2 New Features and Changes

This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.

Cloud Environment

The following features, enhancements, and changes related to the cloud environment are introduced in this Oracle Linux 8 release.

cloud-init Integration With NetworkManager

The cloud-init tool can use a network-manager keyfile to configure the network by using NetworkManager instead of the default sysconfig method for network setup.

To use NetworkManager as the primary network renderer, edit /etc/cloud/cloud.cfg and set network-manager as the first entry in the list:

network:
    renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']

Containers

The following features, enhancements, and changes related to containers are introduced in this Oracle Linux 8 release.

Container Tools Packages Are Updated

The Podman, Buildah, Skopeo, crun, and runc packages in the container-tools module are updated to the versions that accompany Podman 4.6.

Notable changes in Podman v4.6 include:

  • Updates to the podman kube play command, including:
    • a --configmap=<path> option to provide one or more Kubernetes YAML files with environment variables to be used within the containers of the pod;
    • the ability to use containerPort names and port numbers in liveness probes;
    • automatic addition of ctrName as an alias on the pod network;
    • handling of SELinux filetype labels and ulimit annotations.
  • The podman secret exists command is added to verify whether a secret with the specified name exists.
  • The --shm-size-systemd option is available in the podman create, podman run, podman pod create, and podman pod clone commands to limit the size of the tmpfs used for systemd mounts.
  • The --security-opt label=nested option can be specified with podman create to allow SELinux labeling inside a confined container.
  • Podman can automatically update containers running inside a pod.
  • You can configure Podman to use a SQLite database as its backend database. The default database type is BoltDB. You can change the database type by setting the database_backend field in the containers.conf file. Changing the backend database requires that you first reset Podman to its initial state: all existing containers and pods are lost and must be re-created after the backend database is changed. This feature is available as a technology preview.
  • Quadlets can be used to automatically generate a systemd service file from a container description. See Quadlet in Podman Available.

Quadlet in Podman Available

Quadlet is available beginning with Podman 4.6. Quadlets can be used to automatically generate a systemd service file from the container description. The container description is in the systemd unit file format and simplifies much of the technical complexity of running containers under systemd. Quadlet formatted descriptions might be easier to write and maintain than systemd unit files.

Note:

Quadlets don't work on Oracle Linux 8 in rootless mode.

For more details, see the Quadlet upstream documentation.
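As an added illustration that isn't part of these release notes, the following Quadlet container description runs nginx as a system service with least privilege: every capability is dropped and only the four that the nginx master process needs are added back, privilege escalation is blocked, and SELinux confinement is left enabled. Because rootless Quadlets don't work on Oracle Linux 8, the file lives in the system-wide directory /etc/containers/systemd/. The image name, published port, and file name are illustrative assumptions.

```ini
# /etc/containers/systemd/web.container  (added example, not from the release notes)
# Quadlet turns this description into web.service when systemd reloads its units.
[Unit]
Description=nginx served from a Podman container (Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
# Pin a specific tag; "latest" makes the running code unpredictable.
Image=docker.io/library/nginx:1.25
ContainerName=web
PublishPort=8080:80
# Least privilege: drop everything, then add back only what the nginx master
# process needs to bind port 80 and switch to its unprivileged worker user.
DropCapability=ALL
AddCapability=NET_BIND_SERVICE CHOWN SETGID SETUID
NoNewPrivileges=true
# Opt the container into podman auto-update (requires the podman-auto-update
# timer to be enabled); it is the same label podman auto-update looks for.
Label=io.containers.autoupdate=registry
# Deliberately no SecurityLabelDisable=true: keep the container SELinux-confined.

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=multi-user.target default.target
```

After placing the file, run systemctl daemon-reload and then systemctl start web.service. To inspect the generated unit before enabling it, run /usr/libexec/podman/quadlet -dryrun, which prints the service that Quadlet would produce without installing it.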

Compilers and Development Tools

The following features, enhancements, and changes related to compilers and development tools are introduced in this Oracle Linux 8 release.

Updated Compilers and Development Tools

The following performance tools and debuggers are updated:

  • Valgrind 3.21.0
  • SystemTap 4.9
  • elfutils 0.189

The following performance monitoring tools are updated:

  • libpfm 4.13

The following compiler toolsets are updated:

  • GCC Toolset 13

  • LLVM Toolset 16.0.6

  • Rust Toolset 1.71.1

    With this update, the Rust profile_builtins runtime component is now available.

  • Go Toolset 1.20.10

GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. The toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The following tools and versions are available in the GCC Toolset 13:

  • GCC 13.1.1

  • GDB 12.1

  • binutils 2.40

  • dwz 0.14

  • annobin 12.20

To install the toolset, type:

sudo dnf install gcc-toolset-13

To run a tool from GCC Toolset 13, type:

scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools, type:

scl enable gcc-toolset-13 bash

GCC Preserves Register Arguments

GCC is updated to preserve register argument content and generate proper Call Frame Information (CFI) to make it easier for the unwinder to find this information without negatively impacting performance.

binutils Updated to Version 2.40 in GCC Toolset 13

The GCC Toolset 13 includes version 2.40 of binutils, which includes the following notable changes:

  • Added a -w (--no-warnings) option for the linker to disable warning messages.
  • Improved ELF linker warning messages about changes to segment permissions.

  • Added a --private option in the objdump tool that shows the fields in the file header and section headers for Portable Executable (PE) format files.
  • Added a --show-all-symbols option for the objdump tool to show all symbols matching an address when disassembling.
  • Added a --strip-section-headers option for the objcopy and strip tools to remove the ELF section header from ELF files.
  • Added a -W (--no-weak) option to the nm tool to set it to ignore weak symbols.
  • Added syntax highlighting for disassembler output in the objdump tool.

glibc Performance Enhancement for Intel Xeon V5 Hardware

The default amount of cache used by glibc for string and memory routines is tuned to improve performance on Intel Xeon v5 hardware.

Backward Incompatibility From C++ Code Changes

Changes were applied to the C++ standard library to improve the startup performance of C++ programs. For example, global iostream objects such as std::cout and std::cin are now constructed inside the standard library rather than in every source file that includes the <iostream> header. As a consequence, code compiled with the GCC 13.1 toolset fails at runtime if it is run against an older libstdc++.so that doesn't provide these symbols. For more information about using the correct libstdc++.so at runtime, see https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dynamic_or_shared.html#manual.intro.using.linkage.dynamic.

Dynamic Programming Languages, Web and Database Servers

The following features, enhancements, and changes related to programming languages, web servers, and database servers are introduced in this Oracle Linux 8 release.

nodejs:20 Module Stream Support

The nodejs:20 module stream is supported and includes Node.js 20.9, which is a Long Term Support (LTS) version. The following notable features are included:

  • The V8 JavaScript engine is updated to version 11.3.

  • The npm package manager is updated to version 9.8.0.

  • Node.js includes the experimental Permission Model.

  • Node.js includes the experimental Single Executable Application (SEA) feature.

  • Node.js includes improvements to the Experimental ECMAScript modules (ESM) loader.

  • The node:test module is now considered stable.

To install the nodejs:20 module stream, run:

sudo dnf module install nodejs:20

For information about the length of support for Application Streams, see Oracle Linux: Product Life Cycle Information.

Python tarfile Extraction Functions Include a filter Argument

Python now includes a filter argument to the tarfile extraction functions that restricts dangerous features of tar archives, such as absolute paths, members that escape the destination directory, and device files. If a filter isn't specified, the 'data' filter, which is the safest but most restrictive, is used by default.
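The following added example, which isn't part of these release notes, shows what the 'data' filter buys you: it builds a small in-memory archive containing one benign member and one path-traversal member ("../evil.txt"), then extracts it with filter="data" and records which members were rejected. On interpreters that lack the filter backport it falls back to a hand-written check that emulates only the path and device-file rules of the 'data' filter (an assumption stated in the code). The archive contents are constructed.

```python
"""Added example (not from the Oracle Linux release notes): demonstrate the
tarfile 'data' extraction filter against a constructed path-traversal archive."""
import io
import os
import tarfile
import tempfile


def build_archive() -> bytes:
    """Constructed sample archive: a safe file plus a member that escapes upward."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        good = tarfile.TarInfo("app/config.txt")
        data = b"setting=1\n"
        good.size = len(data)
        tar.addfile(good, io.BytesIO(data))

        evil = tarfile.TarInfo("../evil.txt")  # would land outside the destination
        payload = b"owned\n"
        evil.size = len(payload)
        tar.addfile(evil, io.BytesIO(payload))
    return buf.getvalue()


def _manual_data_filter(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Fallback for interpreters without tarfile.data_filter. Assumption: this
    reproduces only the path and device checks of the real 'data' filter."""
    if os.path.isabs(member.name):
        raise tarfile.TarError(f"absolute path rejected: {member.name}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:
        raise tarfile.TarError(f"path traversal rejected: {member.name}")
    if member.isdev():
        raise tarfile.TarError(f"device file rejected: {member.name}")
    return member


def extract_with_filter(archive: bytes, dest: str):
    """Extract member by member with the 'data' filter.

    Returns (extracted_names, [(rejected_name, exception_class_name), ...]).
    FilterError and its subclasses derive from TarError, so one except covers both paths.
    """
    extracted, rejected = [], []
    has_filter = hasattr(tarfile, "data_filter")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            try:
                if has_filter:
                    tar.extract(member, path=dest, filter="data")
                else:
                    tar.extract(_manual_data_filter(member, dest), path=dest)
                extracted.append(member.name)
            except tarfile.TarError as exc:
                rejected.append((member.name, type(exc).__name__))
    return extracted, rejected


def run_demo():
    """Extract into a fresh nested temp dir so an escape would be detectable.

    Returns (extracted names, rejected names, whether the traversal succeeded).
    """
    base = tempfile.mkdtemp(prefix="tarfilter-")
    dest = os.path.join(base, "out")
    os.makedirs(dest)
    extracted, rejected = extract_with_filter(build_archive(), dest)
    escaped = os.path.exists(os.path.join(base, "evil.txt"))
    return extracted, [name for name, _ in rejected], escaped


if __name__ == "__main__":
    print(run_demo())
```

Extracting the same archive with filter="fully_trusted" (or with a Python that predates the filter argument) writes evil.txt one level above the destination, which is the classic tar path-traversal problem the filter exists to stop.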

HTTP::Tiny Perl Module Updated to Perform TLS Verification By Default

The HTTP::Tiny Perl module is updated to verify TLS certificates by default for HTTPS connections. The update adds the following dependencies to the perl-HTTP-Tiny package:

  • perl-IO-Socket-SSL
  • perl-Mozilla-CA
  • perl-Net-SSLeay

The default value of the verify_SSL option changes from 0 to 1 when the updated package is installed. Scripts that connect to HTTPS servers whose certificates can't be validated against the Mozilla CA bundle (for example, self-signed or internal-CA certificates) now fail. Fix the certificate chain, or pass the internal CA through the SSL_options hash, rather than setting verify_SSL => 0, which restores the previous unverified behavior and leaves the connection open to interception.

High Availability and Clusters

The following features, enhancements, and changes related to high availability are introduced in this Oracle Linux 8 release.

Improvements to Pacemaker Scheduler for Colocation Constraint Handling

The Pacemaker scheduler is updated and improved to prioritize mandatory colocation constraints, including those between group members, over optional colocation constraints. This change improves how the scheduler works with resources that have a heterogeneous mix of colocation constraints. Note that this feature requires at least three nodes.

alert_snmp.sh.sample Alert Agent Works With SNMPv3

The alert_snmp.sh.sample alert agent now works with SNMPv2 and SNMPv3 without any requirement to modify the agent.

New Meta Option to Disable Alerts

You can set the enabled meta option on a Pacemaker alert or alert recipient to true or false to control whether Pacemaker generates alerts for it. The default value is true.

Enhancements to the pcs property Command

The pcs property command now supports the following enhancements:

  • The pcs property config --output-format= option

    • Specify --output-format=cmd to display the pcs property set command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system.
    • Specify --output-format=json to display the configured cluster properties in JSON format.
    • Specify --output-format=text to display the configured cluster properties in plain text format, which is the default value for this option.
  • The pcs property defaults command, which replaces the deprecated pcs property --defaults option
  • The pcs property describe command, which describes the meaning of cluster properties.

Infrastructure Services

The following features, enhancements, and changes related to infrastructure services are introduced in this Oracle Linux 8 release.

Postfix Can Handle SRV Lookups

Postfix can use DNS service (SRV) records to discover the host and port of a mail service, which simplifies client configuration and allows load to be balanced across servers according to the priority and weight of the records. Postfix can also handle temporary DNS problems and provides configurable fault-resilience options for when SRV lookups fail. You can configure SRV handling for Postfix by setting the following options in the Postfix server configuration:

  • use_srv_lookup=smtp

    Enables discovery of the specified service by using DNS SRV records.

  • allow_srv_lookup_fallback=yes

    Configures the service for SRV lookup fallback, so that Postfix falls back to MX and IP address records when an SRV lookup fails because of misconfiguration or a missing entry, while continuing to use SRV for the service.

  • ignore_srv_lookup_error=yes

    Configures the service to stop using SRV when a lookup fails, and to switch to MX or IP address records instead.
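As an added example that isn't part of these release notes, the following main.cf fragment relays outbound mail through whichever hosts the domain example.com advertises for the submission service, with fallback enabled so a missing or failing SRV record doesn't leave mail deferred. The domain, service name, and relay hosts are illustrative assumptions.

```ini
# /etc/postfix/main.cf fragment (added example, not from the release notes)

# Resolve the "submission" service through DNS SRV records.
use_srv_lookup = submission

# The ":submission" suffix tells Postfix to look up
# _submission._tcp.example.com rather than MX/A records for example.com.
relayhost = example.com:submission

# Fall back to MX and IP address records when the domain publishes no
# usable SRV record, instead of failing the delivery.
allow_srv_lookup_fallback = yes

# Treat an SRV lookup error the same way: stop using SRV for this
# destination and switch to MX or IP address records.
ignore_srv_lookup_error = yes
```

The matching records on the DNS side have the form "_submission._tcp.example.com. IN SRV 10 60 587 mail1.example.com." (priority, weight, port, target): Postfix tries the lowest priority first and spreads connections among same-priority hosts in proportion to their weights. Verify what Postfix will see with a plain DNS query for the _submission._tcp.example.com SRV record before enabling the lookup in production.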

TLS 1.3 Cipher Suites Can Be Used in vsftpd

The ssl_ciphersuites option can be used when configuring vsftpd to configure the service to use different cipher suites, including TLS 1.3 cipher suites that weren't available in the service before. Cipher suite entries are specified on a single line separated using the colon (:) character.

Kernel and System Libraries

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that's shipped with the current Oracle Linux 8 version.

RHCK Can Handle AutoIBRS Configurations on AMD Processors

RHCK can handle Automatic Indirect Branch Restricted Speculation (AutoIBRS) on AMD processors. AutoIBRS is a feature of the AMD EPYC 9004 (Genoa) family and later processors, and it is used as the default Spectre v2 mitigation on those CPUs, which lowers the performance cost of the mitigation and improves scalability.

Updated Intel® QAT Kernel Driver

The Intel® Quick Assist Technology (QAT) kernel driver is updated to the upstream 6.2 version, which includes both bug fixes and enhancements. The most notable enhancement is support for the following QAT GEN4 hardware accelerator devices:

  • Intel Quick Assist Technology 401xx devices

  • Intel Quick Assist Technology 402xx devices

makedumpfile Updated to Version 1.7.2

The makedumpfile utility is updated to version 1.7.2. This tool is used to reduce the size of dump files by compression and by excluding pages.

Networking

The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 8 release.

nftables Default Service Configuration Update

The default service configuration for nftables now includes the do_masquerade chain to reduce the risk of a port shadow attack. The update is applied to /etc/sysconfig/nftables/nat.nft to add a rule in the do_masquerade chain that detects suitable packets and enforces source port randomization.

NetworkManager Includes an Option to Suppress AAAA Queries

The no-aaaa option can be used in the DNS settings of a connection to suppress AAAA (IPv6 address) queries, so IPv6 name resolution can be disabled by using the nmcli utility without disabling IPv6 on the interface. After the NetworkManager service is restarted, NetworkManager writes the setting to /etc/resolv.conf as an options no-aaaa line.

libnftnl Package Version 1.2.2 Updates

The libnftnl package, which provides the Netlink API to the in-kernel nf_tables subsystem, is updated to version 1.2.2. Notable changes and enhancements include:

  • New features:

    • Nesting of the udata attribute
    • Resetting TCP options with the exthdr expression
    • Meta keywords: sdif and sdifname
    • Ability to handle a new attribute NFTNL_CHAIN_FLAGS in the nftnl_chain struct, to communicate flags between the kernel and user space.
    • New nftnl_set struct for nftables to add expressions to sets and set elements.
    • Comment ability for sets, tables, objects, and chains
    • The nftnl_table struct includes an NFTNL_TABLE_OWNER attribute. Use this attribute to enable the kernel to communicate the owner to the user space.
    • Readiness for incremental updates to flowtable device
    • The typeof keyword related nftnl_set udata definitions
    • A chain ID attribute
    • Capability to remove expressions from a rule
    • Capability for a last expression
  • Bitwise expressions enhancements:

    • New attributes: op and data
    • Left and right shifts
    • Debug output alignment of other expressions
  • Socket expression enhancements:

    • New attribute: wildcard
    • Ability to handle cgroups v2
  • Debug output enhancements:

    • key_end data register included in set elements
    • Removal of unused registers from masq and nat expressions
    • Fix applied to verdict map elements
    • Removed leftovers from dropped XML formatting
    • Payload offset of inner header

iproute Updated to Version 6.2.0

The iproute package is updated to version 6.2.0. Notable changes include:

  • New ip stats command to view and manage interface statistics. See the ip-stats(8) manual page for more information.
  • New --threads option for the ss command to display thread information. See the ss(8) manual page for more information.

  • New bridge fdb flush command to flush forwarding database entries. See the bridge(8) manual page for more information.

Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 8 release.

FIPS-enabled In-place Upgrades of Oracle Linux 8.9 to Latest Oracle Linux 9

Beginning with Oracle Linux 8.9, you can perform in-place upgrades of FIPS-enabled Oracle Linux 8 systems to Oracle Linux 9.2 and later. For more information, see Oracle Linux 9: Upgrading Systems With Leapp.

SCAP Security Guide Updated ANSSI-BP-028 Security Profiles to Version 2.0

The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) BP-028 profiles in the SCAP security guide were updated to align with the version 2.0 guidelines described at https://cyber.gouv.fr/publications/recommandations-de-securite-relatives-un-systeme-gnulinux.

SCAP Security Guide Rule Update for Consistent Interactive User Configuration

Several rules were updated in the SCAP security guide to provide more consistent interactive user configuration. User accounts with UID greater than or equal to 1000 are considered interactive, unless the account username is nobody or nfsnobody, or the account login shell is set to /sbin/nologin. With these updates, SCAP users are no longer considered interactive users.

The following rules are updated for more consistent interactive user configuration:

  • accounts_umask_interactive_users
  • accounts_user_dot_user_ownership
  • accounts_user_dot_group_ownership
  • accounts_user_dot_no_world_writable_programs
  • accounts_user_interactive_home_directory_defined
  • accounts_user_interactive_home_directory_exists
  • accounts_users_home_files_groupownership
  • accounts_users_home_files_ownership
  • accounts_users_home_files_permissions
  • file_groupownership_home_directories
  • file_ownership_home_directories
  • file_permissions_home_directories
  • file_permissions_home_dirs
  • no_forward_files
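The following added example, which isn't part of these release notes, applies the interactive-user definition given above to /etc/passwd-style records so an administrator can preview which accounts the updated rules will evaluate before running a scan. The sample passwd lines are constructed; the UID threshold, the excluded names, and the /sbin/nologin shell are taken from the definition on this page.

```python
"""Added example (not from the Oracle Linux release notes): which accounts count as
"interactive users" under the updated SCAP Security Guide rules."""

MIN_UID = 1000                      # accounts at or above this UID are candidates
EXCLUDED_NAMES = {"nobody", "nfsnobody"}
NOLOGIN_SHELL = "/sbin/nologin"

# Constructed sample; not a real system's passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/lib/backup:/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
# malformed line below is skipped rather than crashing the check
broken:x:notanumber
"""


def parse_passwd(text: str):
    """Parse passwd(5) records into dicts; skip comments and malformed lines."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def is_interactive(user: dict) -> bool:
    """The page's definition: UID >= 1000, not nobody/nfsnobody, shell not /sbin/nologin."""
    return (
        user["uid"] >= MIN_UID
        and user["name"] not in EXCLUDED_NAMES
        and user["shell"] != NOLOGIN_SHELL
    )


def interactive_users(text: str):
    """Return the names of interactive users, in passwd order."""
    return [u["name"] for u in parse_passwd(text) if is_interactive(u)]


if __name__ == "__main__":
    # On a real host, pass open("/etc/passwd").read() instead of the sample.
    print(interactive_users(SAMPLE_PASSWD))
```

Accounts such as svc-backup (a service account with a nologin shell) and nfsnobody (excluded by name even though its UID is above the threshold) are left out, so the home-directory ownership and permission rules listed above won't be applied to them.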

OpenSCAP Updated to 1.3.8

The OpenSCAP packages are updated to version 1.3.8. Notable changes include:

  • Fixes to systemd probes to not ignore some systemd units.
  • Addition of offline capabilities to the shadow OVAL probe.
  • Addition of offline capabilities to the sysctl OVAL probe.
  • Addition of auristorfs to the list of network file systems.
  • Improved handling of tailoring files generated by autotailor.

opencryptoki Updated to 3.21.0

The opencryptoki package is updated to version 3.21.0 and includes the following notable changes:

  • Concurrent hardware security module (HSM) master key updates

  • Added a new protected-key option to transform a chosen key into a protected key

  • Added several key types, including DH, DSA, AES-XTS, Kyber, Dilithium, and generic secret key types

  • Added EP11 host library version 4

  • pkcsslotd no longer runs as root
  • New commands:

    • p11sak set-key-attr: to change key attributes
    • p11sak copy-key: to copy a key
    • p11sak import-key: to import a key
    • p11sak export-key: to export a key

Expanded fanotify Information in Audit Logs

The Audit service includes information about fanotify events in appropriate audit record fields, as follows:

  • fan_type: Specifies the type of fanotify event.

  • fan_info: Specifies added context information.

  • sub_trust and obj_trust: Specify trust levels for a subject and an object in an event.

The fanotify information can clarify causes of access denials in certain cases, and thereby helps with creating policies for tools such as the fapolicyd framework.

This feature is available only in RHCK.

fapolicyd Includes Rule Numbers in Audit Output

Fapolicyd is updated along with kernel and Auditd components to include the rule number when outputting to the audit log so that it's easier to troubleshoot policy related issues.

This feature is available only in RHCK.

SCAP Security Guide Updated to Version 0.1.69

Updates to the SCAP Security Guide include the following notable changes:

  • Password aging rules no longer ignore empty string as passwords.
  • The remote OVAL content URL is updated to be more specific to Oracle Linux 8 to improve memory usage when scanning with --fetch-remote-resources.
  • Rules related to /var/log and /var/log/audit are now only applicable if those partitions exist.
  • Bash remediations are fixed to handle ISO9660 partitions in the fstab.
  • The Oracle Linux 8 stig profile has been updated to comply with DISA Oracle Linux 8 STIG - Ver 1, Rel 8.

Support

The following features, enhancements, and changes related to support are introduced in this Oracle Linux 8 release.

sos Updated to Version 4.6

The sos utility, which is used to collect configuration, diagnostic, and troubleshooting data, is updated to version 4.6 and provides the following notable changes:

  • The contents of the /boot/grub2/custom.cfg and /boot/grub2/user.cfg files are included in reports to help with troubleshooting boot issues.
  • sos masks the bindpw value (the LDAP bind password) in files collected by the sudo plugin.
  • Various improvements to remove and mask username and password information in plugins.
  • sos completes the tailed log collection even when the size limit of the log file is exceeded and when a plugin times out.
  • When running on a Pacemaker cluster node, sos collects the report from the same cluster node where it's run.
  • The sos report --clean command obfuscates all MAC addresses.

For details on each release of sos, see upstream release notes.