2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Operating System and Software Management
DNF Includes an offline-upgrade Command
Oracle Linux includes the dnf offline-upgrade command from the DNF system-upgrade plugin. Offline upgrades help protect a system during upgrades by performing package installations after a reboot, in a minimal environment, before libraries that might be affected by package updates are loaded. The upgrade is a two-step operation: the download subcommand stages the packages, and the reboot subcommand reboots the system and applies them.
The download step accepts the security advisory filters --advisory, --security, and --bugfix, which limit the download of packages and their dependencies to the specified advisory or advisory type.
DNF API Includes an unload_plugins Function
The DNF API supports the unload_plugins function, which unloads the plugins that are currently loaded. To use this feature, first run the init_plugins function, and then run the unload_plugins function.
rpm2archive Includes a --nocompression Option
The rpm2archive command includes a --nocompression option that writes an uncompressed tar archive when converting an RPM package, instead of the gzip-compressed archive that the command produces by default.
Compilers and Development Toolsets
Updated Compilers and Development Tools
The following performance tools and debuggers are updated:
- Valgrind 3.19
- SystemTap 4.8
- Dyninst 12.1.0
- elfutils 0.188
The following performance monitoring tools are updated:
- PCP 5.3.7
- Grafana 7.5.15
The following compiler toolsets are updated:
- GCC Toolset 12
- LLVM Toolset 15.0.7
- Rust Toolset 1.66
- Go Toolset 1.19.4
GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. The toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The following tools and versions are available in GCC Toolset 12:
- GCC 12.2.1
- GDB 11.2
- binutils 2.38
- dwz 0.14
- annobin 11.08
To install the toolset, type:
sudo dnf install gcc-toolset-12
To run a tool from GCC Toolset 12, type:
scl enable gcc-toolset-12 tool
To run a shell session in which the tool versions from GCC Toolset 12 override the system versions of these tools, type:
scl enable gcc-toolset-12 bash
swig:4.1 Module Stream Introduced
Oracle Linux 8 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1, which is available as a new module stream, swig:4.1.
To install the swig:4.1 module stream, type:
sudo dnf module install swig:4.1
jaxb:4 Module Stream Introduced
Jakarta XML Binding (JAXB) 4 is available as the new jaxb:4 module stream. With the JAXB framework, developers can map Java classes to and from XML representations. To install the jaxb:4 module stream, type:
sudo dnf module install jaxb:4
Security Improvements for glibc
The Safe-Linking feature is added to glibc. Safe-Linking protects the single-linked free lists that the malloc family of functions use, including the allocator's thread-local cache (tcache) and the fastbins, against certain kinds of list corruption: the pointer to the next free chunk is stored masked with bits of the address it is stored at, so an attacker who overwrites it without knowing the heap address produces an invalid pointer that malloc detects, rather than a controlled allocation.
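The mechanism, shown as an added Python model that is not glibc's code and not part of these release notes: the PROTECT_PTR/REVEAL_PTR mask and the alignment check from glibc's malloc.c are reproduced on constructed 64-bit addresses, first against a classic tcache-poisoning overwrite made without a heap address leak, then with one.

```python
"""Model of glibc Safe-Linking for the single-linked tcache/fastbin lists.

Added example, not glibc source. PROTECT_PTR/REVEAL_PTR and the alignment
check follow glibc's malloc.c; the list bookkeeping is simplified (no
counts, no double-free key) and every address below is constructed.
"""
MALLOC_ALIGNMENT = 16           # chunks are 16-byte aligned on x86-64
MASK64 = (1 << 64) - 1


def protect_ptr(pos: int, ptr: int) -> int:
    """PROTECT_PTR(pos, ptr): XOR the stored pointer with pos >> 12, where pos
    is the address of the field that holds it. The page-granular heap address
    is ASLR-randomised, so the mask is unknown to an attacker without a leak."""
    return ((pos >> 12) ^ ptr) & MASK64


def reveal_ptr(pos: int, stored: int) -> int:
    """REVEAL_PTR: the same XOR undoes the mask."""
    return ((pos >> 12) ^ stored) & MASK64


class TcacheBin:
    """One tcache bin: a single-linked free list whose 'next' fields are
    stored in self.memory, keyed by the user pointer of the free chunk."""

    def __init__(self) -> None:
        self.head = 0                      # 0 means the bin is empty
        self.memory: dict[int, int] = {}   # chunk -> protected next pointer

    def put(self, chunk: int) -> None:
        # tcache_put: e->next = PROTECT_PTR(&e->next, tcache->entries[idx])
        self.memory[chunk] = protect_ptr(chunk, self.head)
        self.head = chunk

    def get(self) -> int:
        # tcache_get: the chunk about to be returned must be aligned; a
        # pointer produced by an unmasked overwrite almost never is.
        e = self.head
        if e == 0:
            raise LookupError("bin is empty")
        if e % MALLOC_ALIGNMENT:
            raise RuntimeError("malloc(): unaligned tcache chunk detected")
        # Memory the model never wrote (an attacker's target) reads as zero.
        self.head = reveal_ptr(e, self.memory.get(e, 0))
        return e


HEAP = 0x5555_5555_9000         # constructed, ASLR-randomised heap address
A, B = HEAP + 0x2A0, HEAP + 0x2C0


def _poisoned_bin(stored_next: int) -> TcacheBin:
    """Free A then B (list: B -> A), then overwrite B's next field with
    whatever the attacker's overflow writes there."""
    tcache = TcacheBin()
    tcache.put(A)
    tcache.put(B)
    tcache.memory[B] = stored_next & MASK64
    return tcache


def poison_without_leak(target: int):
    """Attacker writes the raw target address, as pre-Safe-Linking tcache
    poisoning did. Returns the second allocation, or the abort message."""
    tcache = _poisoned_bin(target)
    tcache.get()                # first malloc() returns B as usual
    try:
        return tcache.get()     # second malloc() would return the target
    except RuntimeError as err:
        return str(err)


def poison_with_leak(target: int) -> int:
    """With a heap address leak the attacker can pre-mask the pointer, so
    Safe-Linking is a mitigation, not a fix: the second malloc() returns
    the attacker's target."""
    tcache = _poisoned_bin(protect_ptr(B, target))
    tcache.get()
    return tcache.get()


if __name__ == "__main__":
    print(poison_without_leak(0x7FFF_FFFF_E000))
    print(hex(poison_with_leak(0x7FFF_FFFF_E000)))
```

The shift by 12 means the mask is the heap address at page granularity, so any leak of a heap pointer defeats the check; the feature raises the bar for unmasked overwrites (including the double-free and use-after-free primitives that used to give a free write into the tcache list) without replacing the rest of the hardening.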
Rust Toolset Updated to Version 1.66.1
The updated version includes the following features:
- Additions to the toolset's API
- Keyword and statement changes
- Generic associated types (GATs) for new abstractions over types and lifetimes
- rust-analyzer as a new Language Server Protocol implementation
- Additional subcommands
tzdata Package Includes the leap-seconds.list File
The /usr/share/zoneinfo/leap-seconds.list file provides an alternate format to the /usr/share/zoneinfo/leapseconds file that is shipped with the tzdata package. With the two files, applications can use either format to calculate International Atomic Time (TAI) from Coordinated Universal Time (UTC) values.
Improved glibc Dynamic Loader Algorithm
While processing shared objects with deeply nested dependencies, the previous glibc dynamic loader algorithm, which has O(n^3) complexity, could slow down application startup and shutdown times. The updated algorithm avoids this impact by using a depth-first search (DFS).
The algorithm is selected through the glibc.rtld.dynamic_sort tunable, whose new default setting of 2 selects the updated version. To use the previous algorithm, set the tunable to 1, as follows:
GLIBC_TUNABLES=glibc.rtld.dynamic_sort=1
export GLIBC_TUNABLES
Dynamic Programming Languages, Web and Database Servers
Python 3.11 Is Available
Python 3.11 is an update from Python 3.9. Some notable changes that are introduced in this version include the following:
- Availability of the match keyword for Structural Pattern Matching
- Availability of the tomllib standard library module for parsing Tom's Obvious Minimal Language (TOML) formats
- Additional features related to type hints and the typing module, such as the new X | Y type union operator, variadic generics, and the new Self type
- Capability for raising and handling multiple unrelated exceptions simultaneously through Exception Groups and the new except* syntax
- Better error reporting: tracebacks point to the exact expression that caused the error, and error messages are improved
Python 3.11 can be installed in parallel with Python 3.9, Python 3.8, and Python 3.6. Note that, unlike the previous versions, Python 3.11 is distributed as standard RPM packages instead of a module.
To install packages from the python3.11 stack, type:
sudo dnf install python3.11
sudo dnf install python3.11-pip
To run the interpreter, type:
python3.11
python3.11 -m pip --help
git Updated to Version 2.39.1
The updated version includes the following changes:
- The git log command accepts the --format=%(describe) placeholder, which adds the output of git describe for each commit to the log output.
- The commit operation accepts additional --fixup forms:
  - --fixup=<commit> fixes the content of the commit without changing the log message.
  - --fixup=amend:<commit> changes both the message and the content.
  - --fixup=reword:<commit> updates only the commit message.
- Cloning accepts the new --reject-shallow option, which refuses to clone from a shallow repository.
- Branching accepts the new --recurse-submodules option.
- The git merge-tree command can be used to test whether two branches can be merged, or to compute the tree that a merge commit of the two branches would produce, without touching the working tree or the index.
- The new safe.bareRepository configuration variable controls whether Git uses bare repositories that it discovers. Setting it to explicit makes Git use a bare repository only when it is named through --git-dir or GIT_DIR, which defends against a malicious bare repository embedded inside another repository's working tree.
git-lfs Updated to Version 3.2.0
Some notable features of the updated Git Large File Storage include the following:
- Introduction of a pure SSH-based transport protocol
- Provision of a merge driver
- The git lfs fsck command also checks that pointers are canonical and that expected LFS files have the correct format
- Removal of support for the NT LAN Manager (NTLM) authentication protocol, which is replaced by Kerberos or Basic authentication
New nginx Module Stream
The nginx 1.22 web and proxy server is available as the nginx:1.22 module stream and contains new features such as the following:
- Support for OpenSSL 3.0 and the SSL_sendfile() function, for the PCRE2 library, and for POP3 and IMAP pipelining in the mail proxy module.
- The Auth-SSL-Protocol and Auth-SSL-Cipher header lines are passed to the mail proxy authentication server.
- Multiple enhanced directives.
- Better error handling capabilities.
- Application Layer Protocol Negotiation (ALPN) is used for HTTP/2 connections; the Next Protocol Negotiation (NPN) protocol is no longer supported.
To install the nginx:1.22 stream, type:
sudo dnf module install nginx:1.22
mod_security Updated to 2.9.6
The updated mod_security module for the Apache HTTP Server includes adjusted parser activation rules in the modsecurity.conf-recommended file, as well as enhancements to the way the module parses HTTP multipart requests. The module also includes the following additions:
- New MULTIPART_PART_HEADERS collection.
- Microsecond resolution for the formatted log timestamp.
- Geo country codes that were previously missing.
postgresql:15 Module Stream Added
PostgreSQL version 15 is made available as the postgresql:15 module stream. PostgreSQL 15 includes several new features and enhancements over version 13. See https://www.postgresql.org/docs/release/15.0/ for more information.
Module stream life cycle information is available in Oracle Linux: Product Life Cycle Information.
New Tomcat Package Introduced
The current Oracle Linux release includes the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.
nodejs:18 Updated to Version 18.14 With npm Updated to Version 9
The updated Node.js 18.14 includes a SemVer major upgrade of npm from version 8 to version 9. In this update, support for unscoped authentication configurations is removed to improve security, because credentials that are not scoped to a registry could be sent to any registry that npm contacts. This update might require adjustments to the current npm configuration.
If you use unscoped authentication tokens, generate registry-scoped tokens and supply them in the .npmrc file. If the .npmrc file contains lines that use _auth, for example, //registry.npmjs.org/:_auth, replace these lines with //registry.npmjs.org/:_authToken=${NPM_TOKEN}. Then export the scoped token that you generated in the NPM_TOKEN environment variable.
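The rewrite described above, as an added Python script that is not part of the release notes or of npm: it converts unscoped and password-based lines in a constructed .npmrc into registry-scoped _authToken lines that read the secret from an environment variable, drops duplicates, and flags tokens that are still stored as literals. The key names it recognises (_auth, _authToken, username, _password) are the npm config keys; the sample file and the change messages are constructed.

```python
"""Rewrite an .npmrc for npm 9, which no longer accepts unscoped auth.

Added example, not from the release notes or from npm. Unscoped _auth,
_authToken, username and _password lines become a token line scoped to
the default registry; registry-scoped _auth/username/_password lines
become _authToken lines; the secret itself is never written to the file
but read from an environment variable. The sample .npmrc is constructed.
"""
import re

SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
_auth=dXNlcjpwYXNzd29yZA==
always-auth=true
//registry.npmjs.org/:_auth=dXNlcjpwYXNzd29yZA==
//npm.example.internal/:_authToken=npm_deadbeef
@corp:registry=https://npm.example.internal/
"""

UNSCOPED_AUTH_KEYS = {"_auth", "_authToken", "username", "_password"}
SCOPED_AUTH_RE = re.compile(r"^(//\S+?/?):(_auth|username|_password)=")
SCOPED_TOKEN_RE = re.compile(r"^(//\S+?/?):_authToken=(.*)$")


def default_registry_scope(lines):
    """'//host/path/' form of the default registry, used to scope unscoped
    credentials; npm's own default is registry.npmjs.org."""
    for line in lines:
        if line.startswith("registry="):
            url = line.split("=", 1)[1].strip()
            return "//" + url.split("://", 1)[-1].rstrip("/") + "/"
    return "//registry.npmjs.org/"


def migrate_npmrc(text, token_var="NPM_TOKEN"):
    """Return (new_text, changes). Each change is a human-readable note."""
    lines = text.splitlines()
    scope = default_registry_scope(lines)
    placeholder = "${" + token_var + "}"
    out, changes, emitted = [], [], set()

    def emit_token_line(registry, what):
        new = f"{registry}:_authToken={placeholder}"
        if new in emitted:
            changes.append(f"{what}: dropped, {new} already present")
        else:
            emitted.add(new)
            out.append(new)
            changes.append(f"{what}: replaced with {new}")

    for line in lines:
        stripped = line.strip()
        key = stripped.split("=", 1)[0]
        if key in UNSCOPED_AUTH_KEYS:
            # Unscoped credential: npm 9 rejects it, scope it to the registry.
            emit_token_line(scope, f"unscoped {key}")
            continue
        m = SCOPED_AUTH_RE.match(stripped)
        if m:
            # Scoped but password-based (_auth is base64 user:password).
            emit_token_line(m.group(1), f"{m.group(1)}:{m.group(2)}")
            continue
        m = SCOPED_TOKEN_RE.match(stripped)
        if m:
            if stripped in emitted:
                changes.append(f"{m.group(1)}:_authToken: duplicate dropped")
                continue
            emitted.add(stripped)
            if not m.group(2).startswith("${"):
                changes.append(f"warning: {m.group(1)} keeps a literal token in "
                               f"the file; move it to an environment variable")
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_text, notes = migrate_npmrc(SAMPLE_NPMRC)
    print(new_text)
    print("\n".join(notes))
```

The script deliberately does not generate the token: that step happens on the registry (npm token create, or the registry's web UI), and the only thing the file should carry afterwards is the ${NPM_TOKEN} reference, so a leaked .npmrc no longer leaks the credential.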
High Availability and Clusters
Pacemaker Can Run the validate-all Action for Resource and STONITH Agents
Use the --agent-validation option when you create or update a resource or a STONITH device with pcs. The option runs the agent's validate-all action, which adds the agent's own validation of the configured parameters to the validation that pcs performs based on the agent's metadata.
Infrastructure Services
synce4l Package for Frequency Synchronization Added
The synce4l package manages devices that include SyncE (Synchronous Ethernet), a hardware feature that helps PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is available in certain network interface cards (NICs) and network switches and helps Telco Radio Access Network (RAN) applications to achieve accurate time synchronization for better communication efficiency. See https://github.com/intel/synce4l for more information.
powertop Updated to Version 2.15
The updated powertop package includes the following features and changes:
- General fixes and stability improvements
- Improved compatibility with Ryzen processors and Kaby Lake platforms
- Enabled Lakefield, Alder Lake N, and Raptor Lake platform functionality
- Enabled Ice Lake NNPI and Meteor Lake mobile and desktop functionality
tuned Updated to Version 2.20.0
The updated tuned package includes the following features and changes:
- API update to facilitate moving devices between plugin instances at runtime.
- Updates to the plugin_cpu module:
  - The pm_qos_resume_latency_us feature limits the maximum time permitted for each CPU to transition from an idle state to an active state.
  - The intel_pstate scaling driver provides scaling algorithms to tune power management for a system based on usage scenarios.
- A socket API to control TuneD through a UNIX domain socket is available as a technology preview.
samba Updated to Version 4.17.5
The updated samba packages include the following features and changes:
- Performance improvements to the security-related code paths of the Server Message Block (SMB) server when working with high metadata workloads.
- Addition of a --json option to the smbstatus command to display status information in JSON format.
- Addition of the samba.smb.conf and samba.samba3.smb.conf modules to the smbconf Python API to facilitate reading and writing the Samba configuration directly from Python programs.
The Server Message Block version 1 (SMB1) protocol is deprecated in Samba 4.11 and later and might be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Downgrading tdb database files isn't supported. After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Networking
NetworkManager Updated to Version 1.40.16
The updated version includes the following features:
- Correctly calculates expiration times for items configured from IPv6 neighbor discovery messages.
- Automatically updates the /etc/resolv.conf file when the configuration changes.
- Rejects DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).
- Resolves the system hostname from DNS on an interface only after the interface is connected.
- No longer sets nonexistent interfaces as primary when activating a bond.
The following changes are also implemented:
- The --print-config subcommand no longer prints duplicate entries.
- The nm-cloud-setup utility preserves externally added addresses.
- Setting a primary interface in a bond now always works, even if the interface doesn't exist when you activate the bond.
- The ifcfg-rh plugin can now read InfiniBand P-Key connection profiles without an explicit interface name.
- The nmcli utility can now remove a bond port connection profile from a bond.
- A race condition was fixed that could occur during the activation of veth profiles if the peer already existed.
- Profiles created by the nm-initrd-generator utility now have a lower-than-default priority.
- A race condition was fixed that prevented the automatic activation of MACsec connections at boot.
nm-initrd-generator Profiles Have Lower Priority Than Autoconnect Profiles
NetworkManager's configuration generator utility, nm-initrd-generator, creates connection profiles that have lower priority than autoconnect connection profiles. Consequently, generated network profiles can coexist with user configuration in the default root account.
nispor Updated to Version 1.2.10
The updated nispor packages include the following enhancements and bug fixes:
- NetStateFilter can use the kernel filter on network routes and interfaces.
- Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (VF) information per VF.
- Additional bonding options, namely, lacp_active, arp_missed_max, and ns_ip6_target.
Security
fapolicyd Provides Filtering of the RPM Database
The list of RPM-database files that fapolicyd stores in the trust database can be customized by editing a new /etc/fapolicyd/rpm-filter.conf configuration file. By using this feature, you can override the default filter configuration to specify which files installed by RPM are added to the trust database and which are excluded from it.
Libreswan Updated to Version 4.9
The following features were added:
- {left,right}pubkey= to addconn and whack
- KDF self-tests in the cryptographic code
- Updated syscall allow-list in seccomp
- Support in the showhostkey command for ECDSA public keys and for printing a PEM-encoded public key through the --pem option
- New functionality for the Internet Key Exchange Protocol Version 2 (IKEv2) and the pluto IKE daemon
Changes and Updates to SELinux
Updates include confining udftools and introducing an SELinux policy for systemd-socket-proxyd with rules for the service to run in its own SELinux domain.
OpenSCAP Updated to Version 1.3.7
The updated OpenSCAP packages include the following features and changes:
- Fixed an error when processing OVAL filters.
- OpenSCAP no longer generates invalid empty xmlfilecontent items if an XPath doesn't match.
- Removed spurious "Failed to check available memory" errors.
OpenSSL Driver Can Use Certificate Chains in Rsyslog
With this update, the OpenSSL library can validate multiple CA files that you specify. Consequently, you can use certificate chains in Rsyslog with the OpenSSL driver.
FIPS Mode Better Conforms to FIPS 140-3
The FIPS mode settings in the RHCK kernel have been adjusted to conform to the Federal Information Processing Standard (FIPS) 140-3. This change introduces stricter settings for many cryptographic algorithms, functions, and cipher suites, such as the following:
- The Triple Data Encryption Standard (3DES), Elliptic-curve Diffie-Hellman (ECDH), and Finite-Field Diffie-Hellman (FFDH) algorithms are disabled. This change affects Bluetooth, DH-related operations in the kernel keyring, and Intel QuickAssist Technology (QAT) cryptographic accelerators.
- The hash-based message authentication code (HMAC) key can no longer be shorter than 112 bits. The minimum key length for the Rivest-Shamir-Adleman (RSA) algorithm is set to 2048 bits.
- Drivers that used the xts_check_key() function have been updated to use the xts_verify_key() function instead.
- The following Deterministic Random Bit Generator (DRBG) hash functions are disabled: SHA-224, SHA-384, SHA512-224, SHA512-256, SHA3-224, and SHA3-384.
SELinux Confines udftools
With the updated selinux-policy packages, SELinux confines the udftools services.
Compatibility Between scap-security-guide Rules and RainerScript Logs
Rules in scap-security-guide are now compatible with the RainerScript syntax. Therefore, scap-security-guide rules can check and remediate the ownership, group ownership, and permissions of Rsyslog log files in both available configuration syntaxes.
SCAP Security Guide Updated to Version 0.1.66
The SCAP Security Guide (SSG) packages are updated to the upstream version 0.1.66 and provide enhancements and bug fixes such as the following:
- The Oracle Linux 8 stig and stig_gui profiles are aligned with DISA STIG for Oracle Linux 8 V1r6.
- The account_passwords_pam_faillock_audit rule is deprecated in favor of accounts_passwords_pam_faillock_audit.
- The accounts_user_dot_no_world_writable_programs rule is updated to look for initialization files in the users' home directories only and to prevent the search for world-writable programs from descending into other file systems.
- A new OVAL macro is introduced to consistently identify interactive users.
- The remediation of sebool_secure_mode_insmod is fixed; it previously prevented the system from booting when the anssi-high profile was applied.
opencryptoki Updated to 3.19.0
The updated package version provides notable features such as the following:
- Dual-function cryptographic functions
- A new C_SessionCancel function that cancels active session-based operations, as described in the PKCS #11 Cryptographic Token Interface Base Specification v3.0
Containers
The following features, enhancements, and changes related to container tools are introduced in this Oracle Linux 8 release.
Updated container-tools Package
The container-tools package is updated for Podman v4.4. The package contains the Podman, Buildah, Skopeo, crun, and runc tools.
The updates have the following features and changes:
- Information about a container can be audited directly from a journald entry in Podman v4.4 and later. To enable Podman auditing, edit the containers.conf file and add the events_container_create_inspect_data=true option to the [engine] section. The audit data is in JSON format, equivalent to the output of the podman container inspect command.
- The podman network update command is added to update networks for containers and pods.
- The podman buildx version command is added to display the Buildah version.
- Container startup health checks are available to run a command that checks that the container is fully started before the regular health check is activated.
- New Docker compatibility options and aliases are included.
- Improved Kubernetes integration by consolidating the kube commands: podman kube generate and podman kube play replace the podman generate kube and podman play kube commands.
- The following features are added to pods that are created by the podman kube play command and managed by systemd:
  - The pods can integrate with sd-notify through the io.containers.sdnotify annotation or, for specific containers, the io.containers.sdnotify/$name annotation.
  - The pods can be auto-updated through the io.containers.auto-update annotation or, for specific containers, the io.containers.auto-update/$name annotation.
Custom DNS Server Selection Is Available for Aardvark and Netavark
Custom DNS server selection for containers that use the Aardvark and Netavark network stack is available. Containers can use custom DNS servers instead of the default DNS servers on the host. To enable a custom DNS server, either add the dns_servers field in the containers.conf configuration file or use the --dns option to specify the IP address of the DNS server when running the podman command. The --dns option overrides any values that are set in the containers.conf file.
Generate Sigstore Key Pairs With Skopeo
Skopeo can generate sigstore key pairs through the skopeo generate-sigstore-key command. For more information, see the skopeo-generate-sigstore-key manual page.
Toolbox Utility Is Available
Use the toolbox utility to access the container command line environment without installing additional troubleshooting tools directly on the system. Toolbox uses Podman and other standard container technologies from the Open Container Initiative. For more information, see toolbx.
sigstore Signatures Available
Beginning with Podman 4.2, you can use the sigstore format of container image signatures. These signatures are stored in the container registry together with the container image, instead of on a separate signature server.
Podman Supports Pre-execution Hooks
Podman can be configured with pre-execution hooks that control container operations. The hooks are plugin scripts placed in /usr/libexec/podman/pre-exec-hooks or /etc/containers/pre-exec-hooks. Pre-execution scripts are run only if a file named /etc/containers/podman_preexec_hooks.txt exists. If all plugin scripts return zero, the podman command is run; otherwise, the podman command exits with the exit code returned by the script that failed.
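The dispatch rules described above, as an added Python model that is not Podman's code and not part of the release notes, together with a sample policy hook that refuses --privileged containers. The directory and gate-file names are the ones given above; that a hook receives the podman command line as its arguments, and that hooks run in sorted file-name order, are assumptions made for the model. The hook script is constructed and, to stay self-contained, is written in Python and staged under a temporary root.

```python
"""Model of Podman's pre-execution hook dispatch, plus a sample policy hook.

Added example, not Podman's code. The directory and gate-file names are
the ones from the release notes; that a hook receives the podman command
line as its arguments, and that hooks run in sorted file-name order, are
assumptions made here for the model.
"""
import os
import subprocess
import sys
import tempfile

HOOK_DIRS = ("/usr/libexec/podman/pre-exec-hooks",
             "/etc/containers/pre-exec-hooks")
GATE_FILE = "/etc/containers/podman_preexec_hooks.txt"

# Constructed sample hook: refuse 'podman run/create --privileged'.
# Exit status 0 lets podman continue; anything else aborts it with that code.
DENY_PRIVILEGED_HOOK = """\
import sys
argv = sys.argv[1:]                      # the podman command line (assumed)
if len(argv) > 1 and argv[1] in ("run", "create") and "--privileged" in argv:
    print("pre-exec-hook: --privileged is not allowed on this host",
          file=sys.stderr)
    sys.exit(77)
sys.exit(0)
"""


def run_pre_exec_hooks(podman_argv, hook_dirs=HOOK_DIRS, gate_file=GATE_FILE):
    """Return 0 if podman may proceed, else the exit code of the first hook
    that failed. Nothing runs unless the gate file exists."""
    if not os.path.exists(gate_file):
        return 0
    for directory in hook_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            hook = os.path.join(directory, name)
            if not (os.path.isfile(hook) and os.access(hook, os.X_OK)):
                continue
            rc = subprocess.run([hook, *podman_argv]).returncode
            if rc != 0:
                return rc          # first failure wins, later hooks are skipped
    return 0


def demo(podman_argv):
    """Stage the layout under a temporary root and run the dispatcher twice:
    before and after the gate file is created. Returns both exit codes."""
    with tempfile.TemporaryDirectory() as root:
        hook_dir = os.path.join(root, "etc/containers/pre-exec-hooks")
        gate = os.path.join(root, "etc/containers/podman_preexec_hooks.txt")
        os.makedirs(hook_dir)
        hook = os.path.join(hook_dir, "10-deny-privileged")
        with open(hook, "w") as fh:
            fh.write(f"#!{sys.executable}\n{DENY_PRIVILEGED_HOOK}")
        os.chmod(hook, 0o755)
        without_gate = run_pre_exec_hooks(podman_argv, (hook_dir,), gate)
        open(gate, "w").close()
        with_gate = run_pre_exec_hooks(podman_argv, (hook_dir,), gate)
        return without_gate, with_gate


if __name__ == "__main__":
    print(demo(["podman", "run", "--privileged", "alpine"]))   # (0, 77)
    print(demo(["podman", "run", "alpine"]))                   # (0, 0)
```

Two properties of the mechanism are worth checking on a real host: the gate file is an opt-in switch, so an attacker who can delete /etc/containers/podman_preexec_hooks.txt silences every hook, and the hook directories are executed as the user running podman, so both the gate file and the hook directories must be writable by root only for the policy to mean anything.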