Este conteúdo não está disponível no idioma selecionado.
Chapter 4. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.7.
4.1. Authentication and Interoperability
SSSD now fully supports sudo rules stored in AD
The System Security Services Daemon (SSSD) now fully supports sudo rules stored in Active Directory (AD). This feature was first introduced in Red Hat Enterprise Linux 7.0 as a Technology Preview. Note that the administrator must update the AD schema to support sudo rules.
SSSD no longer uses the fallback_homedir
value from the [nss]
section as fallback for AD domains
Prior to RHEL 7.7, the SSSD fallback_homedir
parameter in an Active Directory (AD) provider had no default value. If fallback_homedir
was not set, SSSD used instead the value from the same parameter from the [nss]
section in the /etc/sssd/sssd.conf
file. To increase security, SSSD in RHEL 7.7 introduced a default value for fallback_homedir
. As a consequence, SSSD no longer falls back to the value set in the [nss]
section. If you want to use a different value than the default for the fallback_homedir
parameter in an AD domain, you must manually set it in the domain’s section.
(BZ#1740779)
Directory Server rebased to version 1.3.9.1
The 389-ds-base
packages have been upgraded to upstream version 1.3.9.1, which provides a number of bug fixes and enhancements over the previous version.
The Directory Server Auto Membership plug-in can now be additionally invoked by modify operations
This update enhances the Auto Membership plug-in in Directory Server to work with modify operations. Previously, the plug-in was only invoked by ADD
operations. When an administrator changed a user entry, and that change impacted what Auto Membership groups the user belonged to, the user was not removed from the old group and only added to the new group. With the enhancement provided by this update, users can now configure that Directory Server removes the user from the old group in the mentioned scenario.
To enable the new behavior, set the autoMemberProcessModifyOps
attribute in the cn=Auto Membership Plugin,cn=plugins,cn=config
entry to on
.
(BZ#1438144)
The replicaLastUpdateStatusJSON
status attribute has been added to replication agreements in Directory Server
This update introduces the replicaLastUpdateStatusJSON
status attribute to the cn=<replication_agreement_name>,cn=replica,cn=<suffix_DN>,cn=mapping tree,cn=config
entry. The status displayed in the replicaLastUpdateStatus
attribute was vague and unclear. The new attribute provides a clear status message and result code and can be parsed by other applications that support the JSON format.
IdM now provides a utility to promote a CA to a CRL generation master
With this enhancement, administrators can promote an existing Identity Management (IdM) certificate authority (CA) to a certificate revocation list (CRL) generation master or remove this feature from a CA. Previously, multiple manual steps were required to configure an IdM CA as CRL generation master, and the procedure was error-prone. As a result, administrators can now use the ipa-crlgen-manage enable
and ipa-crlgen-manage disable
commands to enable and disable CRL generation on an IdM CA.
A command to detect and remove orphaned automember rules has been added to IdM
Automember rules in Identity Management (IdM) can refer to a hostgroup or a group that has been deleted. Previously, the ipa automember-rebuild
command failed unexpectedly and it was difficult to diagnose the reason of the failure. This enhancement adds ipa automember-find-orphans
to IdM to IdM to identify and remove such orphaned automember rules.
IdM now supports IP addresses in the SAN extension of certificates
In certain situations, administrators need to issue certificates with an IP address in the Subject Alternative Name (SAN) extension. This update adds this feature. As a result, administrators can set an IP address in the SAN extension if the address is managed in the IdM DNS service and associated with the subject host or service principal.
IdM now supports renewing expired system certificates when the server is offline
With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix
command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
pki-core rebased to version 10.5.16
The pki-core packages have been upgraded to upstream version 10.5.16, which provides a number of bug fixes and enhancements over the previous version.
Certificate System can now create CSRs with SKI extension for external CA signing
With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski
parameter in the configuration file passed to the pkispawn
utility to create a CSR with SKI extension.
(BZ#1491453)
Uninstalling Certificate System no longer removes all log files
Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy. Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.
The pkispawn
utility now supports using keys created in the NSS database during CA, KRA, and OCSP installations
Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.
Certificate System now preserves the logs of previous installations when reinstalling the service
Previously, the pkispawn
utility reported a name collision error when installing a Certificate System subsystem on a server with an existing Certificate System log directory structure. With this enhancement, Certificate System reuses the existing log directory structure to preserve logs of previous installations.
Certificate System now supports additional strong ciphers by default
With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers.
The samba
packages have been to version 4.9.1
The samba
packages have been upgraded to upstream version 4.9.1, which provides a number of bug fixes and enhancements over the previous version. The most notable changes include:
-
The Clustered Trivial Database (CTDB) configuration has been changed completely. Administrators must now specify parameters for the
ctdb
service and corresponding utilities in the/etc/ctdb/ctdb.conf
file in a format similar to the Samba configuration. For further details, see thectdb.conf(5)
man page. Use the/usr/share/doc/ctdb/examples/config_migrate.sh
script to migrate the current configuration. The default values of the following parameters in the
/etc/samba/smb.conf
file have been changed as follows:-
map readonly
:no
-
store dos attributes
:yes
-
ea support
:yes
-
full_audit:success
: Not set -
full_audit:failure
: Not set
-
-
The
net ads setspn
command has been added for managing Windows Service Principal Names (SPN) on Active Directory (AD). This command provides the same basic functionality as thesetspn.exe
utility on Windows. For example, administrators can use it to add, delete, and list Windows SPNs stored in an AD computer object. -
The
net ads keytab add
command no longer attempts to convert the service class passed to the command into a Windows SPN, which is then added to the AD computer object. By default, the command now only updates the keytab file. The newnet ads add_update_ads
command has been added to preserve the previous behavior. However, administrators should use the newnet ads setspn add
command instead.
Samba automatically updates its tdb database files when the "smbd", "nmbd", or "winbind" daemon starts. Back up the databases files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.9.0.html
4.2. Clustering
Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes
With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.
Improved status display of fencing actions
The output of the pcs status
command now shows failed and pending fence actions.
(BZ#1461964)
4.3. Compiler and Tools
New packages: python3
New python3
packages are available in RHEL 7, which provide the Python 3.6 interpreter, as well as the pip
and setuptools
utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections.
When installing, invoking, or otherwise interacting with Python 3, always specify the major version of Python. For example, to install Python 3, use the yum install python3
command. All Python-related commands should also include the version, for example, pip3
.
Note that Python 3 is the default Python implementation in RHEL 8, so it is advisable to migrate your Python 2 code to Python 3. For more information on how to migrate large code bases to Python 3, see The Conservative Python 3 Porting Guide.
(BZ#1597718)
New packages: compat-sap-c++-8
The compat-sap-c++-8
packages contain the libstdc++
library named compat-sap-c++-8.so
, which is a runtime compatibility library needed for SAP applications. The compat-sap-c++-8
packages are based on GCC 8.
(BZ#1669683)
The elfutils
packages have been rebased to version 0.176
The elfutils
packages have been upgraded to upstream version 0.176. Notable changes include:
- Various bugs related to multiple CVEs have been fixed.
-
The
libdw
library has been extended with thedwelf_elf_begin()
function which is a variant ofelf_begin()
that handles compressed files. -
The
eu-readelf
tool now recognizes and prints out GNU Property notes and GNU Build Attribute ELF Notes with the--notes
or-n
options. -
A new
--reloc-debug-sections-only
option has been added to theeu-strip
tool to resolve all trivial relocations between debug sections in place without any other stripping. This functionality is relevant only forET_REL
files in certain circumstances. -
A new function
dwarf_next_lines
has been added to thelibdw
library. This function reads.debug_line
data without CU. -
The
dwarf_begin_elf
function from thelibdw
library now accepts ELF files containing only.debug_line
or.debug_frame
sections.
(BZ#1676504)
gcc-libraries
rebased to version 8.3.1
The gcc-libraries
packages have been updated to the upstream version 8.3.1 which brings a number of bug fixes.
(BZ#1551629)
Geolite2 Databases are now available
This update introduces Geolite2 Databases as an addition to the legacy Geolite Databases, provided by the GeoIP
package.
Geolite2 Databases are provided by multiple packages. The libmaxminddb
package includes the library and the mmdblookup
command line tool, which enables manual searching of addresses. The geoipupdate
binary from the legacy GeoIP
package is now provided by the geoipupdate
package, and is capable of downloading both legacy databases and the new Geolite2 databases.
The GeoIP
package, together with the legacy database, is no longer supported in upstream, and is not distributed with RHEL 8.
(BZ#1643472, BZ#1643470, BZ#1643464)
Date formatting updates for the Japanese Reiwa era
The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime
and strptime
functions. All APIs will correctly print the Reiwa era including when strftime
is used along with one of the era conversion specifiers such as %EC
, %EY
, or %Ey
.
SystemTap rebased to version 4.0
The SystemTap instrumentation tool has been upgraded to upstream version 4.0. Notable improvements include:
-
The extended Berkeley Packet Filter (eBPF) backend has been improved, especially for strings and functions. To use this backend, start SystemTap with the
--runtime=bpf
option. - A new export network service for use with the Prometheus monitoring system has been added.
- The system call probing implementation has been improved to use the kernel tracepoints if necessary.
Valgrind rebased to version 3.14
The Valgrind packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version:
- Valgrind can now process integer and string vector instructions for the z13 processor of the IBM Z architecture.
-
An option
--keep-debuginfo=no|yes
has been added to retain debugging information for unloaded code. This allows saved stack traces to include file and line information in more cases. For more information and known limitations, see the Valgrind user manual. -
The Helgrind tool can now be configured to compute full history stack traces as deltas with the new
--delta-stracktrace=yes|no
option. As a result, keeping full Helgrind history with the--history-level=full
option can be up to 25% faster when--delta-stracktrace=yes
is added. -
False positive rate in the Memcheck tool has been reduced on the AMD64 and 64-bit ARM architectures. Notably, you can use the
--expensive-definedness-checks=no|auto|yes
option to control analysis for the expensive definedness checks without loss of precision.
(BZ#1519410)
Performance Co-Pilot rebased to version 4.3.2
The Performance Co-Pilot (PCP) has been updated to upstream version 4.3.2. Notable improvements include:
-
The
pcp-dstat
tool now includes historical analysis and Comma-separated Values (CSV) format output. - The log utilities can use metric labels and help text records.
-
The
pmdaperfevent
tool now reports the correct CPU numbers at the lower Simultaneous Multi Threading (SMT) levels. -
The
pmdapostgresql
tool now supports Postgres series 10.x. -
The
pmdaredis
tool now supports Redis series 5.x. -
The
pmdabcc
tool has been enhanced with dynamic process filtering and per-process syscalls, ucalls, and ustat. -
The
pmdammv
tool now exports metric labels, and the format version is increased to 3. -
The
pmdagfs2
tool supports additional glock and glock holder metrics. - Several fixes have been made to the SELinux policy.
-
The
pmcd
utility now supports PMDA suspend and resume (fencing) without configuration changes. - Pressure-stall information metrics are now reported.
- Additional VDO metrics are now reported.
-
The
pcp-atop
tool now reports statistics for pressure stall information, infiniband, perf_event, and NVIDIA GPUs. -
The
pmlogger
andpmie
tools can now usesystemd
timers as an alternative to cron jobs.
(BZ#1647308, BZ#1641161)
ptp4l
now supports team interfaces in active-backup mode
With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock
(ptp4l).
(BZ#1650672)
linuxptp
rebased to version 2.0
The linuxptp
packages have been upgraded to upstream version 2.0, which provides a number of bug fixes and enhancements over the previous version.
The most notable features are as follows:
- Support for unicast messaging has been added
- Support for telecom G.8275.1 and G.8275.2 profiles has been added
- Support for the NetSync Monitor (NSM) protocol has been added
- Implementation of transparent clock (TC) has been added
The DateTime::TimeZone
Perl module is now aware of recent time zone updates
The Olson time zone database has been updated to version 2018i. Previously, applications written in the Perl language that use the DateTime::TimeZone
module mishandled time zones that changed their specifications since version 2017b due to the outdated database.
The trace-cmd
packages have been updated to version 2.7
The updated packages provide the latest bug fixes and upstream features. As a result, the Red Hat Enterprise Linux users can now use an up-to-date trace-cmd
command.
(BZ#1655111)
vim
rebased to version 7.4.629
The vim
packages have been upgraded to upstream version 7.4.629, which is in RHEL 6. This version provides a number of bug fixes and enhancements over the previous version.
Notable enhancements include the breakindent
feature. For more information about the feature, see :help breakindent
in Vim.
4.4. Desktop
cups-filters
updated
The cups-filters
packages, distributed in version 1.0.35, have been updated to provide the following enhancements:
-
The
cups-browsed
daemon, which provides the functionality removed from CUPS since the version 1.5, has been rebased to version 1.13.4, excluding the support for CUPS temporary queues. -
A new backend,
implicitclass
, has been introduced to support high availability and load balancing.
Mutter now allows for mass-deployable homogenized display configuration
The Mutter window manager now makes it possible to deploy pre-set display configurations for all users on a system. As a result, Mutter no longer requires that the configuration for each user is copied to its own configuration directory, but it can use a system wide configuration file instead. This feature makes Mutter suitable for mass deployment of homogenized display configuration.
To set the configuration for a single user, create and populate the ~/.config/monitors.xml
file. For the login screen in particular, use the ~/gdm/.config/monitors.xml
file. For system-wide configurations, use the /etc/xdg/monitors.xml
file.
4.5. File Systems
Improved quota
reports
The quota
tool in non-verbose mode now distinguishes between a file system with no limits and a file system with limits but with no used resources. Previously, none
was printed for both use cases, which was confusing.
(BZ#1601109)
4.6. Installation and Booting
The graphical installation program now detects if SMT is enabled
Previously, the RHEL 7 graphical installation program did not detect if Simultaneous Multithreading (SMT) was enabled on a system. With this update, the installation program now detects if SMT is enabled on a system. If it is enabled, a warning message is displayed in the Status bar, which is located at the bottom of the Installation Summary window.
(BZ#1678353)
New --g-libs
option for the find-debuginfo.sh
script
This update introduces the new --g-libs
option for the find-debuginfo.sh
script. This new option is an alternative to previous -g
option, which instructed the script to remove only debugging symbols from both binary and library files. The new --g-libs
option works the same way as -g
, but only for library files. The binary files are stripped completely.
The Image Builder rebased to version 19.7.33 and fully supported
The Image Builder, provided by the lorax-composer
package in the RHEL 7 Extras Channel, has been upgraded to version 19.7.33.
Notable changes in this version include:
- The Image Builder, previously available as Technology Preview, is now fully supported.
- Cloud images can be built for Amazon Web Services, VMware vSphere, and OpenStack.
- A Red Hat Content Delivery Network (CDN) repository mirror is no longer needed.
- You can now set a host name and create users.
-
Boot loader parameters can be set, such as disabling Simultaneous Multi-Threading (SMT) with the
nosmt=force
option. This is only possible fromcomposer-cli
tool on command line. - The web console UI can now edit external repositories ("sources").
- The Image Builder can now run with SElinux in enforcing mode.
To access the Image Builder functionality, use a command-line interface in the composer-cli
utility, or a graphical user interface in the RHEL 7 web console from the cockpit-composer
package.
(BZ#1713880, BZ#1656105, BZ#1654795, BZ#1689314, BZ#1688335)
4.7. Kernel
Kernel version in RHEL 7.7
Red Hat Enterprise Linux 7.7 is distributed with the kernel version 3.10.0-1062.
(BZ#1801759)
Live patching for the kernel is now available
Live patching for the kernel, kpatch
, provides a mechanism to patch a running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.
To subscribe to the kpatch
stream for the RHEL 7.7 version of kernel, install the kpatch-patch-3_10_0-1062
package provided by the RHEA-2019:2011 advisory.
For more information, see Applying patches with kernel live patching in the Kernel Administration Guide.
The IMA and EVM features are now supported on all architectures
The Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) are now fully supported on all available architectures. In RHEL 7.6, they were supported only on the AMD64 and Intel 64 architecture.
IMA and EVM enable the kernel to check the integrity of files at runtime using labels attached to extended attributes. You can use IMA and EVM to monitor if files have been accidentally or maliciously altered.
The ima-evm-utils
package provides userspace utilities to interface between user applications and the kernel features.
(BZ#1636601)
Spectre V2 mitigation default changed from IBRS to Retpoline in new installations of RHEL 7.7
The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and its close derivatives [1] has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline in new installations of RHEL 7.7. Red Hat has implemented this change as a result of Intel’s recommendations to align with the defaults used in the Linux community and to restore lost performance. However, note that using Retpoline in some cases may not fully mitigate Spectre V2. Intel’s Retpoline document [2] describes any cases of exposure. This document also states that the risk of an attack is low.
For installations of RHEL 7.6 and prior, IBRS is still the default mitigation. New installations of RHEL 7.7 and later versions will have "spectre_v2=retpoline" added to the kernel command line. No change will be made for upgrades to RHEL 7.7 from earlier versions of RHEL 7.
Note that users can select which spectre_v2 mitigation will be used. To select Retpoline: a) Add the "spectre_v2=retpoline" flag to the kernel command line, and reboot. b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/retp_enabled"
To select IBRS: a) Remove the "spectre_v2=retpoline" flag from the kernel command line, and reboot. b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/ibrs_enabled"
If one or more kernel modules were not built with Retpoline support, the /sys/devices/system/cpu/vulnerabilities/spectre_v2
file will indicate vulnerability and the /var/log/messages
file will identify the offending modules. See How to determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with unsafe module(s)"? for further information.
[1] "6th generation Intel Core Processors and its close derivatives" are what the Intel’s Retpoline document refers to as "Skylake-generation".
[2] Retpoline: A Branch Target Injection Mitigation - White Paper
(BZ#1653428, BZ#1659626)
PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels
Previously, the kernel in Red Hat Enterprise Linux (RHEL) did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, PMTU discovery and route redirection are now supported with VXLAN and GENEVE tunnels.
(BZ#1511372)
A new kernel command-line option to disable hardware transactional memory on IBM POWER
RHEL 7.7 introduces the ppc_tm=off
kernel command-line option. When the user passes ppc_tm=off
at boot time, the kernel disables hardware transactional memory on IBM POWER systems and makes it unavailable to applications. Previously, the RHEL 7 kernel unconditionally made the hardware transactional memory feature on IBM POWER systems available to applications whenever it was supported by hardware and firmware.
(BZ#1694778)
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.7. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For instructions on installing Intel Omni-Path Architecture documentation, see: https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_7_7_RN_K65224.pdf
(BZ#1739072)
IBPB cannot be directly disabled
With this RHEL kernel source code update, it is not possible to directly disable the Indirect Branch Prediction Barrier (IBPB) control mechanism. Red Hat does not anticipate any performance issues from this setting.
(BZ#1807647)
4.8. Real-Time Kernel
kernel-rt
source tree now matches the latest RHEL 7 tree
The kernel-rt
sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
The RHEL 7 kernel-rt timer wheel has been updated to a non-cascading timer wheel
The current timer wheel has been switched to a non-cascading wheel which improves the timer subsystem and reduces the overheads on many operations. With the backport of the non-cascading timer wheel, kernel-rt is very close to the upstream kernel in enabling the backport of future improvements.
4.9. Networking
rpz-drop
now prevents BIND for repetitive resolving of unreachable domain
The Berkeley Internet Name Domain (BIND) version distributed with RHEL 7.7 introduces the rpz-drop
policy, which enables to mitigate DNS amplification attacks. Previously, if an attacker generated a lot of queries for an irresolvable domain, BIND was constantly trying to resolve such queries, which caused considerable load on CPU. With rpz-drop
, BIND does not process the queries when the target domain is unreachable. This behavior significantly saves CPU capacity.
(BZ#1325789)
bind
rebased to version 9.11
The bind
packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:
New features:
- A new method of provisioning secondary servers called Catalog Zones has been added.
-
Domain Name System Cookies can now be sent by the
named
service and thedig
utility. - The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
- Performance of response-policy zone (RPZ) has been improved.
-
A new zone file format called
map
has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster. -
A new tool called
delv
(domain entity lookup and validation) for sending DNS queries and validating the results has been added. The tool uses the same internal resolver and validator logic as thenamed
daemon. -
A new
mdig
command is now available. This command is a version of thedig
command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query. -
A new
prefetch
option, which improves the recursive resolver performance, has been added. -
A new
in-view
zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory. -
A new
max-zone-ttl
option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated. - New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
-
The
nslookup
utility now looks up both IPv6 and IPv4 addresses by default. -
The
named
service now checks whether other name server processes are running before starting up. -
When loading a signed zone,
named
now checks whether a Resource Record Signature’s (RSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately. - Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
Feature changes:
-
The version
3 XML
schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version2 XML
schema is still the default format.
ipset rebased to version 7.1
The ipset
packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:
-
The
ipset
protocol version 7 introduces theIPSET_CMD_GET_BYNAME
andIPSET_CMD_GET_BYINDEX
operations. Additionally, the user space component can now detect the exact compatibility level that the kernel component supports. - A significant number of bugs have been fixed, such as memory leaks and use-after-free bugs.
(BZ#1649080)
NetworkManager
now supports VLAN filtering on bridge interfaces
With this enhancement, administrators can configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager
connection profiles. This enables administrators to define VLANs directly on bridge ports.
NetworkManager
now supports configuring policy routing rules
Previously, users must set up policy routing rules outside of NetworkManager
, for example by using the dispatcher script provided by the NetworkManager-dispatcher-routing-rules
package. With this update, users can now configure rules as part of a connection profile. As a result, NetworkManager
adds the rules when the profile is activated and removes the rules when the profile is deactivated.
4.10. Security
NSS now supports keys restricted to RSASSA-PSS
The Network Security Services (NSS) library now supports keys restricted to Rivest–Shamir–Adleman Signature Scheme with Appendix – Probabilistic Signature Scheme (RSASSA-PSS). The legacy signature scheme, Public Key Cryptography Standard #1 (PKCS#1) v1.5, permits the keys to be reused for encrypting data or keys. This makes those keys vulnerable to signature forging attacks published by Bleichenbacher. Restricting the keys to the RSASSA-PSS algorithm makes them resilient to attacks that utilize decryption.
With this update, NSS can be configured to support keys which are restricted to the RSASSA-PSS algorithm only. This enables the use of such keys included in X.509 certificates for both server and client authentication in TLS 1.2 and 1.3.
NSS now accepts signatures with the NULL object only when correctly included in PKCS#1 v1.5 DigestInfo
The first specification of PKCS#1 v1.5-compatible signatures used text that could be interpreted in two different ways. The encoding of parameters that are encrypted by the signer could include an encoding of a NULL ASN.1
object or omit it. Later revisions of the standard made the requirement to include the NULL object encoding explicit.
Previous versions of Network Security Service (NSS) tried to verify signatures while allowing either encoding. With this version, NSS accepts signatures only when they correctly include the NULL object in the DigestInfo structure in the PKSC#1 v1.5 signature.
This change impacts interoperability with implementations that continue to create signatures that are not PKCS#1 v1.5-compliant.
(BZ#1552854)
OpenSC supports HID Crescendo 144K smart cards
With this enhancement, OpenSC supports HID Crescendo 144K smart cards. These tokens are not fully compatible with the Common Access Card (CAC) specification. The token also use some more advanced parts of the specification than CAC tokens issued by the government. The OpenSC driver has been enhanced to manage these tokens and special cases of the CAC specification to support HID Crescendo 144K smart cards.
(BZ#1612372)
AES-GCM ciphers are enabled in OpenSSH in FIPS mode
Previously, AES-GCM ciphers were allowed in FIPS mode only in TLS. In the current version, we clarified with NIST that these ciphers can be allowed and certified in OpenSSH, as well.
As a result, the AES-GCM ciphers are allowed in OpenSSH running in FIPS mode.
(BZ#1600869)
SCAP Security Guide supports Universal Base Image
SCAP Security Guide security policies have been enhanced to support Universal Base Image (UBI) containers and UBI images, including ubi-minimal
images. This enables configuration compliance scanning of UBI containers and images using the atomic scan
command. UBI containers and images can be scanned against any profile shipped in SCAP Security Guide. Only the rules that are relevant to secure configuration of UBI are evaluated, which prevents false positives and produces relevant results. The rules that are not applicable to UBI images and containers are skipped automatically.
(BZ#1695213)
scap-security-guide
rebased to version 0.1.43
The scap-security-guide
packages have been upgraded to upstream version 0.1.43, which provides a number of bug fixes and enhancements over the previous version, most notably:
- Minimum supported Ansible version changed to 2.5
- New RHEL7 profile: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)
tangd_port_t
allows changes of the default port for Tang
This update introduces the tangd_port_t
SELinux type that allows the tangd
service run as confined with SELinux enforcing mode. That change helps to simplify configuring a Tang server to listen on a user-defined port and it also preserves the security level provided by SELinux in enforcing mode.
A new SELinux type: boltd_t
A new SELinux type, boltd_t
, confines boltd
, a system daemon for managing Thunderbolt 3 devices. As a result, boltd
now runs as a confined service in SELinux enforcing mode.
A new SELinux policy class: bpf
A new SELinux policy class, bpf
, has been introduced. The bpf
class enables users to control the Berkeley Packet Filter (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.
(BZ#1626115)
shadow-utils
rebased to version 4.6
The shadow-utils
packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the newuidmap
and newgidmap
commands for manipulating the UID and GID namespace mapping.
4.11. Servers and Services
chrony
rebased to version 3.4
The chrony
packages have been upgraded to upstream version 3.4, which provides a number of bug fixes and enhancements over the previous version, notably:
- The support for hardware time stamping has received improvements.
- The range of supported polling intervals has been extended.
- Burst and filter options have been added to NTP sources.
-
A pid file has been moved to prevent the
chronyd -q
command from breaking the system service. - An compatibility with NTPv1 clients has been fixed.
GNU enscript now supports ISO-8859-15 encoding
With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.
ghostscript
rebased to version 9.25
The ghostscript
packages have been upgraded to upstream version 9.25, which provides a number of bug fixes and enhancements over the previous version.
(BZ#1636115)
libssh2
package rebased to version 1.8.0
This update rebases the libssh2
package to version 1.8.0.
This version includes the following:
- Added support for HMAC-SHA-256 and HMAC-SHA-512
- Added support for diffie-hellman-group-exchange-sha256 key exchange
- Fixed many small bugs in the code
(BZ#1592784)
ReaR updates
ReaR has been updated to a later version. Notable bug fixes and enhancements over the previous version include:
- Shared libraries provided by the system are now correctly added into the ReaR rescue system in cases where additional libraries of the same name are needed by the backup mechanism. Verification of NetBackup binaries is performed using the correct libraries, so the verification no longer fails when creating the rescue image. As a result, you can now use NetBackup as a backup mechanism with ReaR. Note that this applies only for NetBackup versions prior to NetBackup 8.0.0. Note that it is currently impossible to use NetBackup 8.0.0 and later versions due to other unresolved problems.
Creation of a rescue image in cases with large number of multipath devices now proceeds faster. Scanning of devices has been improved in the following ways:
- Scanning uses caching to avoid querying the multipath devices multiple times.
- Scanning queries only device-mapper devices for device-mapper specific information.
- Scanning avoids collecting information about FibreChannel devices.
Several bugs in ReaR affecting complex network configurations have been fixed:
-
The Link Aggregation Control Protocol (LACP) configuration is now correctly restored in the rescue system in cases when teaming, or bonding with the
SIMPLIFY_BONDING
option, is used together with LACP. -
ReaR now correctly restores the configuration of the interface in the rescue system in cases when a network interface is renamed from the standard name, such as
ethX
, to a custom name. - ReaR has been fixed to record a correct MAC address of the network interfaces in cases when bonding or teaming is used.
-
The Link Aggregation Control Protocol (LACP) configuration is now correctly restored in the rescue system in cases when teaming, or bonding with the
- ReaR has been fixed to correctly report errors when saving the rescue image. Previously, such errors resulted only in creation of unusable rescue images. As a result of the fix, ReaR now fails in such cases, so the problem can be properly investigated.
- The computation of disk layout for disks with a logical sector size different from 512 bytes has been fixed.
- ReaR now properly sets the bootlist during a restore on IBM Power Systems that use more than one bootable disk.
-
ReaR now properly excludes its temporary directory from backup when an alternate temporary directory is specified using the
TMPDIR
environment variable. -
ReaR now depends on the
xorriso
packages instead of on thegenisoimage
package for ISO image generation. This makes it possible to create an image with a file larger than 4 GB, which occurs especially when creating an image with an embedded backup.
(BZ#1652828, BZ#1652853, BZ#1631183, BZ#1610638, BZ#1426341, BZ#1655956, BZ#1462189, BZ#1700807)
tuned
rebased to version 2.11
The tuned
packages have been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version, notably:
- Support for boot loader specification (BLS) has been added. (BZ#1576435)
-
The
mssql
profile has been updated. (BZ#1660178) -
The
virtual-host
profile has been updated. (BZ#1569375) - A range feature for CPU exclusion has been added. (BZ#1533908)
-
Profile configuration now automatically reloads when the
tuned
service detects the hang-up signal (SIGHUP). (BZ#1631744)
For full list of changes see the upstream git log: https://github.com/redhat-performance/tuned/commits/v2.11.0
New packages: xorriso
Xorriso is a program for creating and manipulating ISO 9660 images, and for writing CD-ROMs or DVD-ROMs. The program includes the xorrisofs
command, which is a recommended replacement for the genisoimage
utility. The xorrisofs
command has a compatible interface with genisoimage
, and provides multiple enhancements over genisoimage
. For example, with xorrisofs
, maximum file size is no longer limited to 4 GB. Xorriso is suitable for backups, and it is used by Relax-and-Recover (ReaR), a recovery and system migration utility.
(BZ#1638857)
4.12. Storage
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
(BZ#1649493)
New scan_lvs
configuration setting
A new lvm.conf
configuration file setting, scan_lvs
, has been added and set to 0 by default. The new default behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top of LVs.
Layering PVs on top of LVs can occur by way of VM images placed on top of LVs, in which case it is not safe for the host to access the PVs. Avoiding this unsafe access is the primary reason for the new default behavior. Also, in environments with many active LVs, the amount of device scanning done by LVM can be significantly decreased.
The previous behavior can be restored by changing this setting to 1.
4.13. System and Subscription Management
The web console rebased to version 195
The web console, provided by the cockpit
packages, has been upgraded to version 195, which provides a number of new features and bug fixes.
The cockpit
packages distributed in the Base channel of RHEL 7 include the following features:
- You can now open individual ports for services in the firewall.
- The firewall page now enables adding and removing firewall zones and adding services to a specific zone.
- Cockpit can now help you with enabling certain security vulnerability mitigations, starting with the disabling SMT (Simultaneous Multi-Threading) option.
The cockpit
packages distributed in the Extras channel of RHEL 7 have been updated to version 151.1, which provides the following additional features:
- You can now add an iSCSI direct target as a storage pool for your virtual machines.
- Notifications about virtual machines have been streamlined and use a common presentation now.
- You can select encryption type separately from the file system.
With this update, support for the Internet Explorer browser has been removed from the RHEL 7 web console. Attempting to open the web console in Internet Explorer now displays an error screen with a list of recommended browsers that can be used instead.
4.14. Virtualization
virt-v2v
can now convert SUSE Linux VMs
You can now use the virt-v2v
utility to convert virtual machines (VMs) that use SUSE Linux Enterprise Server (SLES) and SUSE Linux Enterprise Desktop (SLED) guest operating systems (OSs) from non-KVM hypervisors to KVM.
Note that the conversion is only supported for SLES or SLED guest OSs version 11 Service Pack 4 or later. In addition, SLES 11 and SLED 11 VMs that use X graphics need to be re-adjusted after the conversion for the graphics to work properly. To do so, use the sax2 distribution tool in the guest OS after the migration is finished.
(BZ#1463620)
virt-v2v
can now use vmx configuration files to convert VMware guests
The virt-v2v
utility now includes the vmx
input mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the -it ssh
parameter.
virt-v2v
converts VMWare guests faster and more reliably
The virt-v2v
utility can now use the VMWare Virtual Disk Development Kit (VDDK) to convert a VMWare guest virtual machine to a KVM guest. This enables virt-v2v
to connect directly to the VMWare ESXi hypervisor, which improves the speed and reliability of the conversion.
Note that this conversion import method requires the external nbdkit
utility and its VDDK plug-in.
(BZ#1477912)
virt-v2v
can convert UEFI guests for RHV
Using the virt-v2v
utility, it is now possible to convert virtual machines that use the UEFI firmware to run in Red Hat Virtualization (RHV).
virt-v2v
removes VMware Tools more reliably
This update makes it more likely that the virt-v2v
utility automatically attempts to remove VMware Tools software from a VMware virtual machine that virt-v2v
is converting to KVM. Notably, virt-v2v
now attempts to remove VMWare Tools in the following scenarios:
- When converting Windows virtual machines.
- When VMMware Tools were installed on a Linux virtual machine from a tarball.
- When WMware Tools were installed as open-vm-tools.
4.15. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers.
4.16. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl
utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl
utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.