Chapter 4. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.
4.1. General Updates
Smart-card sharing is now supported on Windows guests with ActivClient drivers
This update adds support for smart-card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart-card authentication for user logins using emulated or shared smart cards on these VMs.
(BZ#917867)
4.2. Authentication and Interoperability
The ipa-client-automount utility now supports setting an NFS domain that differs from the IdM domain
This enhancement adds the --idmap-domain option to the ipa-client-automount utility. Previously, ipa-client-automount assumed that the NFS domain is the same as the Identity Management (IdM) domain, but this is not always the case. As a result, you can now specify an NFS domain that is different from the IdM domain.
The ipa-client-automount utility now behaves as follows:
- If the --idmap-domain option is not set, ipa-client-automount uses the IdM domain as the NIS domain.
- If the domain passed to --idmap-domain is set to DNS, ipa-client-automount removes the value specified in the Domain parameter in the /etc/idmapd.conf file, and the idmapd service auto-detects the domain.
- If the domain passed to --idmap-domain does not match the DNS domain, ipa-client-automount sets the specified value in the Domain parameter in the /etc/idmapd.conf file.
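To confirm which of the three cases took effect on a client, the following added example (not part of the Red Hat release notes or of ipa-client-automount) reads an idmapd.conf file and reports the Domain value from its [General] section. The function names and the sample domain nfs.example.com are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: verify the result of ipa-client-automount --idmap-domain.
# Function names and sample values are hypothetical, not from the tool.

# effective_idmap_domain FILE
# Prints the Domain value from the [General] section, or "auto-detect" when
# the key is absent or commented out (the state left by --idmap-domain DNS).
effective_idmap_domain() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }            # blank or comment
        line ~ /^\[.*\]$/ {                              # section header
            sec = tolower(substr(line, 2, length(line) - 2)); next
        }
        sec == "general" {
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
            if (tolower(key) == "domain") found = val
        }
        END { print (found != "" ? found : "auto-detect") }
    ' "$1"
}

# check_idmap_domain FILE REQUESTED
# REQUESTED is the value given to --idmap-domain, or the IdM domain when the
# option was omitted. "DNS" means no Domain line may remain.
check_idmap_domain() {
    actual=$(effective_idmap_domain "$1")
    if [ "$2" = "DNS" ]; then want="auto-detect"; else want=$2; fi
    [ "$actual" = "$want" ]
}

# Constructed sample: idmapd.conf after --idmap-domain nfs.example.com
sample=$(mktemp)
printf '[General]\n#Verbosity = 0\nDomain = nfs.example.com\n\n[Mapping]\nNobody-User = nobody\n' > "$sample"
if check_idmap_domain "$sample" nfs.example.com; then
    echo "OK: Domain is $(effective_idmap_domain "$sample")"
else
    echo "MISMATCH: Domain is $(effective_idmap_domain "$sample")"
fi
rm -f "$sample"
```

On a real client, pass /etc/idmapd.conf as FILE; a mismatch between the NFS server's domain and the client's is what makes NFSv4 file owners map to the nobody user.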
samba rebased to version 4.10.4
The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:
- Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any runtime support for Python 2.
- The JavaScript Object Notation (JSON) logging feature now logs the Windows event ID and logon type for authentication messages.
- The new vfs_glusterfs_fuse file system in user space (FUSE) module improves the performance when Samba accesses a GlusterFS volume. To enable this module, add glusterfs_fuse to the vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing vfs_glusterfs module.
- The server message block (SMB) client Python bindings are now deprecated and will be removed in a future Samba release. This only affects users who use the Samba Python bindings to write their own utilities.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.10.0.html
4.3. Clustering
Default value of Pacemaker concurrent-fencing cluster property now set to true
Pacemaker now defaults the concurrent-fencing cluster property to true. If multiple nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker will execute the fencing simultaneously rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.
Pacemaker support for configuring resources to remain stopped on clean node shutdown
When a cluster node shuts down, Pacemaker's default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring Resources to Remain Stopped on Clean Node Shutdown.
4.4. Compiler and Tools
Optimized implementation of SHA-2 operations on IBM PowerPC systems
This update adds an assembly code implementation of SHA-2 operations on IBM PowerPC systems, which significantly improves performance.
(BZ#1498932)
OpenJDK now also supports secp256k1
Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and also supports the secp256k1 curve.
4.5. Desktop
Modified workspace switcher in GNOME Classic
The workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails.
Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the Ctrl + Alt + ↑ and Ctrl + Alt + ↓ keyboard shortcuts to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in the form of the window list.
When you press the Super key within the particular workspace, you can see the window picker, which includes all windows that are open in this workspace. However, the window picker no longer displays the following elements that were available in the previous release of RHEL:
- dock (vertical bar on the left side of the screen)
- workspace switcher (vertical bar on the right side of the screen)
- search entry
For particular tasks that were previously achieved with the help of these elements, adopt the following approaches:
- To launch applications, instead of using dock, you can:
  - Use the Applications menu on the top bar
  - Press the Alt + F2 keys to make the Enter a Command screen appear, and write the name of the executable into this screen.
- To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar.
- If you require the search entry or the vertical workspace switcher, use the GNOME Standard environment instead of GNOME Classic.
GNOME now warns against a root graphical login
With this update, GNOME now displays a warning notification if you log into a graphical session as the root user.
Logging into a graphical session as root causes serious and unexpected issues, is non-secure, and is against Unix principles.
(BZ#1539772)
4.6. Hardware Enablement
Aero adapters are now fully supported
The following Aero adapters, previously available as a Technology Preview, are now fully supported:
- PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver
- PCI ID 0x1000:0x10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver
(BZ#1660791, BZ#1660289)
4.7. Installation and Booting
RHEL 7.8 now supports blueprint customizations
With this enhancement, RHEL 7.8 now supports a set of image customizations within blueprints when using the CLI. To make use of these customizations, you must configure them in the blueprint and import (push) it to Image Builder. As a result, you are able to add specifications for your system.
4.8. Kernel
Kernel version in RHEL 7.8
Red Hat Enterprise Linux 7.8 is distributed with the kernel version 3.10.0-1127.
FUSE file system can be used inside of a user namespace
RHEL 7 now enables users to mount the Filesystem in Userspace (FUSE) based filesystems inside of the user namespace. As a result, users are able to use the fuse-overlayfs command inside of rootless containers that were created with Buildah or Podman utilities.
(BZ#1713642)
ipcmin_extend increases the number of unique System V IPC identifiers
A new kernel command line parameter ipcmin_extend increases the number of unique System V Interprocess Communication (IPC) identifiers from 32,768 to 16,777,216. As a result, users with applications that exceed 32,768 unique System V IPC identifiers can add ipcmin_extend to port the relevant applications to RHEL without a major redesign.
(BZ#1373519)
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
4.9. Real-Time Kernel
kernel-rt source tree now matches the latest RHEL 7 tree
The kernel-rt sources have been upgraded to the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
4.10. Red Hat Enterprise Linux System Roles
A new storage role added to RHEL System Roles
The storage role has been added to RHEL System Roles provided by the rhel-system-roles package, which is available in the RHEL 7 Extras repository.
The storage role can be used to manage local storage using Ansible. Currently, the storage role supports the following types of tasks:
- Managing file systems on whole disks
- Managing LVM volume groups
- Managing logical volumes and their file systems
For more information, see the Knowledgebase article about RHEL System Roles.
4.11. Security
SCAP Security Guide now provides OSPP 4.2.1 and NCP Profiles
The OSPP (Protection Profile for General Purpose Operating Systems) profile has been updated, and it now conforms to the OSPP 4.2.1 baseline. The profile with the ospp42 ID has been merged to the OSPP profile. Administrators should switch systems using the ospp42 profile to ospp because ospp42 is no longer a valid ID.
Additionally, the NCP (NIST National Checklist Program Security Guide) profile with the ncp ID has been introduced. The NCP profile conforms to the OSPP 4.2.1 and implements configuration requirements of additional policies, in particular CNSSI 1253, NIST 800-171, NIST 800-53, USGCB, and OS SRG.
SCAP Security Guide now supports ACSC Essential Eight
The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.
SCAP Security Guide now correctly disables services
With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
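The difference between a disabled and a masked unit can be audited from the output of systemctl list-unit-files. The following added example (not taken from the SCAP Security Guide content) reports units from a must-be-off list that are installed but not masked; the unit names in the list and the sample rows are constructed for the illustration.

```shell
#!/bin/sh
# Added example: find units a hardening profile wants off that are only
# "disabled" rather than "masked". Unit names and sample data are constructed.

# not_masked "unit1 unit2 ..."   (reads `systemctl list-unit-files` rows on stdin)
# Prints "unit: state" for every listed unit that is installed but not masked.
# A unit missing from the input is treated as not installed and skipped.
not_masked() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) { state[$1] = $2 }
        END {
            for (i = 1; i <= n; i++)
                if ((w[i] in state) && state[w[i]] != "masked")
                    print w[i] ": " state[w[i]]
        }'
}

# Constructed sample in the two-column format of
#   systemctl list-unit-files --no-legend
SAMPLE='autofs.service    disabled
rpcbind.service   masked
rsh.socket        disabled
sshd.service      enabled
telnet.socket     masked'

MUST_BE_OFF="autofs.service rsh.socket telnet.socket rpcbind.service kdump.service"

printf '%s\n' "$SAMPLE" | not_masked "$MUST_BE_OFF"
```

On a live system, replace the printf with systemctl list-unit-files --no-legend; any unit the function prints can still be pulled in as a dependency of another unit.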
SCAP Security Guide rebased to version 0.1.46
The SCAP Security Guide (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:
- SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default.
Note that you can still use content suffixed with -1.2 if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
SCAP Security Guide now supports scanning RHEL 8 systems from RHEL 7
The scap-security-guide package now contains SCAP content and Ansible playbooks for RHEL 8. This enables you to scan RHEL 8 systems and containers from a RHEL 7 environment.
selinux-policy now allows tomcat processes to connect to redis database
This update of selinux-policy packages introduces rules that allow the tomcat_t domain to connect to ports labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. You can now use this boolean to allow tomcat_t to access several databases, which was not previously supported for redis processes.
(BZ#1687497)
sysadm_u users can now log in to graphical sessions
Previously, Linux users mapped to the sysadm_u SELinux user were unable to log in to graphical sessions. The SELinux policy has been updated to allow these users to use graphical sessions while conforming to DISA STIG requirements. If the xdm_sysadm_login Boolean is enabled, the sysadm_u user can now successfully log in to an X Window System session from the GNOME Display Manager.
4.12. Servers and Services
An option for rsyslog to preserve case of FROMHOST for imudp and imtcp is available
This update to the rsyslog service introduces the option to manage letter-case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.
(BZ#1309698)
4.13. Storage
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
(BZ#1649493)
NVMe/FC is now fully supported in Qlogic HBAs
The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Qlogic Fibre Channel (FC) host bus adapters (HBAs), which use the qla2xxx driver.
NVMe/FC is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.
NVMe/FC provides a higher-performance, lower-latency I/O protocol over existing FC infrastructure. This is especially important with solid-state storage arrays, because it allows the performance benefits of NVMe storage to be passed through the fabric transport, rather than being encapsulated in a different protocol, SCSI.
Note that since Red Hat Enterprise Linux 7.6, NVMe/FC is also fully supported with Broadcom Emulex Fibre Channel 32Gbit adapters using the lpfc driver.
(BZ#1642968)
4.14. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers.
4.15. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.