2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Installation and Update Changes
-
Instructions when performing system updates
If you are performing a fresh Oracle Linux 8.7 installation from an ISO image, then after the installation completes, the UEK R7 kernel is automatically enabled. However, if the system has been registered on ULN, then the UEK R6 ULN channel is enabled by default. See UEK R7 ULN Channel Not Enabled After ULN Registration for instructions on the steps to complete in this case.
UEK R7 includes many new features including security and performance enhancements. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).
If you choose to use RHCK as your default kernel instead of UEK, ensure that you disable UEK repositories or channels on yum or ULN, respectively. For more information about switching to RHCK, see Managing Kernels and System Boot in Oracle Linux 8: Managing Core System Configuration.
In the case of updates, switching to UEK R7 is not automatic. If you are upgrading from a prior release of Oracle Linux 8, your system will continue to run with the kernel that is already installed.
If your system is currently using UEK R6, the following provides instructions for upgrading to UEK R7:
-
Updating by using yum
When you update to Oracle Linux 8.7, the previous kernel is preserved. At the same time, the UEK R7 yum repository is also added to your configuration. To move to the latest kernel, run the following commands, depending on the platform you are using:
-
On x86_64 systems:
sudo dnf config-manager --disable ol8_UEKR6
sudo dnf config-manager --enable ol8_UEKR7
sudo dnf install -y kernel-uek
sudo dnf update
-
On aarch64 systems:
sudo dnf config-manager --enable ol8_UEKR7
sudo dnf install -y kernel-uek
sudo dnf update
-
Updating by using ULN
Similar to the previous scenario, the previous kernel is preserved. However, your subscriptions might change as a result. You should log in to https://linux.oracle.com and ensure that the channels that are enabled as well as disabled match what you intend for the updated kernel.
-
Users of the aarch64 platform
In the UEK R7 implementation, the default base page size has changed from 64 KB to 4 KB. Therefore, updating to UEK R7 might require additional preparations especially in connection with prior existing file systems. See the section Information About Upgrading From a Previous Oracle Linux or UEK Release to UEK R7 in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).
After setting the default kernel, you can further configure kernel boot parameters so that these parameters are applied at every system boot. For instructions, see Oracle Linux 8: Managing Core System Configuration.
Operating System and Software Management
The following operating system and software management features and enhancements are introduced in Oracle Linux 8.7:
-
Maximum error file size option available in Rsyslog
You can now specify a byte-size value for the new action.errorfile.maxsize option, which prevents the Rsyslog error file from exceeding the specified size. Once the maximum file size is reached, further writes are prevented to protect the system from excessive file system usage.
Shells and Command-Line Tools
The following shells and command-line interface (CLI) tools features and improvements are introduced in Oracle Linux 8.7:
-
The xmlstarlet package is available in a supported repository
The xmlstarlet package was previously available in the ol8_developer_EPEL repository, but is now available in the supported ol8_appstream repository. This package contains command-line utilities that use XPath syntax to locate, add, or modify information within XML files, operations that other command-line tools cannot perform easily.
Compilers and Development Toolsets
Oracle Linux 8.7 introduces the following features, enhancements, and changes to compilers and development toolsets.
-
Rust Toolset is updated to version 1.62.1
- You can now use tuple, slice, and struct patterns as the left-hand side of an assignment. For example, a tuple assignment can swap two variables:
  (a, b) = (b, a);
  Note that destructuring assignments with operators such as += are not allowed.
- Inline assembly is available on x86_64 and aarch64 using the core::arch::asm! macro.
- Enums can derive the Default trait with an explicitly annotated #[default] variant.
- An optimized futex-based implementation is used for Mutex, Condvar, and RwLock, to replace pthreads.
- Custom exit codes from main, including user-defined types that use the Termination trait, can be used.
- Cargo supports more control over dependency features. The dep: prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled elsewhere, like package-name?/feature-name.
- A new cargo add sub-command for adding dependencies to Cargo.toml is available.
-
LLVM Toolset is updated to version 14.0.0
- On 64-bit x86, support for AVX512-FP16 instructions has been added.
- Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.
This version also includes the following changes in clang:
- if consteval for C++2b is now implemented.
- AVX512-FP16 instructions have been added for the x86_64 architecture.
- The -E -P preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output.
- -Wdeclaration-after-statement is now supported with C99 and later standards, and not just C89, matching GCC's behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.
For more information, see the LLVM Toolset and Clang upstream release notes.
-
Maven 3.8 is now available as a new module stream
Maven 3.8 is now available as a new maven:3.8 module stream.
GCC Toolset 12
Oracle Linux 8.7 provides the GCC Toolset 12, which is an Application Stream that is distributed in the form of a Software Collection in the AppStream repository.
The GCC Toolset is similar to the Oracle Linux Developer Toolset. See Compilers and Development Toolsets for additional information about changes to compilers and developer toolsets in this release.
-
GCC Toolset 12 supports _FORTIFY_SOURCE level 3
Use the -D_FORTIFY_SOURCE=3 option in the compiler command line when building with GCC version 12 or later to improve coverage of source code fortification and the security of your applications.
-
binutils updated to version 2.38
The binutils package now supports options that display or warn about the presence of multibyte characters, making it easier to create software that is compatible with a wide range of languages.
The readelf and objdump tools automatically follow links to separate debuginfo files, making it easier to debug programs. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump.
-
Annobin updated to version 10.79
A new command line option for annocheck tells it to avoid using the debuginfod service if it is unable to find debug information in another way. This option can help improve performance if the debuginfod server is unavailable. Binaries built by the Rust 1.18 compiler are now supported by annocheck. Annobin sources can alternatively be built using meson and ninja if these tools are preferred over configure and make.
-
gdb updated to version 11.2
This update includes many changes to functionality including the addition of several new commands and options as well as several feature enhancements. For a complete list of updates, see the GDB upstream release notes at https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=gdb/NEWS;hb=gdb-11.2-release.
GCC Toolset 12 is available as an Application Stream within the AppStream repository, in the form of a Software Collection.
To install this toolset, use the following command:
sudo dnf install gcc-toolset-12
If you previously installed this toolset, use the following command to upgrade to the latest version:
sudo dnf upgrade gcc-toolset-12
To run a tool from GCC Toolset 12, use the following command:
scl enable gcc-toolset-12 tool
The following command initiates a shell session, where tool versions from the GCC Toolset 12 take precedence over system versions of the same tools:
scl enable gcc-toolset-12 bash
Dynamic Programming Languages, Web and Database Servers
Oracle Linux 8.7 includes several feature changes and improvements for dynamic programming languages and web and database servers. Note that this release also introduces several new and improved module streams:
-
Ruby 3.1.2 available as a new module stream
Ruby 3.1.2 is available in a new ruby:3.1 module stream. This version of Ruby includes several enhancements and performance improvements over the ruby:3.0 module stream, including:
- An auto-complete feature and a documentation dialog included in the Interactive Ruby (IRB) utility.
- New debug and error_highlight gems to provide improved performance, more functionality and more granular control.
- Values in the hash literal data types and keyword arguments can now be omitted.
- Parentheses can now be omitted in one-line pattern matching and the pin operator (^) now accepts an expression in pattern matching.
- YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures.
- The Method Based Just-in-Time Compiler (MJIT) includes several performance improvements including an increase in the default maximum JIT cache value for large workloads like Rails.
-
Mercurial 6.2 available as a new module stream
Mercurial 6.2 is now available as a new mercurial:6.2 module stream. This version includes several notable changes when compared to the mercurial:4.8 module stream, including:
- Python 2 is no longer compatible with this version of Mercurial. Mercurial is compatible with Python 3.6 or later.
- A new -i option, which enables you to delete ignored files instead of untracked files, is available for the hg purge and hg clean commands.
- The --from <revision> and --to <revision> arguments can now be used with the hg diff and hg extdiff commands and a new internal merge utility, internal:mergediff, is now available.
- New repositories use Zstandard (ZSTD) compression by default.
- A new way of specifying required extensions is now available that makes it impossible for Mercurial to start if the required extensions are not found.
- A new mercurial-chg utility is available, which provides a C wrapper for the hg command. When you use the chg command, the wrapper is used to provide significant performance improvements.
File Systems and Storage
Oracle Linux 8.7 provides the following file systems and storage features, enhancements, and changes:
-
Btrfs removed from RHCK. The Btrfs file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, note that any Btrfs user space packages that are provided are not supported with RHCK.
Note:
Support for the Btrfs file system is enabled in UEK R7 and UEK R6. Starting with Oracle Linux 8.3, you have the option to create a Btrfs root file system during an installation, as well as select Btrfs as the file system type when formatting devices. See Oracle Linux 8: Installing Oracle Linux for more information about this feature.
For more information about managing a Btrfs root file system, see Oracle Linux 8: Managing Local File Systems.
For changes that have been made to Btrfs in UEK R6, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 6 Update 3 (5.4.17-2136).
For changes to Btrfs in UEK R7, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 (5.15.0-0.30).
-
OCFS2 removed from RHCK. The Oracle Cluster File System version 2 (OCFS2) file system is removed from RHCK in Oracle Linux 8. As such, you cannot create or mount OCFS2 file systems when using this kernel. Also, any OCFS2 user space packages that are provided are not supported with RHCK.
Note:
OCFS2 is fully supported with UEK R6 and UEK R7 in Oracle Linux 8.7.
-
nfsrahead utility added
The nfsrahead utility, used to modify the readahead value for NFS mounts, is now available. This utility can help to improve NFS performance.
-
rpcctl command displays SunRPC connection information
The rpcctl command now lets you show information about objects in the SunRPC sysfs files, and add and remove objects.
-
Device Mapper Multipath configuration can be configured per protocol
You can now configure Device Mapper multipath device paths on a per-protocol basis, allowing for the optimal configuration of multipath devices accessible through multiple protocols. Edit the multipath.conf file to specify protocol override configuration.
overrides {
    protocol {
        type "scsi:fcp"
        dev_loss_tmo 70
        fast_io_fail_tmo 10
        eh_deadline 360
    }
    protocol {
        type "scsi:iscsi"
        fast_io_fail_tmo 120
    }
}
The mandatory type attribute is used to match path devices for the protocol. The type attribute can be set to: scsi:fcp, scsi:spi, scsi:ssa, scsi:sbp, scsi:srp, scsi:iscsi, scsi:sas, scsi:adt, scsi:ata, scsi:unspec, ccw, cciss, nvme, or undef. The path device protocol can be determined by running:
multipathd show paths format "%d %P"
Attributes in a matching protocol subsection take precedence over attributes in the rest of the overrides section. If there are multiple matching protocol subsections, later entries take precedence.
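The precedence rules for protocol overrides, worked through as an added example that is not part of the Oracle documentation: a small resolver that reads multipath.conf-style text and prints the effective value of one attribute for a given path protocol. The configuration values are constructed, resolution is assumed to be per attribute, and the parser assumes one keyword per line.

```shell
#!/bin/sh
# Added example: effective attribute value for a path protocol, following the
# stated rules: a matching protocol subsection beats the rest of the overrides
# section, and a later matching subsection beats an earlier one.

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF='overrides {
    fast_io_fail_tmo 5
    dev_loss_tmo 30
    protocol {
        type "scsi:fcp"
        dev_loss_tmo 70
        fast_io_fail_tmo 10
    }
    protocol {
        type "scsi:iscsi"
        fast_io_fail_tmo 120
    }
    protocol {
        type "scsi:fcp"
        fast_io_fail_tmo 20
    }
}'

# effective_attr PROTOCOL ATTRIBUTE   (configuration text on stdin)
# Prints the value that applies, or nothing if the overrides never set it.
effective_attr() {
    awk -v proto="$1" -v attr="$2" '
        { gsub(/"/, "") }                       # drop quoting around values
        $1 == "overrides" && $2 == "{" { in_ov = 1; next }
        in_ov && $1 == "protocol" && $2 == "{" {
            in_pr = 1; ptype = ""; pval = ""; pset = 0; next
        }
        in_pr && $1 == "}" {                    # end of a protocol subsection
            # A later matching subsection replaces an earlier one.
            if (ptype == proto && pset) { best = pval; found = 1 }
            in_pr = 0; next
        }
        in_ov && $1 == "}" { in_ov = 0; next }  # end of the overrides section
        in_pr && $1 == "type" { ptype = $2; next }
        in_pr && $1 == attr   { pval = $2; pset = 1; next }
        in_ov && $1 == attr   { generic = $2; gset = 1 }
        END {
            if (found)     print best           # protocol subsection wins
            else if (gset) print generic        # rest of the overrides section
        }
    '
}

# Usage: printf '%s\n' "$SAMPLE_CONF" | effective_attr scsi:fcp fast_io_fail_tmo
```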
High Availability and Clusters
-
pcs stonith update-scsi-devices allows updates to multipath SCSI devices without restarting the cluster
The pcs stonith update-scsi-devices command can be used to update fencing on a cluster by using multipath devices without requiring a restart of other cluster resources running on the same node. For example:
sudo pcs stonith update-scsi-devices <mpath-fence-dev> set <device-path>
sudo pcs stonith update-scsi-devices <mpath-fence-dev> add <device-path>
sudo pcs stonith update-scsi-devices <mpath-fence-dev> remove <device-path>...
-
Pacemaker clusters have UUIDs
The pcs command generates a UUID that you can use to uniquely identify the cluster when it is created. The UUID is displayed when you run the pcs cluster config [show] command. You can add a UUID to an existing cluster or regenerate a UUID if one already exists by running pcs cluster config uuid generate.
-
The multiple-active resource parameter now accepts a value of stop_unexpected
The multiple-active resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. With this update, the multiple-active resource parameter accepts a value of stop_unexpected, which allows you to specify that only unexpected instances of a multiply-active resource are stopped. It is the user's responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.
-
Pacemaker allow-unhealthy-node resource meta-attribute added
The allow-unhealthy-node resource meta-attribute can be set to true to ensure that the resource is not forced off a node due to degraded node health. This feature allows the health agent to continue to run on an unhealthy node so that the cluster is able to automatically detect when the node becomes healthy again, before moving resources back to the node.
-
Pacemaker includes Access Control Lists (ACLs) for system groups
In addition to the ACLs that were previously allowed for individual users, Pacemaker includes ACLs for system groups to facilitate role-based access controls. The pcs acl group command can now be used to apply ACLs to system groups. For example, to create a read-only ACL for the pcs_ro_group system group:
sudo pcs acl group create pcs_ro_group readonly
-
Pacemaker --output-format=cmd option generates command line output to recreate fence devices and resources
Use the --output-format=cmd option when running the pcs stonith config command to generate output of the pcs commands that you must run on a different system to reconfigure fence devices. You can also use this option with the pcs resource config command to get a list of commands to run to reconfigure resources on an alternate system.
Infrastructure Services
-
samba rebased to version 4.16.1
The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:
- By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode.
- The Cluster Trivial Database (CTDB) recovery master role has been renamed to leader. As a result, the following ctdb sub-commands have been renamed:
  - recmaster to leader
  - setrecmasterrole to setleaderrole
- The CTDB recovery lock configuration has been renamed to cluster lock.
- CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.
Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.
After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.
For further information about notable changes, read the upstream release notes before updating.
Security
Oracle Linux 8.7 introduces the following security features, enhancements, and changes:
-
NSS no longer supports RSA keys shorter than 1023 bits
Network Security Services (NSS) libraries are updated to set the minimum key size for all RSA operations from 128 to 1023 bits. NSS can no longer generate RSA keys shorter than 1023 bits, or use such keys to sign, verify, encrypt, or decrypt information.
-
SCAP Security Guide updated to 0.1.63
The SCAP Security Guide (SSG) provides new compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration.
-
STIG profile in Oracle Linux 8 is better aligned with DISA STIG
A DISA STIG profile for Oracle Linux 8 is included in the scap-security-guide package. This profile is aligned to DISA Oracle Linux 8 STIG V1R3 and covers new or updated rules related to the handling of account passwords, password quality, checking of home partition mount points, and the configurations of sysctl. These updated rules ensure greater compliance with DISA's STIG requirements.
-
scap-security-guide rules for mount options no longer fail if /tmp and /var/tmp partitions do not exist
SSG rules that previously reported a fail result if the /tmp and /var/tmp partitions did not exist on a system have been updated to only report a failure if the partitions exist but the system has the wrong mount options.
-
fapolicyd is updated to 1.1.3
The fapolicyd software framework is updated to version 1.1.3 to include several enhancements including a change to use the OpenSSL library as the cryptographic engine for hash computation and a facility to allow rules to match the parent process ID (PPID) of a subject. A fix to the fagenrules --load command is also included.
-
opencryptoki is updated to version 3.18.0
This version includes the following improvements:
- Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
- Enabled restricting usage of mechanisms and keys using a global policy.
- Enabled statistics counting of mechanism usage.
- The ICA/EP11 tokens can use libica library version 4.
- The p11sak tool allows setting different attributes for public and private keys.
- The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token.
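One way to inventory certificates affected by the NSS change described in this section, where RSA keys shorter than 1023 bits are no longer accepted. This is an added example, not Oracle's tooling: it classifies the text output of openssl x509, the sample excerpts are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag RSA keys below the NSS minimum stated in this section.
NSS_RSA_MIN_BITS=1023

# Constructed excerpts of `openssl x509 -noout -text` output.
SAMPLE_WEAK_RSA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1022 bit)'
SAMPLE_MIN_RSA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1023 bit)'
SAMPLE_EC='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# classify_key: reads certificate text on stdin and prints
# "<algorithm> <bits> <verdict>". Only RSA key types are held to the RSA
# floor, so a 256-bit EC key is not reported as too short.
classify_key() {
    awk -v min="$NSS_RSA_MIN_BITS" '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ {
            bits = $0
            sub(/^.*\(/, "", bits)              # keep the text after "("
            sub(/ bit.*$/, "", bits)            # drop the trailing " bit)"
        }
        END {
            if (alg == "" || bits == "") { print "unknown 0 unparsed"; exit }
            # rsaEncryption and rsassaPss both name RSA keys.
            if (alg ~ /^rsa/ && bits + 0 < min + 0)
                print alg, bits, "rejected"
            else
                print alg, bits, "ok"
        }
    '
}

# scan_pem_dir DIR: classify every *.pem and *.crt certificate in DIR.
# Requires the openssl command; DIR is whatever directory you audit.
scan_pem_dir() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -text 2>/dev/null | classify_key
    done
}

# Usage: printf '%s\n' "$SAMPLE_WEAK_RSA" | classify_key
```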
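The changed scap-security-guide behavior for /tmp and /var/tmp mount options, also described in this section, expressed as an added example rather than SSG's own check content. The mount table is constructed, the required option set (nodev, nosuid, noexec) is an assumption because the page does not list the options, and the result labels are hypothetical.

```shell
#!/bin/sh
# Added example: a missing partition is not a failure; an existing partition
# with the wrong mount options is.

# Constructed mount table in /proc/mounts format: /tmp is not a separate
# partition, /var/tmp is one but lacks noexec.
SAMPLE_MOUNTS='/dev/mapper/ol-root / xfs rw,relatime 0 0
/dev/mapper/ol-var_tmp /var/tmp xfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# Assumed option set for illustration.
REQUIRED_OPTS='nodev,nosuid,noexec'

# check_mount_opts MOUNTPOINT [OPTS]   (mount table on stdin)
# Prints "not-a-partition", "pass", or "fail:<missing options>".
check_mount_opts() {
    awk -v mp="$1" -v req="${2:-$REQUIRED_OPTS}" '
        $2 == mp { opts = $4; present = 1 }   # a later mount shadows earlier ones
        END {
            if (!present) { print "not-a-partition"; exit }
            split(opts, have, ",")
            for (i in have) seen[have[i]] = 1
            n = split(req, need, ",")
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen))
                    missing = missing (missing == "" ? "" : ",") need[i]
            if (missing == "") print "pass"
            else print "fail:" missing
        }
    '
}

# audit_tmp_dirs: evaluate both directories named in the rule change. The
# exit status is non-zero only when an existing partition has wrong options.
audit_tmp_dirs() {
    table=$(cat)
    status=0
    for mp in /tmp /var/tmp; do
        result=$(printf '%s\n' "$table" | check_mount_opts "$mp")
        printf '%s %s\n' "$mp" "$result"
        case $result in fail:*) status=1 ;; esac
    done
    return "$status"
}

# Usage: audit_tmp_dirs < /proc/mounts
```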
Virtualization
The following virtualization features, enhancements, and changes are introduced in Oracle Linux 8.7:
-
open-vm-tools updated to 12.0.5
In this updated version of the open source implementation of VMware Tools, support has been added for the Salt Minion tool which is managed through guest OS variables.
-
ESXi hypervisor and SEV-ES are now supported
If you are running Oracle Linux 8.4 or later on VMware's ESXi hypervisor, you can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) feature to secure your virtual machines. This feature was previously introduced as a Technology Preview, but is now fully supported.