs cluster config uuid generate.

  • The multiple-active resource parameter now accepts a value of stop_unexpected

    The multiple-active resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. With this update, the multiple-active resource parameter accepts a value of stop_unexpected, which allows you to specify that only unexpected instances of a multiply-active resource are stopped. It is the user’s responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.

  • Pacemaker allow-unhealthy-node resource meta-attribute added

    The allow-unhealthy-node resource meta-attribute can be set to true to ensure that the resource is not forced off a node due to degraded node health. This feature allows the health agent to continue to run on an unhealthy node so that the cluster is able to automatically detect when the node becomes healthy again, before moving resources back to the node.

  • Pacemaker includes Access Control Lists (ACLs) for system groups

    In addition to the ACLs that were previously allowed for individual users, Pacemaker includes ACLs for system groups to facilitate role-based access controls. The pcs acl group command can now be used to apply ACLs to system groups. For example, to create a read-only ACL for the pcs_ro_group system group:

    sudo pcs acl group create pcs_ro_group readonly
  • Pacemaker --output-format=cmd option generates command line output to recreate fence devices and resources

    Use the --output-format=cmd option when running the pcs stonith config command to generate output of the pcs commands that you must run on a different system to reconfigure fence devices. You can also use this option with the pcs resource config command to get a list of commands to run to reconfigure resources on an alternate system.

Infrastructure Services

Oracle Linux 8.7 introduces several version updates to infrastructure and command-line tools, including the following features:
  • samba rebased to version 4.16.1

    The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:

    • By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode.
    • The Cluster Trivial Database (CTDB) recovery master role has been renamed to leader. As a result, the following ctdb sub-commands have been renamed:

      • recmaster to leader
      • setrecmasterrole to setleaderrole
    • The CTDB recovery lock configuration has been renamed to cluster lock.
    • CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.

    Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.

    Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.

    After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.

    For further information about notable changes, read the upstream release notes before updating.

Security

Oracle Linux 8.7 introduces the following security features, enhancements, and changes:

  • NSS no longer supports RSA keys shorter than 1023 bits

    Network Security Services (NSS) libraries are updated to set the minimum key size for all RSA operations from 128 to 1023 bits. NSS can no longer generate, sign, verify, encrypt, or decrypt information with RSA keys shorter than 1023 bits.

  • SCAP Security Guide updated to 0.1.63

    The SCAP Security Guide (SSG) provides new compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration.

  • STIG profile in Oracle Linux 8 is better aligned with DISA STIG

    A DISA STIG profile for Oracle Linux 8 is included in the scap-security-guide package. This profile is aligned to DISA Oracle Linux 8 STIG V1R3 and covers new or updated rules related to the handling of account passwords, password quality, checking of home partition mount points, and the configurations of sysctl. These updated rules ensure greater compliance with DISA's STIG requirements.

  • scap-security-guide rules for mount options no longer fail if /tmp and /var/tmp partitions do not exist

    SSG rules that previously reported a fail result if the /tmp and /var/tmp partitions did not exist on a system have been updated to only report a failure if the partitions exist but the system has the wrong mount options.
  • fapolicyd is updated to 1.1.3

    The fapolicyd software framework is updated to version 1.1.3 to include several enhancements including a change to use the OpenSSL library as the cryptographic engine for hash computation and a facility to allow rules to match the parent process ID (PPID) of a subject. A fix to the fagenrules --load command is also included.

  • opencryptoki is updated to version 3.18.0

    This version includes the following improvements:

    • Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
    • Enabled restricting usage of mechanisms and keys using a global policy.
    • Enabled statistics counting of mechanism usage.
    • The ICA/EP11 tokens can use libica library version 4.
    • The p11sak tool allows setting different attributes for public and private keys.
    • The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token.
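
The change to the scap-security-guide mount option rules for /tmp and /var/tmp, described earlier in this list, alters how a scan result should be read on hosts without those partitions. The following added example is not SSG's or Oracle's code: it evaluates /proc/mounts-style text under the previous and the updated behavior. The sample mount tables are constructed, and the checked options (nodev, nosuid, noexec) and the "notapplicable" result name for a missing partition are assumptions of this example.

```python
REQUIRED_OPTIONS = ("nodev", "nosuid", "noexec")   # assumption: options checked here
MOUNT_POINTS = ("/tmp", "/var/tmp")

# Constructed sample: /tmp is hardened, /var/tmp exists but lacks noexec.
MOUNTS_SEPARATE_TMP = """\
/dev/mapper/ol-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/ol-vartmp /var/tmp xfs rw,nosuid,nodev,relatime 0 0
"""

# Constructed sample: neither /tmp nor /var/tmp is a separate partition.
MOUNTS_NO_TMP = """\
/dev/mapper/ol-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,nodev,relatime 0 0
"""


def mount_options(mounts_text, mount_point):
    """Options of the mount on mount_point, or None if nothing is mounted there."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        # Format: device, mount point, fs type, comma-separated options, ...
        if len(fields) >= 4 and fields[1] == mount_point:
            found = set(fields[3].split(","))   # a later mount overlays an earlier one
    return found


def evaluate(mounts_text, mount_point, option, legacy=False):
    """Result of one mount-option rule: pass, fail or notapplicable."""
    opts = mount_options(mounts_text, mount_point)
    if opts is None:
        # Previous behavior: a missing partition was reported as a failure.
        # Updated behavior: fail only when the partition exists with wrong options.
        return "fail" if legacy else "notapplicable"
    return "pass" if option in opts else "fail"


def scan(mounts_text, legacy=False):
    """Evaluate every (mount point, option) pair and return the results."""
    return {
        (mp, opt): evaluate(mounts_text, mp, opt, legacy)
        for mp in MOUNT_POINTS
        for opt in REQUIRED_OPTIONS
    }


if __name__ == "__main__":
    for name, text in (("separate", MOUNTS_SEPARATE_TMP), ("none", MOUNTS_NO_TMP)):
        for (mp, opt), result in scan(text).items():
            print(f"{name:9} {mp:9} {opt:7} {result}")
```

A result other than fail on a host without the partitions says nothing about whether world-writable temporary directories are hardened there, so such hosts still need a separate review.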

Virtualization

The following virtualization features, enhancements, and changes are introduced in Oracle Linux 8.7:

  • open-vm-tools updated to 12.0.5

    In this updated version of the open source implementation of VMware Tools, support has been added for the Salt Minion tool which is managed through guest OS variables.

  • ESXi hypervisor and SEV-ES are now supported

    If you are running Oracle Linux 8.4 or later on VMware's ESXi hypervisor, you can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) feature to secure your virtual machines. This feature was previously introduced as a Technology Preview, but is now fully supported.