3 New Features and Changes
WARNING:
Oracle Linux 7 is now in Extended Support. See Oracle Linux Extended Support and Oracle Open Source Support Policies for more information.
Migrate applications and data to Oracle Linux 8 or Oracle Linux 9 as soon as possible.
This section describes new features and changes in Update 4 for Oracle Linux 7.
For details of the new features and changes in the initial release of Oracle Linux 7, see Oracle Linux 7: Release Notes for Oracle Linux 7.
Booting
This section describes booting features in this release, including improvements, changes, and bug fixes.
-
UEFI Secure Boot
You can install and use Oracle Linux 7 on systems that have UEFI Secure Boot enabled. A system in Secure Boot mode loads only those boot loaders and kernels that have been signed by Oracle. Oracle has updated the kernel and grub2 packages to sign them with a valid Extended Validation (EV) certificate. The EV certificate has been compiled into the shim binary and has been signed by Microsoft. This feature is fully supported on Oracle Linux 7 update 4.
If you have previously enabled Secure Boot while it was available under a technology preview, ensure that the shim, grub2 and kernel packages are updated as an atomic operation if you intend to upgrade the system. If all of these packages are not updated, the Secure Boot process might break and must be disabled until a full system upgrade has been completed. (Bug ID 24616226)
-
Updated shim-signed package
The shim-signed package is updated to include numerous bug fixes and enhancements over the previously shipped version.
Desktop
The following desktop features, improvements, and changes are included in this release:
-
GNOME desktop updated to 3.22.3
This version of the GNOME desktop includes several improvements and bug fixes, including the following:
-
Desktop notifications overhauled
-
Built-in integration with world clocks and media players
-
Automatic screen brightness adjustment capabilities (for systems with an integrated light sensor)
-
Standard dialog for documenting key keyboard shortcuts for several applications
-
Setting panels improvements (printer, mouse, touchpad, keyboard shortcuts)
-
Option for renaming multiple files simultaneously
-
Undo support for trash
-
Built-in support for compressed files and Google Drive
-
Added xorg-x11-drv-libinput driver to X.Org input drivers
After you install xorg-x11-drv-libinput, you can remove the xorg-x11-drv-synaptics driver, which enables you to access some of the improved input device handling features that are offered by libinput.
-
cloud-init package moved to Base channel
The cloud-init tool handles the early initialization of a system using metadata that is provided by the environment. You typically use cloud-init to configure servers that are booted in a cloud environment, such as OpenStack or Amazon Web Services.
Development Tools
The following development tools have been updated and improved:
-
dmidecode package version updated to 3.0
The updated version of dmidecode includes several bug fixes and hardware enablement improvements.
-
TLS version restriction capability added to IO::Socket::SSL Perl module
For improved security, the Net::SSLeay Perl module has been updated to enable the explicit specification of TLS version 1.1 or 1.2, and the IO::Socket::SSL module has been updated accordingly.
When creating a new IO::Socket::SSL object, you can restrict the TLS version to 1.1 or 1.2 by setting the SSL_version option to TLSv1_1 or TLSv1_2, respectively. Alternatively, you can specify the TLSv11 and TLSv12 options. Note that these values are case-sensitive.
-
TLS version restriction capability added to Net::SSLeay Perl module
For improved security, the Net::SSLeay Perl module has been updated to enable the explicit specification of TLS version 1.1 or 1.2. To restrict the TLS version, set the Net::SSLeay::ssl_version variable to 11 or 12, respectively.
-
TLS version specification capability added to wget
Previously, the wget command used the highest TLS version (1.2) by default. In this update, the wget command has been enhanced to enable you to explicitly select the TLS protocol minor version by specifying either the --secure-protocol=TLSv1_1 or --secure-protocol=TLSv1_2 options with the wget command.
File Systems
The following file systems features have been updated and improved:
-
autofs browse options added for amd format maps
You can now add mount point sections to the autofs configuration for amd format mounts, similarly to how automount points are configured in amd, without the need to also add a corresponding entry to the master map. This improvement helps to avoid having incompatible master map entries in the autofs master map within shared multi-vendor environments.
You can use the browsable_dirs option in either the autofs [amd] configuration section, or following the amd mount point sections. You can also use the browsable and utimeout map options of amd type auto map entries.
For information about an issue related to using the browsable_dirs option, see AutoFS: AMD map browsable_dirs option does not work unless it is set in the [amd] section of autofs.conf.
-
Capability for adding mount request log entries in autofs configuration
By enabling the adding of a mount request log identifier to the mount request log entries in the autofs configuration, you can quickly filter entries for specific mount requests. The improvement makes searching logs easier.
-
rpc.idmapd capability for obtaining NFSv4 ID domains from the Domain Name System (DNS)
In the event that an NFSv4 ID map domain name is not configured on the system, this feature enables the NFS idmapping library to attempt to obtain the proper domain name by performing a DNS lookup of a special TXT record. If the TXT record is not present, it uses other heuristics to obtain the proper domain name.
-
Added support for Kerberos authentication for NFSoRDMA client and server
This improvement enables you to use krb5, krb5i, and krb5p authentication with NFS over RDMA (NFSoRDMA) features, for both client and server. You can now use Kerberos with NFSoRDMA to securely authenticate each Remote Procedure Call (RPC) transaction.
Note:
To use Kerberos with NFSoRDMA, you must install the nfs-utils package, version 1.3.0-0.36 or higher.
-
SEEK_DATA and SEEK_HOLE Options for FUSE lseek System Call
The SEEK_DATA and SEEK_HOLE options are now available for the Filesystem in Userspace (FUSE) lseek system call when using the RedHat Compatible Kernel (RHCK). Use the SEEK_DATA option to adjust the file offset to the next location in the file that contains data. Use the SEEK_HOLE option to adjust the file offset to the next hole in the file, greater than or equal to the offset. Note that this functionality is not available in UEK at the time of this update release.
btrfs: Deprecated in RedHat Compatible Kernel (RHCK)
As of Oracle Linux 7 update 4, btrfs is deprecated in the RHCK. With UEK R4, btrfs is fully supported.
xfs: d_type support (ftype=1) enabled by default on newly formatted partitions
For systems installed with the Oracle Linux 7 Update 4 installer, when formatting a device using XFS, d_type support is enabled automatically, which means all XFS-formatted partitions are created using the ftype=1 parameter as the default. In previous Oracle Linux 7 updates, ftype=0 was the default parameter, meaning d_type was disabled and XFS-formatted partitions were created using ftype=0 as the default.
The d_type functionality exposed by this feature enables the file system to store additional metadata that is critical for overlay file system types.
Installation
Several changes, bug fixes and improvements have been made to the installation process in this update release. These include:
-
Change to kickstart parameters to support specification of RAID chunk size
Changes were implemented in the installer to enable the ability to set RAID chunk sizing in a kickstart file using the --chunksize parameter. This update allows tuning for performance when using RAID.
-
Added kickstart support for thin LVM snapshots during installation
The new kickstart snapshot command creates an LVM thin volume snapshot before or during installation. To use this functionality, specify all of the required parameters for the command. For example:
snapshot <origin_vg/origin_lv> --name=<snapshot_name> --when=<pre-install | post-install>
-
Change to automatic partitioning behavior for LVM thin pools
Changes to automatic partitioning behavior where LVM thin pools are created during installation are important to note.
LVM thin pools created with automatic partitioning reserve 20% of the volume group size and require a minimum of 1GiB and a maximum of 100 GiB.
The logvol --thinpool --grow command causes the thin pool to grow to the maximum possible size. To reserve space for the volume group, use the volgroup --reserved-space or volgroup --reserved-percent command to specify the amount of space to keep available for the volume group.
-
Added kickstart option to disable the creation of a /home partition
The --nohome option can be used with the autopart command in a kickstart installation to prevent the creation of a partition designated for /home use.
-
Added support for loading driver disks from hard disk or USB device
Support has been added to enable loading a driver disk from a hard disk or USB device. This can be triggered either via kickstart or as a boot option. To use this option you must set the label for the device where the driver disk RPM files are stored. To load a driver from the specified driver disk, use:
driverdisk LABEL=<LABEL>:/<driver.rpm>
Substitute <LABEL> with the label that you set for the device and substitute <driver.rpm> with the driver RPM file name.
To specify the driver disk as a boot option, use:
inst.dd=hd:LABEL=<LABEL>:/<driver.rpm>
Substitute <LABEL> with the label that you set for the device and substitute <driver.rpm> with the driver RPM file name.
-
Added support for IP over InfiniBand (IPoIB) in text mode installation
The text mode installer now supports IPoIB network interfaces during a manual installation. IPoIB interface status information and configuration options are available.
-
Improvements to cater for multiple network locations for stage2 or kickstart files to provide failover during installation
The installer is now capable of handling multiple inst.stage2 and inst.ks boot options where those options point to alternate network locations. This caters to a scenario where the network location for either stage2 or kickstart file is not available and a failover may be required for installation to continue. Options are processed sequentially until all location options are exhausted. If a file system is specified as one of the locations for either of these options only the last location specified is used, regardless of whether that location is a file system or URL.
-
Improved debug functionality for Anaconda installation issues
The new inst.debug boot option can be used to start the Anaconda installer in debug mode. This option stores log files for lsblk, dmesg and lvmdump in the /tmp/pre-anaconda-logs directory to help with debugging installation issues.
-
Fix to enable Lorax to ignore SSL errors
The lorax tool, which is used to create an Anaconda installer boot.iso and the release tree and related metadata, has the new --noverifyssl command line switch to disable SSL certificate verification, allowing the tool to be used with systems using self-signed certificates.
Kernel
The following changes are specific to the RedHat Compatible Kernel (RHCK). For more information, refer to the latest versions of the release notes for Unbreakable Enterprise Kernel Release 4 at Unbreakable Enterprise Kernel documentation.
-
crash package version updated to 7.1.9
The updated version of the crash utility includes a number of bug fixes and enhancements from the previous version.
-
New dbxtool package
The dbxtool package provides a command-line interface (CLI) and a one-shot systemd service for applying UEFI Secure Boot DBX updates.
-
fjes driver updated to version 1.2
The updated version of the fjes driver includes a number of bug fixes and enhancements from the previous version.
-
Added getrandom system call to kernel
The getrandom system call has been added to the kernel. As a result, the user space can now request randomness from the same non-blocking entropy pool that is used by /dev/urandom. In addition, the user space can block until at least 128 bits of entropy has been accumulated in that pool.
-
Changes to hardware utility tools to correctly identify recently released hardware
The PCI, USB, and vendor device identification files have been updated. As a result, the hardware utility tools can now correctly identify recently released hardware.
-
Added i40e support for trusted and untrusted virtual functions
The i40e NIC driver now includes support for both trusted and untrusted virtual functions.
-
Addition of the Intel Cache Allocation Technology
The Intel Cache Allocation Technology enables the software to restrict cache allocation to a defined subset of cache. The defined subset can overlap with other subsets.
-
Jitter Entropy Random Number Generator included
The Jitter Entropy Random Number Generator (RNG) is responsible for collecting entropy through CPU timing differences for the kernel. By default, this RNG is available through the algif_rng interface. The generated numbers can be added back to the kernel through the /dev/random file, which makes these numbers available to other /dev/random users, thus making the operating system have more sources of entropy available.
-
macsec driver added
The macsec driver enables support for the MACsec/IEEE 802.1AE network device. This driver provides authentication and encryption of traffic in a LAN, typically with GCM-AES-128 and optional replay protection. Patches have also been applied to bring this version of the driver up to the most current level for compatibility with this kernel release. The iproute package has also been updated to include support for the ip macsec command and related functionality.
-
makedumpfile updated to version 2.0.14-1
This version of the makedumpfile utility includes a number of bug fixes and enhancements from the previous version.
-
NVMe driver updated to version 4.10
The updated version of the NVMe driver includes a number of bug fixes and enhancements from the previous version.
-
nvme-cli package version updated to 1.1
The updated version of the nvme-cli utility includes support for Nonvolatile Memory Express (NVMe). With NVMe support, you can find targets over Remote Direct Memory Access (RDMA) and connect to these targets.
-
Added perf support for uncore events on Intel Xeon v5
The perf performance analysis tool now includes support for uncore events on the Intel Xeon v5 server CPU. These events provide additional performance monitoring information.
-
Random driver (/dev/random) displays messages pertaining to urandom pool initialization
The random driver (/dev/random) now prints a message when the non-blocking pool that is used by /dev/urandom is initialized.
-
Change to spinlock implementation in the kernel
The spinlock implementation in the kernel has changed from ticket spinlocks to queued spinlocks on AMD64 and Intel 64 architectures. Because queued spinlocks are more scalable than ticket spinlocks, system performance is improved, especially on Symmetric Multi Processing (SMP) systems with a large number of CPUs. The performance now increases more linearly with an increasing number of CPUs.
Note:
Note that because of this change in the spinlock implementation, kernel modules that are built on Red Hat Enterprise Linux 7 might not be loadable on kernels from earlier releases. Kernel modules released in Red Hat Enterprise Linux (RHEL) versions earlier than 7.4 are loadable on the kernel that is released in RHEL 7.4.
-
Added functionality for switchdev infrastructure and mlxsw driver
The following functionality has been added in this update:
-
Ethernet switch device driver model (switchdev infrastructure)
Switch devices can now offload forwarding data plane from the kernel.
-
mlxsw driver support
The following switch hardware is supported by the mlxsw driver: Mellanox SwitchX-2 (slow path only), Mellanox SwitchIB and SwitchIB-2, and Mellanox Spectrum.
Features that are supported by the mlxsw driver include the following:
-
Per port jumbo frames
-
Speed setting, state setting, statistics
-
Port splitting together with splitter cables
-
Port mirroring
-
QoS: 802.1p, Data Center Bridging (DCB)
-
Access Control Lists (ACLs) using TC flower offloading
Note that this feature is introduced as a Technology Preview.
-
Layer 2 and Layer 3 features:
Layer 2:
-
Virtual local area networks (VLANs)
-
Spanning Tree Protocol (STP)
-
Link Aggregation (LAG) using team or bonding offloading
-
Link Layer Discovery Protocol (LLDP)
Layer 3 now includes the unicast feature.
You can configure these features by using the standard tools that are provided by the iproute package, which has also been updated in this release.
Significant Changes to Kernel Entries and Parameters
The following is a summary of significant changes in the kernel that is shipped with the RHCK for Oracle Linux 7.4. Included are new or updated proc entries, sysctl and sysfs default values, boot parameters, kernel configuration options, as well as other notable behavior changes.
Table 3-1 Updated /proc/sys/kernel Entries
Kernel Entry | Description | Format |
---|---|---|
 | Controls the behavior of the kernel when an unresponsive task is detected. This file occurs if | { " |
 | Provides the upper bound on the number of tasks that are checked. This file occurs if | N/A |
 | Checks interval. Reports a warning in case that a task in D state is not scheduled for longer time than this value. This file occurs if | |
 | Provides the maximum number of warnings to report during a check interval. When this value is reached, no more warnings will be reported. This file occurs if | |
panic_on_rcu_stall | When set to 1, calls the panic() function after RCU stall detection messages. This is useful to define the root cause of RCU stalls using a vmcore. | |
Files in the /proc/sys/user directory can be used to override the default limits for the number of namespaces and other objects that have per-user namespace limits. These limits are used to stop programs that malfunction and attempt to create a high number of objects. The default values of these limits are adjusted so that any program in normal operation cannot reach them.
Table 3-2 Updated /proc/sys/user Entries
Updated file | Description |
---|---|
 | Maximum number of |
 | Maximum number of |
 | Maximum number of mount namespaces that any user in the current user namespace can create. |
 | Maximum number of network namespaces that any user in the current user namespace can create. |
 | Maximum number of |
 | Maximum number of user namespaces that any user in the current user namespace can create. |
 | Maximum number of user namespaces that any user in the current user namespace can create. |
Table 3-3 Kernel Parameter Changes
Kernel Parameter | Description and Format |
---|---|
 | Enables table checksum verification during early stage. By default, disabled due to x86 early mapping size limitation. |
 | Disables the installation of static SSDTs at early boot time. By default, SSDTs contained in the RSDT/XSDT are installed automatically and they appear in the This option turns off this feature. Specifying this option does not affect dynamic table installation which installs SSDT tables to the |
 | Sets the default Formats: cpu number,..., cpu number cpu number-cpu number Or, you can use a positive range in ascending order or a mixture: cpu number,...,cpu number-cpu number |
 | Disables installation of static SSDTs at early boot time. By default, SSDTs contained in the RSDT/XSDT are installed automatically and they appear in the Disables kernel and module base offset Address Space Layout Randomization (ASLR) if |
nohibernate | Disables hibernation and resume. |
crash_kexec_post_notifiers | Runs |
[PCI] hpbussize=nn | Provides the minimum amount of additional bus numbers reserved for buses below a hotplug bridge (Default is |
pcie_port_pm=[PCIE] | PCIe port power management handling. Format: { " |
sunrpc.svc_rpc_per_connection_limit=[NFS,SUNRPC] | Limits the number of requests for the server to process in parallel from a single connection (Default value is |
Networking
Networking features, changes, and bug fixes in this release include the following.
-
iproute package includes changing bridge port options
In this update, the capability to change bridge port options, such as state, priority, and cost, is included in the iproute package. This change enables you to use the iproute package as an alternative to the bridge-utils package.
-
Load Balancing and High Availability
Oracle Linux 7 includes the Keepalived and HAProxy technologies for balancing access to network services while maintaining continuous access to those services.
Keepalived uses the IP Virtual Server (IPVS) kernel module to provide transport layer (Layer 4) load balancing, redirecting requests for network-based services to individual members of a server cluster. IPVS monitors the status of each server and uses the Virtual Router Redundancy Protocol (VRRP) to implement high availability.
HAProxy is an application layer (Layer 7) load balancing and high availability solution that you can use to implement a reverse proxy for HTTP and TCP-based Internet services.
For more information, see Oracle Linux 7: Administrator's Guide.
-
Support for MACsec (802.1AE) added to NetworkManager
The wpa_supplicant utility now supports the Media Access Control Security (MACsec) encryption 802.1AE, which enables MACsec to be used in configuration by default. This change provides a convenient way to deploy MACsec.
-
Packages related to rdma consolidated into rdma-core version 13
Several packages that are related to the rdma package have been upgraded and consolidated into a single source package, rdma-core version 13.
Packaging
The following packaging additions and changes are included in this release.
-
payload_gpgcheck Option Added to yum
The new payload_gpgcheck option enables yum to perform a GNU Privacy Guard (GPG) signature check on the payload sections of packages. This capability provides enhanced security and integrity when installing packages.
Before, when the gpgcheck option was used, yum only checked package headers. In the event that the payload data were tampered with or somehow corrupted, and an RPM unpacking error occurred, the package would only be partially installed. As a result, the operating system could be inconsistent or in a vulnerable state. You can use the payload_gpgcheck option with the gpgcheck or localpkg_gpgcheck option to prevent this problem from occurring.
Note that using the payload_gpgcheck option is the same as manually running the rpm -K command on downloaded packages.
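The following shell function is an added example, not part of these release notes or of yum itself; it audits a yum configuration for the options described above and flags configurations that still verify package headers only. It assumes that gpgcheck, localpkg_gpgcheck and payload_gpgcheck are read from the [main] section and that a repository section can override gpgcheck; the function names, sample configurations and repository names are constructed.

```shell
#!/bin/sh
# Added example, not Oracle or yum project code.
# Assumptions: payload_gpgcheck, gpgcheck and localpkg_gpgcheck are read from
# the [main] section of yum.conf; a repository section may override gpgcheck.

# audit_yum_gpg [FILE...]
# Reads yum configuration text (files, or stdin when no file is given),
# prints one finding per line, and returns 1 if anything is flagged.
audit_yum_gpg() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    # yum accepts 1/0, yes/no and true/false for boolean options
    function enabled(v) { v = tolower(v); return (v == "1" || v == "yes" || v == "true") }

    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[.*\]/ {                           # section header
        section = trim($0)
        gsub(/^\[|\].*$/, "", section)
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        if (section == "main") {
            opt[key] = val
        } else if (key == "gpgcheck" && !enabled(val)) {
            printf "WEAK [%s] gpgcheck=%s: packages from this repository are not verified\n", section, val
            bad = 1
        }
    }
    END {
        if (!enabled(opt["gpgcheck"]) && !enabled(opt["localpkg_gpgcheck"])) {
            print "WEAK [main] neither gpgcheck nor localpkg_gpgcheck is enabled"
            bad = 1
        }
        if (!enabled(opt["payload_gpgcheck"])) {
            print "WEAK [main] payload_gpgcheck is not enabled: only package headers are checked"
            bad = 1
        }
        if (!bad) print "OK [main] header and payload signature checks are enabled"
        exit (bad ? 1 : 0)
    }' "$@"
}

# Constructed sample: header checks on, payload check missing, one repo opted out.
sample_weak_conf() {
    cat <<'EOF'
[main]
gpgcheck=1
plugins=1

[ol7_latest]
name=Constructed sample repository
gpgcheck=1

[local_test]
name=Constructed sample local repository
gpgcheck=0
EOF
}

# Constructed sample: payload_gpgcheck used together with the header checks.
sample_hardened_conf() {
    cat <<'EOF'
[main]
gpgcheck=1
localpkg_gpgcheck=1
payload_gpgcheck=1

[ol7_latest]
name=Constructed sample repository
gpgcheck=1
EOF
}

echo "== weak sample =="
sample_weak_conf | audit_yum_gpg || true
echo "== hardened sample =="
sample_hardened_conf | audit_yum_gpg
```

To audit a real system, pass the configuration files as arguments, for example audit_yum_gpg /etc/yum.conf /etc/yum.repos.d/*.repo.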
Security
This section describes new, changed, and improved security features.
-
New NBDE security packages
The following new security packages are provided for the Network Bound Disk Encryption (NBDE) feature. NBDE enables you to encrypt root volumes of hard drives on physical machines without requiring you to manually enter a password when the systems are rebooted.
-
clevis – Is a pluggable framework for automated decryption. You can use clevis to provide an automated decryption of data or even an automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
-
jose – Is a C-language implementation of the Javascript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages.
-
luksmeta – LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
-
tang – Is a server for binding data to a network presence. The tang package includes a daemon that provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
-
New http-parser package
The http-parser package provides a utility for parsing HTTP messages (both requests and responses). The parser is designed for use in performance HTTP applications. The parser does not make any system calls or allocations, does not buffer data, and can be interrupted at any time. Depending on your architecture, the parser only requires about 40 bytes of data, per message stream.
-
New usbguard package
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic allowlisting and blocklisting capabilities that are based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature.
The USBGuard framework provides the following components:
-
Daemon – Is the component with an inter-process communication (IPC) interface that is used for dynamic interaction and policy enforcement.
-
Command-line interface – Is the component that interacts with a running USBGuard instance.
-
Rule language – Is the component that is used for writing USB device authorization policies.
-
C++ API – Is the component that interacts with the daemon component that is implemented in a shared library.
-
Updated security package versions
The versions of the following security packages have been updated. The updated versions provide a number of new features, improvements, and bug fixes:
-
audit version updated to 2.7.6
-
libica version updated to 3.0.2
-
libreswan version updated to 3.20
-
opensc version updated to 0.16.0
-
openssh version updated to 7.4
-
openssl version updated to 1.0.2k
-
openssl-ibmca version updated to 1.3.0
-
Modification to OpenSSH to use SHA-2 for public key signatures
By default, the algorithm for public key signatures that is used in this release is SHA-2. Note that SHA-1 is available for backward compatibility purposes only.
-
pmrfc3164 replaces pmrfc3164sd in rsyslog
The pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module in this update.
Note:
Because the pmrfc3164 module does not fully cover pmrfc3164sd functionality, the pmrfc3164sd module is still available in rsyslog. However, whenever possible, you should use the new pmrfc3164 module, as the pmrfc3164sd module is no longer supported.
Server and Services
The following server and services improvements and changes have been made:
-
New libfastjson package
The libfastjson library replaces the json-c library for rsyslog in this update. The libfastjson library includes a limited feature set that provides significantly improved performance, compared to json-c.
-
New cache configuration options for mod_nss
New options for controlling caching of Online Certificate Status Protocol (OCSP) responses have been added to the mod_nss module.
You can use these new options to control the following:
-
Time to wait for OCSP responses.
-
Size of the OCSP cache.
-
Minimum and maximum duration for an item's presence in cache, including not caching at all.
-
Server and service package version updates
The following package versions have been updated. These updated versions include various enhancements and bug fixes:
-
chrony version updated to 3.1
-
rear version updated to 2.0
-
rsyslog version updated to 8.24.0
-
tuned version updated to 2.8.0
-
Change to default state file path for logrotate
To prevent confusion and potential mismatching of paths, the default state file path that is used by logrotate has been changed to match the state file path that is used by the logrotate cron job. As a result, logrotate now uses /var/lib/logrotate/logrotate.status as the default state file path in both scenarios.
-
Removed nss_pcache options
The nss_pcache pin-caching service no longer shares the Network Security Services (NSS) database of the mod_nss Apache module because nss_pcache does not need access to the tokens. Also, options for the NSS database and the prefix have been removed and are now handled automatically by mod_nss.
-
Expanded support in openwsman for disabling SSL protocols
The openwsman utility has been updated to include a new configuration file option for listing disabled protocols. The new option enables you to specifically disable particular SSL protocols.
-
Deprecated openldap-server
Starting with Oracle Linux 7.4, the openldap-server package is deprecated and new versions of this package will not be included in the next major release of Oracle Linux. Consider using an alternate LDAP server application included with Oracle Linux, such as the 389 Directory Server.
Spacewalk Client Registration
It is not necessary to install the Spacewalk client before registering an Oracle Linux 7 Update 4 system with a Spacewalk server. Instead, you can use the rhnreg_ks command, specifying the CA certificate file for the server, the server URL, and the activation key to be associated with the system.
For detailed instructions, see the Spacewalk 2.6 for Oracle Linux Client Life Cycle Management Guide at Oracle® Linux Manager & Spacewalk for Oracle® Linux Documentation. (Bug ID 20656368)
Storage
This update includes the following storage features, improvements, and changes.
-
LVM commands for reducing RAID logical volume size added
As of this update, you can use the Logical Volume Manager (LVM) commands, lvreduce or lvresize, to reduce the size of a RAID logical volume.
-
Added support in LVM for RAID takeover and reshaping
LVM now fully supports RAID takeover, which enables users to convert a RAID logical volume from one RAID level to another RAID level. Note that this feature was previously only available as a Technology Preview. In addition, LVM now provides support for RAID reshaping, which enables you to reshape properties such as the RAID algorithm, stripe size, and number of images.
Note:
The new RAID types that are added by means of RAID takeover or reshape are not supported in older kernel versions. These RAID types include the following: raid0, raid0_meta, raid5_n, and raid6_{ls,rs,la,ra,n}_6. Logical volumes that are created with or converted to these RAID types on RHCK for Oracle Linux 7.4 cannot be activated on systems that are running previous releases.
-
Capability for changing region size of RAID logical volume added
You can now change the region size of a RAID logical volume using the -R/--regionsize option of the lvconvert command. You must also change the old default value set by the activation.raid_region_size = N parameter in the existing lvm.conf file or the old value will still be applied when you create new logical volumes.
Multipathing Improvements and Changes
The following are new, improved, or changed Multipathing features:
-
New
detect_checker
multipath parameterThe Multipath feature now supports the
detect_checker
parameter in themultipath.conf
defaults and devices sections. If the parameter is set, multipath detects whether device supports the Asymmetric Logical Unit Access (ALUA) mode. If so, multipath overrides the configuredpath_checker
and uses the Test Unit Ready (TUR) checker instead. Thedetect_checker
option enables devices with an optional ALUA mode to be correctly auto configured, regardless of the device's current mode. -
Support added to device-mapper-multipath for max_sectors_kb configuration parameter
The device-mapper-multipath resource includes a new max_sectors_kb parameter in the defaults, devices, and multipaths sections of the multipath.conf file. This new parameter enables you to set the max_sectors_kb device queue parameter to the specified value on all underlying paths of a multipath device before the multipath device is first activated.
When a multipath device is created, it inherits the max_sectors_kb value from the path devices. Manually raising or lowering this value for the multipath device can cause multipath to create I/O operations that are larger than the path devices allow. The addition of the max_sectors_kb multipath.conf parameter provides a way to set these values before a multipath device is created on top of the path devices, thus preventing invalid-sized I/O operations from being passed down.
-
New disable_changed_wwids multipath configuration parameter
The Multipath feature now includes a new disable_changed_wwids parameter that you can set in the defaults section of the multipath.conf file. When this parameter is set, multipathd notes whenever a path device changes its wwid while it is in use, and then disables access to that device until its wwid returns to its previous value.
-
New multipathd commands for resetting device statistics
In this update, two new multipathd commands are introduced: multipathd reset multipaths stats and multipathd reset multipath dev stats. You use these commands to reset the device statistics that multipathd tracks for all devices, or a specified device, respectively. This capability enables you to reset device statistics after making changes to them.
-
New remove_retries multipath configuration value
You can now control the number of times that the multipath command tries to remove a multipath device that is busy. To enable this capability, change the remove_retries configuration value from its default value of 0. When the value is set to 0, multipath does not retry any failed removes.
-
Warning messages printed when multipathd is not running
The multipathd daemon now prints a warning message if you run a multipath command that creates or lists multipath devices while multipathd is not running.
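As an added illustration (not part of Oracle's documentation), the following shell functions read the defaults section of a multipath.conf file and report how the parameters described above are set. The function names and the sample configuration are constructed for this example; the yes value and the one-setting-per-line layout are assumed from standard multipath.conf syntax.

```shell
# Added example (not Oracle's code): inspect the defaults section of multipath.conf.

# Print the value KEY has in the defaults { } section of FILE (empty if unset).
# Assumes the usual layout: "defaults {" on one line, one "key value" per line.
mp_default() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        ($1 == "defaults" || $1 == "defaults{") && index($0, "{") { in_d = 1; next }
        in_d && index($0, "}") { in_d = 0; next }            # end of defaults section
        in_d && $1 == key { val = $2; gsub(/"/, "", val) }   # values may be quoted
        END { print val }
    ' "$1"
}

# remove_retries falls back to 0 (no retry of a failed remove) when it is unset.
mp_remove_retries() {
    _v=$(mp_default "$1" remove_retries)
    printf '%s\n' "${_v:-0}"
}

# Succeeds only if disable_changed_wwids is set to yes in the defaults section.
mp_wwid_guard_enabled() {
    [ "$(mp_default "$1" disable_changed_wwids)" = "yes" ]
}

# Write a constructed sample configuration to a temp file and print its path.
make_sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample, not taken from a real system
defaults {
    detect_checker yes
    disable_changed_wwids "yes"
    max_sectors_kb 1024
}
devices {
    device {
        vendor "EXAMPLE"
        product "ARRAY"
        detect_checker no
    }
}
EOF
    printf '%s\n' "$_f"
}

conf=$(make_sample_conf)
echo "remove_retries=$(mp_remove_retries "$conf")"; rm -f "$conf"
```

On a real system, pass /etc/multipath.conf to these functions; settings in the devices and multipaths sections are deliberately ignored here.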
Support Tools
Oracle Linux 7 includes tools to assist with the resolution of runtime issues. Notable features and changes in this update are as follows:
-
Kdump Configuration During Installation
It is now possible to configure Kdump during a non-graphical installation. For limitations on using the crashkernel=auto setting, see crashkernel=auto setting on UEK R3.
-
makedumpfile Support for Large Memory Images
makedumpfile can now use the sadump format for dumps of more than 16 TB of physical memory.
-
Kpatch Removed
The upstream Kpatch RPM has been removed from Oracle Linux. Customers who want to patch their running kernel with zero downtime should evaluate Oracle's Ksplice technology, which is included at no additional cost with Oracle Linux Premier support. For more information, see Oracle Linux: Ksplice User's Guide.
Virtualization
This section describes new, improved, and updated virtualization features.
-
KVM and QEMU support for new features in 2nd Generation Xeon and Xeon Phi processors
The Kernel-based Virtual Machine (KVM) modules and the QEMU hypervisor are now capable of supporting the new features that are present in 2nd Generation Xeon and Xeon Phi processors. KVM guests can use the avx512_4vnniw and avx512_4fmaps instructions if they are enabled in the virtual machine CPU configuration.
-
Configuring MTU settings on KVM guest interfaces added
In this update, you have the ability to configure MTU settings on KVM guest interfaces.
-
libvirt changed to use generic PCIe root ports in QEMU
-
libvirt version updated to 3.2.0
This update makes it possible to install and uninstall specific libvirt storage sub-drivers, thereby reducing the installation footprint. In addition, you can now configure the /etc/nsswitch.conf file to instruct the Name Services Switch (NSS) to automatically resolve names of KVM guests to their network addresses.
-
Added support in KVM for MCE
Support for Machine Check Exception (MCE) has been added to the KVM kernel modules. It is now possible to use the Local MCE (LMCE) feature of Intel Xeon v5 processors in KVM guest virtual machines. LMCE can deliver MCE to a single processor thread, instead of broadcasting to all threads, which ensures the machine check does not impact the performance of more vCPUs than is needed. As a result, the software load is reduced when processing MCE on machines with a large number of processor threads.
-
Improved virt-v2v installation of QXL drivers
The virt-v2v implementation of QXL driver installation in Windows guest virtual machines has been improved. This change ensures that QXL drivers are installed correctly on these guests.
Technology Preview
Features that are currently under technology preview when using UEK R4u4 are described in Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 4 Update 4 (4.1.12-94).
For RHCK, the following features are currently under technology preview:
-
Systemd:
    -
    Importd features for container image imports and exports
-
File Systems:
    -
    DAX (Direct Access) for direct persistent memory mapping from an application. This is under technical preview for the ext4 and XFS file systems.
    -
    Block and object storage layouts for parallel NFS (pNFS).
    -
    SCSI layout for parallel NFS (pNFS), including support for both client and server configurations.
    -
    OverlayFS remains in technical preview.
-
Kernel:
    -
    Heterogeneous memory management (HMM).
    -
    User namespace (security features for isolating Linux containers from the host).
    -
    10GbE RoCE Express for RDMA.
    -
    ocrdma and libocrdma packages for RDMA over RoCE.
    -
    No-IOMMU mode virtual I/O feature.
-
Networking:
    -
    Support for a Cisco proprietary User Space Network Interface Controller in UCM servers provided in the libusnic_verbs driver
    -
    Cisco VIC InfiniBand kernel driver that provides similar functionality to RDMA on proprietary Cisco architectures.
    -
    Trusted Network Connect support.
    -
    Single-Root I/O virtualization (SR-IOV) in the qlcnic driver.
    -
    nftables and libnftnl network filtering and classification functionality
-
Storage:
    -
    Multi-queue I/O scheduling for SCSI (scsi-mq). This functionality is disabled by default.
    -
    The plug-in for the libStorageMgmt API used for storage array management. The libStorageMgmt API is now fully supported, but the plug-in is under technology preview.
    -
    DIF/DIX for data integrity checking on SCSI devices, other than certain, specified native HBA and storage hardware. Oracle supports DIF/DIX with UEK R4.
Compatibility
Oracle Linux maintains user-space compatibility with Red Hat Enterprise Linux, which is independent of the kernel version that underlies the operating system. Existing applications in user space will continue to run unmodified on the Unbreakable Enterprise Kernel Release 4 (UEK R4) and no re-certifications are needed for RHEL certified applications.
To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R4 will remain unchanged in all subsequent updates to the initial release. UEK R4 contains changes to the kernel ABI relative to UEK R3 that require recompilation of third-party kernel modules on the system. Before installing UEK R4, verify its support status with your application vendor.