Oracle releases Unbreakable Enterprise Kernel 6

Oracle has presented the first stable release of Unbreakable Enterprise Kernel 6 (UEK R6), an extended build of the Linux kernel marketed for use in the Oracle Linux distribution as an alternative to the stock kernel package from Red Hat Enterprise Linux. The kernel is available only for the x86_64 and ARM64 (aarch64) architectures. The source code, including the breakdown into individual patches, is published in Oracle's public Git repository.

Unbreakable Enterprise Kernel 6 is based on Linux kernel 5.4 (UEK R5 was based on kernel 4.14), extended with new features, optimizations and fixes, tested for compatibility with most applications running on RHEL, and specifically optimized for Oracle's enterprise software and hardware. UEK R6 kernel installation and source packages are prepared for Oracle Linux 7.x and 8.x. Support for the 6.x branch has been discontinued: to use UEK R6, you must upgrade the system to Oracle Linux 7 (nothing prevents using this kernel on the corresponding versions of RHEL, CentOS and Scientific Linux).

Key innovations in Unbreakable Enterprise Kernel 6:

  • Extended support for systems based on the 64-bit ARM architecture (aarch64).
  • Implemented support for all features of Cgroup v2.
  • The ktask framework has been added to parallelize CPU-intensive tasks inside the kernel. For example, ktask can be used to parallelize the clearing of memory page ranges or the processing of the inode list.
  • A parallelized version of kswapd has been included to swap out pages asynchronously, reducing the number of direct (synchronous) reclaim operations. When the number of free memory pages drops, kswapd scans for unused pages that can be freed.
  • Support for verifying the integrity of the kernel image and of digitally signed firmware when loading a kernel via the kexec mechanism (loading a new kernel from an already running system).
  • The performance of the virtual memory management subsystem has been optimized, the clearing of memory and cache pages has been made more efficient, and the handling of accesses to unallocated memory pages (page faults) has been improved.
  • NVDIMM support has been expanded; such persistent memory can now be used as traditional RAM.
  • The transition to the DTrace 2.0 dynamic tracing system has been made, which has been reworked to use the kernel's eBPF subsystem. DTrace now runs on top of eBPF, just as the existing Linux tracing tools do.
  • Improvements have been made to the OCFS2 (Oracle Cluster File System) file system.
  • Improved support for the Btrfs file system: Btrfs can now be used on root partitions, the installer offers Btrfs when formatting devices, swap files can be placed on Btrfs partitions, and Btrfs supports compression with the Zstandard algorithm.
  • Added support for the io_uring asynchronous I/O interface, which is notable for supporting I/O polling and for working both with and without buffering. In terms of performance, io_uring comes very close to SPDK and significantly outperforms libaio when polling is enabled. For use in user-space applications, the liburing library provides a high-level binding over the kernel interface.
  • Added support for the Adiantum mode for fast disk encryption.
  • Added support for compression with the Zstandard (zstd) algorithm.
  • The ext4 filesystem uses 64-bit timestamps in superblock fields.
  • XFS includes facilities for reporting on the integrity of a file system at runtime and for querying the status of an fsck run on the fly.
  • The TCP stack defaults to "Early Departure Time" instead of "As Fast As Possible" when sending packets. GRO (Generic Receive Offload) support is enabled for UDP. Added support for receiving and sending TCP packets in zero-copy mode.
  • The kernel-level TLS implementation (KTLS) has been extended and can now be used not only for sent but also for received data.
  • nftables is enabled as the default firewall backend. Optional support for bpfilter has been added.
  • Added support for the XDP (eXpress Data Path) subsystem, which allows running BPF programs on Linux at the network driver level, with direct access to the DMA packet buffer, at a stage before the network stack allocates the skbuff buffer.
  • Lockdown mode has been improved and is enabled when UEFI Secure Boot is in use. It restricts the root user's access to the kernel and blocks paths for bypassing UEFI Secure Boot. For example, lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; blocks the kexec_file and kexec_load calls; prohibits sleep mode; limits the use of DMA by PCI devices; prohibits importing ACPI code from EFI variables; and disallows manipulation of I/O ports, including changing the interrupt number and I/O port of the serial port.
  • Added support for Enhanced Indirect Branch Restricted Speculation (IBRS), which allows speculative instruction execution to be adaptively enabled and disabled during interrupts, system calls and context switches. If Enhanced IBRS is supported, it is used to protect against Spectre V2 attacks instead of Retpoline, as it provides better performance.
  • Improved protection in world-writable directories. In such directories with the sticky bit set, creating FIFO files and files owned by users other than the directory owner is prohibited.
  • Kernel address space layout randomization (KASLR) is enabled by default on ARM systems. Pointer authentication is enabled on aarch64.
  • Added support for "NVMe over Fabrics TCP".
  • The virtio-pmem driver has been added to provide access to storage devices mapped into the physical address space, such as NVDIMMs.
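As an added example (not part of the original article or of Oracle's own tooling), the following POSIX shell script audits a running host for the hardening features listed above: the lockdown mode, the sticky-directory protections, and a kernel version of at least 5.4. It assumes the standard kernel interfaces /sys/kernel/security/lockdown and the fs.protected_fifos / fs.protected_regular sysctls, which are not named in the article; the version strings used as sample input are constructed.

```shell
#!/bin/sh
# Added example: audit UEK R6-era hardening settings on a running system.
# Each check is a pure function over the raw file content so it can also be
# exercised on constructed sample input without root or a 5.4 kernel.

# /sys/kernel/security/lockdown reads e.g. "none [integrity] confidentiality";
# the bracketed word is the active mode. Prints "" if the format is unknown.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# fs.protected_fifos / fs.protected_regular (files under /proc/sys/fs/):
# 0 = off, 1 = protect world-writable sticky dirs, 2 = also group-writable ones.
# Anything >= 1 enables the protection described in the article.
sticky_protection_ok() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# True when a `uname -r` string such as "5.4.0-example" is 5.4 or newer.
kernel_at_least_5_4() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 5 ] 2>/dev/null || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; } 2>/dev/null
}

# Report on the live host; every probe degrades gracefully if the interface
# is missing (older kernel, securityfs not mounted, restricted container).
audit_host() {
    if [ -r /sys/kernel/security/lockdown ]; then
        printf 'lockdown: %s\n' "$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    else
        echo 'lockdown: not available (kernel < 5.4 or securityfs not mounted)'
    fi
    for knob in protected_fifos protected_regular; do
        val=$(cat "/proc/sys/fs/$knob" 2>/dev/null || echo 0)
        if sticky_protection_ok "$val"; then
            printf 'fs.%s=%s: ok\n' "$knob" "$val"
        else
            printf 'fs.%s=%s: WEAK, set to 1 or 2\n' "$knob" "$val"
        fi
    done
    if kernel_at_least_5_4 "$(uname -r)"; then echo 'kernel: >= 5.4'; else echo 'kernel: < 5.4'; fi
}

audit_host
```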

Source: opennet.ru
