Oracle Linux 8 Beta

Oracle Linux is based on Red Hat Enterprise Linux, and Red Hat released Red Hat Enterprise Linux 8 Beta a few months ago. Now Oracle has released the Oracle Linux 8 beta version with major new features and improvements.

Oracle Linux 8 Beta includes DNF (Dandified yum), the modern replacement for the yum package manager, as well as RPM changes, security feature updates, networking, high availability, and file system improvements, and enhanced developer tools, compilers, and scripting language support. Oracle Linux 8 Beta ships with the kernel-4.18.0-32.el8 Red Hat Compatible Kernel (RHCK) package.

Oracle Linux 8 Beta content is now distributed through the BaseOS and Application Stream (AppStream) repositories. The BaseOS repository includes the core set of RPM packages that are needed to run Oracle Linux. The AppStream repository contains modules, which are sets of RPMs that can or must be installed together, and includes packages that provide additional support for a variety of workloads, such as user-space applications, runtime languages, and databases.  The beta release should be deployed and tested as a bundle as shipped on the Oracle provided installation image, as downgrading kernel packages is not supported.

Oracle Linux 8 Beta, Major Features and Improvements

Let’s review the major changes in the Oracle Linux 8 beta version.

Installation, Boot, and Image Creation

Oracle Linux 8 Beta introduces the following notable features and improvements to installing and booting a system, and creating images:

  • Support for LUKS2 disk encryption added to installer.  By default, the Oracle Linux 8 Beta installer uses the LUKS2 format. This change introduces several improvements such as extending the capabilities of the on-disk format and providing flexible ways to store metadata. During an installation with the installer, you can now select a LUKS version in the Custom Partitioning window. Or, you can specify these new command options in a kickstart profile by using the autopart, logvol, part, and RAID options.
  • New kernel boot parameter added to the installer.  A new kernel boot parameter, inst.addrepo=name,url, has been added to the installer. You can use this parameter to specify an additional repository during an installation. Note that the parameter has two mandatory values that must be provided: the name of the repository and a URL that points to that repository. Previously, you could only specify a base repository by setting kernel boot parameters.
  • Support for unified ISO added to the installer.  In this release, the installer uses a unified ISO, which automatically loads the BaseOS and AppStream installation source repositories. The feature works for the first base repository that is loaded during an installation, but it does not work if you boot by using a different base repository and then attempt to change to the unified ISO. Doing so replaces the base repository; however, the AppStream repository is not replaced and continues to point to the original file.

Red Hat Compatible Kernel

The following notable features, enhancements, and changes apply to the version of RHCK that is shipped with Oracle Linux 8 Beta.

  • 5-level paging added.  T has been updated to include a new P4d_t software page table type. This change enables 5-level paging in Oracle Linux 8 Beta. This feature requires hardware support which may not be available on your processor type.
  • Memory management 5-level paging added.  Memory bus limits have been extended to 57/52 bit of virtual/physical memory addressing, with 128 PiB of virtual address space and 4 PB of physical memory capacity. This extended address range allows the memory management feature in Oracle Linux 8 Beta to enable 5-level paging, which is capable of handling an expanded address range. The I/O memory management unit (IOMMU) code in the Linux kernel is also updated in this release to enable 5-level paging tables.
  • Support for Control Group v2 added.  This release supports the Control Group v2 mechanism, which organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner. Unlike the previously supported version, Control Group v2 is a single hierarchy that categorizes processes based on the role of the process owner and eliminates issues with conflicting policies and multiple hierarchies. In addition, Control Group v2 supports numerous controllers, including the following: CPU controller, memory controller, I/O controller, and the write-back controller.
  • Capability for reporting eBPF-based programs and maps added to sosreport tool.  In Oracle Linux 8 Beta, the sosreport tool includes the capability for reporting any loaded extended Berkeley Packet Filtering (eBPF) programs and maps.
  • bpftool added.  Support for the bpftool tool has been added to the Linux kernel. This tool is used for inspection and the basic manipulation of programs and maps that are based on eBPF. The bpftool tool is part of the kernel source tree and is provided by the bpftool package, which is a subpackage of the kernel package.
  • Support for early kdump added.  The early kdump feature enables the crash kernel and initramfs to load early so that it can capture vmcore information, including early crashes. Previously, the kdump service did not start soon enough to capture crash information (vmcore), especially for early kernel crashes. See the /usr/share/doc/kexec-tools/early-kdump-howto.txt file for more details.

File Systems and Storage

Oracle Linux 8 Beta introduces the following notable file systems and storage features, enhancements, and changes:

  • Btrfs file system removed in RHCK.  The Btrfs file system is removed from RHCK in Oracle Linux 8 Beta. As such, you cannot create or mount Btrfs file systems when using this kernel. Also, no Btrfs user-space packages are provided in this release. If you are using Btrfs, continue to use Oracle Linux 7.
  • OCFS2 file system support not available in RHCK.  The OCFS2 file system is not supported on RHCK in Oracle Linux 8 Beta. If you need to use OCFS2, continue to run Oracle Linux 7.
  • Boom Boot Manager added.  The Boom Boot Manager uses boot loaders that support the BootLoader Specification for boot entry configuration. Boom provides flexible boot configuration and simplifies the creation of new or modified boot entries. Boom includes a simple command-line interface (CLI) and an API that make the task of creating boot entries easier. Note that the Boom Boot Manager does not modify any existing boot loader configuration; it only inserts additional entries, thereby maintaining the existing configuration, as well as any distribution integration such as kernel installation and update scripts. This configuration continues to function as in previous releases.
  • LUKS2 replaces LUKS1.  The LUKS version 2 (LUKS2) format replaces the legacy LUKS (LUKS1) format in this release. Also, the dm-crypt subsystem and the cryptsetup tool now use LUKS2 as the default format for encrypted volumes.
  • DM Multipathing enhancements.  Oracle Linux 8 Beta introduces some noteworthy enhancements for the Device Mapper Multipathing (DM Multipathing) configuration, including the following:
    • New overrides section has been added to the /etc/multipath.conf file. You can enter a configuration value for all of your devices by using this section. The attributes that you set are then used by DM Multipathing for all of your devices, unless the values are overwritten by any attributes that are set in the multipaths section of the /etc/multipath.conf file for paths that contain the device. Note that this new functionality is a replacement for the all_devs parameter in the devices section of the configuration file, which is no longer supported.
    • Support for improved detection of marginal paths has been added to the multipathd service. This enhancement helps multipath devices avoid paths that are likely to fail repeatedly, thereby improving performance. For more details about this change, including information about the options in the /etc/multipath.conf file that control marginal paths behavior, see the multipath.conf man page.
  • SCSI Multiqueue driver support added.  In Oracle Linux 8 Beta, block devices use multiqueue scheduling. This feature enhancement enables block layer performance to scale well with fast solid-state drives (SSDs) and multi-core systems. Also, the SCSI Multiqueue (scsi-mq) driver is enabled by default and the kernel boots with the scsi_mod.use_blk_mq=Y option. Note that a requirement of DM Multipathing is that the scsi-mq driver be active.
  • Stratis local storage manager introduced.  Oracle Linux 8 Beta includes the Stratis local storage management tool. Stratis enables you to perform complex storage tasks and manage your storage stack more easily by using a unified interface.
  • XFS support for shared COW data extents.  The XFS file system now supports shared copy-on-write (COW) data extent functionality, whereby two or more files can share a common set of data blocks. This feature is similar to Copy on write (COW) functionality that is found in other file systems, where if either of the files that are sharing common blocks change, XFS breaks the link to those common blocks and then creates a new file. Shared COW extents are fast, space efficient, and transparent. User-space utilities can use COW extents for cloning, per-file snapshots, and out-of-band deduplication. Some kernel subsystems, such as Overlayfs and NFS, also use COW extents. Shared COW data extents are enabled by default during the creation of an XFS file system, starting with the xfsprogs 4.17.0-2.el8 package version. To create an XFS file system without this feature, run the following command:
    # mkfs.xfs -m reflink=0 block-device

Replacement of iptables with nftables

In Oracle Linux 8 Beta, the default iptables network packet filtering framework has been replaced with the nftables framework. As the designated successor to iptables, ip6tables, arptables, and ebtables, the nftables framework includes packet classification facilities and several improvements, which provide added convenience and improved performance over the previously used packet-filtering tools.

The nftables implementation provides the following improvements:

  • Replacement of linear processing with lookup tables
  • Single framework for both the IPv4 and IPv6 protocols
  • More consistent and compact syntax
  • Support for debugging and tracing in the ruleset with nftrace
  • Netlink API for third-party applications

Note the following additional information about the nftables implementation:

  • The nftables framework uses tables for storing chains, similarly to iptables. Chains contain individual rules for performing actions.
  • The nft tool replaces all of the previously used packet-filtering framework tools.
  • You can use the libnftables library for low-level interaction with the nftables Netlink API over the libmnl library.
  • The iptables, ip6tables, ebtables, and arptables tools are replaced by drop-in replacements that are nftables-based and use the same name. Although these tools behave identically to their legacy counterparts, internally, they use nftables with legacy netfilter kernel modules through a compatibility interface, as required. You can use the nft list ruleset command to observe the effect of the modules on the nftables ruleset. It is worth noting, however, that these tools add tables, chains, and rules to the nftables ruleset; and as such, some nftables ruleset operations, for example, the nft flush ruleset command, might affect rulesets that were installed by using legacy commands, as these were formerly separate. To determine which version of the tool is currently running, use the iptables --version command, as version information has been updated to include the back-end name. For example, if you are running Oracle Linux 8 Beta, the nftables-based iptables tool displays the following information:
    # iptables --version
    iptables v1.8.0 (nf_tables)
    If the legacy version of the iptables tool is installed, the output would be as follows:
    # iptables --version
    iptables v1.8.0 (legacy)
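The back-end check and the flush caveat from the last item above, as an added shell example that is not part of the release notes or of this post. The function names and the sample ruleset are constructed for illustration; the two version strings are the ones quoted above.

```shell
#!/bin/sh
# Added example; backend_of, tables_in_ruleset and snapshot_before_flush
# are hypothetical helper names, not commands shipped with Oracle Linux.

# Map an `iptables --version` line to the back end named in parentheses.
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # no back-end name in the string
    esac
}

# Read `nft list ruleset` text on stdin; print "family name" per table.
tables_in_ruleset() {
    awk '$1 == "table" { print $2, $3 }'
}

# Constructed sample: one table added through the iptables drop-in
# replacement and one table created natively with nft.
sample_ruleset() {
    cat <<'EOF'
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        tcp dport 22 counter packets 0 bytes 0 accept
    }
}
table inet edge {
    chain in {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}
EOF
}

# Save the live ruleset to "$1" and list every table a flush would remove,
# whichever tool installed it. Needs root and the nft tool.
# The saved file can be loaded again with: nft -f "$1"
snapshot_before_flush() {
    nft list ruleset > "$1" || return 1
    echo "nft flush ruleset would remove:"
    tables_in_ruleset < "$1"
}

# Demo on the version strings quoted above and on the constructed ruleset.
backend_of "iptables v1.8.0 (nf_tables)"
backend_of "iptables v1.8.0 (legacy)"
sample_ruleset | tables_in_ruleset
```

Both tables in the sample are listed, which is the point of the caveat: a flush does not distinguish rules added through the iptables drop-in replacement from rules written with nft.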

Security

Oracle Linux 8 Beta introduces the following security features, enhancements, and changes:

  • OpenSSH updated to version 7.8p1.  The openssh packages have been upgraded to upstream version 7.8p1. This version of OpenSSH includes the following changes:
    • UsePrivilegeSeparation=sandbox option is now mandatory and cannot be disabled.
    • Minimal accepted RSA key size is set to 1024 bits.
    • Modulus size for Diffie-Hellman parameters has been changed to 2048 bits.
    • Default value of the UseDNS option has been changed to no.
    • DSA public key algorithms are disabled by default.
    • Semantics of the ExposeAuthInfo configuration option has changed.
    • The following features are removed in OpenSSH 7.8p1:
      • SSH version 1 protocol
      • hmac-ripemd160 message authentication code
      • RC4 (arcfour), Blowfish, and CAST ciphers
  • Replacement of nfsnobody user and group pair with nobody user and group pair.  The nobody user and group pair, with the ID of 99, and the nfsnobody user and group pair, with the ID of 65534 (the default kernel overflow ID), have been merged into the nobody user and group pair. This change reduces confusion about the files that are owned by nobody and have nothing to do with NFS. The merged user and group pair use the 65534 ID. Note that the nfsnobody user and group pair are no longer created during a fresh installation.
  • GPG key length increased to 4096 bits.  Oracle Linux 8 Beta RPM packages are now signed with a new 4096-bit GNU Privacy Guard (GPG) key for greater security. Previously, the GPG key length was 2048 bits.
  • RSA-PSS supported in OpenSC.  Oracle Linux 8 Beta provides support for the RSA-PSS cryptographic signature scheme to the OpenSC smart card driver. The new scheme enables a secure cryptographic algorithm, which is required for the TLS 1.3 support in the client software.
  • rsyslog updated to version 8.37.0.  In Oracle Linux 8 Beta, the rsyslog packages have been upgraded to version 8.37.0. This version of rsyslog includes several bug fixes and improvements over previous versions.
  • New omkafka rsyslog module added.  In the Oracle Linux 8 Beta release, you can use the omkafka module to enable Kafka centralized data storage scenarios. You can also use this module to forward logs to the Kafka infrastructure.
  • libssh implements SSH as a core cryptographic component.  The libssh library, which implements the SSH protocol, is introduced as a core cryptographic component in Oracle Linux 8 Beta. Note that libssh does not comply with the system-wide cryptographic policy.
  • Consolidation of OpenSCAP API.  In Oracle Linux 8 Beta, the OpenSCAP shared library API has been consolidated. As a result, 63 symbols are removed, 14 symbols are added, and 4 symbols have an updated signature. The following symbols are removed in OpenSCAP 1.3.0:
    • Symbols marked as deprecated in version 1.2.0
    • SEAP protocol symbols
    • Internal helper functions
    • Unused library symbols
    • Unimplemented symbols
  • PKCS #11 support for smart cards and HSMs is now consistent.  In Oracle Linux 8 Beta, using smart cards and Hardware Security Modules (HSM) with the PKCS #11 cryptographic token interface is consistent, which means users and administrators can use the same syntax for all related tools in the system.
  • SELinux policy improvement to enable iscsiuio processes to work correctly.  Oracle Linux 8 Beta adds missing rules to the SELinux policy to enable iscsiuio processes to access /dev/uio* devices by using the mmap system call. Previously, SELinux policy restricted this access, which caused the connection to the discovery portal to fail.
  • System-wide cryptographic policies applied by default.  In Oracle Linux 8 Beta, the crypto-policies component configures the core cryptographic subsystems and covers the TLS, IPSec, SSH, DNSSec, and Kerberos protocols. The component provides a small set of policies that can be selected by using the update-crypto-policies command. The DEFAULT system-wide cryptographic policy that provides secure settings for current threat models is also compatible with PCI-DSS requirements, as it allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted, if they are larger than 2047 bits. See the update-crypto-policies(8) man page.
  • Support for OSPP 4.2 added to SCAP Security Guide.  The SCAP Security Guide includes a draft of the OSPP (Protection Profile for General Purpose Operating Systems) profile version 4.2 RHEL 8. This profile reflects the mandatory configuration controls that are identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2). The SCAP Security Guide provides automated checks and scripts so that users can meet the requirements that are defined in the OSPP.
  • Improvements to the OpenSCAP command-line interface.  The verbose mode is now available in all oscap modules and submodules. In addition, improvements have been made to the tool output. Several options are deprecated and have been removed, including the following:
    • The --show option in the oscap xccdf generate report command is completely removed.
    • The --probe-root option in the oscap oval eval command. As a replacement, you can set the environment variable, OSCAP_PROBE_ROOT.
    • The --sce-results option in the oscap xccdf eval command is replaced by the --check-engine-results option.
    • The validate-xml submodule validator has been dropped from the CPE, OVAL, and XCCDF modules. You can use validate submodules to validate SCAP content against XML schemas and XSD schematrons.
    • The oscap oval list-probes command. Instead, use the oscap command with the --version option to display this information.
    Note: OpenSCAP allows for evaluating all of the rules in a given XCCDF benchmark by using --profile '(all)', regardless of the profile.
  • Support for SELinux map permission code added.  Oracle Linux 8 Beta provides support for the SELinux map permission feature. This support controls memory mapped access to files, directories, and sockets and enables SELinux policy to prevent direct memory access to various file system objects and also ensure that all such access is revalidated.
  • Support for systemd No New Privileges added to SELinux.  Oracle Linux 8 Beta provides support for the nnp_nosuid_transition policy capability, which enables SELinux domain transitions under No New Privileges (NNP) or nosuid, if nnp_nosuid_transition is allowed between the old and new contexts. The selinux-policy packages now contain a policy for systemd services that use the NNP security feature. The following example shows the rule that defines how you would allow this capability for a service:
    allow source_domain target_type:process2 { nnp_transition nosuid_transition };
    would be defined as follows for this service:
    allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };
    Note that the distribution policy now also contains the m4 macro interface, which can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function.
  • Support for getrlimit permission in the process class added to SELinux.  A new SELinux access control check, process:getrlimit, has been added to the prlimit() function. This change enables SELinux policy developers to control when one process attempts to read and then modify the resource limits of another process by using the process:setrlimit permission. Note that SELinux does not restrict a process from manipulating its own resource limits through prlimit(). See the prlimit(2) and getrlimit(2) man pages for details.
  • New SELinux booleans added.  Oracle Linux 8 Beta includes the following new SELinux booleans:
    • colord_use_nfs
    • mysql_connect_http
    • pdns_can_network_connect_db
    • ssh_use_tcpd
    • sslh_can_bind_any_port
    • sslh_can_connect_any_port
    • virt_use_pcscd
    For more details, run the semanage boolean -l command.
  • TLS 1.3 in cryptographic libraries added.  This release enables support for Transport Layer Security (TLS) 1.3, by default, in all major back-end cryptographic libraries. This change enables low latency across the operating system communications layer and enhances privacy and security for applications by taking advantage of new algorithms such as RSA-PSS or X25519.
  • OpenSCAP updated to version 1.3.0.  In Oracle Linux 8 Beta, the OpenSCAP suite has been upgraded to version 1.3.0. This version of the OpenSCAP suite introduces many enhancements, including the consolidation of the API and the ABI, an enhanced command-line interface, and other notable improvements over the previous OpenSCAP version.
  • Replacement of audispd with auditd in Audit 3.0.  In this release, the functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf, and the plugins.d directory is now under /etc/audit. You can check the current status of auditd and its plugins by running the auditd state command.
  • imfile module added to rsyslog.  In Oracle Linux 8 Beta, the rsyslog imfile module has been enhanced for improved performance and the addition of more configuration options. This change enables you to use the module for more complicated file monitoring.
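An added example, not taken from the release notes or from this post: a shell check that flags sshd_config directives affected by the OpenSSH 7.8p1 changes listed in the first item of this section, for use before a configuration is carried over to Oracle Linux 8 Beta. The function names and the sample configuration are constructed, and Match blocks are not treated specially.

```shell
#!/bin/sh
# Added example; sample_sshd_config and audit_sshd_config are hypothetical
# helper names, and the sample file below is constructed.

# Constructed sshd_config carried over from an older release.
sample_sshd_config() {
    cat <<'EOF'
# settings kept from an older host (constructed sample)
Protocol 2,1
UsePrivilegeSeparation no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers aes256-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-ripemd160
EOF
}

# Print "line: finding" for each directive in file "$1" that is affected
# by the OpenSSH 7.8p1 changes listed in this section.
audit_sshd_config() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        sub(/^[+]/, "", val)                # a "+list" still enables its algorithms
        n = split(val, item, ",")
    }
    key == "usedns" { usedns_set = 1 }
    key == "protocol" {
        for (i = 1; i <= n; i++) if (item[i] == "1")
            report("Protocol 1 requested; SSH version 1 is removed")
    }
    key == "useprivilegeseparation" && val != "sandbox" {
        report("UsePrivilegeSeparation=" val "; sandbox is mandatory")
    }
    # match _dsa_ or id_dsa but not ecdsa
    key == "hostkey" && val ~ /(^|[^a-z])dsa/ {
        report("DSA host key " $2 "; DSA is disabled by default")
    }
    key == "ciphers" && val !~ /^-/ {       # a "-list" removes algorithms, skip it
        for (i = 1; i <= n; i++) if (item[i] ~ /^(arcfour|blowfish|cast128)/)
            report("cipher " item[i] " is removed")
    }
    key == "macs" && val !~ /^-/ {
        for (i = 1; i <= n; i++) if (item[i] ~ /^hmac-ripemd160/)
            report("MAC " item[i] " is removed")
    }
    END { if (!usedns_set) print "-: UseDNS is not set; the default is now no" }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_sshd_config > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

To check a real host, pass the path of its configuration file, for example audit_sshd_config /etc/ssh/sshd_config.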

Virtualization

Oracle Linux 8 Beta introduces the following virtualization features, enhancements, and changes:

  • 5-level paging added to KVM.  In Oracle Linux 8 Beta, Kernel-based Virtual Machine (KVM) virtualization enables the 5-level paging feature for hardware that can support this feature. This enhancement significantly increases the physical and virtual address space that the host and guest systems can use.
  • UMIP added to KVM.  Oracle Linux 8 Beta includes the addition of the User-Mode Instruction (UMIP) feature for KVM virtualization. This security enhancement assists in preventing user-space applications from accessing system-wide settings, resulting in a reduction in the potential vectors for privilege escalation attacks.
  • Additional information included in KVM guest crash reports.  In this release, the crash information that KVM hypervisor generates if a guest terminates unexpectedly or becomes unresponsive includes additional information, which makes it easier to diagnose and fix problems when using KVM virtualization.
  • qemu-kvm updated to version 2.12.  Oracle Linux 8 Beta provides the qemu-kvm 2.12 package. This version of qemu-kvm includes numerous bug fixes and improvements over the previously supported 1.5.3 version.
  • NVIDIA vGPU compatible with the VNC console.  As of Oracle Linux 8 Beta, you can use the VNC console to display the visual output of the guest when using the NVIDIA virtual GPU (vGPU) feature.
  • Virtualization support for Ceph added.  In this release, Ceph storage is supported by KVM virtualization on all CPU architectures that are supported by Red Hat.
  • Virtualization support for Q35 machine type added.  Oracle Linux 8 Beta provides support for the Q35 machine type, which is a more modern PCI Express-based machine type. Feature changes include a wide variety of improvements and performance enhancements for virtual devices, which ensure that a wider range of modern devices are compatible with virtualization features. Note that any virtual machines that you create in Oracle Linux 8 Beta are set to use the Q35 machine type by default.
  • QEMU sandboxing added.  In Oracle Linux 8 Beta, the QEMU emulator introduces sandboxing, which is enabled and configured by default. Sandboxing provides configurable limitations for the system calls that QEMU can perform, thereby making virtual machines more secure.
  • Mounting ephemeral disks on VMs running on Microsoft Azure works more reliably in Oracle Linux 8 Beta.  An improvement has been made in Oracle Linux 8 Beta to ensure that reconnecting an ephemeral disk on a virtual machine (VM) running on the Microsoft Azure platform is handled correctly and does not fail if the disk was recently detached from the VM, which was the case in previous releases.

External Links

Download Oracle Linux 8 Beta

Oracle Linux 8 Beta Release Notes

Davoud Teimouri
