2 New Features and Changes

This chapter describes new features, enhancements, and other notable changes that are introduced in UEK R7.

Summary of Notable Changes in UEK R7

The following is a summary of the features, changes, and improvements that are introduced in UEK R7, relative to UEK R6:

  • Linux 5.15 stable kernel base

    The 5.15.0 mainline kernel release that is used as the base kernel for UEK R7 includes many upstream kernel features and improvements over previous UEK releases and over RHCK. For a listing of the major new features and enhancements that are introduced in this kernel, see Core Kernel Features and Functionality.

  • 64-bit Arm (aarch64) support

    This release provides improved support for the 64-bit Arm (aarch64) platform. One significant change for the Arm platform is that the default page size has changed to 4 KB, from the previous 64 KB default. The new 4 KB size pairs well with the workloads and memory amounts that exist on the majority of Arm-based systems. See Default Page Size on Arm Platform Changed to 4 KB for more detailed information about this notable change.

  • DTrace v2.0

    DTrace v2.0 continues to be available in UEK R7 and leverages kernel tracing facilities like eBPF. Detailed information about DTrace releases and other notable changes is available at Oracle Linux: DTrace Release Notes.

  • File systems support

    Support for the Btrfs and OCFS2 file systems is enabled in UEK R7. The XFS and NFS file systems have also been enhanced in this release. For more information about new file systems features that are introduced in UEK R7, see File Systems.

Default Page Size on Arm Platform Changed to 4 KB

The default page size on the 64-bit Arm (aarch64) platform has changed to 4 KB, from the previous 64 KB default. The new 4 KB size pairs well with the workloads and memory amounts that exist on the majority of Arm-based systems.

This change has important implications if you intend to upgrade the kernel from a previous release of UEK. See About Upgrading From a Previous Oracle Linux or UEK Release to UEK R7 for more information.

For information about other known issues that are related to this important change, see Known Issues.

Core Kernel Features and Functionality

Several major, core kernel features have been implemented in the upstream kernel, between the 5.4 release that was used as the base kernel version for UEK R6 and the 5.15.0 kernel release that is used as the base kernel version for UEK R7. Although some features have been backported into the UEK R6 kernel in update releases, the following are the significant new features that are available in UEK R7:

  • BPF improvements

    UEK R7 introduces numerous Berkeley Packet Filter (BPF) improvements, including the following:

    • The introduction of Compile Once Run Everywhere in libbpf and in LLVM and BPF Type Format (BTF). This change enables the BPF verifier to use in-kernel BTF to type check BPF assembly code, which provides for safer and faster BPF tracing.

    • BPF trampoline, which is a feature that enables kernel code to call into BPF programs with nearly zero overhead, is available for the x86_64 architecture. Support for memory-mapping BPF array map and other improvements are also introduced in this release.

    • BPF support for calling kernel functions directly. This enhancement enables BPF programs that call kernel functions initially to reuse Transmission Control Protocol (TCP) congestion control implementations.

    • BPF programs are capable of sleeping during execution, simplifying the mechanism to bind a socket to a range of addresses or port numbers. The new BPF_PROG_TYPE_SK_LOOKUP program type runs when the kernel is searching for an open socket for an incoming connection. The mechanism can then decide which socket should receive the connection. This mechanism has been added as a simpler way to bind a socket to a range of addresses or port numbers. Currently, this feature is limited to tracing and security-module programs.

  • Core scheduling capability included

    Core scheduling provides the ability to isolate groups of processes that are running on the same core, ensuring maximum protection against side-channel attacks. You can use core scheduling as a method for preventing Spectre-class vulnerability attacks, while keeping Simultaneous Multithreading (SMT) enabled and avoiding the performance penalty of disabling SMT.

  • New cgroup slab memory controller

    UEK R7 introduces a new control group (cgroup) slab memory controller that enables you to share slab memory between memory cgroups. This new implementation of the slab memory controller aims to reach much better slab utilization by sharing slab pages between multiple memory cgroups. Also, accounting is performed per-object rather than per-page. The new capability saves a significant amount of memory, which greatly reduces inefficiencies.

  • io_uring enhancements

    The io_uring system call, which is a Linux API for asynchronous I/O, is designed for higher performance than the previous Linux AIO API that is supported by QEMU. Several enhancements for io_uring are introduced in UEK R7, the majority of which are focused around networked I/O.

    One io_uring performance improvement that is related to I/O is a new BIO recycling mechanism for removing some internal memory-management overhead, which reportedly provides a 10% increase in the number of I/O operations per second that io_uring is capable of sustaining.

    Other notable changes for io_uring include Oracle ASMLib v3 + oracleasm-support. With this release, Oracle ASMLib uses the io_uring system call in place of the legacy oracleasm driver interface, which has been removed in UEK R7.

  • Split lock detection

    In this release, the split lock detection CPU feature is enabled by default on x86_64 systems that have the capability for this functionality, such as the Ice Lake processor. The split_lock_detect boot parameter enables you to warn about, or send SIGBUS (bus error) signals to, applications that make use of split locks. A split lock occurs when an atomic CPU instruction operates on data that spans two cache lines. This operation is much slower than an atomic operation within a cache line, and it disrupts performance on other cores.

    Note that you can disable this feature in the kernel by setting split_lock_detect=off.

Changes to UEK Content Distribution and Packaging

How content is distributed and packaged in the UEK release has changed. Starting with UEK R7, the kernel is repackaged and streamlined into several separate RPMs to facilitate particular hardware requirements. A meta RPM package, named kernel-uek, continues to be the required package for all UEK installations and maintains backward compatibility with previous releases.

By default, the kernel-uek package and its dependencies are installed. Installing this package is equivalent to installing the full UEK kernel.

The following table provides additional details about how UEK R7 content is distributed and packaged and includes information about package dependencies, as well as any other notable requirements.

Package Description

kernel-uek

This is a meta package that does not contain any files. The package has a dependency on kernel-uek-core and kernel-uek-modules.

Installing this package is equivalent to installing the full UEK kernel. This is the required package for all UEK installations and maintains compatibility with previous releases.

kernel-uek-core

This package contains the UEK kernel and a minimal number of kernel modules and is installed along with the kernel-uek-modules package. Note that this package requires that the linux-firmware-core package also be installed.

kernel-uek-modules

This package contains remaining kernel modules that are required by the majority of server configurations. Note that this package requires that the linux-firmware package also be installed.

kernel-uek-modules-extra

This is an optional package that contains modules for hardware and subsystems that are uncommon for servers, as well as support for certain devices, such as Bluetooth, Wi-Fi, and video capture cards. If support for any of these components is required, install the package manually from the yum repository.

You can list the modules explicitly provided by this package by running:

rpm -q -l kernel-uek-modules-extra

linux-firmware-core

This package contains core firmware components and is a dependency for the kernel-uek-core package.

linux-firmware

This package contains firmware components that are not provided in the linux-firmware-core package and is a dependency for the kernel-uek-modules package.

Note that this package requires that the linux-firmware-core package also be installed.

File Systems

The following file systems features and enhancements are introduced in UEK R7:

Btrfs

Note:

The default page size on the 64-bit Arm platform has changed to 4 KB, from the previous 64 KB default. If you are running Oracle Linux 8 on an Arm-based system with an earlier UEK release, this change impacts Btrfs file systems, for example, systems that are running the Raspberry Pi on an Oracle Linux 8 developer image. Prior to upgrading to UEK R7, you must migrate your data and prepare to reformat your file systems to prevent any data loss and ensure that the system does not become unbootable. See Default Page Size on Arm Platform Changed to 4 KB.

This release introduces several Btrfs performance and data recovery improvements, as well as some RAID 1 enhancements, support for Linux read-write semaphores, and checksum support. Other notable changes for Btrfs include the following:

  • New rescue mount option added

    A new rescue mount option groups all existing mount options for recovery. usebackuproot is now an alias for rescue=usebackuproot; nologreplay is an alias for rescue=nologreplay.

  • Asynchronous SSD trimming available

    Asynchronous SSD trimming is available in Btrfs. For performance and wear-leveling reasons, solid-state storage drives benefit from receiving notification when a disk block goes unused. This operation is referred to as discard or trim and is performed automatically by Btrfs. When a file is deleted, Btrfs notifies the drive that the blocks belonging to the file are no longer being used. Previously, these notifications occurred synchronously, meaning the trim notifications were sent before ending the delete operation, which can harm performance. These notifications are now sent asynchronously.

  • fsync() performance improvements

    The following fsync() improvements are introduced:

    • Improved fsync() performance (12% decrease on max latency reported by dbench).

    • Substantial speed-up of parallel fsync by reducing the number of checksum tree look-ups and contention.

    • Substantial speed-up of parallel fsync for files with reflinked/deduped extents. For jobs 16 to 1024, on average, throughput is improved by roughly 50%; runtime is decreased by about 30%.

  • Pre-fetch chunk tree leaves at mount support

    Chunk tree leaves are pre-fetched at mount, which improves mount speed in multi-TB file systems.

  • fs-verity and ID mapping support

    Support for fs-verity and ID mapping is included in this release, as well as DAMON, which improves the capability for monitoring memory access patterns of specific processes. The fs-verity generic layer, which is already available in the ext4 and F2FS file systems, provides transparent integrity and authenticity protection of read-only files. The feature also includes capability for ID-mapped mount points, which provides the ability to map the user and group IDs of one mount to another mount.

ext4

The ext4 file system continues to be supported in UEK releases.

OCFS2

OCFS2 continues to be supported in UEK releases. For Oracle Linux 9, user space packages are updated to enable OCFS2 support on this release.

XFS

Note:

The default page size on the 64-bit Arm platform has changed to 4 KB, from the previous 64 KB default. As a result, if you are running Oracle Linux 8 on an Arm-based system with an earlier UEK release, and you previously manually changed an XFS file system to a block size that is greater than 4 KB, you must migrate your data and prepare to reformat file systems prior to upgrading to UEK R7. Systems with XFS file systems that are configured to use a 4 KB block size are unaffected. See Default Page Size on Arm Platform Changed to 4 KB.

The following notable XFS file system changes are introduced in UEK R7:

  • Enhancements for XFS 2038+ and DAX operations and DAX metadata reduction.

    Capability for XFS 2038+, per-file and per-directory DAX operations, and DAX metadata reduction has been added in this release.

  • XFS file system includes new features

    The XFS file system supports two new options: bigtime and inobtcount. The bigtime option provides support for timestamps beyond the year 2038; the inobtcount option reduces mount time on large file systems. By default, these options are disabled. To enable these options while creating an XFS file system, use the mkfs.xfs command as follows:

    sudo mkfs.xfs -m bigtime=1,inobtcount=1

    Caution:

    Enabling these mkfs.xfs options creates a file system that is unmountable by older kernels, where these options are not supported.

WireGuard Communication Protocol

The WireGuard communication protocol is available in UEK R7 for both IPv4 and IPv6 networks. WireGuard provides encrypted virtual private networks (VPNs) by passing traffic over the User Datagram Protocol (UDP).

Note:

WireGuard was previously enabled as a technology preview feature in UEK R6U1, with full support introduced in UEK R6U3.

WireGuard uses public key encryption for identification and encryption, while OpenVPN uses certificates for these tasks. With WireGuard, secure key generation and management are handled in the background. Note that although IPsec is still the standard for secure network communication, WireGuard is gaining in popularity because it is simpler to configure and deploy.

For more information and step-by-step instructions, see Oracle Linux: Configuring Virtual Private Networks.

RDMA

UEK R7 includes Remote Direct Memory Access (RDMA) features that are provided in the upstream kernel, with the addition of Ksplice and DTrace functionality. RDMA enables direct memory access between two systems that are connected by a network. RDMA facilitates high-throughput and low-latency networking in clusters.

Starting with Oracle Linux 9, the process of installing Oracle-supported RDMA packages has been simplified through the use of new, user space packages and a dedicated ULN channel and yum repository for RDMA-related packages. For more information, see Installing and Upgrading Oracle-Supported RDMA Packages on Oracle Linux.

If you are running Oracle Linux 8, the process of installing Oracle-supported RDMA packages remains the same as in previous releases.

Security

The following security features are introduced in UEK R7:

New .machine Kernel Keyring Introduced

The .machine kernel keyring is introduced in UEK R7. You can use this keyring as a kernel level trust anchor for any operation that uses asymmetrical keys. The .machine keyring has the same level of trust within the kernel as the .builtin_trusted_keys and the .secondary_trusted_keys keyrings. Similar to the built-in and secondary keyrings, you can use keys in the .machine keyring to do the following:

  • Perform kernel module signature validation.

  • Add additional keys to the .secondary_trusted_keys keyring.

  • Serve as a CA for IMA appraisal keys.

Note that keys contained within the .machine keyring must be a root CA certificate. To qualify as a root CA certificate, the following two requirements must be met:

  • The X.509 certificate shall be self-signed.

  • The X.509 certificate shall contain X509v3 extensions with basicConstraints=critical,CA:TRUE

It is also highly advised that the keyUsage field be set with keyCertSign.

Unlike in previous UEK releases, keys contained within the .platform keyring in UEK R7 may be used only for kexec; you may not use the .platform keys for any other purpose. In previous UEK releases, you could use keys in the .platform keyring for kernel module signature validation, but not for any other kernel key operations.

The easiest way to add keys to the .machine keyring is by enrolling them with the mokutil utility. Note that this method requires that you first create an X.509 key pair.
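The root CA requirements and the key pair creation step above, as an added example (not Oracle's code and not part of the original page): the script creates a self-signed CA certificate with OpenSSL and checks any PEM certificate against the two stated requirements. The function names, file names, and certificate subject are constructed for illustration, and the checks mirror the requirements as worded here rather than the kernel's own validation code.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and the CN are constructed.

# make_cert <TRUE|FALSE> <key.pem> <cert.pem>
# Create a self-signed certificate with basicConstraints=critical,CA:<flag>.
make_cert() {
  local cnf rc
  cnf=$(mktemp) || return 1
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ext
[ dn ]
CN = Example module signing CA (constructed)
[ v3_ext ]
basicConstraints = critical,CA:$1
keyUsage = keyCertSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cnf" -keyout "$2" -out "$3" 2>/dev/null
  rc=$?
  rm -f "$cnf"
  return "$rc"
}

# check_machine_ca <cert.pem>: return 0 only if both requirements hold.
check_machine_ca() {
  local cert="$1" text subject issuer
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  # Requirement 1: self-signed (issuer equals subject and the signature
  # verifies against the certificate's own public key).
  [ "$subject" = "$issuer" ] || { echo "issuer differs from subject" >&2; return 1; }
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "self-signature does not verify" >&2; return 1; }
  # Requirement 2: basicConstraints is present, critical, and CA:TRUE.
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints: critical' \
    | grep -q 'CA:TRUE' || { echo "basicConstraints is not critical,CA:TRUE" >&2; return 1; }
  # Advised, not required: keyUsage includes keyCertSign (warning only).
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Certificate Sign' || echo "warning: keyUsage lacks keyCertSign" >&2
  return 0
}

# Demo in a scratch directory: one qualifying CA, one non-CA certificate.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  make_cert TRUE  "$dir/ca.key"   "$dir/ca.pem"   || return 1
  make_cert FALSE "$dir/leaf.key" "$dir/leaf.pem" || return 1
  check_machine_ca "$dir/ca.pem"   && echo "ca.pem: meets the root CA requirements"
  check_machine_ca "$dir/leaf.pem" || echo "leaf.pem: rejected"
  rm -rf "$dir"
}
demo

# Enrollment is not run here (needs root and a reboot). mokutil takes DER:
#   openssl x509 -in ca.pem -outform DER -out ca.der
#   sudo mokutil --import ca.der
```

Keep the private key file offline or in a protected location, because any key enrolled this way can sign kernel modules that the system will load.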

SGX Enabled on Intel Architecture

Unbreakable Enterprise Kernel Release 7 enables Intel Software Guard Extensions (SGX) technology on the third-generation Intel Xeon Scalable processor (codename Ice Lake).

Applications can use this hardware functionality to populate protected regions of user code and data, called enclaves. When activated, the new hardware protects enclave code and data from outside access and modification. Enclaves provide a place to store secrets and then process data with those secrets, for example, in DRM software. SGX assists in providing protection against many known cybersecurity threats, thereby reducing the attack surface of servers through the use of secure enclaves, which protect information from processes running at a higher privilege.

Zonefs for Zoned Block Devices

The zonefs (zone file system) feature is a simple file system that exposes each zone of a zoned block device as a file. Unlike a regular POSIX-compliant file system with native zoned block device support, for example, f2fs, zonefs does not hide the sequential write constraint of zoned block devices from the user. Files that represent sequential write zones of the device must be written sequentially, starting from the end of the file (append only writes).

Deprecated and Removed Features

The following features are deprecated, removed, or no longer supported in UEK R7:

  • /dev/raw Device Removed

    The /dev/raw driver that was marked obsolete in the year 2005 has been removed in this release. In previous releases, the device nodes under /dev/raw provided an interface to direct I/O semantics for applications that were written prior to the introduction of the O_DIRECT file flag in Linux. This change also makes the raw command that is part of the util-linux package nonfunctional.

    To obtain direct I/O file semantics, use the appropriate setting for the I/O file, as follows:

    • For C, use the O_DIRECT flag as part of the open() system call.

    • For Java, use the RandomAccessFile mode, "rwd", (Open for reading and writing).

    • From the shell, you can use the dd flags, iflag=direct (for reading), and oflag=direct (for writing).

  • resilient_rdmaip Module Deprecated

    The resilient_rdmaip module is deprecated in UEK R7. This module may be removed in a subsequent UEK release.

  • Cisco fnic 1.6 Driver Unsupported

    Cisco no longer supports the Cisco FCoE HBA Driver (fnic 1.6) that is sourced from the upstream kernel and which is available in most kernels, including UEK R5, UEK R6, and UEK R7. Cisco provides a fully supported UCS Linux driver (version 2.0.0.83 and later) that is tested on and compatible with Oracle Linux, with UEK R5 and later UEK releases, on the Cisco software download page. The driver package includes features that are not available in the currently included driver module such as NVMe support and multi-queue support.

    Customers who are running Oracle Linux on Cisco servers must install the Cisco driver package to receive driver fixes, driver updates, new hardware support, and new feature support. Contact Cisco for more information about driver solutions on Oracle Linux.

  • oracleasm Kernel Module Removed

    The oracleasm kernel module is removed in UEK R7. Note that this module continues to be supported in the UEK R5 and UEK R6 releases.

    Note that Oracle ASMLib continues to be supported through the use of io_uring interfaces. See Core Kernel Features and Functionality for more information.

  • DRBD Kernel Module Removed

    The DRBD (Distributed Replicated Block Device) kernel module and the drbd-utils package are removed in UEK R7. Note that the DRBD kernel module and its associated package, which were introduced as a technology preview in UEK R4 and deprecated in UEK R6U3, continue to be enabled in UEK R5 and UEK R6.