Oracle Linux now includes the dnf offline-upgrade command from the DNF system-upgrade plugin. Offline upgrades can help protect a system during upgrades by performing package installations after a reboot and before libraries that might be affected by package updates have loaded.

This feature includes the option to apply security advisory filters such as --advisory, --security, and --bugfix to limit the download of packages and their dependencies to a specified advisory.

The unload_plugins function is added to the DNF API so that you can unload plugins by using the API. To use this feature, first run the init_plugins function, and then run the unload_plugins function.

The rpm2archive command includes a --nocompression option that can prevent compression when unpacking an RPM package.

The chrony package is updated to version 4.3. Notable features and changes include:

• Long-term quantile-based filtering of Network Time Protocol (NTP) measurements, which can be enabled by adding the maxdelayquant option to the pool, server, or peer directives.
• Selection log provides more information about chronyd selection of sources and can be enabled by adding the selection option to the log directive.
• Improved synchronization stability when using the hardware timestamping and Pulse-Per-Second Hardware Clock (PHC) reference clocks.
• System clock stabilization by using a free-running stable clock, such as a Temperature Compensated Crystal Oscillator (TCXO), Oven-Controlled Crystal Oscillator (OCXO), or an atomic clock.
• Maximum polling rate increased to 128 messages per second.

The frr package is updated to version 8.3.1. Notable features and changes include:

• New command for managing FRR daemons: show thread timers displays FRR's timer data.

• New Border Gateway Protocol (BGP) related commands:

  • set as-path replace: replaces the Autonomous System (AS) path attribute of a BGP route with a new value.
  • match peer: matches a specific BGP peer or group when configuring a BGP route map.
  • ead-es-frag evi-limit: sets a limit on the number of Ethernet A-D per EVI fragments that can be sent in a specified period in EVPN.
  • match evpn route-type: used to specify actions for certain types of EVPN routes, such as route-target, route-distinguisher, or MAC/IP routes.

• New commands for the Protocol Independent Multicast (PIM) daemon:

  • debug igmp trace detail: enables debugging for Internet Group Management Protocol (IGMP) messages with detailed tracing.
  • ip pim passive: sets the interface as passive and disables the sending PIM messages.
• New command for Open Shortest Path First (OSPF) protocol: show ip ospf reachable-routers displays a list of routers that are reachable at the time the command is run.
• New outputs for the show zebra command, including statuses for ECMP, EVPN, and MPLS.

See https://github.com/FRRouting/frr/releases?q=8.3.1&expanded=true for more information.

SELinux rules for FRR are included in the frr package to improve integration with SELinux as new features and changes are released.

The Very Secure FTP Daemon (vsftpd) is updated to version 3.0.5. Notable features and changes include:

• Default requirement to use TLS version 1.2 or later for secure connections.
• Compatibility updates for use with the latest FileZilla client.

The powertop package is updated to version 2.15. Notable features and changes include:

• General fixes and stability improvements.
• Improved compatibility with Ryzen processors and Kaby Lake platforms.
• Enabled Lake Field, Alder Lake N, and Raptor Lake platform functionality.
• Enabled Ice Lake NNPI and Meteor Lake mobile and desktop functionality.

The systemd-sysusers utility creates system users and groups during package installation and removes them during a removal of the package. Several packages are updated to integrate with the systemd-sysusers utility. The packages that are updated include:

• chrony
• dhcp
• radvd
• squid

The synce4l package manages devices that include the SyncE (Synchronous Ethernet), a hardware feature that helps PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is available in certain network interface cards (NICs) and network switches and helps Telco Radio Access Network (RAN) applications to achieve accurate time synchronization that results in better communication efficiency. See https://github.com/intel/synce4l for more information.

The tuned package is updated to version 2.20.0. Notable features and changes include:

• API update to facilitate moving devices between plugin instances at runtime.

• Update to the plugin_cpu module:

  • The pm_qos_resume_latency_us feature limits the maximum time permitted for each CPU to transition from an idle state to an active state.
  • The Intel® _pstate scaling driver provides scaling algorithms to tune power management for a system based on usage scenarios.

The samba packages are upgraded to upstream version 4.17.5. Notable features and changes include:

• Improvements in performance around security for the Server Message Block (SMB) server when working with high metadata workloads.
• Addition of a --json option to the smbstatus command to display status information in JSON format.
• Addition of samba.smb.conf and samba.samba3.smb.conf modules to the smbconf Python API to facilitate reading and writing the Samba configuration directly from Python programs.

Server Message Block version 1 (SMB1) protocol is deprecated in Samba 4.11 and later. SMB1 will be removed in a future release. Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Downgrading tdb database files isn't supported. After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

The following features were added:

• {left,right}pubkey= to addconn and whack

• KDF self-tests to Crypto

• Updated syscall allow-list in seccomp

• Support of show host's authentication key (showhostkey) for ECDSA pubkeys and for printing PEM encoded public key through the --pem option

• New functionalities for the Internet Key Exchange Protocol Version 2 (IKEv2) and the pluto IKE daemon

The OpenSSL packages are updated to version 3.0.7. Notable features and changes include:

• Various bug fixes and improvements
• The default provider includes the RIPEMD160 hash function.

SELinux user-space packages are updated to version 3.5. Packages affected include: libselinux, libsepol, libsemanage, checkpolicy, mcstrans, and policycoreutils. Notable features and changes include:

• The sepolicy utility includes several Python and GTK updates. The manual pages are also updated to cover several missing descriptions.

• libselinux is improved to reduce heap memory usage by the PCRE2 library.

• The libsepol package is updated for stricter policy validation and to reject attributes in Access Vector (AV) rules for kernel policies.

• The fixfiles script unmounts temporary bind mounts on the SIGINT signal
• The semodule --refresh option replaces --rebuild-if-modules-changed.
• Bug fixes and improvements to errors and descriptions, including translation fixes.

The OpenSCAP packages are updated to version 1.3.7. Notable features and changes include:

• Fixed error when processing OVAL filters.
• OpenSCAP no longer emits invalid empty xmlfilecontent items if an XPath doesn't match.
• Removed Failed to check available memory errors.

The SCAP Security Guide (SSG) packages are updated to version 0.1.66. Notable features and changes include:

• Deprecation of rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit

• Updated Oracle Linux 9 stig and stig_gui draft profiles to obtain more secure configuration.

RSyslog is updated for several changes. Notable features and changes include:

• A new NetstreamDriverCaExtraFiles directive that can be used to specify a list of additional certificate authority (CA) certificates for TLS encrypted remote logging. The new directive is available only for the ossl (OpenSSL) Rsyslog network stream driver.
• Improved privileges to the Rsyslog log processing system to limit privileges to those required by Rsyslog. This update tightens security for Rsyslog but doesn't affect existing functionality.

As a consequence of the privilege limitations of the Rsyslog log processing system, which is described in the previous item, the SELinux policy has been updated so that the rsyslog service can drop privileges at start.

With updated selinux-policy packages, SELinux confines udftools services.

Clevis includes a new -e option that can be used to specify an external token ID to avoid entering a password during cryptsetup. Use of external token IDs can be used to automate configuration.

The Tang server handles the addition of system users and groups through the systemd-sysusers service to simplify user management and providing the option to override system user creation by providing sysuser.d files with higher priority.

The list of RPM-database files that fapolicyd stores in the trust database can be customized by editing a new /etc/fapolicyd/rpm-filter.conf configuration file. By using this feature, you can override by the default configuration filter to specify which applications installed by RPM are permitted or excluded.

The gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 block cipher functions in GnuTLS handle the PKCS#7padding, required by some protocols, transparently. The functions can be used in combination with the GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add or remove padding if the length of the original plaintext isn't a multiple of the block size.

Network Security Services (NSS) libraries are updated to change the minimum key size for all RSA operations from 128 to 1023 bits. The following NSS functions are no longer available:

• Generating RSA keys shorter than 1023 bits.
• Signing or verifying RSA signatures with RSA keys shorter than 1023 bits.
• Encrypting or decrypting values with RSA key shorter than 1023 bits.

Smart cards are supported through Public-Key Cryptography Standard (PKCS) #11 Uniform Resource Identifier (URI). Therefore, you can use smart cards with the libssh SSH library and with applications that use libssh.

The libssh library is updated to version 0.10.4 and includes the following support:

• OpenSSL 3.0
• Smart cards has been added.
• Two new configuration options IdentityAgent and ModuliFile have been added.

With this update, OpenSSL versions previous to 1.0.1 are no longer supported. Further, Digital Signature Algorithm (DSA) support is disabled, and both the SCP API, pubkey and privatekey APIs have been deprecated.

Rules in scap-security-guide are now compatible with the RainerScript syntax. Therefore, scap-security-guide rules can check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.

This version contains various enhancements and bug fixes, most notably the following:

• Vulnerability reported in CVE-2022-3500 is addressed.
• The Keylime agent no longer fails IMA attestation in cases where race conditions exist between running scripts.
• Segmentation fault in the /usr/share/keylime/create_mb_refstate script is fixed.
• Registrar no longer fails during EK validation when the require_ek_cert option is enabled

The updated package version provides notable features such as the following:

• Dual-function cryptographic functions
• New C_SessionCancel function cancels active session-based operations, as described in the PKCS #11 Cryptographic Token Interface Base Specification v3.0

The NetworkManager packages are updated to version 1.42.2. Notable features and changes include:

• Ethernet bonds can be configured for source load balancing.
• NetworkManager can manage connections on the loopback device.
• IPv4 equal-cost multipath (ECMP) route management is included.
• 802.1ad tagging in Virtual Local Area Networks (VLANs) connections is now possible.
• The nmtui application can be used with Wi-Fi WPA-Enterprise, Ethernet with 802.1X authentication, and MACsec connection profiles.
• NetworkManager is updated to reject DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).

For more information, see https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.42.2/NEWS.

NetworkManager can now be configured using a weight property when defining IPv4 Equal-Cost MultiPath (ECMP) routes. You can configure multipath routing to load-balance and stabilize network traffic. The weight property can have a value from 1 to 256. You must define multiple next-hop routes as single-hop routes that use the weight property. If no weight property is set on a route, the routes aren't merged into an ECMP route.

The balance-slb bonding mode used to configure source load balancing is available in NetworkManager. The balance-slb mode divides traffic on the source ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager automatically adds necessary nftables rules for traffic filtering.

The [global-dns] section in the /etc/Networkmanager/NetworkManager.conf file can be configured without specifying the nameserver value in the [global-dns-domain-*] section. By avoiding nameserver configuration you are able to configure DNS in the /etc/resolv.conf file while still relying on the DNS servers provided by the network connection for actual DNS resolution. This update makes it easier to configure DNS across multiple networks.

vlan interface types can be configured with a protocol property in NetworkManager to specify the VLAN protocol that controls the tag identified for encapsulation. The property can be set to either 802.1Q (default), or 802.1ad.

NetworkManager can configure an unmanaged networking interface as a base interface when configuring VLANs. The VLAN base interface remains intact unless changed explicitly by NetworkManager.

NetworkManager can configure the loopback interface to provide additional IP addresses, DNS configuration, routing that isn't bound to an interface and MTU settings.

The nmstate API is updated to accept IPv6 link-local addresses for DNS server entries. Use the <link-local_address>%<interface> format, for example:

dns-resolver:
  config:
    server:
    - fe80::deef:1%enp1s0

Default properties for the min-mtu and max-mtu values are set on all interfaces, so that if the required MTU is out of range, nmstate indicates the available MTU range.

The firewalld package is updated to version 1.2. Notable features and changes include:

• New services including Kodi JSON-RPC, EventServer, netdata, and IPFS.
• A fail-safe mode can be used to ensure that the system remains protected and that network communication continues if the firewalld service encounters an error when it's started. If errors are encountered in the user configuration or another startup issue causes the firewalld service to fail, firewalld falls back to failsafe defaults.
• Tab-completion updated in the CLI for some firewalld policy commands.

The conntrack-tools package is updated to version 1.4.7. Notable features and changes include:

• A new IPS_HW_OFFLOAD flag, which specifies offloading of a conntrack entry to the hardware.
• New clash_resolve and chaintoolong statistical counters.
• Filtering of events by IP address family.
• The conntrackd.conf file accepts 'yes' or 'no' values, as synonyms of 'on' and 'off'.
• A user space helper can be configured to automatically load upon daemon startup. Users don't have to manually run the nfct add helper commands.
• The -o userspace command option is removed and user space triggered events are always tagged.
• External inject problems are only logged as warnings.
• The conntrack ID is ignored when looking up cache entries to replace old stale entries.
• Parsing of IPv6 M-SEARCH requests in the ssdp cthelper module is fixed.
• The nfct library no longer requires lazy binding.
• Protocol value parsing is improved and has better detection of invalid values.

The xdp-tools packages are updated to version 1.3.1. Notable features and changes include:

• New utility commands:

  • xdp-bench: XDP benchmarking on the receive side.
  • xdp-monitor: XDP error and statistic monitoring using kernel trace points.
  • xdp-trafficgen: Generates and sends traffic through the XDP driver hook.

• New features in the libxdp library:

  • Reference counting is improved when attaching programs to AF_XDP socket, so that applications no longer have to manually detach XDP programs when using sockets.

  • New functions are added to the library:

    • xdp_program__create() for creating xdp_program objects
    • xdp_program__clone() for cloning an xdp_program reference
    • xdp_program__test_run() for running XDP programs through the BPF_PROG_TEST_RUN kernel API
    • The xdp_multiprog__xdp_frags_support(), xdp_program__set_xdp_frags_support(), and xdp_program__xdp_frags_support() functions are added for loading programs with XDP fragsor multibuffer XDP.
  • When the LIBXDP_BPFFS_AUTOMOUNT environment variable is set, the libxdp library automatically mounts a bpffs virtual file system if none is found. A subset of the library features can now also function when no bpffs is mounted.

This version also changes the version number of the XDP dispatcher program that's loaded on the network devices. You can't use a previous and a new version of libxdp and xdp-tools at the same time. The libxdp 1.3 library displays old versions of the dispatcher, but doesn't automatically upgrade them. Programs that are loaded with libxdp 1.3 don't work with programs that are loaded with a previous version of the library.

The iproute package is updated to version 6.1.0. Notable features and changes include:

• The vdpa command includes the ability to read device statistics, For example, you can read the virtqueue data structure at index 1, by running:

  sudo vdpa dev vstats show vdpa-a qidx 1

• Updates to the corresponding manual pages

The Berkeley Packet Filter (BPF) functionality in Red Hat Compatible Kernel (RHCK) is updated to upstream Linux 6.0. All BPF features that depend on the BPF Type Format (BTF) for kernel modules are enabled, including the usage of BPF trampolines for tracing, the availability of the Compile Once - Run Everywhere (CO-RE) principle, and several networking-related features. Kernel modules also contain debugging information, which means that you no longer need to install debuginfo packages to inspect running modules. For more information on the complete list of BPF features available in the running kernel, use the bpftool feature command.

The tuna command now uses argparse to provide better command line argument parsing and the CLI can now display a standardized menu of commands and options. You can now perform the following tasks:

• Change the attributes of the application and kernel threads.
• Operate on interrupt requests (IRQs) by name or number.
• Operate on tasks or threads by using the process identifier.
• Specify CPUs and sets of CPUs with the CPU or the socket number.

You can also use the tuna -h command to print the command line arguments and their corresponding options.

Note that this functionality also works with UEK.

The nvme-cli packages are updated to version 2.2.1. Notable features and changes include:

• A new nvme show-topology command to display the NVMe subsystem topology.
• The uint128 data fields are displayed correctly.
• The libnvme dependency is updated to version 1.2.
• The libuuid dependency is dropped.

The libnvme packages are updated to version 1.2. Dependency on the libuuid library is dropped.

The lvreduce command does not reduce the size of an active logical volume (LV) unless the lvreduce esizefs option is enabled. In this manner, the risk of file system damage resulting from a reduction in the size of the LV is prevented.

New options are available to the command for better control of the file systems while the logical volume is beng reduced.

Use the validate-all --agent-validation command option when creating or updating a resource or a STONITH device to trigger additional validation to that performed by pcs based on the agent's metadata.

Python 3.11 is available in the package python3.11. An additional suite of packages compatible with Python 3.11 are also available. Notable features and changes include:

• Improved performance.
• The new match keyword (similar to switch in other languages) can be used for structural pattern matching.
• Improved error messages, for example, indicating unclosed parentheses or brackets. Precise error locations in tracebacks pointing to the expression that caused the error. Exact line numbers for debugging and other use cases.
• The ability to define context managers across multiple lines by enclosing the definitions in parentheses.
• Various new features related to type hints and the typing module, such as the new X | Y type union operator, variadic generics, and the new Self type.
• A new tomllib standard library module which can be used to parse TOML.
• An ability to raise and handle multiple unrelated exceptions simultaneously using Exception Groups and the new except* syntax.

The git version control system is updated to version 2.39.1. Notable features and changes include:

• The git log command includes a format placeholder for the git describe output: git log --format=%(describe)

• The git commit command includes the --fixup<commit> option so that you to fix the content of the commit without changing the log message. With this update, you can also use:

  • The --fixup=amend:<commit> option to change both the message and the content.
  • The --fixup=reword:<commit> option to update only the commit message.
• The git clone command includes the --reject-shallow option to disable cloning from a shallow repository.
• The git branch command includes the --recurse-submodules option.

• The git merge-tree command can be used to:

  • Test if two branches can merge.
  • Compute a tree that would result in the merge commit if the branches were merged.
• T safe.bareRepository configuration variable can filter out bare repositories.

The Git Large File Storage (LFS) extension is updated to version 3.2.0. Notable features and changes include:

• Git LFS introduces a pure SSH-based transport protocol.
• Git LFS provides a merge driver.
• The git lfs fsck command checks that pointers are canonical and that expected LFS files have the correct format.
• NT LAN Manager (NTLM) authentication protocol is removed. Use Kerberos or Basic authentication instead.

The nginx 1.22 web and proxy server is available as the nginx:1.22 module stream. New features and changes include:

• OpenSSL 3.0 integration and handling of the SSL_sendfile() function when using OpenSSL 3.0.
• Integration with the PCRE2 library.
• POP3 and IMAP pipelining in the mail proxy module. Additionally, the Auth-SSL-Protocol and Auth-SSL-Cipher header lines are passed to the mail proxy authentication server.

• Multiple new directives are available, including ssl_conf_command and ssl_reject_handshake.
• Variables can be used in multiple directives, including proxy_cookie_flags, proxy_ssl_certificate, proxy_ssl_certificate_key, grpc_ssl_certificate, grpc_ssl_certificate_key, uwsgi_ssl_certificate, and uwsgi_ssl_certificate_key.
• The listen directive in the stream module now can take a new fastopen parameter to use TCP Fast Open mode for listening sockets.
• A new max_errors directive is added to the mail proxy module.

• nginx always returns an error if:

  • The CONNECT method is used.
  • Both Content-Length and Transfer-Encoding headers are specified in the request.
  • The request header name contains spaces or control characters.
  • The Host request header line contains spaces or control characters.
• nginx blocks all HTTP/1.0 requests that include the Transfer-Encoding header.
• nginx establishes HTTP/2 connections using the Application Layer Protocol Negotiation (ALPN) and can no longer use the Next Protocol Negotiation (NPN) protocol.

The mod_security module for the Apache HTTP Server is updated to version 2.9.6. Notable features and changes include:

• Adjusted parser activation rules in the modsecurity.conf-recommended file.
• Improvements to HTTP multipart request parsing.
• A new MULTIPART_PART_HEADERS collection.
• Microsecond timestamp resolution is used in the formatted log timestamp.
• Geo Countries updated for missing entries

PostgreSQL version 15 is made available as the postgresql:15 module stream. PostgreSQL 15 includes several new features and enhancements over version 13. See https://www.postgresql.org/docs/release/15.0/ for more information.

Module stream life cycle information is available in Oracle Linux: Product Life Cycle Information.

The updated Node.js 18.14 includes a SemVer major upgrade of npm from version 8 to version 9. In this update, support for unscoped authentication configurations is removed to improve security. This update might require adjustments to the current npm configuration.

If you use unscoped authentication tokens, generate and supply registry-scoped tokens in the .npmrc file. If the .npmrc file contains lines that use _auth, for example, ///registry.npmjs.org/:_auth, replace these lines with ///registry.npmjs.org:_authToken=${NPM_TOKEN}. Then apply the scoped token that is generated.

The current Oracle Linux release includes the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.

The following system toolchain components are updated in Oracle Linux 9.2:

• GCC 11.3.1
• glibc 2.34
• binutils 2.35.2

The following performance tools and debuggers are updated in Oracle Linux 9.2:

• GDB 10.2
• Valgrind 3.19
• SystemTap 4.8
• Dyninst 12.1.0
• elfutils 0.188

The following performance monitoring tools are updated in Oracle Linux 9.2:

• PCP 6.0.1
• Grafana 9.0.9

The following compiler toolsets are updated in Oracle Linux 9.2:

• GCC Toolset 12
• LLVM Toolset 15.0.7
• Rust Toolset 1.66.1
• Go Toolset 1.19.6

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools.The toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository. Notable features and changes include:

• Updated the GCC compiler to version 12.2.1.
• annobin is updated to version 11.08.

The following tools and versions are provided by GCC Toolset 12:

To install GCC Toolset 12, run the following command as root:

sudo dnf install gcc-toolset-12

To run a tool from GCC Toolset 12:

scl enable gcc-toolset-12 tool

To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:

scl enable gcc-toolset-12 bash

LLVM Toolset is updated to version 15.0.7.The update includes changes that enable the -Wimplicit-function-declaration and -Wimplicit-int warnings by default in C99 and later.

Go Toolset is updated to version 1.19.6 to include several notable security and bug fixes.

The system GCC compiler, version 11.3.1, is updated to include numerous bug fixes and enhancements available in the upstream GCC. The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.

Performance Co-Pilot (PCP) is updated to version 6.0. Notable improvements include:

1. Version 3 PCP archive:

   Instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones, and 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes can all be used by configuring the PCP_ARCHIVE_VERSION setting in the /etc/pcp.conf file.

   Version 2 archives remain the default.

2. Only OpenSSL is used throughout PCP. Mozilla NSS/NSPR use is dropped:

   libpcp, PMAPI clients and PMCD use of encryption is impacted. These elements are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already using OpenSSL.

3. New nanosecond precision timestamp PMAPI calls for PCP library interfaces that use timestamps are included for optional use, but full backward compatibility is preserved for existing tools.

4. The following tools and services are updated:

   pcp2elasticsearch

   Authentication feature enabled.

   pcp-dstat

   Can use top-alike plugins.

   pcp-htop

   Updated to the latest stable upstream release.

   pmseries

   Added sum, avg, stdev, nth_percentile, max_inst, max_sample, min_inst and min_sample functions.

   pmdabpf

   Added CO-RE (Compile Once - Run Everywhere) modules.

   pmdabpftrace

   Moved example autostart scripts to the /usr/share directory.

   pmdadenki

   Multiple active batteries can be used.

   pmdalinux

   Updates for the latest /proc/net/netstat changes.

   pmdaopenvswitch

   Added additional interface and coverage statistics.

   pmproxy

   Request parameters can now be sent in the request body.

   pmieconf

   Added several pmie rules for Open vSwitch metrics.

   pmlogger_farm

   Added a default configuration file for farm loggers.

   pmlogger_daily_report

   Code changes for efficiency.

The grafana package is updated to version 9.0.9. Notable features and changes include:

• The time series panel is now the default visualization option, replacing the graph panel
• New heatmap panel
• New Prometheus and Loki query builder
• Updated Grafana Alerting
• UI/UX and performance improvements
• License changed from Apache 2.0 to GNU Affero General Public License (AGPL)

The following are offered as opt-in experimental features:

• New bar chart panel
• New state timeline panel
• New status history panel
• New histogram panel

The grafana-pcp package is updated to version 5.1.1. Notable features and changes include:

• Added buttons to disable rate conversation and time usage conversation in the query editor.
• Removed the deprecated label_values(metric, label) function for Redis.
• Fixed the network error for metrics with many series (requires Performance Co-Pilot v6+).
• Set the pmproxy API timeout to 1 minute.

The /usr/share/zoneinfo/leap-seconds.list file accommodates an alternate format to the /usr/share/zoneinfo/leapseconds file that was previously shipped with the tzdata package. Both formats are included to support applications that choose to use either format to calculate International Atomic Time (TAI) from Coordinated Universal Time (UTC) values that are used by almost all time services.

The package enables you to configure passt and pasta network connections for virtual machines and containers, respectively, that are running in the non privileged connection mode of libvirt (qemu:///session). The two functionalities further offer the following improvements for IPv6:

• Use of the Neighbor Discvoery Protocol (NDP) responder and for DHCPv6
• Port forwarding on TCP and UDP protocols on IPv6

This update adds the passt package, which makes it possible to use the passt and pasta network connections. As a result, you can set up passt and pasta for virtual machines and containers, respectively, that run in the non-privileged connection mode of libvirt (qemu:///session).

For more information on using passt, see the libvirt upstream documentation.

To use pasta in a podman container, use -network pasta command-line option.

The /etc/containers/policy.json file accepts a keyPaths field that contains a list of trusted GPG keys. Usage of more than one GPG key in the container policy is a technology preview feature that permits Podman to install images signed by any one of multiple GPG keys.

The container-tools package is updated for Podman v4.4. The package contains the Podman, Buildah, Skopeo, crun and runc tools. The updates have the following features and changes:

• Information about a container can be audited directly from a journald entry in Podman v4.4 and later. To enable Podman auditing, modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The audit data is in JSON format, equivalent to the output of the podman container inspect command.
• The podman network update command is added to update networks for containers and pods.

• Podman can be configured with pre-execution hooks that can be used to control container operations by creating plugin scripts in /usr/libexec/podman/pre-exec-hooks or /etc/containers/pre-exec-hooks. Pre-execution scripts are only run if a file named /etc/containers/podman_preexec_hooks.txt exists. If all plugin scripts return zero value, then the podman command is run, otherwise, the podman command exits with the exit code returned by the script that failed.

• The podman buildx version command is added to output the Buildah version.
• Container startup health checks are available, to trigger a command to check that the container is fully started before the regular health check is activated.
• New Docker compatibility options and aliases are included.
• Improved Kubernetes integration by consolidating kube commands: the podman kube generate and podman kube play replace the podman generate kube and podman play kube commands.
• Systemd-managed pods created by the podman kube play command now integrate with sd-notify, using the io.containers.sdnotify annotation (or io.containers.sdnotify/$name for specific containers).
• Systemd-managed pods created by podman kube play can be auto-updated by using the io.containers.auto-update annotation.

For further information about notable changes, see upstream release notes.

Custom DNS server selection for containers using the Aardvark and Netavark network stack is available. Containers are able to use customer DNS servers instead of the default DNS servers on the host. To enable a custom DNS server, either add the dns_servers field in the containers.conf configuration file or use the new --dns option to specify the IP address of the DNS server when running the podman command. The --dns option overrides any values that are set in the container.conf file.

Skopeo can generate sigstore key pairs through the skopeo generate-sigstore-key command. For more information, see skopeo-generate-sigstore-key manual page.

Use the toolbox utility to access the container command line environment without installing additional troubleshooting tools directly on the system. Toolbox uses Podman and other standard container technologies from the Open Container Initiative. For more information, see toolbx.

In Oracle Linux 9.0 and Oracle Linux 9.1, container images had a three-digit tag. Starting from Oracle Linux 9.2, container images have a two-digit tag.

sos clean detects and obfuscates IPv6 addresses to ensure that customer-sensitive data is appropriately obfuscated.