Chapter 2 New Features and Changes

This chapter describes new features, major enhancements, bug fixes, and other changes that are introduced in Oracle Linux 9. These features generally apply to both the x86_64 and 64-bit Arm (aarch64) platforms, unless otherwise noted. For information that applies specifically to the Arm platform, see Chapter 5, Release-Specific Information for Oracle Linux 9 (aarch64).

2.1 Installation

The following installation features and changes are introduced in Oracle Linux 9:

  • Graphical installation program activates the network automatically during interactive installations.  In the interactive installation mode that uses the graphical user interface, the network is automatically enabled. Manually activating the network is no longer required.

    Note that this change does not impact the kickstart installations and installations that use the ip= boot option.

  • Licensing and user setting configuration screens no longer part of post installation.  Initial setup screens for licensing and for configuring users that previously appeared as post installation steps are now disabled. To restore these screens, run the following commands, which install and enable the relevant packages, and then reboot the system. The initial setup screens appear after the system finishes booting.

    sudo dnf install initial-setup initial-setup-gui -y
    sudo systemctl enable initial-setup
    sudo reboot

    For kickstart installations, add and enable these packages as follows:

    firstboot --enable
    %packages
    @^graphical-server-environment
    initial-setup-gui
    %end

  • Root account is locked by default.  As an added security feature, the root account in an Oracle Linux 9 installation is locked by default. However, the installation program provides options for you to enable SSH root logins with appropriately set passwords during the installation. For instructions, see Oracle® Linux 9: Installing Oracle Linux.

  • Kickstart changes have been implemented.  The following changes in Oracle Linux 9 affect how you configure automatic installations that use kickstart:

    • All boot options must use the inst. prefix; otherwise, those options are ignored. Add the prefix to previously configured standalone options to maintain their functionality.

    • The new timesource command replaces the previous timezone --ntpservers command, which has been deprecated.

    • The following kickstart commands and options are removed and generate errors if used:

      • device

      • deviceprobe

      • dmraid

      • multipath

      • bootloader --upgrade

      • ignoredisk --interactive

      • partition --active

      • harddrive --biospart

      • autostep

  • Changes to boot options implemented.  The following changes were applied to some boot options:

    • inst.zram and inst.singlelang options are not supported in Oracle Linux 9.

    • inst.loglevel is always set to debug. Other log levels in previous Oracle Linux releases have been removed.
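As an added example (not from the Oracle Linux documentation), the following POSIX shell lint flags the removed kickstart commands and options and the deprecated timezone --ntpservers form listed above, and checks an installer boot line for unprefixed, unsupported, or ineffective options. The sample kickstart and PXE append line are constructed, and INST_OPTS is an assumed subset of the installer's inst. options.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux release notes): lint an Oracle
# Linux 8-style kickstart file and an installer boot line for the Oracle
# Linux 9 changes listed above. The sample kickstart and PXE append line are
# constructed; INST_OPTS is an assumed subset of the installer's options.
set -f   # no pathname expansion while splitting lines into words

# Kickstart commands removed in OL9 (using them is an error).
REMOVED_CMDS='device deviceprobe dmraid multipath autostep'
# Removed command/option pairs, written as command:option.
REMOVED_OPTS='bootloader:--upgrade ignoredisk:--interactive partition:--active harddrive:--biospart'
# Installer options that must carry the inst. prefix or are ignored (assumed subset).
INST_OPTS='ks repo stage2 text graphical vnc sshd cmdline rescue updates dd proxy addrepo'
# Boot options that OL9 no longer supports.
UNSUPPORTED_BOOT='inst.zram inst.singlelang'

# lint_ks: read a kickstart file on stdin, print "LINE: message" per finding.
# Bodies of %packages/%pre/%post sections are skipped so that package names
# such as device-mapper-multipath or script lines are not taken for commands.
lint_ks() {
    n=0 in_section=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*|%include*) continue ;;
            %end*) in_section=0; continue ;;
            %*) in_section=1; continue ;;
        esac
        [ "$in_section" -eq 1 ] && continue
        set -- $line
        cmd=$1
        for c in $REMOVED_CMDS; do
            [ "$cmd" = "$c" ] && echo "$n: '$c' was removed in OL9 and now causes an error"
        done
        for pair in $REMOVED_OPTS; do
            c=${pair%%:*}
            opt=${pair#*:}
            case " $line " in
                " $c "*"$opt"*) echo "$n: '$c $opt' was removed in OL9 and now causes an error" ;;
            esac
        done
        case "$line" in
            timezone*--ntpservers*)
                echo "$n: 'timezone --ntpservers' is deprecated; use the timesource command" ;;
        esac
    done
    return 0
}

# lint_boot_line "OPTIONS": check the kernel command line handed to the installer
# (for example the append= line of a PXE entry). ip= is a dracut option and stays unprefixed.
lint_boot_line() {
    for opt in $1; do
        name=${opt%%=*}
        for known in $INST_OPTS; do
            [ "$name" = "$known" ] && echo "boot: '$opt' lacks the inst. prefix and is ignored in OL9"
        done
        for bad in $UNSUPPORTED_BOOT; do
            [ "$name" = "$bad" ] && echo "boot: '$opt' is not supported in OL9"
        done
        case "$opt" in
            inst.loglevel=debug) ;;
            inst.loglevel=*) echo "boot: '$opt' has no effect; inst.loglevel is always debug in OL9" ;;
        esac
    done
    return 0
}

# Constructed OL8-era kickstart containing constructs that OL9 rejects or deprecates.
SAMPLE_KS=$(cat <<'EOF'
# constructed sample
text
lang en_US.UTF-8
timezone America/New_York --ntpservers=ntp.example.com
autostep
ignoredisk --interactive
bootloader --location=mbr --upgrade
partition /boot --fstype=xfs --size=1024 --active
%packages
@^graphical-server-environment
device-mapper-multipath
%end
%post
dmraid -ay
%end
EOF
)
# Constructed PXE append line mixing prefixed and unprefixed options.
SAMPLE_BOOT='ks=http://ks.example.com/ol9.cfg inst.repo=http://ks.example.com/ol9 inst.zram inst.loglevel=info ip=dhcp'

printf '%s\n' "$SAMPLE_KS" | lint_ks
lint_boot_line "$SAMPLE_BOOT"
```

Run it as `lint_ks < my.cfg` against a real kickstart file; a clean file produces no output.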

2.2 Kernel

The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 9.

  • RHCK kernel is signed with trusted Secure Boot certificates.  This feature eliminates the need to enroll a separate public key to use the kernel versions on systems that have UEFI Secure Boot enabled. Previous releases required you to enroll a separate public key by using the Machine Owner Key (MOK) facility.

  • cgroup-v2 enabled by default.  Version 2 of the control groups (cgroup-v2) is enabled together with version 1 (cgroup-v1).

    cgroup-v2 implements a single hierarchy model to simplify the management of control groups. The model ensures that a process can only be a member of a single control group at a time. The feature is integrated with systemd and improves resource control configuration on an Oracle Linux system.

    Note that feature incompatibilities exist between cgroup-v2 and cgroup-v1. Moreover, control interfaces are different between the two versions. Consequently, third-party software that has a direct dependency on cgroup-v1 might not run properly in the cgroup-v2 environment.

    While both versions are enabled in the kernel, no default control group version is set in the kernel. Instead, the version that mounts at startup is determined by systemd.

    To use cgroup-v1, add the following parameters to the kernel command line:

    systemd.unified_cgroup_hierarchy=0
    systemd.legacy_systemd_cgroup_controller

  • Kernel changes might affect third-party kernel modules.  Linux distributions with a kernel version prior to 5.9 included support for exporting GPL functions as non-GPL functions. This support enabled users to link proprietary functions to GPL kernel functions by using the shim mechanism. In this release, upstream changes have been incorporated into the kernel that enable Oracle Linux to enforce the GPL more strictly. Accordingly, the shim mechanism is now rejected.

    Important

    Partners and independent software vendors (ISVs) should test their kernel modules with an early version of Oracle Linux 9 to ensure compliance with GPL.

  • Fixes to strace utility implemented.  In this release, the strace utility correctly displays SELinux context mismatches through the mismatch parameter, a new extension of the utility's --secontext option. See the following example:

    [...]
    $ strace --secontext=full,mismatch -e statx stat /home/user/file
    statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...
    
    $ strace --secontext=mismatch -e statx stat /home/user/file
    statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...

  • perf-top capable of sorting by a specific column.  The perf-top system profiling tool can sort samples by an arbitrary event column instead of just the first column when multiple events in the group are sampled. Samples are sorted through the --group-sort-idx option, where you press a number key to sort the table by the data column that corresponds to that key. Column numbering starts from 0.

  • New jigawatts package added.  The new jigawatts package includes a Java library that works to improve the functionality of the Checkpoint/Restore in Userspace (CRIU) utility specifically on Java applications.

  • trace-cmd reset behavior change implemented.  Instead of disabling, trace-cmd reset now resets settings of the ftrace framework to their default values. This behavior specifically affects tracing_on, trace_clock, set_event_pid, and tracing_max_latency.

  • Support for Extended Berkeley Packet Filter.  The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that enables code execution in the kernel space in a restricted sandbox environment with access to a limited set of functions. The virtual machine executes special assembly-like code.

  • crash utility 8.0.0.  This version of the utility adds an offset parameter to the add-symbol-file command, which passes the KASLR offset to gdb. This version also upgrades the embedded gdb from gdb-7.6 to gdb-10.2.

  • Changes implemented on makedumpfile utility.  The following enhancements and improvements are in the utility:

    • Support for the Zstandard compression capability.  The utility is thus able to take advantage of zstd's high compression ratios which improve compression efficiency especially in large memory systems. The improved compression mechanism creates a smaller vmcore file within a reasonable compression time.

    • New options improve ways to obtain an estimate of the vmcore size.  The following options can be used with the makedumpfile command:

      • --dry-run performs all operations specified by the command without writing the output file.

      • --show-stats prints the report messages. This option is an alternative to enabling bit 4 in the value that is passed to the --message-level option.

        The following shows an example in the use of these options:

        sudo makedumpfile --dry-run --show-stats -l --message-level 7 -d 31 /proc/kcore dump.dummy

  • numatop utility for Intel Xeon scalable processors supported.  numatop monitors and analyzes threads and processes running on NUMA systems. It uses Intel performance counter sampling technologies and associates the performance data with Linux system runtime information for better analysis of NUMA systems deployed in production.

  • New crashkernel.default file for kdump memory allocation.  In the kexec-tools package, the new crashkernel.default file for kdump contains a default crash kernel value for the corresponding kernel build. kdump uses the value to control the default crash kernel memory value of each kernel.

    crashkernel.default serves as a good reference for kdump memory reservation. By basing on this value, you can configure the desired setting for crashkernel=. Consequently, memory allocation for kdump is improved for systems that have less than 4 GB of available memory.

    To query the default crashkernel value, type:

    sudo kdumpctl get-default-crashkernel

    Note

    In Oracle Linux 9, the crashkernel=auto option in the boot command line is no longer supported for both UEK and RHCK. For a related issue that involves the crashkernel parameter, see Section 4.3.2, “Sub-optimal Kdump settings on some platforms”.

    For more details, refer to the /usr/share/doc/kexec-tools/crashkernel-howto.txt file.

  • Core scheduling functionality added.  The core scheduling functionality enables you to define groups of tasks that can share a CPU core, and thereby exclude tasks that should not trust each other from sharing the same resource. This feature enhances security by mitigating some cross-Symmetric Multithreading (SMT) attacks. It also isolates tasks that need a whole core, such as those that are performed in real-time environments or those that rely on specific processor features, such as Single Instruction, Multiple Data (SIMD) processing.

  • CPU hot-plug in the hv_24x7 and hv_gpci PMUs.  PMU counters can correctly react to the hot plugging of a CPU, such that if an hv_gpci event counter is running on a CPU that becomes disabled, the counting redirects to another CPU.

  • IRDMA driver added.  The IRDMA driver enables RDMA functionality on the following RDMA-capable Intel network devices:

    • Ethernet Network Adapter X722: an Internet Wide-area RDMA Protocol (iWARP) device.

      This device supports only iWARP and a more limited set of configuration parameters.

    • Ethernet Controller E810: a device that supports iWARP and RDMA over Converged Ethernet (RoCEv2).

      This device supports the iWARP and RoCEv2 RDMA transports, Priority Flow Control (PFC), and Explicit Congestion Notification (ECN).

    The IRDMA module replaces as well as extends the Application Binary Interface (ABI) defined for the legacy i40iw module for X722. The change is backward compatible with legacy X722 RDMA-Core provider (libi40iw).

2.3 Software Management

The following software management features and enhancements are introduced in Oracle Linux 9:

  • RPM updated to version 4.16.  The updated version includes notable changes such as the following:

    • Support for new SPEC features such as caret version operator, %autopatch for specifying patch ranges, meta or unordered dependencies, generation of dynamic build dependencies through the %generate_buildrequires section, and so on.

    • RPM is fully based on the sqlite library. For Berkeley DB databases, read-only support is provided.

    • rpm-audit-plugin is a new plugin for recording audit log events on transactions.

    • Validation of UTF-8 headers is performed at build time.

    • Increased parallelism is applied in package builds.

  • New RPM plugin notifies fapolicyd about changes during RPM transactions.  Updated rpm packages include a new RPM plugin that integrates the fapolicyd framework with the RPM database. By informing fapolicyd about any installed and changed files during an RPM transaction, the plugin enables fapolicyd to support integrity checking. The plugin's functionality extends its coverage beyond just Yum transactions to changes made by RPM as a whole. Thus, the plugin is effectively a replacement to the Yum plugin.

  • Support for signing keys using EdDSA public key algorithm added to the rpm command.  This added support to the rpm command enables you to use EdDSA-generated keys for signing and verifying packages. However, RSA continues to be the default public key algorithm in GnuPG.

  • RPM supports Zstd algorithm.  RPM supports the Zstandard (zstd) compression algorithm, which makes package installations faster, especially in large transactions. Oracle Linux 9 uses Zstandard as the default compression algorithm.

  • New options available for DNF.  The following are new DNF options:

    • exclude_from_weak_autodetect automatically detects unwanted weak dependencies of packages being installed. Thus, providers of the weak dependencies are not installed as weak dependencies. However, if pulled in, these weak dependencies are installed as regular dependencies. The option is enabled by default.

    • exclude_from_weak prevents the installation of packages as weak dependencies.

  • libmodulemd packages updated to version 2.13.0.  This version of libmodulemd packages includes the following features and changes:

    • Support for delisting demodularized packages from a module.

    • Support for validating modulemd-packager-v3 documents by using modulemd-validator --type, where --type is a new option.

    • Fortified integer parsing.

2.4 Shells and Command-Line Tools

The following shells and command-line tools features and improvements are introduced in Oracle Linux 9:

  • bash readline library version 8.1 is supported.  In this library, bracketed paste mode is enabled by default. This mode causes text that you paste on your terminal to be highlighted and requires you to press Enter to execute the command in the text. This feature helps prevent pasted text from executing malicious commands before you have reviewed it.

    To disable the feature, add the following line to either ~/.inputrc or /etc/inputrc:

    set enable-bracketed-paste off

    • If added to ~/.inputrc, the feature is disabled for a specific user.

    • If added to /etc/inputrc, the feature is disabled for all users.

    Disabling the feature causes pasted commands on the terminal to be immediately executed.

  • Additional shell related packages are available with updated versions.

    • opal-prd 6.7.1

    • lsvpd 1.7.12

    • Fetchmail 6.4.24

    • Eigen 3.4

  • New cdrskin package is introduced.  The package replaces the cdrecord executable. However, the cdrskin package includes the cdrecord command as a symbolic link to the cdrskin binary so that existing user scripts need not be revised.

  • util-linux-core added as a package.  The util-linux-core package is added as a subpackage of the util-linux package to manage scenarios where the installed package size is a critical issue, such as in buildroots, some containers, and boot images.

    However, for standard installations, install the util-linux package, which automatically includes the util-linux-core package.

2.5 Compilers and Development Tools

Oracle Linux 9 introduces the following features, enhancements, and changes to compilers and development toolsets.

Summary list of tools and compilers and their latest versions

  • System toolchain components

    • GCC 11.2.1

    • glibc 2.34

    • binutils 2.35.2

  • Performance tools and debuggers

    • GDB 10.2

    • Valgrind 3.18.1

    • SystemTap 4.6

    • Dyninst 11.0.0

    • elfutils 0.186

  • Performance monitoring tools

    • PCP 5.3.5

    • Grafana 7.5.11

  • Compiler toolsets

    • LLVM Toolset 13.0.1

    • Rust Toolset 1.58.1

    • Go Toolset 1.17.7

  • python-jsonpointer is rebased to version 2.0

  • grafana-pcp is rebased to 3.2.0

Selected Feature Descriptions

The following are brief descriptions of some of the tools and compilers:

  • GCC 11.2.  This version includes notable changes such as the following:

    • DWARF Version 5 is used as the default debugging format.

    • Diagnostic column numbers are real column numbers by default and account for multicolumn characters.

    • The straight-line code vectorizer considers the whole function when vectorizing.

    • A series of conditional expressions that compare the same variable can be transformed into a switch statement if each of them contains a comparison expression.

    • Interprocedural optimizations have been improved through a new IPA-modref pass, which tracks side effects of function calls and improves the precision of points-to analysis, and the identical code folding pass, which is improved to increase the number of unified functions and reduce compile-time memory use.

    • Memory allocation during linking is improved to reduce peak memory use.

    • Through the new GCC_EXTRA_DIAGNOSTIC_OUTPUT environment variable, IDEs can request machine-readable "fix-it hints" without adjusting build flags.

  • Go Toolset 1.17.7.  This version includes notable changes such as the following:

    • The GO111MODULE environment variable is set to on by default. To revert this setting, set the variable to auto.

    • The Go linker uses fewer resources and improves code robustness and maintainability on all supported CPU architectures and operating systems.

    • The new embed package enables you to embed files into a binary at compile time and access them at run time.

    • All functions of the io/ioutil package have been moved to the io and os packages, both of which provide better definitions.

    • The Delve debugger 1.6.0 supports Go Toolset 1.16.6.

  • Go FIPS mode is supported with OpenSSL 3.  With this support, you can use the OpenSSL library while on Go FIPS mode.

  • Rust Toolset updated to version 1.54.0.  This version includes notable changes such as the following:

    • The Rust standard library is available for the wasm32-unknown-unknown target and enables you to generate WebAssembly binaries, including newly stabilized intrinsics.

    • You can use constant-value parameters to define generics. This change enables you to write functions completely generic over the values of any integer, boolean, or character type, and arrays generic over their element type as well as their length. Additionally, you can iterate over the items of an array by value by using the standard library's new std::array::IntoIter API.

    • Rust includes the IntoIterator implementation for arrays. Use the IntoIterator trait to iterate over arrays by value and pass arrays to methods. However, array.into_iter() still iterates values by reference until the 2021 edition of Rust.

    • The syntax for or patterns allows nesting anywhere in the pattern, for example: Pattern(1|2) instead of Pattern(1)|Pattern(2).

    • Unicode identifiers can contain all valid identifier characters as defined in the Unicode Standard Annex #31.

    • Methods and trait implementations have been stabilized.

  • LLVM Toolset updated to version 12.0.1.  This version includes notable changes such as the following:

    • New compiler flag -march=x86-64-v[234] introduced.

    • Compiler flag -fasynchronous-unwind-tables of the clang compiler is the default on Oracle Linux aarch64 systems in this release.

    • The clang compiler supports the C++20 [[likely]] and [[unlikely]] attributes.

    • With the newly added function attribute tune-cpu, microarchitectural optimizations can be applied independently from the target-cpu attribute or TargetMachine CPU.

    • The -fsanitize=unsigned-shift-base sanitizer is added to the integer sanitizer -fsanitize=integer to improve security.

    • The WebAssembly backend is now enabled in LLVM, which enables you to generate WebAssembly binaries with LLVM and Clang.

  • CMake updated to version 3.20.2.  This version includes notable changes such as the following:

    • C++ compiler modes can be specified through the target properties CXX_STANDARD, CUDA_STANDARD, and OBJCXX_STANDARD or, alternatively, the cxx_std_23 metafeature of the compile features section.

    • The NVIDIA CUDA compiler as a symbolic link is supported.

    • The Intel oneAPI NextGen LLVM compilers are supported with the IntelLLVM compiler ID.

    • CMake now facilitates cross compiling for Android by merging with the Android NDK’s toolchain file.

    • When generating a project build system, the cmake command rejects unknown arguments that start with a hyphen.

    To use CMake on projects that require this or an earlier version, use the command cmake_minimum_required(VERSION 3.20.2).

  • Java in Oracle Linux 9.  In this release, Java includes the following packages:

    • java-17-openjdk

    • java-11-openjdk

    • java-1.8.0-openjdk

  • Java tools implementation.  In this release, Java tools include the following:

    • Maven 6.3.6

    • Ant 1.10.9

    You can install these tools as non-modular RPM packages from AppStream.

  • SWIG 4.0 is available in CodeReady Builder repository.  Version 4.0 of Simplified Wrapper and Interface Generator (SWIG), which includes support for PHP 8, can be installed as an RPM package from the CRB repository.

  • pcp 5.3.5.  The Performance Co-Pilot (PCP) package (pcp) includes bug fixes, enhancements, and new features, including the following:

    • A large number of hosts can have performance metrics centrally logged (pmlogger farms) and automatically monitored with performance rules (pmie farms).

    • New pcp-ss tool for historical socket statistics is supported.

    • pcp-htop tool is improved.

    • Extensions have been added to the over-the-wire PCP protocol, which support higher resolution timestamps.

2.6 Database

Oracle Linux 9 is distributed with the MySQL 8.0 database software. For this software's documentation, see https://dev.mysql.com/doc/relnotes/mysql/8.0/en/.

2.7 Desktop

The following desktop features are included with Oracle Linux 9:

  • GNOME desktop environment updated to version 40.  This version includes numerous new and improved features, including a redesigned Activities Overview that provides for better navigation of the system and the launching of applications. Note that workspaces are now arranged horizontally and the window overview, as well as the application grid, are accessed vertically.

  • Pipewire is the default audio service.  Pipewire replaces both the PulseAudio and Jack audio services that were used in previous releases. All audio applications that use these earlier services are redirected to Pipewire. Jack applications work well with the default Oracle Linux configuration and therefore do not require additional configuration.

  • Power profiles provided in GNOME.  Power profiles enable you to optimize power usage of your system. The selected profile persists across system reboots. You can select from the following:

    • Performance sets the system for peak performance but reduces battery life. The profile is not available in all system configurations.

    • Balanced is the default profile which provides standard performance and power consumption.

    • Power Saver prioritizes battery life and can impact system performance. The system switches to this profile automatically if low battery level is detected.

  • Boot loader introduces changes.  Configuration files are unified across CPU architectures. These files are stored in /boot/grub2, regardless of the platform. The grub.cfg file that GRUB previously used on UEFI systems is now a symbolic link to /boot/grub2/grub.cfg. This change provides benefits, such as improved user experience, simplified GRUB layout configuration, the ability to boot the same installation with either EFI or legacy BIOS, and so on.

  • Langpacks have replaced comps language groups.  Previously, language support was provided by comps language groups, which required you to install the corresponding code-support package. In this release, install the langpacks-code package instead, where code is the language code.

  • Single-application GNOME sessions supported.  This support enables users to use a lightweight UI for single applications. Also described as the kiosk mode of a GNOME session, this feature displays a full-screen window only of the application that you have configured. In this mode, use of resources is less intensive than in a standard GNOME session.

2.8 Dynamic Programming Languages, Web, and Database Servers

Oracle Linux 9 includes several notable feature changes and improvements for dynamic programming languages, and web and database servers. This release also introduces new and improved module streams, which are described in the following list:

  • Python 3.9.  Python 3.9 is the default version in Oracle Linux 9, and is also installed by default. Python 3.9 will be supported for the entire Oracle Linux 9 life cycle. However, additional versions of Python 3 are also distributed as RPM packages with a shorter life cycle through the AppStream repository. These versions can be installed in parallel.

    The /usr/bin/python command and other Python-related commands, such as pip, are made available in an unversioned form and point to the default Python 3.9 version.

    Note

    Python 2 is excluded in Oracle Linux 9.

  • Node.js 16.  The following are notable changes:

    • The V8 engine is updated to version 9.2.

    • The npm package manager is updated to version 7.20.3.

    • A new Timers Promises API that provides an alternative set of timer functions that return Promise objects is included.

    • A new experimental Web Streams API is included.

    • Node.js is compatible with OpenSSL version 3.0.

    Node.js 16 is the initial version of this Application Stream. However, additional Node.js versions will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.

  • Ruby 3.0.3.  The following are notable changes:

    • Concurrency and parallelism features, such as Ractor and Fiber Scheduler.

    • Static analysis features, such as the RBS language and the TypeProf utility.

    • Pattern matching with the case/in expression is no longer experimental.

    • The experimental one-line pattern matching feature is redesigned.

    • The Find pattern is added as an experimental feature.

    Ruby 3.0 is the initial version of this Application Stream. Additional versions of Ruby will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.

  • Perl 5.32.  This version includes numerous enhancements and bug fixes, some of which are the following:

    • Support for Unicode 13.0

    • Enhanced qr quote-like operator

    • Alpha assertions and script runs no longer experimental

    • Faster feature checks

    • Ability to dump compiled patterns prior to optimization

    Perl 5.32 is the initial version of this Application Stream. Additional versions of Perl will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.

  • PHP 8.0.  This version includes numerous enhancements and bug fixes, some of which are the following:

    • New self-documented and order-independent named arguments so you can specify only required parameters

    • New attributes for using structured metadata with PHP's native syntax

    • New union types for using native union types in place of PHPDoc annotations for a combination of types. These types are validated at runtime.

    • Error exception is consistently generated when parameter validation fails.

    • Improved Just-In-Time compilation performance

    PHP 8.0 is the initial version of this Application Stream. Additional versions of PHP will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.

  • Git 2.31 and Git LFS 2.13.  Git 2.31 includes numerous enhancements, some of which are the following:

    • Status of sparse checkout is included in the output of git status.

    • git archive --add-file includes untracked files in a snapshot from a tree-like identifier.

    • clone.defaultRemoteName enables you to customize the nickname for a source remote repository.

    • Maximum length of output file names is now configurable beyond the previous 64 byte limit.

    • PCRE1 library no longer supported.

    In addition, the Git Large File Storage (LFS) extension 2.13 includes numerous enhancements, some of which are the following:

    • SHA-256 repositories, as well as the socks5h protocol, are supported.

    • The git lfs install|uninstall commands include a new --worktree option.

    • The git lfs migrate import command includes a new --above option.

  • Subversion 1.14.  Subversion 1.14 is the initial version of this Application Stream. Additional versions of Subversion will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.

  • Apache HTTP Server 2.4.51.  The following are notable changes:

    • Changes to the Apache HTTP Server Control Interface (apachectl)

      • In the apachectl status output, systemctl pager is disabled.

      • Instead of the previous behavior of issuing warnings, apachectl fails if you include additional arguments to the command.

      • The graceful-stop subcommand returns immediately.

      • The configtest subcommand runs httpd -t without changing the SELinux context.

    • The Apache eXtenSion tool (apxs) does not use or expose compiler optimization flags in the process of building the httpd package.

    • The mod_lua Apache module is provided in a separate package.

    • In the mod_access_compat module's deprecated Allow directive, the use of the comment character (#) generates a syntax error.

    • Kernel thread IDs are directly used in error log messages for accuracy and conciseness.

    Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install easily as an RPM package.

  • nginx 1.20.  The following are notable changes:

    • Support for client SSL certificate validation using the Online Certificate Status Protocol (OCSP).

    • Cache clearing when free disk space runs low is supported through the min_free parameter of the proxy_cache_path directive.

    • A new ngx_stream_set_module module is introduced.

    • New directives as well as directive variables are supported.

    • Support for HTTP/2 is improved.

  • Varnish Cache 6.6.  Varnish Cache 6.6, which is a high-performance HTTP reverse proxy, provides a number of enhancements and bug fixes over the previously available version 6.0.

    Varnish Cache 6 is the initial version of this Application Stream.

  • Squid 5.2.  Squid 5.2 is a high-performance proxy caching server for web clients. Squid 5.2 includes support for FTP, Gopher, and HTTP data objects as well as the following additional features:

    • Uses a received IP address immediately when request forwarding requires it.

    • New directives have been introduced.

    • dns_v4_first directive no longer included in this version.

    • Uses the CDN-Loop header for loop detection in Content Delivery Networks (CDN).

    • Internet Content Adaptation Protocol (ICAP) trailers introduced as a new feature to enable ICAP agents to reliably send message metadata after the message body.

    • New configuration options are introduced to replace existing ones, such as mark_client_packet for clientside_mark and shared_transient_entries_limit for collapsed_forwarding_shared_entries_limit.

    Squid 5.2 is the initial version of this Application Stream.

  • MySQL 8.0.  Oracle Linux 9 includes MySQL version 8.0. MySQL 8.0 is the initial version of this Application Stream.

  • Redis 6.2.  Among the enhancements and fixes in this version, the most notable is that the Redis server configuration files are now in a dedicated directory: /etc/redis/redis.conf and /etc/redis/sentinel.conf. In Oracle Linux 8, these files were located at /etc/redis.conf and /etc/redis-sentinel.conf.

    Redis 6 is the initial version of this Application Stream. In future minor releases of Oracle Linux 9, additional Redis versions will be provided as modules with a shorter life cycle.

  • MariaDB.  MariaDB is updated to version 10.5.

  • PostgreSQL.  PostgreSQL is updated to version 13.

2.9 File Systems

The following file system features are included in Oracle Linux 9:

  • XFS file system includes new features.  The XFS file system supports two new options for the mkfs.xfs command: bigtime that supports timestamps beyond the year 2038 and inobtcount that reduces mount time on large file systems.

    Caution

    These options are enabled by default. Consequently, in Oracle Linux 9, the mkfs.xfs command creates an XFS file system that is unmountable by previous kernels where these options are not supported. To disable these options, type the mkfs.xfs command as follows:

    mkfs.xfs -m bigtime=0,inobtcount=0

    For more information about file systems in Oracle Linux, see Oracle® Linux 9: Managing Local File Systems.

  • ext4 file systems support 2038 or later timestamps.  The ext4 file system supports timestamps beyond the year 2038. This feature is enabled automatically and requires only that the inode size is not lower than the default size of 128 bytes.

  • exFAT support.  The Extensible File Allocation Table (exFAT) file system, which is typically the default file system on flash memory, is now supported.

  • GFS2 uses format version 1802.  In this release, GFS2 file systems are created with format version 1802, which provides the following benefits:

    • Extended attributes in the trusted namespace are recognized by gfs2 and gfs2-utils.

    • The rgrplvb option is active by default. Thus, gfs2 can attach updated resource group data to DLM lock requests. The node that acquires the lock does not need to update the resource group information from disk. The overall result is performance improvement.

    File systems that are created with the new format version cannot be mounted under previous Oracle Linux versions. Likewise, these file systems cannot be checked by previous versions of the fsck.gfs2 utility.

    To create a file system with the older format version, use the following syntax:

    sudo mkfs.gfs2 -o format=1801

    To upgrade file systems that use the previous format, unmount the file system, then run the following command:

    sudo tunegfs2 -r 1802 device

    Note that downgrading from the new format is not supported.

2.10 High Availability and Clusters

The following high availability and clustering features are included in Oracle Linux 9:

  • resource-stickiness meta-attribute default is 1 instead of 0 for newly-created clusters.  The change is in response to user preference that resources are not automatically moved in the process of a cluster balancing operation. Only newly-created clusters are affected by this change. The behavior does not change for existing clusters.

    This new default value of 1 keeps the resources in place during balancing. However, a possible consequence might be that newly added nodes become resourceless and would require the administrator to manually intervene to allot resources to the nodes. Both resource stickiness (1) and non-stickiness (0) can produce unexpected behavior. However, user preference is to implement stickiness for resources.

    If you prefer the old behavior for your cluster, delete the resource-stickiness entry from resource defaults.

  • New LVM volume group flag for controlling autoactivation.  The setautoactivation flag controls whether logical volumes that are created from a volume group are automatically activated upon startup. When creating a volume group to be managed by Pacemaker in a cluster, you can set this flag to n by using the vgcreate --setautoactivation n command for the volume group. Running this command prevents possible data corruption. If you have an existing volume group that is used in a Pacemaker cluster, set the flag by using the vgchange --setautoactivation n command.

  • New command options for pcs resource status and pcs stonith status.  The pcs resource status and the pcs stonith status commands include support for the following new options:

    • The pcs resource status node=node_id and pcs stonith status node=node_id options display the status of resources that are configured on a specific node.

    • The pcs resource status resource_id and pcs stonith status resource_id options display the status of a single resource.

    • The pcs resource status tag_id and pcs stonith status tag_id options display the status of all of the resources with a specified tag.

  • pcs resource safe-disable command includes a new reduced output display option.  To print errors only in a report instead of including lengthy simulation results, you can use the --brief option in some pcs resource subcommands as follows:

    • pcs resource safe-disable --brief

    • pcs resource disable --safe --brief

    The error report now always contains resource IDs of affected resources.

  • New pcs command introduced for updating SCSI fencing devices.  The new pcs stonith update-scsi-devices command enables you to update SCSI devices without causing a restart of other cluster resources. By contrast, the pcs stonith update command restarts all of the resources that are running on the same node on which the stonith resource was running.

  • fence_watchdog agent for configuring watchdog-only SBD setup.  Use the new fence_watchdog agent to configure a watchdog-only SBD setup. This setup enables cluster configurations where only some nodes use watchdog-only SBD for fencing, while other nodes use other fencing types. Note that a cluster may only have a single such device, and it must be named watchdog. Previous watchdog-only SBD configurations had no such flexibility and required that all of the nodes in the cluster use SBD.

  • Local mode version of pcs cluster setup command supported.  The --corosync-conf option switches the pcs cluster setup command to local mode. In this mode, the pcs command creates a corosync.conf file and saves it on the local node only, without communicating with any other node. You can thus create a corosync.conf file in a script and handle that file by using a script.

  • Automatic removal of location constraint following resource move.  The pcs resource move command adds a constraint to the resource to prevent it from running on its original node. By default, the location constraint is automatically removed when the resource has been moved. The removal does not necessarily move the resource back to the original node. Where resources can run at that point depends on how your resources are initially configured. To move a resource and leave the resulting constraint in place, use the pcs resource move-with-constraint command.

  • pcs command accepts Promoted and Unpromoted roles.  The pcs command accepts the Promoted and Unpromoted roles anywhere roles are specified in the Pacemaker configuration. Note that these role names are the functional equivalent of the Master and Slave Pacemaker roles that were used in previous releases. Also, these role names are visible in configuration displays and help pages.

2.11 Infrastructure Services

Oracle Linux 9 introduces several version updates to infrastructure and command-line tools, as well as other notable improvements, including the following:

  • chrony updated to version 4.1.  This updated chrony package includes the following notable changes:

    • Additional support for Network Time Security (NTS) authentication.

    • In Oracle Linux 9, authenticated Network Time Protocol (NTP) sources are trusted over non-authenticated NTP sources. To restore the previous behavior, add the authselectmode ignore directive to the chrony.conf file.

    • Removal of support for authentication with the following RIPEMD keys: RMD128, RMD160, RMD256, RMD320.

    • Removal of support for long non-standard MACs in NTPv4 packets. If you are using chrony 2.x non-MD5/SHA1 keys, you need to configure the affected sources in chrony by using the version 3 option.

    The following differences exist between this release's version of chrony and the version in Oracle Linux 8:

    • The seccomp filter is enabled by default.

      The -F Z option is set in /etc/sysconfig/chronyd.

    • The seccomp filter conflicts with the mailonchange directive. If you set this directive in /etc/chrony.conf, then disable the filter by removing the -F Z setting.

2.12 Networking

Oracle Linux 9 introduces the following networking features, enhancements, and changes:

  • WireGuard is available on UEK.  WireGuard is a Virtual Private Network (VPN) implementation with advanced security features, but is also designed to be simple to use and can be a replacement for earlier tunneling protocols. WireGuard has been in production support in the UEK release since UEK R6U3 and continues to be a supported feature in Oracle Linux 9, with UEK R7. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7. To configure WireGuard, see Oracle® Linux: Configuring Virtual Private Networks.

    Note, however, that in RHCK, WireGuard is available only as a Technology Preview. See Section 2.17, “Technology Preview”.

  • diag modules available with kernel image.  The kernel image includes the following diag modules:

    CONFIG_INET_DIAG
    CONFIG_INET_RAW_DIAG
    CONFIG_INET_TCP_DIAG
    CONFIG_INET_UDP_DIAG
    CONFIG_INET_MPTCP_DIAG
    CONFIG_NETLINK_DIAG
    CONFIG_PACKET_DIAG
    CONFIG_UNIX_DIAG

    Because these modules are built into the kernel image, the ss command no longer needs to load them dynamically. This change facilitates debugging of networking issues regardless of the customer's policy on loading kernel modules.

  • Core and IPv4-related networking kernel parameters added to sysctl.  For a list of these parameters and their descriptions, install the kernel-doc package and refer to the following files:

    • /usr/share/doc/kernel-doc-version/Documentation/admin-guide/sysctl/net.rst

    • /usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.rst

  • Nmstate API uses more inclusive terminology.  As part of an ongoing effort to make terms more inclusive, the term slave has been replaced with the term port in the Nmstate API.

  • NetworkManager support for queue_id in a bond port.  NetworkManager ports that are in a bond support setting the queue_id parameter.

    For example, if eth1 is a port of a bond interface, you can enable the queue_id parameter for that bond port by using the following command:

    sudo nmcli connection modify eth1 bond-port.queue-id 1
    sudo nmcli connection up eth1

    Note

    A network interface that needs to use this option should configure it with multiple calls until the appropriate priorities are set for all interfaces. For more information, see the /usr/share/doc/kernel-doc-version/Documentation/networking/bonding.rst file, which is provided in the kernel-doc package.

  • Oracle-provided RDMA packages.  Oracle provides Remote Direct Memory Access (RDMA) packages for use with UEK R7 to enable direct memory access between two systems that are connected by a network. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7.

2.13 Security

Oracle Linux 9 introduces the following security features, enhancements, and changes:

  • System-wide crypto-policies are more secure.  System-wide cryptographic policies are more secure through the disabling of older cryptographic algorithms and an increased minimum RSA key size. Use of SHA-1 is restricted in the DEFAULT crypto policy: with the exception of HMAC and DNSSEC usage, SHA-1 is not allowed in the TLS, DTLS, SSH, IKEv2, and Kerberos protocols. As part of this change, some algorithms have been disabled.

    If you require that some of the disabled algorithms and ciphers be enabled, use policy modifiers or customize the policy.

  • OpenSSL version 3.0.1 is supported.  This version contains enhancements and fixes such as a new versioning scheme, support for new algorithms, a new HTTP(S) client that supports GET and POST, and many others. The following are features related to OpenSSL:

    • OpenSSL supports the new concept of providers.  The OpenSSL 3.0.1 toolkit introduces the concept of providers, which are collections of algorithms from which you can choose for different applications. The following providers are available: base, default, FIPS, legacy, and null.

      By default, OpenSSL loads and activates the default provider, which comprises commonly used algorithms such as RSA, DSA, DH, CAMELLIA, SHA-1, and SHA-2. If the FIPS flag is set in the kernel, the FIPS provider is loaded automatically, and no manual switch to FIPS mode is required. To change the provider at the system level, edit the openssl.cnf configuration file.

      Caution

      Explicitly activating a provider overrides the default provider selection, which might make the system remotely inaccessible.

    • OpenSSL random bit generator includes CPACF support.  The openssl packages provide support for the CP Assist for Cryptographic Functions (CPACF) in the OpenSSL NIST SP800-90A-compliant AES-based deterministic random bit generator (DRBG).

    • openssl-spkac can create SPKAC files signed with SHA-1 and SHA-256.  You can use the openssl-spkac utility to create Netscape signed public key and challenge (SPKAC) files that are signed with hashes other than MD5. Specifically, you can create and verify SPKAC files that are signed with SHA-1 and SHA-256 hashes.

      To use FIPS-approved only algorithms, you need only to set the FIPS flag in the kernel. OpenSSL then opens the FIPS provider that contains the approved algorithms. Thus, you no longer need to switch OpenSSL to FIPS mode.

  • openCryptoki 3.17.0 is supported.  Some differences exist between this version and what is provided upstream. Although opencryptoki supports the old data format that uses non-FIPS-approved algorithms, the FIPS provider no longer allows those algorithms. Thus, you must migrate your existing tokens to the new format before enabling FIPS mode on your system. To migrate tokens that use the old data format, use the pkcstok_migrate utility. See https://www.ibm.com/docs/en/linux-on-systems?topic=tools-pkcstok-migrate.

  • GnuTLS version 3.7.3 provided.  The gnutls 3.7.3 packages include numerous improvements and bug fixes over previous versions, including the following: fixed timing of the early data (zero round-trip data, 0-RTT) exchange; the certtool tool no longer inherits the CRL (Certificate Revocation List) distribution point from the certificate authority (CA) when signing a certificate signing request (CSR).

  • Network Security Services 3.71.  The Network Security Services (NSS) libraries 3.71 support only the SQLite format. Support for the legacy DBM format has been removed.

  • System Roles support VPN management.  With the availability of VPN support, Oracle Linux System Roles can be used to more easily create VPN tunnels for host-to-host and mesh connections that involve large numbers of hosts. Consequently, you obtain a VPN configuration interface as well as tunneling configurations that are more stable and consistent within the System Roles project.

  • OpenSSH updated to version 8.7p1.  OpenSSH 8.7p1 includes notable features and enhancements such as LogVerbose configuration, client address-based rate-limiting through new directives, support for Universal 2nd Factor (U2F) hardware authenticators specified by the FIDO Alliance, and others. This version also includes the following fixes:

    • A bug fix to address an exploitable integer overflow issue in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it.

    • A bug fix to clarify the semantics of the ClientAliveCountMax=0 keyword has been implemented in Oracle Linux 9. Instead of the previous behavior of instantly killing the connection after the first liveness test, regardless of its success, the mechanism entirely disables connection killing.

    • Added protection is provided for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown, and RAMBleed. Oracle Linux 9 encrypts private keys when not in use with a symmetric key that is derived from a relatively large “prekey” that consists of random data (currently 16 KB).
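    The following is an added illustration of the prekey mechanism described in the last item; it is not OpenSSH code. OpenSSH derives the shielding key from the 16 KB random prekey with SHA-512 and encrypts the key with its AES-CTR cipher. The example keeps the same derivation but substitutes an HMAC-SHA256 counter-mode keystream for the cipher (a labelled stand-in, not the OpenSSH cipher) so that it runs with only the Python standard library, and it shows why the prekey is large: an attacker who reads memory through a side channel has to recover every one of the 16 KB exactly, because a single wrong bit derives a different key.

```python
"""Shielding a private key at rest with a large random prekey.

Added illustration, not OpenSSH's own code. OpenSSH derives the shielding key
from a 16 KB random prekey with SHA-512 and encrypts with its AES-CTR cipher;
here the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode
so the example needs only the standard library.
"""
import hashlib
import hmac
import os
from typing import Tuple

PREKEY_BYTES = 16 * 1024  # 16 KB of random data, the size quoted in the notes


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (illustrative stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_key(prekey: bytes) -> bytes:
    """Every byte of the prekey feeds the hash, so the derived key is wrong
    unless the whole 16 KB is known exactly."""
    return hashlib.sha512(prekey).digest()[:32]


def shield(private_key: bytes) -> Tuple[bytes, bytes]:
    """Encrypt private_key under a key derived from a fresh random prekey.

    Returns (prekey, ciphertext). Both stay in process memory, but an attacker
    reading memory through a speculation or memory side channel has to recover
    the full prekey bit-exactly instead of a few hundred key bytes.
    """
    prekey = os.urandom(PREKEY_BYTES)
    stream = _keystream(_derive_key(prekey), len(private_key))
    return prekey, bytes(a ^ b for a, b in zip(private_key, stream))


def unshield(prekey: bytes, ciphertext: bytes) -> bytes:
    """Recover the private key for the short time it is actually needed."""
    stream = _keystream(_derive_key(prekey), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single bit error in what a side channel leaked."""
    buf = bytearray(data)
    buf[index // 8] ^= 1 << (index % 8)
    return bytes(buf)


def demo() -> bool:
    """Round trip succeeds with the exact prekey and fails with one bit wrong."""
    # Constructed sample key bytes; a real caller passes the parsed key blob.
    secret = b"-----CONSTRUCTED SAMPLE PRIVATE KEY BYTES-----" * 4
    prekey, ct = shield(secret)
    intact = unshield(prekey, ct) == secret
    damaged = unshield(flip_bit(prekey, 12345), ct) != secret
    return intact and damaged


if __name__ == "__main__":
    print("shield/unshield demo:", "ok" if demo() else "FAILED")
```

    The XOR keystream here carries no integrity tag; that is acceptable for a key that only ever lives in the same process, which is the situation the OpenSSH mitigation addresses, but it is not a general-purpose encryption scheme.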

  • Libreswan 4.6 is supported.  This version of Libreswan contains enhancements and fixes. Notably, because IKEv2 is now generally deployed, IKEv1 packets are no longer supported by default. If your setup requires the use of IKEv1 packets, you can enable support for these packets by adding the ikev1-policy=accept line to the /etc/ipsec.conf file.

  • stunnel 5.62 is supported.  This package version includes bug fixes and enhancements such as enabling or disabling the resumption of a session through the sessionResume option and the availability of a Bash-completion script.

  • nettle updated to version 3.7.3.  This new version contains the following enhancements:

    • New algorithms and modes are supported, such as Ed448, SHAKE256, AES-XTS, and SIV-CMAC.

    • Support is provided for architecture-specific optimizations for existing algorithms.

  • pk11-kit updated to version 0.24.  In this package version, the subdirectory for the location of distrusted Certificate Authorities is renamed blocklist for easier identification.

  • cyrus-sasl uses GDBM instead of Berkeley DB.  The cyrus-sasl package no longer has the libdb dependency. Further, the sasldb plugin uses the GDBM (GNU dbm) database format instead of Berkeley DB.

    To migrate existing SASL databases that are stored in the old Berkeley DB format, use the following command:

    cyrusbdb2current sasldb-path new-path

  • SELinux policy is up to date with the current kernel.  SELinux performance has improved through faster loading of the SELinux policy into the kernel, reduced memory overhead, and more efficient disk space use. Additionally, the SELinux policy integrates well with the current kernel and can use the current kernel's permissions, classes, and capabilities, which improves security. Better granularity in defining permissions enables systems to run with the MLS SELinux policy, which can prevent systems with permissions that are undefined in the policy from starting.

    Additionally, SELinux can be disabled only by using the selinux=0 parameter on the kernel command line. Using the older method of disabling SELinux in the /etc/selinux/config file does not disable SELinux; instead, SELinux stays enabled but no policy is loaded.

    By default, the SELinux policy prohibits commands that use libraries requiring text relocation. SELinux permits such commands only if the library files have the textrel_shlib_t label.

  • scap-security-guide 0.1.60 changes.  In this version, the rules for hardening the PAM stack use authselect as the configuration tool.

  • fapolicyd version 1.1 is supported.  The following are notable features in this version:

    • The /etc/fapolicyd/rules.d/ directory replaces /etc/fapolicyd/fapolicyd.rules as the place to store the rule files that allow or deny execution.

    • The new /etc/fapolicyd/trust.d directory supports splitting the list of trusted files across multiple files. You can add an entry for a file to one of these files by using the fapolicyd-cli -f command together with the --trust-file directive.

    • White spaces in file names are supported through the fapolicyd trust database.

    • fapolicyd stores the correct path to an executable file when it adds the file to the trust database.

  • Rsyslog package includes rsyslog-mmfields subpackage.  The subpackage provides the mmfields module as an alternative to the property replacer field extraction. The module extracts all the fields at once and stores them inside the structured data part. Thus, mmfields enables you to process field based log formats such as the Common Event Format (CEF). You can also use the module in cases where you need a large number of fields, or reuse specific fields.
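    To make the field-at-once idea concrete, the following is an added stand-alone illustration of the kind of extraction mmfields performs on Common Event Format (CEF) records; it is not rsyslog code and does not use the rsyslog API. The f1..f8 field numbering mirrors what the module is assumed to produce, and the two CEF log lines are constructed samples. The parser handles the CEF escapes (\| in header fields, \= inside extension values) that a naive split on the separator gets wrong.

```python
"""Field-at-once extraction of Common Event Format (CEF) records.

Added illustration, not rsyslog code. It mirrors what the mmfields module does
when configured with separator="|": every field is cut out in one pass and kept
as structured data rather than being extracted one property at a time. Field
names f1..f8 follow the module's numbering (assumed here); the header names and
the sample log lines are constructed.
"""
import re
from typing import Dict, List

HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                "device_version", "signature_id", "name", "severity")

# An extension key is a run of key characters followed by "=" at the start of
# the extension or after whitespace; an escaped "\=" inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_fields(text: str, separator: str, maxsplit: int) -> List[str]:
    """Split on separator at most maxsplit times, never inside an escape pair.

    Escape pairs (backslash plus one character) are copied through untouched so
    that "\\|" does not split the record; unescaping happens per field later.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == separator and len(fields) < maxsplit:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def unescape(value: str) -> str:
    """Resolve CEF escapes: \\| \\= \\\\ become the literal character, \\n \\r newlines."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse "key=value key2=value with spaces" into a dict."""
    keys = list(_KEY_RE.finditer(ext))
    parsed: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = unescape(ext[m.end():end].strip())
    return parsed


def parse_cef(line: str) -> Dict[str, object]:
    """Return {"fields": {f1..f8}, "header": {...}, "extension": {...}}."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = split_fields(line[len("CEF:"):], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields plus extension")
    fields = {"f%d" % (n + 1): part for n, part in enumerate(parts)}
    header = {name: unescape(part) for name, part in zip(HEADER_NAMES, parts)}
    return {"fields": fields, "header": header, "extension": parse_extension(parts[7])}


# Constructed sample records (RFC 5737 documentation addresses, fictional vendor).
SAMPLE_LINES = [
    "CEF:0|Example Corp|ExampleIDS|1.0|100|Suspicious login|5|"
    "src=192.0.2.10 dst=198.51.100.5 msg=escaped pipe \\| and equals\\= in value",
    "CEF:0|Vendor\\|Inc|Product\\\\Name|2.1|200|Policy hit|3|rt=1650000000000 act=blocked",
]


def parse_samples() -> List[Dict[str, object]]:
    """Parse the constructed sample lines."""
    return [parse_cef(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for rec in parse_samples():
        print(rec["header"]["device_vendor"], rec["header"]["severity"], rec["extension"])
```

    Splitting is limited to seven separators because CEF defines exactly seven header fields; anything after that is the extension, where an unescaped pipe is legal and must not start a new field.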

  • logrotate provided in a separate rsyslog-logrotate package.  In this release, the logrotate configuration has been removed from the main rsyslog package and is included in a new rsyslog-logrotate package. This change is useful in certain minimal environments for preventing the installation of unnecessary dependencies, for example, where log rotation is not required.

  • sudo program includes Python plugins.  The sudo 1.9 program provides the capability to write sudo plugins in Python. This capability makes it easier to enhance the sudo program to more precisely suit specific scenarios.

  • libseccomp 2.5.2 is supported.  This version contains bug fixes and enhancements such as an updated syscall table for Linux v5.14-rc7, consolidated multiplexed syscall handling for all architectures into a single location, clarification of the maintainers' GPG keys, and so on.

  • Clevis includes support for SHA-256.  The Clevis framework is in compliance with the recommendations of RFC 7638 and supports the SHA-256 algorithm as the default hash for JSON Web Key (JWK) thumbprints. The older thumbprints (SHA-1) continue to be supported so you can still decrypt previously encrypted data.
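    The following is an added example, not Clevis or jose code, of what the Clevis change above means in practice: an RFC 7638 thumbprint hashes only the required public members of a JWK, serialized in lexicographic order with no whitespace, and the new default hash is SHA-256 while SHA-1 thumbprints are still matched so that data encrypted under the old default remains decryptable. The sample EC key is constructed (its coordinates are arbitrary bytes, not a real curve point), and the function names are the example's own.

```python
"""RFC 7638 JWK thumbprints with SHA-256 (the new Clevis default) and SHA-1
(legacy, still accepted so that older encrypted data can be matched to its key).

Added illustration, not Clevis or jose code. The EC key below is constructed:
its coordinates are arbitrary bytes, not a real P-256 point.
"""
import base64
import hashlib
import json
from typing import Dict, List, Optional

# RFC 7638 section 3.2: only the required public members of each key type are
# hashed, in lexicographic order, with no whitespace. Optional members such as
# "kid" or "use" never influence the thumbprint.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

DEFAULT_HASH = "sha256"
LEGACY_HASH = "sha1"


def b64url(raw: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: Dict[str, str]) -> bytes:
    """Serialize the thumbprint input exactly as RFC 7638 prescribes."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    subset = {m: jwk[m] for m in members}  # KeyError if a required member is absent
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: Dict[str, str], alg: str = DEFAULT_HASH) -> str:
    """base64url thumbprint of jwk under hash alg ("sha256" or legacy "sha1")."""
    if alg not in (DEFAULT_HASH, LEGACY_HASH):
        raise ValueError("unsupported thumbprint hash: " + alg)
    return b64url(hashlib.new(alg, canonical_jwk(jwk)).digest())


def find_key(keys: List[Dict[str, str]], thumbprint: str) -> Optional[Dict[str, str]]:
    """Locate the key a stored thumbprint refers to.

    SHA-256 is tried first; SHA-1 is a fallback for thumbprints written before
    the default changed, which is what keeps old ciphertexts decryptable.
    """
    for alg in (DEFAULT_HASH, LEGACY_HASH):
        for key in keys:
            if jwk_thumbprint(key, alg) == thumbprint:
                return key
    return None


# Constructed sample key: x and y are just the byte runs 0..31 and 32..63.
SAMPLE_EC_KEY = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "sample-1",   # optional members: ignored by the thumbprint
    "use": "enc",
}


if __name__ == "__main__":
    print("sha256:", jwk_thumbprint(SAMPLE_EC_KEY))
    print("sha1  :", jwk_thumbprint(SAMPLE_EC_KEY, LEGACY_HASH))
```

    Because member order and optional members do not affect the result, the same key always yields the same thumbprint regardless of how a particular tool serialized it; a thumbprint of 43 characters was made with SHA-256 and one of 27 characters with SHA-1.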

2.14 Virtualization

The following virtualization features, enhancements, and changes are introduced in Oracle Linux 9:

  • QEMU uses Clang.  In Oracle Linux 9, the QEMU emulator is built by using the Clang compiler. This improvement enables the KVM hypervisor to use several advanced security and debugging features, which provides better opportunities for future feature development.

  • Capability for using SafeStack on VMs added.  As of Oracle Linux 9, the QEMU machine emulator on x86_64 and AMD64 hardware can use the SafeStack feature. SafeStack is an enhanced compiler-based stack protection feature that reduces the ability of an attacker to exploit a stack-based buffer overflow to change return pointers in the stack and create Return-Oriented Programming (ROP) attacks. This change makes virtual machines (VMs) that are hosted on Oracle Linux 9 significantly more secure against ROP-based vulnerabilities.

2.15 Containers

The following containers features, enhancements, and changes are introduced in Oracle Linux 9:

  • Podman supports short names.  The registries.conf file now accepts configuration of short-name aliases for images in the [aliases] table. The short-names modes are:

    • Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the $HOME/.cache/containers/short-name-aliases.conf file (rootless user) or in the /var/cache/containers/short-name-aliases.conf file (root user). If the user cannot be prompted (for example, stdin or stdout is not a TTY), Podman fails. Note that the short-name-aliases.conf file takes precedence over the registries.conf file if both specify the same alias.

    • Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded.

  • Changes implemented on container-tools module.  The container-tools module contains the Podman, Buildah, Skopeo, and runc tools. The rolling stream, represented by the container-tools:ol8 stream in Oracle Linux 8, is named container-tools:latest in Oracle Linux 9. Similarly to Oracle Linux 8, stable versions of container tools are going to be available in numbered streams (for example, 3.0).

  • containers-common package available in the container-tools:latest module.  The containers-common package has been added to the container-tools:latest module. The containers-common package contains common configuration files and documentation for the container tools' ecosystem, such as Podman, Buildah, and Skopeo.

  • podman-py package is available.  The podman-py package has been added to the container-tools:3.0 stable module stream and the container-tools:latest module. The podman-py package is a library of bindings to use the RESTful API of Podman.

  • Improvements from control groups version 2.  With the availability of cgroupv2, system administrators can limit resources for any application without causing performance problems that were encountered in the previous version.

    For additional information about notable changes in cgroupv2, see Section 2.2, “Kernel”.

  • container-tools meta-package is available.  This RPM meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries, and is available in Oracle Linux 9. To install the container-tools meta-package, run the following command:

    sudo dnf install container-tools

  • Podman supports auto-building and auto-running pods using a YAML file.  The podman play kube command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.

  • Oracle Linux 9 containers on Oracle Linux 7 host is unsupported.  Running Oracle Linux 9 containers on an Oracle Linux 7 host is not supported. Such a setup might work, but cannot be guaranteed.

2.16 Oracle Linux in Cloud Environments

The following changes and features apply to Oracle Linux used in cloud environments.

  • WALinuxAgent updated to 2.3.0.2.  The Windows Azure Linux Agent (WALinuxAgent) has been upgraded to upstream version 2.3.0.2, which introduces a number of bug fixes and enhancements, most notably the following:

    • Support has been added for RequiredFeatures and GoalStateAggregateStatus APIs.

    • Fallback locations for extension manifests have been added.

    • Missing calls to str.format() have been added when creating exceptions.

2.17 Technology Preview

For RHCK, the following features are currently under technology preview.

  • KTLS: The Linux Kernel TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to NICs that support this functionality. OpenSSL 3.0 supports KTLS if the enable-ktls configuration option is used during compilation.

  • SGX: Software Guard Extensions (SGX) from Intel protects software code and data from disclosure and modification. Presently, the current kernel supports SGX v1 and v1.5.

  • DAX: Direct Access (DAX) is available for the ext4 and XFS file systems. It enables an application to directly map persistent memory into its address space. DAX can be used on systems that have available persistent memory, typically NVDIMMs.

  • SEV and SEV-ES: Secure Encrypted Virtualization (SEV) feature is provided for AMD EPYC host machines that use the KVM hypervisor. It encrypts a virtual machine's memory and protects the VM from access by the host. SEV's enhanced Encrypted State version (SEV-ES) encrypts all CPU register contents when a VM stops running, thus preventing the host from modifying the VM’s CPU registers or reading any information from them.

  • WireGuard is a VPN solution that has improved security features and is easily configurable. Note, however, that this technology is fully supported as a production feature in UEK since UEKR6.