2 New Features and Changes
Unless indicated otherwise, the following new features, major enhancements, bug fixes, and other changes that are introduced in this release of Oracle Linux 9 apply to both the x86_64 and 64-bit Arm (aarch64) platforms.
Operating System and Software Management
The following features, enhancements, and changes related to the OS and software management are introduced in this Oracle Linux 9 release.
DNF Includes an offline-upgrade Command
Oracle Linux now includes the dnf offline-upgrade command from the DNF system-upgrade plugin. Offline upgrades can help protect a system during upgrades by performing package installations after a reboot and before libraries that might be affected by package updates have loaded.
This feature includes the option to apply security advisory filters such as --advisory, --security, and --bugfix to limit the download of packages and their dependencies to a specified advisory.
Infrastructure Services
The following features, enhancements, and changes related to infrastructure services are introduced in this Oracle Linux 9 release.
chrony Updated to Version 4.3
The chrony package is updated to version 4.3. Notable features and changes include:
- Long-term quantile-based filtering of Network Time Protocol (NTP) measurements, which can be enabled by adding the maxdelayquant option to the pool, server, or peer directives.
- Selection log provides more information about chronyd selection of sources and can be enabled by adding the selection option to the log directive.
- Improved synchronization stability when using the hardware timestamping and Pulse-Per-Second Hardware Clock (PHC) reference clocks.
- System clock stabilization by using a free-running stable clock, such as a Temperature Compensated Crystal Oscillator (TCXO), Oven-Controlled Crystal Oscillator (OCXO), or an atomic clock.
- Maximum polling rate increased to 128 messages per second.
FRRouting Updated to Version 8.3.1
The frr package is updated to version 8.3.1. Notable features and changes include:
- New command for managing FRR daemons: show thread timers displays FRR's timer data.
- New Border Gateway Protocol (BGP) related commands:
  - set as-path replace: replaces the Autonomous System (AS) path attribute of a BGP route with a new value.
  - match peer: matches a specific BGP peer or group when configuring a BGP route map.
  - ead-es-frag evi-limit: sets a limit on the number of Ethernet A-D per EVI fragments that can be sent in a specified period in EVPN.
  - match evpn route-type: used to specify actions for certain types of EVPN routes, such as route-target, route-distinguisher, or MAC/IP routes.
- New commands for the Protocol Independent Multicast (PIM) daemon:
  - debug igmp trace detail: enables debugging for Internet Group Management Protocol (IGMP) messages with detailed tracing.
  - ip pim passive: sets the interface as passive and disables the sending of PIM messages.
- New command for Open Shortest Path First (OSPF) protocol: show ip ospf reachable-routers displays a list of routers that are reachable at the time the command is run.
- New outputs for the show zebra command, including statuses for ECMP, EVPN, and MPLS.
See https://github.com/FRRouting/frr/releases?q=8.3.1&expanded=true for more information.
SELinux rules for FRR are included in the frr package to improve integration with SELinux as new features and changes are released.
Very Secure FTP Daemon Updated to Version 3.0.5
The Very Secure FTP Daemon (vsftpd) is updated to version 3.0.5. Notable features and changes include:
- Default requirement to use TLS version 1.2 or later for secure connections.
- Compatibility updates for use with the latest FileZilla client.
powertop Updated to Version 2.15
The powertop package is updated to version 2.15. Notable features and changes include:
- General fixes and stability improvements.
- Improved compatibility with Ryzen processors and Kaby Lake platforms.
- Enabled Lake Field, Alder Lake N, and Raptor Lake platform functionality.
- Enabled Ice Lake NNPI and Meteor Lake mobile and desktop functionality.
Package Updates for systemd-sysusers Integration
The systemd-sysusers utility creates system users and groups during package installation and removes them during a removal of the package. Several packages are updated to integrate with the systemd-sysusers utility. The packages that are updated include:
- chrony
- dhcp
- radvd
- squid
synce4l Package for Frequency Synchronization Added
The synce4l package manages devices that include SyncE (Synchronous Ethernet), a hardware feature that helps PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is available in certain network interface cards (NICs) and network switches and helps Telco Radio Access Network (RAN) applications to achieve accurate time synchronization that results in better communication efficiency. See https://github.com/intel/synce4l for more information.
TuneD Updated to Version 2.20.0
The tuned package is updated to version 2.20.0. Notable features and changes include:
- API update to facilitate moving devices between plugin instances at runtime.
- Update to the plugin_cpu module:
  - The pm_qos_resume_latency_us feature limits the maximum time permitted for each CPU to transition from an idle state to an active state.
  - The intel_pstate scaling driver provides scaling algorithms to tune power management for a system based on usage scenarios.
samba Updated to Version 4.17.5
The samba packages are upgraded to upstream version 4.17.5. Notable features and changes include:
- Improvements in performance around security for the Server Message Block (SMB) server when working with high metadata workloads.
- Addition of a --json option to the smbstatus command to display status information in JSON format.
- Addition of samba.smb.conf and samba.samba3.smb.conf modules to the smbconf Python API to facilitate reading and writing the Samba configuration directly from Python programs.
Server Message Block version 1 (SMB1) protocol is deprecated in Samba 4.11 and later. SMB1 will be removed in a future release. Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Downgrading tdb database files isn't supported. After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Security
The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.
Libreswan Updated to Version 4.9
The following features were added:
- {left,right}pubkey= to addconn and whack
- KDF self-tests to Crypto
- Updated syscall allow-list in seccomp
- Support of show host's authentication key (showhostkey) for ECDSA pubkeys and for printing PEM encoded public key through the --pem option
- New functionalities for the Internet Key Exchange Protocol Version 2 (IKEv2) and the pluto IKE daemon
OpenSSL Updated to Version 3.0.7
The OpenSSL packages are updated to version 3.0.7. Notable features and changes include:
- Various bug fixes and improvements
- The default provider includes the RIPEMD160 hash function.
SELinux User-Space Packages Updated to Version 3.5
SELinux user-space packages are updated to version 3.5. Packages affected include: libselinux, libsepol, libsemanage, checkpolicy, mcstrans, and policycoreutils. Notable features and changes include:
- The sepolicy utility includes several Python and GTK updates. The manual pages are also updated to cover several missing descriptions.
- libselinux is improved to reduce heap memory usage by the PCRE2 library.
- The libsepol package is updated for stricter policy validation and to reject attributes in Access Vector (AV) rules for kernel policies.
- The fixfiles script unmounts temporary bind mounts on the SIGINT signal.
- The semodule --refresh option replaces --rebuild-if-modules-changed.
- Bug fixes and improvements to errors and descriptions, including translation fixes.
OpenSCAP Updated to Version 1.3.7
The OpenSCAP packages are updated to version 1.3.7. Notable features and changes include:
- Fixed error when processing OVAL filters.
- OpenSCAP no longer emits invalid empty xmlfilecontent items if an XPath doesn't match.
- Removed Failed to check available memory errors.
SCAP Security Guide Updated to Version 0.1.66
The SCAP Security Guide (SSG) packages are updated to version 0.1.66. Notable features and changes include:
- Deprecation of rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit
- Updated Oracle Linux 9 stig and stig_gui draft profiles to obtain more secure configuration.
Rsyslog Updated
Rsyslog is updated with several changes. Notable features and changes include:
- A new NetstreamDriverCaExtraFiles directive that can be used to specify a list of additional certificate authority (CA) certificates for TLS encrypted remote logging. The new directive is available only for the ossl (OpenSSL) Rsyslog network stream driver.
- Improved privileges to the Rsyslog log processing system to limit privileges to those required by Rsyslog. This update tightens security for Rsyslog but doesn't affect existing functionality.
SELinux Policy Supports Rsyslog to Drop Privileges at Start
As a consequence of the privilege limitations of the Rsyslog log processing system, which is described in the previous item, the SELinux policy has been updated so that the rsyslog service can drop privileges at start.
Clevis Can Use External Tokens for Configuration
Clevis includes a new -e option that can be used to specify an external token ID to avoid entering a password during cryptsetup. External token IDs can be used to automate configuration.
Tang Now Uses systemd-sysusers
The Tang server handles the addition of system users and groups through the systemd-sysusers service, which simplifies user management and provides the option to override system user creation by supplying sysusers.d files with higher priority.
Fapolicyd Now Provides Filtering of the RPM Database
The list of RPM-database files that fapolicyd stores in the trust database can be customized by editing a new /etc/fapolicyd/rpm-filter.conf configuration file. By using this feature, you can override the default configuration filter to specify which applications installed by RPM are permitted or excluded.
GnuTLS Handles PKCS#7 Padding During Decryption and Encryption
The gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 block cipher functions in GnuTLS handle the PKCS#7 padding, required by some protocols, transparently. The functions can be used in combination with the GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add or remove padding if the length of the original plaintext isn't a multiple of the block size.
NSS No Longer Supports RSA Keys Shorter Than 1023 Bits
Network Security Services (NSS) libraries are updated to change the minimum key size for all RSA operations from 128 to 1023 bits. The following NSS functions are no longer available:
- Generating RSA keys shorter than 1023 bits.
- Signing or verifying RSA signatures with RSA keys shorter than 1023 bits.
- Encrypting or decrypting values with RSA keys shorter than 1023 bits.
libssh Supports Smart Cards
Smart cards are supported through Public-Key Cryptography Standard (PKCS) #11 Uniform Resource Identifier (URI). Therefore, you can use smart cards with the libssh SSH library and with applications that use libssh.
libssh Updated to 0.10.4
The libssh library is updated to version 0.10.4 and includes the following support:
- OpenSSL 3.0
- Smart cards
- Two new configuration options, IdentityAgent and ModuliFile
With this update, OpenSSL versions previous to 1.0.1 are no longer supported. Further, Digital Signature Algorithm (DSA) support is disabled, and the SCP API and the pubkey and privatekey APIs have been deprecated.
Compatibility Between scap-security-guide Rules and RainerScript logs
Rules in scap-security-guide are now compatible with the RainerScript syntax. Therefore, scap-security-guide rules can check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.
Keylime Updated to 6.5.2
This version contains various enhancements and bug fixes, most notably the following:
- Vulnerability reported in CVE-2022-3500 is addressed.
- The Keylime agent no longer fails IMA attestation in cases where race conditions exist between running scripts.
- Segmentation fault in the /usr/share/keylime/create_mb_refstate script is fixed.
- Registrar no longer fails during EK validation when the require_ek_cert option is enabled
Networking
The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 9 release.
NetworkManager Updated to Version 1.42.2
The NetworkManager packages are updated to version 1.42.2. Notable features and changes include:
- Ethernet bonds can be configured for source load balancing.
- NetworkManager can manage connections on the loopback device.
- IPv4 equal-cost multipath (ECMP) route management is included.
- 802.1ad tagging in Virtual Local Area Networks (VLANs) connections is now possible.
- The nmtui application can be used with Wi-Fi WPA-Enterprise, Ethernet with 802.1X authentication, and MACsec connection profiles.
- NetworkManager is updated to reject DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).
For more information, see https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.42.2/NEWS.
ECMP Routing in NetworkManager Can Use Weights
NetworkManager can now be configured using a weight property when defining IPv4 Equal-Cost MultiPath (ECMP) routes. You can configure multipath routing to load-balance and stabilize network traffic. The weight property can have a value from 1 to 256. You must define multiple next-hop routes as single-hop routes that use the weight property. If no weight property is set on a route, the routes aren't merged into an ECMP route.
The balance-slb Bonding Mode Is Available in NetworkManager
The balance-slb bonding mode used to configure source load balancing is available in NetworkManager. The balance-slb mode divides traffic on the source Ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager automatically adds necessary nftables rules for traffic filtering.
Flexible DNS Configuration Across Multiple Networks in NetworkManager
The [global-dns] section in the /etc/NetworkManager/NetworkManager.conf file can be configured without specifying the nameserver value in the [global-dns-domain-*] section. By avoiding nameserver configuration, you are able to configure DNS in the /etc/resolv.conf file while still relying on the DNS servers provided by the network connection for actual DNS resolution. This update makes it easier to configure DNS across multiple networks.
VLAN Protocol Can Be Specified in NetworkManager
vlan interface types can be configured with a protocol property in NetworkManager to specify the VLAN protocol that controls the tag identified for encapsulation. The property can be set to either 802.1Q (default), or 802.1ad.
VLANs Can Be Configured on Unmanaged Interfaces in NetworkManager
NetworkManager can configure an unmanaged networking interface as a base interface when configuring VLANs. The VLAN base interface remains intact unless changed explicitly by NetworkManager.
loopback Interface Connections Can Be Configured In NetworkManager
NetworkManager can configure the loopback interface to provide additional IP addresses, DNS configuration, routing that isn't bound to an interface, and MTU settings.
nmstate API Accepts IPv6 Link-Local Addresses for DNS Server Entries
The nmstate API is updated to accept IPv6 link-local addresses for DNS server entries. Use the <link-local_address>%<interface> format, for example:
dns-resolver:
  config:
    server:
    - fe80::deef:1%enp1s0
nmstate API Includes Default MTU Range Properties on All Interfaces
Default properties for the min-mtu and max-mtu values are set on all interfaces, so that if the required MTU is out of range, nmstate indicates the available MTU range.
firewalld Updated to Version 1.2
The firewalld package is updated to version 1.2. Notable features and changes include:
- New services including Kodi JSON-RPC, EventServer, netdata, and IPFS.
- A fail-safe mode can be used to ensure that the system remains protected and that network communication continues if the firewalld service encounters an error when it's started. If errors are encountered in the user configuration or another startup issue causes the firewalld service to fail, firewalld falls back to failsafe defaults.
- Tab-completion updated in the CLI for some firewalld policy commands.
conntrack-tools Updated to Version 1.4.7
The conntrack-tools package is updated to version 1.4.7. Notable features and changes include:
- A new IPS_HW_OFFLOAD flag, which specifies offloading of a conntrack entry to the hardware.
- New clash_resolve and chaintoolong statistical counters.
- Filtering of events by IP address family.
- The conntrackd.conf file accepts 'yes' or 'no' values, as synonyms of 'on' and 'off'.
- A user space helper can be configured to automatically load upon daemon startup. Users don't have to manually run the nfct add helper commands.
- The -o userspace command option is removed and user space triggered events are always tagged.
- External inject problems are only logged as warnings.
- The conntrack ID is ignored when looking up cache entries to replace old stale entries.
- Parsing of IPv6 M-SEARCH requests in the ssdp cthelper module is fixed.
- The nfct library no longer requires lazy binding.
- Protocol value parsing is improved and has better detection of invalid values.
xdp-tools Updated to Version 1.3.1
The xdp-tools packages are updated to version 1.3.1. Notable features and changes include:
- New utility commands:
  - xdp-bench: XDP benchmarking on the receive side.
  - xdp-monitor: XDP error and statistic monitoring using kernel trace points.
  - xdp-trafficgen: Generates and sends traffic through the XDP driver hook.
- New features in the libxdp library:
  - Reference counting is improved when attaching programs to AF_XDP socket, so that applications no longer have to manually detach XDP programs when using sockets.
  - New functions are added to the library:
    - xdp_program__create() for creating xdp_program objects
    - xdp_program__clone() for cloning an xdp_program reference
    - xdp_program__test_run() for running XDP programs through the BPF_PROG_TEST_RUN kernel API
    - The xdp_multiprog__xdp_frags_support(), xdp_program__set_xdp_frags_support(), and xdp_program__xdp_frags_support() functions are added for loading programs with XDP frags or multibuffer XDP.
  - When the LIBXDP_BPFFS_AUTOMOUNT environment variable is set, the libxdp library automatically mounts a bpffs virtual file system if none is found. A subset of the library features can now also function when no bpffs is mounted.
This version also changes the version number of the XDP dispatcher program that's loaded on the network devices. You can't use a previous and a new version of libxdp and xdp-tools at the same time. The libxdp 1.3 library displays old versions of the dispatcher, but doesn't automatically upgrade them. Programs that are loaded with libxdp 1.3 don't work with programs that are loaded with a previous version of the library.
iproute Updated to Version 6.1.0
The iproute package is updated to version 6.1.0. Notable features and changes include:
- The vdpa command includes the ability to read device statistics. For example, you can read the virtqueue data structure at index 1 by running:
  sudo vdpa dev vstats show vdpa-a qidx 1
- Updates to the corresponding manual pages
Kernel and System Libraries
The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that's shipped with the current Oracle Linux 9 version.
BPF Functionality Updated to Version Upstream Linux 6.0
The Berkeley Packet Filter (BPF) functionality in Red Hat Compatible Kernel (RHCK) is updated to upstream Linux 6.0. All BPF features that depend on the BPF Type Format (BTF) for kernel modules are enabled, including the usage of BPF trampolines for tracing, the availability of the Compile Once - Run Everywhere (CO-RE) principle, and several networking-related features. Kernel modules also contain debugging information, which means that you no longer need to install debuginfo packages to inspect running modules. For more information on the complete list of BPF features available in the running kernel, use the bpftool feature command.
tuna Command Is Updated for Better Command Line Argument Parsing
The tuna command now uses argparse to provide better command line argument parsing and the CLI can now display a standardized menu of commands and options. You can now perform the following tasks:
- Change the attributes of the application and kernel threads.
- Operate on interrupt requests (IRQs) by name or number.
- Operate on tasks or threads by using the process identifier.
- Specify CPUs and sets of CPUs with the CPU or the socket number.
You can also use the tuna -h command to print the command line arguments and their corresponding options.
Note that this functionality also works with UEK.
File Systems and Storage
The following features, enhancements, and changes related to file systems and storage are introduced in this Oracle Linux 9 release.
nvme-cli Updated to Version 2.2.1
The nvme-cli packages are updated to version 2.2.1. Notable features and changes include:
- A new nvme show-topology command to display the NVMe subsystem topology.
- The uint128 data fields are displayed correctly.
- The libnvme dependency is updated to version 1.2.
- The libuuid dependency is dropped.
libnvme Updated to Version 1.2
The libnvme packages are updated to version 1.2. Dependency on the libuuid library is dropped.
Stratis Enforces Consistent Block Size in Pools
Potential edge case problems can occur when mixed block size devices exist within a pool. With this enforcement, users are prevented from creating a pool with devices of differing block sizes, or from adding new devices with a different block size to existing devices in the pool. Consequently, the risk of pool failure is reduced.
Support for Existing Disk Growth Within the Stratis Pool
Previous versions of Stratis did not recognize devices in a RAID array that have grown in size. Thus, users could increase the pool size only by adding new disks. This improvement enables Stratis to recognize those devices that have grown in size. Therefore, Stratis can now support the growth of existing disks within its pool, in addition to the existing feature of growing the pool by adding new disks.
Improved Functionality of the lvreduce Command
The lvreduce command does not reduce the size of an active logical volume (LV) unless the lvreduce --resizefs option is enabled. In this manner, the risk of file system damage resulting from a reduction in the size of the LV is prevented.
New options are available to the command for better control of the file systems while the logical volume is being reduced.
High Availability and Clusters
The following features, enhancements, and changes related to high availability are introduced in this Oracle Linux 9 release.
Dynamic Programming Languages, Web and Database Servers
The following features, enhancements, and changes related to programming languages, web servers, and database servers are introduced in this Oracle Linux 9 release.
Python 3.11 Available
Python 3.11 is available in the package python3.11. An additional suite of packages compatible with Python 3.11 is also available. Notable features and changes include:
- Improved performance.
- The new match keyword (similar to switch in other languages) can be used for structural pattern matching.
- Improved error messages, for example, indicating unclosed parentheses or brackets. Precise error locations in tracebacks pointing to the expression that caused the error. Exact line numbers for debugging and other use cases.
- The ability to define context managers across multiple lines by enclosing the definitions in parentheses.
- Various new features related to type hints and the typing module, such as the new X | Y type union operator, variadic generics, and the new Self type.
- A new tomllib standard library module which can be used to parse TOML.
- An ability to raise and handle multiple unrelated exceptions simultaneously using Exception Groups and the new except* syntax.
Git Updated to Version 2.39.1
The git version control system is updated to version 2.39.1. Notable features and changes include:
- The git log command includes a format placeholder for the git describe output: git log --format=%(describe)
- The git commit command includes the --fixup=<commit> option so that you can fix the content of the commit without changing the log message. With this update, you can also use:
  - The --fixup=amend:<commit> option to change both the message and the content.
  - The --fixup=reword:<commit> option to update only the commit message.
- The git clone command includes the --reject-shallow option to disable cloning from a shallow repository.
- The git branch command includes the --recurse-submodules option.
- The git merge-tree command can be used to:
  - Test if two branches can merge.
  - Compute a tree that would result in the merge commit if the branches were merged.
- The safe.bareRepository configuration variable can filter out bare repositories.
git-lfs Updated to Version 3.2.0
The Git Large File Storage (LFS) extension is updated to version 3.2.0. Notable features and changes include:
- Git LFS introduces a pure SSH-based transport protocol.
- Git LFS provides a merge driver.
- The git lfs fsck command checks that pointers are canonical and that expected LFS files have the correct format.
- NT LAN Manager (NTLM) authentication protocol is removed. Use Kerberos or Basic authentication instead.
nginx:1.22 Available as a Module Stream
The nginx 1.22 web and proxy server is available as the nginx:1.22 module stream. New features and changes include:
- OpenSSL 3.0 integration and handling of the SSL_sendfile() function when using OpenSSL 3.0.
- Integration with the PCRE2 library.
- POP3 and IMAP pipelining in the mail proxy module. Additionally, the Auth-SSL-Protocol and Auth-SSL-Cipher header lines are passed to the mail proxy authentication server.
- Multiple new directives are available, including ssl_conf_command and ssl_reject_handshake.
- Variables can be used in multiple directives, including proxy_cookie_flags, proxy_ssl_certificate, proxy_ssl_certificate_key, grpc_ssl_certificate, grpc_ssl_certificate_key, uwsgi_ssl_certificate, and uwsgi_ssl_certificate_key.
- The listen directive in the stream module now can take a new fastopen parameter to use TCP Fast Open mode for listening sockets.
- A new max_errors directive is added to the mail proxy module.
- nginx always returns an error if:
  - The CONNECT method is used.
  - Both Content-Length and Transfer-Encoding headers are specified in the request.
  - The request header name contains spaces or control characters.
  - The Host request header line contains spaces or control characters.
- nginx blocks all HTTP/1.0 requests that include the Transfer-Encoding header.
- nginx establishes HTTP/2 connections using the Application Layer Protocol Negotiation (ALPN) and can no longer use the Next Protocol Negotiation (NPN) protocol.
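The request checks listed above can be modelled in a short function, which is useful for testing that a proxy or WAF placed in front of nginx 1.22 refuses the same requests. This is an added example, not nginx code or part of the release notes; the function names, reason strings, and sample requests are constructed for illustration.

```python
# Added example: a model of the request checks listed for nginx 1.22.
# It is not nginx's parser; reason strings and sample requests are constructed.

CONNECT = "CONNECT method"
CL_AND_TE = "Content-Length together with Transfer-Encoding"
BAD_NAME = "space or control character in header name"
BAD_HOST = "space or control character in Host header"
TE_HTTP10 = "Transfer-Encoding on an HTTP/1.0 request"


def has_space_or_ctl(text):
    """True if text contains a space, DEL, or a C0 control character."""
    return any(ch == " " or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def rejection_reasons(raw):
    """Return the listed rules that the head of a raw HTTP/1.x request breaks."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, _, rest = request_line.partition(" ")
    version = rest.rpartition(" ")[2]

    reasons = []
    if method == "CONNECT":
        reasons.append(CONNECT)

    seen = set()
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            continue  # malformed line; outside the rules modelled here
        if has_space_or_ctl(name) and BAD_NAME not in reasons:
            reasons.append(BAD_NAME)
        key = name.strip().lower()
        seen.add(key)
        # Whitespace around the value is legal; inside the value it is not.
        if key == "host" and has_space_or_ctl(value.strip(" \t")):
            reasons.append(BAD_HOST)

    # Two conflicting ways of framing the body in one request.
    if {"content-length", "transfer-encoding"} <= seen:
        reasons.append(CL_AND_TE)
    if version == "HTTP/1.0" and "transfer-encoding" in seen:
        reasons.append(TE_HTTP10)
    return reasons


# Constructed request heads (example.test is a reserved test domain).
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "connect": b"CONNECT example.test:443 HTTP/1.1\r\n"
               b"Host: example.test:443\r\n\r\n",
    "cl_and_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "name_with_space": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                       b"Transfer-Encoding : chunked\r\n\r\n",
    "host_with_space": b"GET / HTTP/1.1\r\n"
                       b"Host: example.test internal.test\r\n\r\n",
    "te_on_http10": b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n",
    "http10_cl_and_te": b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
                        b"Content-Length: 4\r\n"
                        b"Transfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict = rejection_reasons(request) or ["accepted by these rules"]
        print(f"{label:18} {'; '.join(verdict)}")
```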
mod_security Updated to Version 2.9.6
The mod_security module for the Apache HTTP Server is updated to version 2.9.6. Notable features and changes include:
- Adjusted parser activation rules in the modsecurity.conf-recommended file.
- Improvements to HTTP multipart request parsing.
- A new MULTIPART_PART_HEADERS collection.
- Microsecond timestamp resolution is used in the formatted log timestamp.
- Geo Countries updated for missing entries
postgresql:15 Module Stream Added
PostgreSQL version 15 is made available as the postgresql:15 module stream. PostgreSQL 15 includes several new features and enhancements over version 13. See https://www.postgresql.org/docs/release/15.0/ for more information.
Module stream life cycle information is available in Oracle Linux: Product Life Cycle Information.
nodejs:18 Version 18.14 Includes npm Version 9
The updated Node.js 18.14 includes a SemVer major upgrade of npm from version 8 to version 9. In this update, support for unscoped authentication configurations is removed to improve security. This update might require adjustments to the current npm configuration.
If you use unscoped authentication tokens, generate and supply registry-scoped tokens in the .npmrc file. If the .npmrc file contains lines that use _auth, for example, //registry.npmjs.org/:_auth, replace these lines with //registry.npmjs.org/:_authToken=${NPM_TOKEN}. Then apply the scoped token that is generated.
New Tomcat Package Introduced
The current Oracle Linux release includes the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.
Compilers and Development Tools
The following features, enhancements, and changes related to compilers and development tools are introduced in this Oracle Linux 9 release.
Updated Compilers and Development Tools
The following system toolchain components are updated in Oracle Linux 9.2:
- GCC 11.3.1
- glibc 2.34
- binutils 2.35.2
The following performance tools and debuggers are updated in Oracle Linux 9.2:
- GDB 10.2
- Valgrind 3.19
- SystemTap 4.8
- Dyninst 12.1.0
- elfutils 0.188
The following performance monitoring tools are updated in Oracle Linux 9.2:
- PCP 6.0.1
- Grafana 9.0.9
The following compiler toolsets are updated in Oracle Linux 9.2:
- GCC Toolset 12
- LLVM Toolset 15.0.7
- Rust Toolset 1.66.1
- Go Toolset 1.19.6
Updated GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. The toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository. Notable features and changes include:
- Updated the GCC compiler to version 12.2.1.
- annobin is updated to version 11.08.
The following tools and versions are provided by GCC Toolset 12:
Tool | Version |
---|---|
GCC | 12.2.1 |
GDB | 11.2 |
binutils | 2.38 |
dwz | 0.14 |
annobin | 11.08 |
To install GCC Toolset 12, run the following command as root:
sudo dnf install gcc-toolset-12
To run a tool from GCC Toolset 12:
scl enable gcc-toolset-12 tool
To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:
scl enable gcc-toolset-12 bash
LLVM Toolset Updated to Version 15.0.7
LLVM Toolset is updated to version 15.0.7. The update includes changes that enable the -Wimplicit-function-declaration and -Wimplicit-int warnings by default in C99 and later.
Go Toolset Updated to Version 1.19.6
Go Toolset is updated to version 1.19.6 to include several notable security and bug fixes.
System GCC Compiler Is Updated
The system GCC compiler, version 11.3.1, is updated to include numerous bug fixes and enhancements available in the upstream GCC. The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.
Performance Co-Pilot Updated to Version 6.0
Performance Co-Pilot (PCP) is updated to version 6.0. Notable improvements include:
- Version 3 PCP archive: Instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones, and 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes can all be used by configuring the PCP_ARCHIVE_VERSION setting in the /etc/pcp.conf file. Version 2 archives remain the default.
- Only OpenSSL is used throughout PCP. Mozilla NSS/NSPR use is dropped: libpcp, PMAPI clients and PMCD use of encryption is impacted. These elements are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already using OpenSSL.
- New nanosecond precision timestamp PMAPI calls for PCP library interfaces that use timestamps are included for optional use, but full backward compatibility is preserved for existing tools.
- The following tools and services are updated:
  - pcp2elasticsearch: Authentication feature enabled.
  - pcp-dstat: Can use top-alike plugins.
  - pcp-htop: Updated to the latest stable upstream release.
  - pmseries: Added sum, avg, stdev, nth_percentile, max_inst, max_sample, min_inst and min_sample functions.
  - pmdabpf: Added CO-RE (Compile Once - Run Everywhere) modules.
  - pmdabpftrace: Moved example autostart scripts to the /usr/share directory.
  - pmdadenki: Multiple active batteries can be used.
  - pmdalinux: Updates for the latest /proc/net/netstat changes.
  - pmdaopenvswitch: Added additional interface and coverage statistics.
  - pmproxy: Request parameters can now be sent in the request body.
  - pmieconf: Added several pmie rules for Open vSwitch metrics.
  - pmlogger_farm: Added a default configuration file for farm loggers.
  - pmlogger_daily_report: Code changes for efficiency.
grafana Updated to Version 9.0.9
The grafana package is updated to version 9.0.9. Notable features and changes include:
- The time series panel is now the default visualization option, replacing the graph panel
- New heatmap panel
- New Prometheus and Loki query builder
- Updated Grafana Alerting
- UI/UX and performance improvements
- License changed from Apache 2.0 to GNU Affero General Public License (AGPL)
The following are offered as opt-in experimental features:
- New bar chart panel
- New state timeline panel
- New status history panel
- New histogram panel
grafana-pcp Updated to Version 5.1.1
The grafana-pcp package is updated to version 5.1.1. Notable features and changes include:
- Added buttons to disable rate conversion and time usage conversion in the query editor.
- Removed the deprecated label_values(metric, label) function for Redis.
- Fixed the network error for metrics with many series (requires Performance Co-Pilot v6+).
- Set the pmproxy API timeout to 1 minute.
tzdata Package Includes the leap-seconds.list File
The /usr/share/zoneinfo/leap-seconds.list file accommodates an alternate format to the /usr/share/zoneinfo/leapseconds file that was previously shipped with the tzdata package. Both formats are included to support applications that choose to use either format to calculate International Atomic Time (TAI) from Coordinated Universal Time (UTC) values that are used by almost all time services.
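The following Python sketch is an added example, not code from Oracle or the tzdata project. It shows how an application can derive TAI from UTC with the leap-seconds.list layout. The embedded table is a constructed excerpt with most rows omitted, and refusing to answer past the expiry line is a design choice of this example.

```python
NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Constructed excerpt in the leap-seconds.list layout (most rows omitted):
# "#@" carries the expiry time, other "#" lines are comments, and data lines
# are "<NTP seconds> <TAI-UTC seconds> # note".
SAMPLE = """\
#@	3928521600
2272060800	10	# 1 Jan 1972
3550089600	35	# 1 Jul 2012
3644697600	36	# 1 Jul 2015
3692217600	37	# 1 Jan 2017
"""

def parse_leap_seconds(text):
    """Return (expiry_unix, [(start_unix, tai_minus_utc), ...]) sorted by start."""
    expiry, table = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#@"):
            expiry = int(line[2:].split()[0]) - NTP_TO_UNIX
        elif line and not line.startswith("#"):
            ntp_seconds, offset = line.split()[:2]
            table.append((int(ntp_seconds) - NTP_TO_UNIX, int(offset)))
    return expiry, sorted(table)

def tai_minus_utc(unix_ts, text=SAMPLE):
    """TAI-UTC in seconds at a Unix timestamp; refuses to guess outside the table."""
    expiry, table = parse_leap_seconds(text)
    if expiry is not None and unix_ts >= expiry:
        raise ValueError("timestamp is past the table's expiry; refresh tzdata")
    current = None
    for start, offset in table:
        if unix_ts >= start:
            current = offset  # last entry whose start is not after unix_ts
    if current is None:
        raise ValueError("timestamp precedes the first table entry")
    return current

def utc_to_tai(unix_ts, text=SAMPLE):
    """Seconds on the TAI scale (same 1970 origin) for a Unix UTC timestamp."""
    return unix_ts + tai_minus_utc(unix_ts, text)

if __name__ == "__main__":
    print(utc_to_tai(1500000000))  # 14 Jul 2017, inside the sample table
```

To use the shipped data, pass the contents of /usr/share/zoneinfo/leap-seconds.list as the text argument instead of the excerpt.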
Virtualization
The following features, enhancements, and changes related to virtualization are introduced in this Oracle Linux 9 release.
passt Package Introduced
The package enables you to configure passt and pasta network connections for virtual machines and containers, respectively, that are running in the non-privileged connection mode of libvirt (qemu:///session). The two functionalities further offer the following improvements for IPv6:
- Use of the Neighbor Discovery Protocol (NDP) responder and for DHCPv6
- Port forwarding on TCP and UDP protocols on IPv6
This update adds the passt package, which makes it possible to use the passt and pasta network connections. As a result, you can set up passt and pasta for virtual machines and containers, respectively, that run in the non-privileged connection mode of libvirt (qemu:///session).
For more information on using passt, see the libvirt upstream documentation.
To use pasta in a podman container, use the --network pasta command-line option.
Containers
The following features, enhancements, and changes related to containers are introduced in this Oracle Linux 9 release.
Multiple GPG Keys for Podman Images
The /etc/containers/policy.json file accepts a keyPaths field that contains a list of trusted GPG keys. Usage of more than one GPG key in the container policy is a technology preview feature that permits Podman to install images signed by any one of multiple GPG keys.
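The following Python check is an added example, not part of the Oracle documentation. It walks a policy.json document and reports, per scope, whether images must be signed and which key files the keyPaths field trusts. The registry name and key file paths in the sample policy are constructed placeholders.

```python
import json

# Constructed sample policy; the registry name and key file paths are placeholders.
SAMPLE_POLICY = json.loads("""{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "registry.example.com": [{
      "type": "signedBy", "keyType": "GPGKeys",
      "keyPaths": ["/etc/pki/containers/release-a.gpg",
                   "/etc/pki/containers/release-b.gpg"]}],
    "": [{"type": "insecureAcceptAnything"}]}}
}""")

def trusted_keys(requirement):
    """Key files a signedBy requirement trusts, from keyPath and/or keyPaths."""
    keys = list(requirement.get("keyPaths", []))
    if "keyPath" in requirement:
        keys.append(requirement["keyPath"])
    return keys

def classify(requirements):
    """Return (verdict, key_files) for the requirement list of one scope."""
    # Every requirement in a list must pass, so a single "reject" blocks the
    # scope; within one signedBy entry, a signature by any listed key is enough.
    types = [r.get("type") for r in requirements]
    if "reject" in types:
        return "reject", []
    if "signedBy" in types:
        keys = [k for r in requirements if r.get("type") == "signedBy"
                for k in trusted_keys(r)]
        return "signed", keys
    if types and all(t == "insecureAcceptAnything" for t in types):
        return "unsigned-allowed", []
    return "other", []

def audit_policy(policy):
    """Map each scope ("default" or "transport:scope") to its verdict."""
    findings = {"default": classify(policy.get("default", []))}
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            # An empty scope name is the transport-wide fallback, shown as "*".
            findings[f"{transport}:{scope or '*'}"] = classify(requirements)
    return findings

if __name__ == "__main__":
    for scope, (verdict, keys) in audit_policy(SAMPLE_POLICY).items():
        print(f"{scope:30} {verdict:18} {', '.join(keys)}")
```

In the sample, the transport-wide fallback still accepts unsigned images from every other registry, which is the kind of gap this check is meant to surface before relying on a multi-key policy.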
Updated container-tools Package and Podman
The container-tools package is updated for Podman v4.4. The package contains the Podman, Buildah, Skopeo, crun and runc tools.
The updates have the following features and changes:
- Information about a container can be audited directly from a journald entry in Podman v4.4 and later. To enable Podman auditing, modify the containers.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The audit data is in JSON format, equivalent to the output of the podman container inspect command.
- The podman network update command is added to update networks for containers and pods.
- Podman can be configured with pre-execution hooks that can be used to control container operations by creating plugin scripts in /usr/libexec/podman/pre-exec-hooks or /etc/containers/pre-exec-hooks. Pre-execution scripts are only run if a file named /etc/containers/podman_preexec_hooks.txt exists. If all plugin scripts return a zero value, the podman command is run; otherwise, the podman command exits with the exit code returned by the script that failed.
- The podman buildx version command is added to output the Buildah version.
- Container startup health checks are available, to trigger a command to check that the container is fully started before the regular health check is activated.
- New Docker compatibility options and aliases are included.
- Improved Kubernetes integration by consolidating kube commands: the podman kube generate and podman kube play commands replace the podman generate kube and podman play kube commands.
- Systemd-managed pods created by the podman kube play command now integrate with sd-notify, using the io.containers.sdnotify annotation (or io.containers.sdnotify/$name for specific containers).
- Systemd-managed pods created by podman kube play can be auto-updated by using the io.containers.auto-update annotation.
For further information about notable changes, see upstream release notes.
Custom DNS Server Selection Is Available for Aardvark and Netavark
Custom DNS server selection for containers using the Aardvark and Netavark network stack is available. Containers are able to use custom DNS servers instead of the default DNS servers on the host. To enable a custom DNS server, either add the dns_servers field in the containers.conf configuration file or use the new --dns option to specify the IP address of the DNS server when running the podman command. The --dns option overrides any values that are set in the containers.conf file.
Generate Sigstore Key Pairs With Skopeo
Skopeo can generate sigstore key pairs through the skopeo generate-sigstore-key command. For more information, see the skopeo-generate-sigstore-key manual page.
Toolbox Utility Is Available
Use the toolbox utility to access the container command line environment without installing additional troubleshooting tools directly on the system. Toolbox uses Podman and other standard container technologies from the Open Container Initiative. For more information, see toolbx.