Red Hat Enterprise Linux 8.1 distribution release

Red Hat has released the Red Hat Enterprise Linux 8.1 distribution. Installation builds are prepared for the x86_64, s390x (IBM System z), ppc64le and Aarch64 architectures, but are available for download only to registered users of the Red Hat Customer Portal. Red Hat Enterprise Linux 8 rpm packages are distributed via the CentOS Git repository. The RHEL 8.x branch will be supported until at least 2029.

Red Hat Enterprise Linux 8.1 was the first release prepared in accordance with the new predictable development cycle, which implies the formation of releases every six months at a predetermined time. Having accurate information about when a new release will be published allows you to synchronize the development schedules of various projects, prepare in advance for a new release, and plan when updates will be applied.

It is noted that the new RHEL product life cycle spans multiple layers, including Fedora as a springboard for new features, CentOS Stream for access to packages created for the next intermediate release of RHEL (a rolling version of RHEL), a minimalistic Universal Base Image (UBI) for running applications in isolated containers, and the RHEL Developer Subscription for free use of RHEL during development.

Key changes:

  • Full support is provided for the live-patching mechanism (kpatch), which eliminates vulnerabilities in the Linux kernel without restarting the system and without stopping work. Previously, kpatch was classified as an experimental feature;
  • Based on the fapolicyd framework, the ability to create white and black lists of applications has been implemented, which let you control which programs a user can launch and which they cannot (for example, to block the launch of unverified external executable files). The decision to block or allow a launch can be made based on the application name, path, content hash, and MIME type. Rules are checked during the open() and exec() system calls, so this may have a negative impact on performance;
  • The distribution includes SELinux profiles focused on use with isolated containers, allowing more granular control over the access of services running in containers to host system resources. To generate SELinux rules for containers, a new udica utility has been proposed, which takes the specifics of a particular container into account and grants access only to the necessary external resources, such as storage, devices and network. The SELinux utilities (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, mcstrans) have been updated to release 2.9, and the SETools package to version 4.2.2.

    Added a new SELinux type, boltd_t, which restricts boltd, a process for managing Thunderbolt 3 devices (boltd now runs in a container limited by SELinux). Added a new class of SELinux rules, bpf, which controls access to Berkeley Packet Filter (BPF) and inspects applications for eBPF;

  • The FRRouting stack of routing protocols is included (BGP4, MP-BGP, OSPFv2, OSPFv3, RIPv1, RIPv2, RIPng, PIM-SM/MSDP, LDP, IS-IS), replacing the previously used Quagga package (FRRouting is a fork of Quagga, so compatibility was not affected);
  • For encrypted partitions in the LUKS2 format, support has been added for re-encrypting block devices on the fly, without stopping their use in the system (for example, you can now change the key or encryption algorithm without unmounting the partition);
  • Support for the new edition of the SCAP 1.3 protocol (Security Content Automation Protocol) has been added to the OpenSCAP framework;
  • Updated versions of OpenSSH 8.0p1, Tuned 2.12, chrony 3.5, samba 4.10.4. Modules with new branches of PHP 7.3, Ruby 2.6, Node.js 12 and nginx 1.16 have been added to the AppStream repository (updating modules with previous branches has continued). Packages with GCC 9, LLVM 8.0.1, Rust 1.37 and Go 1.12.8 have been added to the Software Collection;
  • The SystemTap tracing tool has been updated to the 4.1 branch, and the Valgrind memory debug tool to version 3.15;
  • A new healthcheck utility has been added to the identity server deployment tools (IdM, Identity Management), which simplifies the identification of problems in environments that use the identity server. Installation and configuration of IdM environments is simplified thanks to support for Ansible roles and the ability to install modules. Added support for Active Directory Trusted Forests based on Windows Server 2019;
  • The virtual desktop switcher has been changed in the GNOME Classic session. The widget for switching between desktops is now located on the right side of the bottom panel and is designed as a strip with desktop thumbnails (to switch to another desktop, just click on the thumbnail that reflects its contents);
  • The DRM (Direct Rendering Manager) subsystem and low-level graphics drivers (amdgpu, nouveau, i915, mgag200) have been updated to match the Linux 5.1 kernel. Added support for AMD Raven 2, AMD Picasso, AMD Vega, Intel Amber Lake-Y and Intel Comet Lake-U video subsystems;
  • The toolkit for upgrading RHEL 7.6 to RHEL 8.1 has added support for upgrading without reinstallation for ARM64, IBM POWER (little endian) and IBM Z architectures. A system pre-upgrade mode has been added to the web console. Added the cockpit-leapp plugin to restore state in case of problems during the update. The /var and /usr directories are split out into separate partitions. Added UEFI support. In Leapp, packages are updated from the Supplementary repository (includes proprietary packages);
  • Image Builder has added support for building images for the Google Cloud and Alibaba Cloud environments. When defining image contents, the ability to use repo.git has been added to include additional files from arbitrary Git repositories;
  • Additional checks have been added to Glibc for malloc to detect when allocated memory blocks are corrupted;
  • The dnf-utils package has been renamed to yum-utils for compatibility (the ability to install dnf-utils is retained, but this package will automatically be replaced by yum-utils);
  • Added a new edition of Red Hat Enterprise Linux System Roles, providing a set of modules and roles for deploying a centralized configuration management system based on Ansible and configuring subsystems to enable specific functions related to storage, networking, time synchronization, SELinux rules and the use of the kdump mechanism. For example, a new storage role allows you to perform tasks such as managing file systems on the disk and working with LVM groups and logical partitions;

  • The network stack for VXLAN and GENEVE tunnels now processes the ICMP packets “Destination Unreachable”, “Packet Too Big” and “Redirect Message”, which solves the problem of being unable to use route redirections and Path MTU Discovery in VXLAN and GENEVE;
  • An experimental implementation of the XDP (eXpress Data Path) subsystem has been added, which allows Linux to run BPF programs at the network driver level with direct access to the DMA packet buffer, at the stage before the skbuff buffer is allocated by the network stack, as well as eBPF components synchronized with the Linux 5.0 kernel. Added experimental support for the AF_XDP kernel subsystem (eXpress Data Path);
  • Full support is provided for the TIPC (Transparent Inter-process Communication) network protocol, designed to organize inter-process communication in a cluster. The protocol provides a means for applications to communicate quickly and reliably, regardless of which nodes in the cluster they are running on;
  • A new mode for saving a core dump in case of failure has been added to initramfs, “early dump”, which works in the early stages of booting;
  • Added a new kernel parameter ipcmni_extend, which extends the IPC ID limit from 32 KB (15 bits) to 16 MB (24 bits), allowing applications to use more shared memory segments;
  • Ipset has been updated to release 7.1 with support for the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations;
  • The rngd daemon, which fills the entropy pool of the pseudorandom number generator, is freed from the need to run as root;
  • Full support is provided for Intel OPA (Omni-Path Architecture) on equipment with Host Fabric Interface (HFI), along with full support for Intel Optane DC Persistent Memory devices;
  • Debug kernels by default include a build with the UBSAN (Undefined Behavior Sanitizer) detector, which adds additional checks to the compiled code to detect situations when program behavior becomes undefined (for example, the use of non-static variables before they are initialized, dividing integers by zero, overflows of signed integer types, dereferencing NULL pointers, problems with pointer alignment, etc.);
  • The kernel source tree with real-time extensions (kernel-rt) is synchronized with the main RHEL 8 kernel code;
  • Added ibmvnic driver for the vNIC (Virtual Network Interface Controller) network controller with the implementation of PowerVM virtual network technology. When used in conjunction with the SR-IOV NIC, the new driver allows for bandwidth and quality of service control at the virtual network adapter level, significantly reducing virtualization overhead and reducing CPU load;
  • Added support for Data Integrity Extensions, which allow you to protect data from damage when writing to storage by saving additional corrective blocks;
  • Added experimental support (Technology Preview) for the nmstate package, which provides the nmstatectl library and utility for managing network settings through a declarative API (the network state is described in the form of a predefined scheme);
  • Added experimental support for kernel-level TLS (KTLS) implementation with AES-GCM-based encryption, as well as experimental support for OverlayFS, cgroup v2, Stratis, mdev (Intel vGPU) and DAX (direct access to the file system bypassing the page cache without using the block device level) in ext4 and XFS;
  • Deprecated support for DSA, TLS 1.0 and TLS 1.1, which were removed from the DEFAULT set and moved to LEGACY (“update-crypto-policies --set LEGACY”);
  • The packages 389-ds-base-legacy-tools, authd, custodia, hostname, libidn, net-tools, network-scripts, nss-pam-ldapd, sendmail, yp-tools, ypbind and ypserv have been deprecated. They may be discontinued in a future significant release;

  • The ifup and ifdown scripts have been replaced with wrappers that call NetworkManager via nmcli (to return the old scripts, you need to run “yum install network-scripts”).
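
The move of DSA, TLS 1.0 and TLS 1.1 from DEFAULT to LEGACY, noted in the list above, makes the active crypto policy worth auditing on each host. The following is an added example, not code from the article or from Red Hat: the function names are hypothetical, and the default paths /etc/crypto-policies/config and /etc/crypto-policies/state/current are assumptions about a stock RHEL 8 crypto-policies layout.

```shell
#!/bin/sh
# Added example: report which system-wide crypto policy is configured and applied.
# Default paths are assumptions about a stock RHEL 8 crypto-policies layout.

# Print the first non-comment, non-blank token of a policy file, upper-cased.
read_policy() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" |
        head -n 1 | tr '[:lower:]' '[:upper:]'
}

# audit_crypto_policy [CONFIG_FILE] [STATE_FILE]
# Returns 0 = ok, 1 = LEGACY in effect, 2 = configured but not applied,
# 3 = policy cannot be determined.
audit_crypto_policy() {
    config=${1:-/etc/crypto-policies/config}
    state=${2:-/etc/crypto-policies/state/current}

    configured=$(read_policy "$config") || configured=
    if [ -z "$configured" ]; then
        echo "UNKNOWN: no policy name in $config"
        return 3
    fi
    # Without a state file, fall back to the configured name.
    applied=$(read_policy "$state") || applied=
    [ -n "$applied" ] || applied=$configured

    # What is applied matters more than what is configured.
    if [ "$applied" = "LEGACY" ]; then
        echo "WEAK: LEGACY applied (DSA, TLS 1.0 and TLS 1.1 allowed)"
        return 1
    fi
    if [ "$applied" != "$configured" ]; then
        echo "MISMATCH: configured=$configured applied=$applied"
        return 2
    fi
    echo "OK: policy $applied"
    return 0
}
```

Called with no arguments, the function reads the default paths; passing two file paths lets it run against copies collected from other hosts.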

Source: opennet.ru
