Chapter 4. New Features

Smart-card sharing is now supported on Windows guests with ActivClient drivers

This update adds support for smart-card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart-card authentication for user logins using emulated or shared smart cards on these VMs.

The ipa-client-automount utility now supports setting an NFS domain that differs from the IdM domain

This enhancement adds the --idmap-domain option to the ipa-client-automount utility. Previously, ipa-client-automount assumed that the NFS domain is the same as the Identity Management (IdM) domain, but this is not always the case. As a result, you can now specify an NFS domain that is different from the IdM domain.

samba rebased to version 4.10.4

The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:

Default value of Pacemaker concurrent-fencing cluster property now set to true

Pacemaker now defaults the concurrent-fencing cluster property to true. If multiple nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker will execute the fencing simultaneously rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.

Pacemaker support for configuring resources to remain stopped on clean node shutdown

When a cluster node shuts down, Pacemaker’s default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring Resources to Remain Stopped on Clean Node Shutdown.

Optimized implementation of SHA-2 operations on IBM PowerPC systems

This update adds an assembly code implementation of SHA-2 operations on IBM PowerPC systems, which significantly improves performance.

OpenJDK now supports also secp256k1

Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and supports also the secp256k1 curve.

Modified workspace switcher in GNOME Classic

Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails.

GNOME now warns against a root graphical login

With this update, GNOME now displays a warning notification if you log into a graphical session as the root user.

Aero adapters are now fully supported

The following Aero adapters, previously available as a Technology Preview, are now fully supported:

RHEL 7.8 now supports blueprint customizations

With this enhancement, RHEL 7.8 now supports a set of image customizations within blueprints when using the CLI. To make use of these customizations, you must configure them in the blueprint and import (push) to Image Builder. As a result, you are able to add specifications for your system.

Kernel version in RHEL 7.8

Red Hat Enterprise Linux 7.8 is distributed with the kernel version 3.10.0-1127.

FUSE file system can be used inside of a user namespace

RHEL 7 now enables users to mount the Filesystem in Userspace (FUSE) based filesystems inside of the user namespace. As a result, users are able to use the fuse-overlayfs command inside of rootless containers that were created with Buildah or Podman utilities.

ipcmin_extend increases the number of unique System V IPC identifiers

A new kernel command line parameter ipcmin_extend increases the number of unique System V Interprocess Communication (IPC) identifiers from 32,768 to 16,777,216. As a result, users with applications that exceed 32,768 of unique System V IPC identifiers can add ipcmin_extend to port the relevant applications to RHEL without a major redesign.

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been upgraded to the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

A new storage role added to RHEL System Roles

The storage role has been added to RHEL System Roles provided by the rhel-system-roles package, which is available in the RHEL 7 Extras repository.

SCAP Security Guide now provides OSPP 4.2.1 and NCP Profiles

The OSPP (Protection Profile for General Purpose Operating Systems) profile has been updated, and it now conforms to OSPP 4.2.1 baseline. The profile with the ospp42 ID has been merged to the OSPP profile. Administrators should switch systems using the ospp42 profile to ospp because ospp42 is no longer a valid ID.

SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provides the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.

SCAP Security Guide now correctly disables services

With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.

SCAP Security Guide rebased to version 0.1.46

The SCAP Security Guide (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:

SCAP Security Guide now supports scanning RHEL 8 systems from RHEL 7

The scap-security-guide package now contains SCAP content and Ansible playbooks for RHEL 8. This enables you to scan RHEL 8 systems and containers from a RHEL 7 environment.

selinux-policy now allows tomcat processes to connect to redis database

This update of selinux-policy packages introduces rules that allow the tomcat_t domain to connect to ports labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. You can now use this boolean to allow tomcat_t to access several databases, which was not previously supported for redis processes.

sysadm_u users can now log in to graphical sessions

Previously, Linux users mapped to the sysadm_u SELinux user were unable to log in to graphical sessions. The SELinux policy has been updated to allow these users to use graphical sessions while conforming to DISA STIG requirements. If the xdm_sysadm_login Boolean is enabled, the sysadm_u user can now successfully log in to X Window System session from the GNOME Display Manager.

An option for rsyslog to preserve case of FROMHOST for imudp and imtcp is available

This update to the rsyslog service introduces the option to manage letter-case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

NVMe/FC is now fully supported in Qlogic HBAs

The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Qlogic Fibre Channel (FC) host bus adapters (HBAs), which use the qla2xxx driver.