, Oracle and/or its affiliates. Legal Notices
F51009-03
June 2022
Abstract
Oracle ® Linux 9: Release Notes for Oracle Linux 9 provides information about the new features and known issues in the Oracle Linux 9 release. This document may be updated after it is released.
Table of Contents
Oracle ® Linux 9: Release Notes for Oracle Linux 9 provides information about the new features and known issues in the Oracle Linux 9 release. This document might be updated after it is released.
Document generated on: 2022-06-24 (revision: 13264)
These release notes contain information that applies to both the x86_64 and 64-bit Arm (aarch64) architectures. See Chapter 4, Release-Specific Information for Oracle Linux 9 (aarch64) for information that applies specifically to the 64-bit Arm (aarch64) platform.
The following text conventions are used in this document:
|
Convention |
Meaning |
|---|---|
|
boldface |
Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
|
italic |
Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
|
|
Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at https://www.oracle.com/corporate/accessibility/ .
For information about the accessibility of the Oracle Help Center, see the Oracle Accessibility Conformance Report at https://www.oracle.com/corporate/accessibility/templates/t2-11535.html .
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit https://www.oracle.com/corporate/accessibility/learning-support.html#support-tab .
Oracle is fully committed to diversity and inclusion. Oracle respects and values having a diverse workforce that increases thought leadership and innovation. As part of our initiative to build a more inclusive culture that positively impacts our employees, customers, and partners, we are working to remove insensitive terms from our products and documentation. We are also mindful of the necessity to maintain compatibility with our customers' existing technologies and the need to ensure continuity of service as Oracle's offerings and industry standards evolve. Because of these technical constraints, our effort to remove insensitive terms is ongoing and will take time and external cooperation.
Table of Contents
Oracle Linux 9 contains new features and enhancements that improve performance in different areas including automation and management, security and compliance, container management, and developer tools. These enhancements are especially designed to make the operating system adaptable to different types of deployment from strictly on-premises installations, hybrid deployments that combine on-premises and cloud installations, and full cloud deployment.
Upgrading to the official Oracle Linux 9 release from the Oracle Linux 9 Developer Preview version is not supported. You must reinstall Oracle Linux 9 if you are currently running the Developer Preview version.
To determine whether your hardware is supported on the current Oracle Linux 9 release, check the Hardware Certification List at https://linux.oracle.com/hardware-certifications . Note that hardware is added to the list as it becomes available and validated on Oracle Linux.
The release is available for installation on the following platforms:
Intel 64-bit (x86_64) (x86-64-v2)
AMD 64-bit (x86_64) (x86-64-v2)
64-bit Arm (aarch64) (Arm v8.0-A)
The aarch64 platform is supported with Unbreakable Enterprise Kernel (UEK), which currently is the only kernel that is supported on this platform.
Oracle Linux 9 on the x86_64 platform ships with the following default kernel packages:
kernel-5.14.0-70.13.1.el9_0
(Red Hat Compatible Kernel (RHCK) )
kernel-uek-5.15.0-0.30.19.el9uek
(Unbreakable Enterprise Kernel Release 7 (UEK R7))
For new installations, the UEK kernel is automatically enabled and installed. It also becomes the default kernel on first boot.
For the 64-bit Arm (aarch64) platform, Oracle Linux ships only with the UEK kernel. For more information that is specific to this platform, see Chapter 4, Release-Specific Information for Oracle Linux 9 (aarch64) .
The Oracle Linux release is tested as a bundle, as shipped on the installation media image. When installed from the installation media image, the kernel's version included in the image is the minimum version that is supported. Downgrading kernel packages is not supported, unless recommended by Oracle Support.
Oracle Linux maintains user space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that underlies the operating system. Existing applications in user space continue to run unmodified on Unbreakable Enterprise Kernel. No recertifications are required for RHEL certified applications.
The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. UEK is well tested on Arm (aarch64), Intel x86, and AMD x86 (x86_64) platforms. Each release contains additional features, bug fixes, and updated drivers to provide support for key functional requirements, improve performance, and optimize the kernel for use on Oracle products such as Oracle's Engineered Systems, Oracle Cloud Infrastructure, and large enterprise deployments for Oracle customers.
Typically, a UEK release contains changes to the kernel ABI relative to a previous UEK release. These changes require recompilation of third-party kernel modules on the system. To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors regarding hardware and software that have dependencies on kernel modules. Thus, before installing the latest UEK release, verify its support status with your application vendor.
The kernel ABI for a UEK release remains unchanged in all subsequent updates to the initial release.
For more information about UEK such as tutorials, notices, and release notes of different UEK versions, go to https://docs.oracle.com/en/operating-systems/uek/ .
The following installation images for Oracle Linux 9 are available:
Full ISO of Oracle Linux for typical on-premise installations
Boot ISO of Oracle Linux for network installations
Boot ISO of the supported UEK release for installing on hardware that is supported only on UEK
Source DVDs
For additional information about Oracle Linux ISOs for aarch64 platforms, see Chapter 4, Release-Specific Information for Oracle Linux 9 (aarch64) .
You can download these images from the following locations. Note that the images in these locations are for both the x86_64 and aarch64 platforms, unless indicated otherwise:
Oracle Software Delivery Cloud at https://edelivery.oracle.com
Oracle Linux yum server at https://yum.oracle.com/oracle-linux-downloads.html
For more information managing and updating software on your Oracle Linux systems, see Oracle ® Linux: Managing Software on Oracle Linux .
To prepare a downloaded image for installing Oracle Linux, see Oracle ® Linux 9: Installing Oracle Linux .
Aside from installation ISOs, you can also use Oracle Linux images to create compute instances on Oracle Cloud Infrastructure. For information about these images, see the release notes for the specific image that you are using on the Oracle Cloud Infrastructure Documentation page.
To use Oracle Linux on Oracle Cloud Infrastructure, see https://docs.oracle.com/iaas/oracle-linux/home.htm .
For information about the available ISOs for the three most recent updates to the Oracle Linux releases, refer to https://yum.oracle.com/oracle-linux-isos.html .
You can upgrade an Oracle Linux 8 system to the Oracle Linux 9 release by using the leapp utility.
For step-by-step instructions, as well as information about any known issues that you might encounter when upgrading your system, see Oracle ® Linux 9: Performing System Upgrades With Leapp .
Table of Contents
This chapter describes new features, major enhancements, bug fixes, and other changes that are introduced in Oracle Linux 9. These features generally apply to both the x86_64 and 64-bit Arm (aarch64) platforms, unless otherwise noted. For information that applies specifically to the Arm platform, see Chapter 4, Release-Specific Information for Oracle Linux 9 (aarch64) .
The following installation features and changes are introduced in Oracle Linux 9:
Graphical installation program activates the network automatically during interactive installations. In the interactive installation mode that uses the graphical user interface, the network is automatically enabled. Manually activating the network is no longer required.
Note that this change does not impact the kickstart
installations and installations that use the
ip=
boot option.
Licensing and user setting configuration screens no longer part of post installation. Initial setup screens for licensing and for configuring users that previously appeared as post installation steps are now disabled. To restore these screens, run the following commands which install and enable the relevant packages, and then reboot the system. The initial setup screens appear when the boot up system is completed.
sudo dnf install initial-setup initial-setup-gui -y systemctl enable initial setup reboot
For kickstart installations, add and enable these packages as follows:
firstboot --enable %packages @^graphical-server-environment initial-setup-gui %end
Root account is locked by default. As an added security feature, the root account in an Oracle Linux 9 installation is locked by default. However, the installation program provides options for you to enable SSH root logins with appropriately set passwords during the installation. For instructions, see Oracle ® Linux 9: Installing Oracle Linux .
Kickstart changes have been implemented. The following changes in Oracle Linux 9 affect how you configure automatic installations that use kickstart:
All boot options must use the
inst
prefix; otherwise, those options are ignored. Add the
prefix to previously configured standalone options to
maintain their functionality.
The new timesource command replaces the previous timezone --ntpservers command, which has been deprecated.
The following commands are deprecated:
timezone --nontp
logging --level
%packages --excludeWeakdeps
%packages --instLangs
%anaconda
pwpolicy
The following kickstart commands and options are removed and generate errors if used::
device
deviceprobe
dmraid
multipath
bootloader --upgrade
ignoredisk --interactive
partition --active
harddrive --biospart
autostep
Changes to boot options implemented. The following changes were applied to some boot options:
inst.zram
and
inst.singlelang
options are not
supported in Oracle Linux 9.
inst.loglevel
is always set to debug.
Other log levels in previous Oracle Linux releases have
been removed.
The following notable features, enhancements, and changes apply to the Red Hat Compatible Kernel (RHCK) that is shipped with Oracle Linux 9.
RHCK kernel is signed with trusted Secure Boot certificates. This feature eliminates the need to enroll a separate public key to use the kernel versions on systems that have UEFI Secure Boot enabled. Previous releases required you to enroll a separate public key by using the Machine Owner Key (MOK) facility.
cgroup-v2 enabled by default.
Version 2 of the control groups
(
cgroup-v2
) is enabled together with
version 1 (
cgroup-v1
).
cgroup-v2
implements a single hierarchy
model to simplify the management of control groups. The
model ensures that a process can only be a member of a
single control group at a time. The feature is integrated
with
systemd
and improves resource
control configuration on an Oracle Linux system.
Note that feature incompatibilities exist between
cgroup-v2
and
cgroup-v1
. Moreover, control interfaces
are different between the two versions. Consequently,
third-party software that has a direct dependency on
cgroup-v1
might not run properly in the
cgroup-v2
environment.
While both versions are enabled in the kernel, no default
control group version is set in the kernel. Instead, the
version that mounts at startup is determined by
systemd
.
To use
cgroup-v1
, add the following
parameters to the kernel command line:
systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller
Kernel changes might affect third-party kernel modules. Linux distributions with a kernel version prior to 5.9 included support for exporting GPL functions as non-GPL functions. This support enabled users to link proprietary functions to GPL kernel functions by using the shim mechanism. In this release, upstream changes have been incorporated into the kernel that enable Oracle Linux to enforce GPL more strictly. Accordingly, shim is now rebuffed.
Partners and independent software vendors (ISVs) should test their kernel modules with an early version of Oracle Linux 9 to ensure compliance with GPL.
Fixes to strace utility implemented.
In this release, the
strace
utility
correctly displays SELinux context mismatches through the
extension of the utilities
--secontext
option. This extension is the
mismatch
parameter. See the following example:
[...] $ strace --secontext=full,mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ... $ strace --secontext=mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
perf-top capable of sorting by a specific column.
The
perf-top
system profiling tool can
sort samples by an arbitrary event column instead of just
the first column when multiple events in the group are
sampled. Samples are sorted through the
--group-sort-idx
option, where you
press a number key to sort the table by the data column
that corresponds to that key. Column numbering starts from
0
.
New jigawatts package added.
The new
jigawatts
package includes a
Java library that works to improve the functionality of
the Checkpoint/Restore in Userspace (CRIU) utility
specifically on Java applications.
trace-cmd reset behavior change implemented.
Instead of disabling,
trace-cmd reset
now resets settings of the
ftrace
framework to their default values. This behavior
specifically affects
tracing_on
,
trace_clock
,
set_event_pid
, and
tracing_max_latency
.
Support for Extended Berkeley Packet Filter. The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that enables code execution in the kernel space in a restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.
crash utility 8.0.0.
This version of the utility has a new
offset
parameter in the
add-symbol-file
command that helps to
set the
kaslr-offset
to
gdb
. The parameter also upgrades
gdb-7.6
to
gdb-10.2
.
Changes implemented on makedumpfile utility. The following enhancements and improvements are in the utility:
Support for the Zstandard compression capability.
The utility is thus able to take advantage of
zstd
's high compression ratios
which improve compression efficiency especially in
large memory systems. The improved compression
mechanism creates a smaller
vmcore
file within a reasonable compression time.
New options improve ways to obtain an estimate of the vmcore size.
The following options can be used with the
makedump
command:
--dry-run
performs all operations
specified by the command without writing the output
file.
--show-stats
prints the report
messages. This option is an alternative to enabling
bit 4 that is provided to the
--message-level
option.
The following shows an example in the use of these options:
sudo makedumpfile --dry-run --show-stats -l --message-level 7 -d 31 /proc/kcore dump.dummy
numatop utility for Intel Xeon scalable processors supported.
numatop
monitors and analyzes threads
and processes running on Numa systems. It uses Intel
performance counter sampling technologies and associates
the performance data with Linux system
runtime
information for better analysis
of Numa systems deployed in production.
New crashkernel.default file for kdump memory allocation.
In the
kexec-tools
package, the new
crashkernel.default
file for
kdump
contains a default crash kernel
value for the corresponding kernel build.
kdump
uses the value to control the
default crash kernel memory value of each kernel.
crashkernel.default
serves as a good
reference for
kdump
memory reservation.
By basing on this value, you can configure the desired
setting for
crashkernel=
. Consequently,
memory allocation for
kdump
is improved
for systems that have less than 4 GB of available memory.
To query the default crashkernel value, type:
sudo kdumpctl get-default-crashkernel
In Oracle Linux 9, the
crashkernel=auto
option
in the boot command line is no longer supported for both
UEK and RHCK.
For more details, refer to the
/usr/share/doc/kexec-tools/crashkernel-howto.txt
file.
Core scheduling functionality added. The core scheduling functionality enables you to define groups of tasks that can share a CPU core, and thereby exclude tasks that should not trust each other from sharing the same resource. This feature enhances security by mitigating some cross-Symmetric Multithreading (SMT) attacks. It also isolates tasks that need a whole core, such as those that are performed in real-time environments or those that rely on specific processor features, such as Single Instruction, Multiple Data (SIMD) processing.
CPU hot-plug in the hv_24x7 and hv_gpci PMUs.
PMU counters can correctly react to the hot plugging of a
CPU, such that if an
hv_gpci
event
counter is running on a CPU that becomes disabled, the
counting redirects to another CPU.
IRDMA driver added. The IRDMA driver enables RDMA functionality on the following RDMA-capable Intel network devices:
Ethernet Network Adapter X722: an Internet Wide-area RDMA Protocol (iWARP) device.
This device supports only iWARP and a more limited set of configuration parameters.
Ethernet Controller E810: a device that supports iWARP and RDMA over Converged Ethernet (RoCEv2)
This device iWARP and RoCEv2 RDMA transports, Priority Flow Control (PFC), and Explicit Congestion Notification (ECN).
The IRDMA module replaces as well as extends the Application
Binary Interface (ABI) defined for the legacy i40iw module
for X722. The change is backward compatible with legacy X722
RDMA-Core provider (
libi40iw
).
The following software management features and enhancements are introduced in Oracle Linux 9:
RPM updated to version 4.16. The updated version includes notable changes such as the following:
Support for new SPEC features such as caret version
operator,
%autopatch
for specifying
patch ranges, meta or unordered dependencies, generation
of dynamic build dependencies through the
%generate_buildrequires
section, and
so on.
RPM is fully based on the sqlite library. For Berkeley DB databases, Read-only support is provided.
rpm-audit-plugin
is a new plugin for
recording audit log events on transactions.
Validation of UTF-8 headers is performed at build time.
Increased parallelism is applied in package builds.
New RPM plugin notifies fapolicyd about changes during RPM transactions.
Updated
rpm
packages include a new RPM
plugin that integrates the
fapolicyd
framework with the RPM database. By informing
fapolicyd
about any installed and
changed files during an RPM transaction, the plugin
enables
fapolicyd
to support integrity
checking. The plugin's functionality extends its coverage
beyond just Yum transactions to changes made by RPM as a
whole. Thus, the plugin is effectively a replacement to
the Yum plugin.
Support for signing keys using EdDSA public key algorithm added to the rpm command. This added support to the rpm command enables you to use EdDSA-generated keys for signing and verifying packages. However, RSA continues to be the default public key algorithm in GnuPG.
RPM supports Zstd algorithm.
RPM supports the Zstandard (
zstd
)
compression algorithm, which makes package installations
faster, especially in large transactions. Oracle Linux 9
uses Zstandard as the default compression algorithm.
New options available for DNF. The following are new DNF options:
exclude_from_weak_autodetect
automatically detects unwanted weak dependencies of
packages being installed. Thus, providers of the weak
dependencies are not installed as weak dependencies.
However, if pulled in, these weak dependencies are
installed as regular dependencies. The option is enabled
by default.
exclude_from_weak
prevents the
installation of packages as weak dependencies.
libmodulemd packages updated to version 2.13.0.
This version of
libmodulemd
packages
includes the following features and changes:
Support for delisting demodularized packages from a module.
Support for validating
modulemd-packager-v3
documents by
using
modulemd-validator --type
,
where
--type
is a new option.
Fortified parsing integers.
The following shells and command-line tools features and improvements are introduced in Oracle Linux 9:
bash
readline
library version 8.1
is supported.
In this library, bracketed paste mode is enabled by
default. This mode causes text that you paste on your
terminal to be highlighted and requires you to press Enter
to execute the command in the text. This feature prevents
you from executing malicious commands.
To disable the feature, add the following line to either
~/.inputrc
or
/etc/inputrc
:
set enabled-bracketed-paste off
If added to
~/.inputrc
, the feature
is disabled for a specific user.
If added to
/etc/inputrc
, the feature
is disabled for all users.
Disabling the feature causes pasted commands on the terminal to be immediately executed.
Additional shell related packages are available with updated versions
opal-prd 6.7.1
lvspd 1.7.12
Fetchmail 6.4.24
Eigen 3.4
New cdrskin package is introduced.
The package replaces the
cdrecord
executable. However, the
cdrskin
package includes the
cdrecord
command
as a symbolic link to the
cdrskin
binary so that existing user scripts need not be revised.
util-linux-core added as a package.
The
util-linux-core
is added as a
subpackage to the
util-linux
package to
manage scenarios where the size of installed package is a
critical issue, such as in buildroots, some containers,
and boot images.
However, for standard installations, install the
util-linux
package, which automatically
includes the
util-linux-core
package.
Oracle Linux 9 introduces the following features, enhancements, and changes to compilers and development toolsets.
System toolchain components
GCC 11.2.1
glibc 2.34
binutils 2.35.2
Performance tools and debuggers
GDB 10.2
Valgrind 3.18.1
SystemTap 4.6
Dyninst 11.0.0
elfutils 0.186
Performance monitoring tools
PCP 5.3.5
Grafana 7.5.11
Compiler toolsets
LLVM Toolset 13.0.1
Rust Toolset 1.58.1
Go Toolset 1.17.7
python-jsonpointer
is rebased to
version 2.0
grafana-pcp
is rebased to 3.2.0
The following are brief descriptions of some of the tools and compilers:
GCC 11.2. This version includes notable changes such as the following:
DWARF Version 5 is used as the default debugging format.
Diagnostics column numbers represent real column numbers by default and recognizes multicolumn numbers.
The straight-line code vectorizer considers the whole function when vectorizing.
A series of conditional expressions that compare the same variable can be transformed into a switch statement if each of them contains a comparison expression.
Procedural optimizations have been implemented through a new IPS-modref pass which tracks side effects of function calls and improves the precision of points-to analysis, and the identical code folding pass, which is improved to increase the number of unified functions and reduce compile-time memory use.
Memory allocation during linking is improved to reduce peak memory use.
Through the new
GCC_EXTRA_DIAGNOSTIC_OUTPUT
environment variable in IDEs, you can request
machine-readable "fix-it-hints" without adjusting
build flags.
Go Toolset 1.17.7. This version includes notable changes such as the following:
The
GO111MODULE
environment
variable is set to
on
by default.
To revert this setting, set the variable to
auto
.
The Go linker uses less resources and improves code robustness and maintainability in all supported CPU architectures and operating systems.
The new
embed
package enables you
to access embedded files while compiling.
All functions of the
io/ioutil
package have been moved to the
io
and
os
packages, both of which
provide better definitions.
The Delve debugger 1.6.0 supports Go Toolset 1.16.6.
Go FIPS mode is supported with OpenSSL 3. With this support, you can use the OpenSSL library while on Go FIPS mode.
Rust Toolset updated to version 1.54.0. This version includes notable changes such as the following:
The Rust standard library is available for the
wasm32-unknown-unknown
target and
enables you to generate WebAssembly binaries,
including newly stabilized intrinsics.
You can use constant-value parameters to define
generics. This change enables you to write functions
completely generic over the values of any integer,
boolean, or character type, and arrays generic over
their element type as well as their length.
Additionally, you can also iterate items from an array
by value by using the new standard library’s array
type API
std::array::IntoIter
.
Rust includes the
IntoIterator
implementation for arrays. Use the
IntoIterator
trait to iterate over
arrays by value and pass arrays to methods. However,
array.into_iter()
still iterates
values by reference until the 2021 edition of Rust.
The syntax for
or
patterns allows
nesting anywhere in the pattern. For example:
Pattern(1|2)
instead of
Pattern(1)|Pattern(2)
.
Unicode identifiers can contain all valid identifier characters as defined in the Unicode Standard Annex #31.
Methods and trait implementations have been stabilized.
LLVM Toolset updated to version 12.0.1. This version includes notable changes such as the following:
New compiler flag
-march=x86-64-v[234]
introduced.
Compiler flag
-fasynchronous-unwind-tables
of the
clang
compiler is the default on
Oracle Linux aarch64 systems in this release.
The
clang
compiler supports the
C++20
[[likely]]
and
[[unlikely]]
attributes.
With the newly added function attribute
tune-cpu
, microarchitectural
optimizations can be applied independently from the
target-cpu
attribute or
TargetMachine CPU.
The
-fsanitize=unsigned-shift-base
sanitizer is added to the integer sanitizer
-fsanitizer=integer
to improve
security.
The WebAssembly backend is now enabled in LLVM. when enables you to generate WebAssembly binaries with LLVM and Clang.
CMake updated to version 3.20.2. This version includes notable changes such as the following:
C++ compiler modes can be specified through the target
properties
CXX_STANDARD
,
CUDA_STANDARD
, and
OBJCXX_STANDARD
or, alternatively,
the
cxx_std_23
metafeature of the
compile features section.
The NVIDIA CUDA compiler as a symbolic link is supported.
The Intel oneAPI NextGen LLVM compilers are supported
with the
IntelLLVM
compiler ID.
CMake now facilitates cross compiling for Android by merging with the Android NDK’s toolchain file.
When generating a project build system, the cmake command rejects unknown arguments that start with a hyphen.
To use CMake on projects that require this or an earlier version, use the command cmake_minimum_required (version 3.20.2) .
Java in Oracle Linux 9. In this release, Java includes the following packages:
java-17-openjdk
java-11-openjdk
java-1.8.0-openjdk
Java tools implementation. In this release, Java tools include the following:
Maven 6.3.6
Ant 1.10.9
You can install these tools as non-modular RPM packages from AppStream.
SWIG 4.0 is available in CodeReady Builder repository. Version 4.0 of Simplified Wrapper and Interface Generator (SWIG), which includes support for PHP 8, can be installed as an RPM package from the CRB repository.
pcp 5.3.5.
The Performance Co-Pilot (PCP) package
(
pcp
) includes bug fixes,
enhancements, and new features, including the following:
Large number of hosts can have performance metrics
centrally logged (
pmlogger
farms)
and automatically monitored with performance rules
(
pmie
farms).
New
pcp-ss
tool for historical
socket statistics is supported.
php-htop
tool is improved.
Extensions have been added to the over-the-wire PCP protocol, which support higher resolution timestamps.
Oracle Linux 9 is distributed with the MySQL 8.0 database software. For this software's documentation, see https://dev.mysql.com/doc/relnotes/mysql/8.0/en/ .
The following desktop features are included with Oracle Linux 9:
GNOME desktop environment updated to version 40. This version includes numerous new and improved features, including a redesigned Activities Overview that provides for better navigation of the system and the launching of applications. Note that workspaces are now arranged horizontally and the window overview, as well as the application grid, are accessed vertically.
Pipewire is the default audio service. Pipewire replaces both the PulseAudio and Jack audio services that was used in previous releases. All audio applications that use these earlier services are redirected to Pipewire. Jack applications work well with default Oracle Linux configurations and therefore do not require additional configurations.
Power profiles provided in GNOME. Power profiles enable you to optimize power usage of your system. The selected profile persists across system reboots. You can select from the following:
Performance
sets the system for peak
performance but reduces battery life. The profile is not
available in all system configurations.
Balanced
is the default profile which
provides standard performance and power consumption.
Power Saver
prioritizes battery life
and can impact system performance. The system switches
to this profile automatically if low battery level is
detected.
Boot loader introduces changes.
Configuration files are unified across CPU architectures.
These files are stored in
/boot/grub2
,
regardless of the platform. The
grub.cfg
file that GRUB previously used
on UEFI systems is now a symbolic link to
/boot/grub2/grub.cfg
. This change
provides benefits, such as improved user experience,
simplified GRUB layout configuration, the ability to boot
the same installation with either EFI or legacy BIOS, and
so on.
Langpacks have replaced comps language groups.
Previously, language support was provided by
comps
language groups, which required
you to install the corresponding
package. In this release, you would install the
code
-support
langpacks-
package instead.
code
Single-application GNOME sessions supported. This support enables users to use a lightweight UI for single applications. Also described as the kiosk mode of a GNOME session, this feature displays a full-screen window only of the application that you have configured. In this mode, use of resources is less intensive than in a standard GNOME session.
Oracle Linux 9 includes several notable feature changes and improvements for dynamic programming languages, and web and database servers. This release also introduces new and improved module streams, which are described in the following list:
Python 3.9. Python 3.9 is the default version in Oracle Linux 9, and is also installed by default. Python 3.9 will be supported for the entire Oracle Linux 9 life cycle. However, additional versions of Python 3 are also distributed as RPM packages with a shorter life cycle through the AppStream repository. These versions can be installed in parallel.
The /usr/bin/python command and other Python-related commands, such as pip , are made available in an unversioned form and point to the default Python 3.9 version.
Python 2 is excluded in Oracle Linux 9.
Node.js 16. The following are notable changes:
The
V8
engine is updated to version
9.2.
The
npm
package manager is updated to
version 7.20.3.
A new
Timers Promises
API that
provides an alternative set of timer functions that
return
Promise
objects is included.
A new experimental
Web Streams
API is
included.
Node.js is compatible with OpenSSL version 3.0.
Node.js 16 is the initial version of this Application Stream. However, additional Node.js versions will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.
Ruby 3.0.3. The following are notable changes:
Concurrency and parallelism features, such as Ractor and Fiber Scheduler.
Static analysis features, such as the RBS language and the Typeprof utility,
Pattern matching with the
case/in
expression is no longer experimental.
The experimental one-line pattern matching feature is redesigned.
The Find pattern is added as an experimental feature.
Ruby 3.0 is the initial version of this Application Stream. Additional versions of Ruby will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.
Perl 5.32. This version includes numerous enhancements and bug fixes, some of which are the following:
Support for Unicode 13.0
Enhanced
qr
quote-like operator
Alpha assertions and script runs no longer experimental
Faster feature checks
Ability to dump compiled patterns prior to optimization
Perl 5.32 is the initial version of this Application Stream. Additional versions of Perl will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.
PHP 8.0. This version includes numerous enhancements and bug fixes, some of which are the following:
New self-documented and order-independent named arguments so you can specify only required parameters
New attributes for using structured metadata with PHP's native syntax
New union types for using native union types in place of PHPDoc annotations for a combination of types. These types are validated at runtime.
Error exception is consistently generated when parameter validation fails.
Improved
Just-In-Time
compilation
performance
PHP 8.0 is the initial version of this Application Stream. Additional versions of Ruby will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.
Git 2.31 and Git LFS 2.13. Git 2.31 includes numerous enhancements, some of which are the following:
Status of sparse checkout is included in the output of git status .
git archive --add-file includes untracked files in a snapshot from a tree-like identifier.
clone.remotedefaultname
enables you
to customize nickname for a source remote repository.
Maximum length of output file names is now configurable beyond the previous 64 byte limit.
Deprecated PCRE1 library no longer supported.
In addition, the Git Large File Storage (LFS) extension 2.13 includes numerous enhancements, some of which are the following:
SHA-256 repositories, as well as the
socks5h
protocol, are supported.
The
git lfs install|uninstall
commands include a new
--worktree
option.
The
git lfs migrate import
command
includes a new
--above
option.
Subversion 1.14. Subversion 1.14 is the initial version of this Application Stream. Additional versions of Subversion will be provided as modules with a shorter life cycle in future minor releases of Oracle Linux 9.
Apache HTTP Server 2.4.51. The following are notable changes:
Changes to the Apache HTTP Server Control Interface
(
apachectl
)
In the apachectl status output, systemctl pager is disabled.
Instead of the previous behavior of issuing warnings, the apachectl fails if you include additional arguments to the command.
The graceful-stop subcommand returns immediately.
The configtest subcommand runs httpd -t without changing the SELinux context.
The Apache eXtenSion tool (
apxs
) does
not use or expose compiler optimization flags in the
process of building the
httpd
package.
The
mod_lua
Apache module is provided
in a separate package.
The
mod_access_compat
module's
Allow
directive is deprecated and the
use of the comment character (
#
)
generates a syntax error.
Kernel thread IDs are directly used in error log messages for accuracy and conciseness.
Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install easily as an RPM package.
nginx 1.20. The following are notable changes:
Support for client SSL certificate validation using the Online Certificate Status Protocol (OCSP).
Through the
min_free
parameter of the
proxy_cache_path
directive, the
driver now supports cache clearing.
A new
ngx_stream_set_module
module is
introduced.
New directives as well as directive variables are supported.
Support for HTTP/2 is improved.
Varnish Cache 6.6. Varnish Cache 6.5, which is a high-performance HTTP reverse proxy, provides a number of enhancements and bug fixes version 6.0 available.
Varnish Cache 6 is the initial version of this Application Stream.
Squid 5.2. Squid 5.1 is a high-performance proxy caching server for web clients. Squid 5.1 includes support for FTP, Gopher, and HTTP data objects as well as the following additional features:
Uses a received IP address immediately when request forwarding requires it.
New directive have been introduced.
dns_v4_first
directive no longer
included in this version.
Uses the
CDN-Loop
header for loop
detection in Content Delivery Networks (CDN).
Internet Content Adaptation Protocol (ICAP) trailers introduced as a new feature to enable ICAP agents to reliably send message metadata after the message body.
New configuration options are introduced to replace
existing ones, such as
mark_client_packet
for
clientside_mark
and
shared_transient_entries_limit
for
collapsed_forwarding_shared_entries_limit
.
Squid 5.1 is the initial version of this Application Stream.
MySQL 8.0. Oracle Linux 9 includes MySQL version 8.0. MySQL 8.0 is the initial version of this Application Stream.
Redis 6.2.
Among enhancements and fixes in this version, the most
notable is that the paths of Redis server configuration
files are dedicated directories
/etc/redis/redis.conf
and
/etc/redis/sentinel.conf
. In Oracle
Linux 8, these files were located in
/etc/redis.conf
and
/etc/redis-sentinel.conf
.
Redis 6 is the initial version of this Application Stream. In future minor releases of Oracle Linux 9, additional Redis versions will be provided as modules with a shorter life cycle.
MariaDB. MariaDB is updated to version 10.5
PostgreSQL. PostgreSQL is updated to version 13.
Deprecated dynamic programming languages, web, and database server features. The following features related to dynamic programming languages, web, and database servers are deprecated:
Berkeley DB (
libdb
) package,
including cryptographic algorithms and multiple
libdb
dependencies. Users of the
Berkeley DB (
libdb
) should migrate to
a different key-value database.
python3-pytx
and
mcpp
packages.
The following file system features are included in Oracle Linux 9:
XFS file system includes new features.
The XFS file system supports two new options for the
mkfs.xfs
command:
bigtime
that supports timestamps beyond
the year 2038 and
inobtcount
that
reduces mount time on large file systems.
These options are enabled by default. Consequently, in Oracle Linux 9, the mkfs.xfs command creates an XFS file system that is unmountable by previous kernels where these options are not supported. To disable these options, type the mkfs.xfs command as follows:
mkfs.xfs -m bigtime=0,inobtcount=0
For more information about file systems in Oracle Linux, see Oracle ® Linux 9: Managing Local File Systems .
ext4 file systems support 2038 or later timestamps. The ext4 file system supports timestamps beyond the year 2038. This feature is enabled automatically and requires only that the file system size is not lower than the default 128 bytes size.
nfsv4-client-utils package available.
The new package contains daemons and tools to support only
NFSv4 and replaces the
nfs-utils
package.
exFAT support. The newly supported Extensible File Allocation Table (exFAT) file system enables you to use this file system, which is typically used by default on flash memory.
GFS2 use format version 1802. In this release, GFS2 file systems are created with format version 1802, which provides the following benefits:
Extended attributes in the
trusted
namespace are recognized by
gfs2
and
gfs2-utils
.
The
rgrplvb
option is active by
default. Thus,
gfs2
can attach
updated resource group data to DLM lock requests. The
node that acquires the lock does not need to update the
resource group information from disk. The overall result
is performance improvement.
File systems that are created with the new format version cannot be mounted under previous Oracle Linux versions. Likewise, these file systems cannot be checked by previous versions of the fsck.gfs2 utility.
To create a file system with the older format version, use the following syntax:
sudo mkfs.gfs2 -o format=1801
To upgrade file systems that use the previous format, unmount the file system, then run the following command:
sudo tunegfs2 -r 1802 device
Note that downgrading from the new format is not supported.
The following high availability and clustering features are included in Oracle Linux 9:
resource-stickiness meta-attribute default is 1 instead of 0 for newly-created clusters. The change is in response to user preference that resources are not automatically moved in the process of a cluster balancing operation. Only newly-created clusters are affected by this change. The behavior does not change for existing clusters.
This new default value of
1
keeps the
resources in place during balancing. However, a possible
consequence might be that newly added nodes become
resourceless and would require the administrator to manually
intervene to allot resources to the nodes. Both resource
stickiness (
1
) and non-stickiness
(
0
) can produce unexpected behavior.
However, user preference is to implement stickiness for
resources.
If you prefer the old behavior for your cluster, delete the
resource-stickiness
entry from resource
defaults.
New LVM volume group flag for controlling autoactivation.
The
setautoactivation
flag controls
whether logical volumes that are created from a volume
group are automatically activated upon startup. When
creating a volume group to be managed by Pacemaker in a
cluster, you can set this flag to
n
by
using the
vgcreate --setautoactivation
n
command for the volume group. Running this
command prevents possible data corruption. If you have an
existing volume group that is used in a Pacemaker cluster,
set the flag by using the
vgchange
--setautoactivation n
command.
New command options for pcs resource status and pcs stonith status. The pcs resource status and the pcs stonith status commands include support for the following new options:
The
pcs resource status
node=
node_id
and
pcs stonith status
node=
node_id
options display the status of resources that are
configured on a specific node.
The
pcs resource status
resource_id
and
pcs
stonith status
resource_id
options display the status of a single
resource.
The
pcs resource status
tag_id
and
pcs
stonith status
tag_id
options display the status of all of the
resources with a specified tag.
pcs resource safe-disable command includes a new reduced output display
option.
To print errors only in a report instead of including
lengthy simulation results, you can use the
--brief
option in some
pcs
resource
subcommands as follows:
pcs resource safe-disable --brief
pcs resource disable --safe --brief
The error report now always contains resource IDs of affected resources.
New pcs command introduced for updating SCSI fencing device. The new pcs stonith update-scsi-devices command enables you to update SCSI devices without causing a restart of other cluster resources. The pcs stonith update command causes a restart of all of the resources that are running on the same node that the stonith resource was running.
fence_watchdog agent for configuring watchdog-only SBD setup.
Use the new
fence_watchdog
agent to
configure a watchdog-only SBD setup. This setup enables
cluster configurations where only some nodes use
watchdog-only SBD for fencing, while other nodes use other
fencing types. Note that a cluster may only have a single
such device, and it must be named
watchdog
. Previous watchdog-only SBD
configurations had no such flexibility and required that
all of the nodes in the cluster use SBD.
Local mode version of pcs cluster setup command supported.
The
--corosync-conf
option switches the
pcs cluster setup command to local mode. In this mode, the
pcs
command creates a
corosync.conf
file and saves on the
local node only without communicating with any other node.
You can thus create a
corosync.conf
file in a script and handle that file by using a script.
Automatic removal of location constraint following resource move. The pcs resource move command adds a constraint to the resource to prevent it from running on its original node. By default, the location constraint is automatically removed when the resource has been moved. The removal does not necessarily move the resource back to the original node. Where resources can run at that point depends on how your resources are initially configured. To move a resource and leave the resulting constraint in place, use the pcs resource move-with-constraint command.
pcs command accepts Promoted and Unpromoted roles.
The
pcs
command accepts the
Promoted
and
Unpromoted
anywhere roles that are
specified in Pacemaker configuration. Note that these role
names are the functional equivalent of the
Master
and
Slave
Pacemaker roles that was used in previous releases. Also,
these role names are visible in configuration displays and
help pages.
Oracle Linux 9 introduces several version updates to infrastructure and command-line tools, as well as other notable improvements, including the following:
chrony updated to version 4.1.
This updated
chrony
package includes
notable changes including the following:
Additional support for Network Time Security (NTS) authentication.
In Oracle Linux 9, Authenticated Network Time Protocol (NTP)
sources are trusted over non-authenticated NTP sources.
To restore the previous behavior, add the
autoselectmode ignore
argument to the
chrony.conf
file.
Removal of support for authentication with the following
RIPEMD keys:
RMD128
,
RMD160
,
RMD256
,
RMD320
.
Removal of support for long non-standard MACs in NTPv4
packets. If you are using
chrony 2.x
non-MD5/SHA1
keys, you will need to
configure
chrony
by using the
version 3
option.
The following differences exist between this release's
version of
chrony
from the version in
Oracle Linux 8:
The
seccomp
filter is enabled by
default.
The
-F Z
option is set in
/etc/sysconfig/chronyd
.
The
seccomp
filter conflicts with the
mailonchange
directive. If you set
this directive in
/etc/chrony.conf
,
then disable the filter by removing the
-F
Z
setting.
Oracle Linux 9 introduces the following networking features, enhancements, and changes:
WireGuard is available on UEK. WireGuard is a Virtual Private Network (VPN) implementation with advanced security features, but is also designed to be simple to use and can be a replacement for earlier tunneling protocols. WireGuard has been in production support in the UEK release since UEK R6U3 and continues to be a supported feature in Oracle Linux 9, with UEK R7. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 . To configure WireGuard, see Oracle ® Linux: Configuring Virtual Private Networks .
Note, however, that in RHCK, WireGuard is available only as a Technology Preview. See Section 2.17, “Technology Preview” .
diag modules available with kernel image.
The kernel image includes the following
diag
modules:
CONFIG_INET_DIAG CONFIG_INET_RAW_DIAG CONFIG_INET_TCP_DIAG CONFIG_INET_UDP_DIAG CONFIG_INET_MPTCP_DIAG CONFIG_NETLINK_DIAG CONFIG_PACKET_DIAG CONFIG_UNIX_DIAG
Being part of the kernel, these modules no longer need to be
dynamically loaded with the
ss
command.
The change facilitates debugging of networking issues
regardless of customer policy in the kernel modules.
Core and IPv4-related networking kernel parameters added to sysctl.
For a list of these parameters and their descriptions,
install the
kernel-doc
package and
refer to the following files:
/usr/share/doc/kernel-doc-
version
/Documentation/admin-guide/sysctl/net.rst
/usr/share/doc/kernel-doc-
version
/Documentation/networking/ip-sysctl.rst
Nmstate API uses more inclusive terminology.
As part of an ongoing effort to make terms more inclusive,
the term
slave
term has been replaced
with the term
port
in the
nmstate
API.
NetworkManager support for queue_id in a bond port.
NetworkManager
ports that are in a bond
include support for the setting the
queue_id
parameter.
For example, if
eth1
is a port of a bond
interface, you can enable the
queue_id
parameter for that bond port by using the following command:
sudo nmcli connection modify eth1 bond-port.queue-id 1 sudo nmcli connection up eth1
A network interface that needs to use this option should
configure it with multiple calls until the appropriate
priorities are set for all interfaces. For more
information, see the
/usr/share/docs/kernel-doc-_
file, which is provided in the
version
/Documentation/networking/bonding.rst
kernel-docs
package.
Oracle-provided RDMA packages. Oracle provides Remote Direct Memory Access (RDMA) packages for use with UEK R7 to enable direct memory access between two systems that are connected by a network. For more details, see Unbreakable Enterprise Kernel: Release Notes for Unbreakable Enterprise Kernel Release 7 .
Deprecated networking features. The following networking features are deprecated:
The
iptables-nft
and
ipset
packages.
As a result of this chagne, the
iptables
backend and
direct
interface
in
firewalld
are
also deprecated.
network-scripts
package.
In this release, network configurations are stored in
/etc/NetworkManager/system-connections
.
The
teamd
service and network teaming
in general. Configure a network bond instead.
The
network-scripts
package that
provided legacy network scripts is no longer included in
Oracle Linux 9.
Oracle Linux 9 introduces the following security features, enhancements, and changes:
System-wide crypto-policies are more secure.
System wide cryptographic policies are more secure through
the disabling of older cryptographic algorithms and
increased minimum RSA key size. Using SHA-1 is restricted
in the
DEFAULT
crypto policy. With the
exception of HMAC and DNSSec usage, SHA-1 is not allowed
in TLS, DTLS, SSH, IKEv2 and Kerberos protocols. As part
of this change, some algorithms have been disabled.
If you require that some of the disabled algorithms and ciphers be enabled, use policy modifiers or customize the policy.
OpenSSL version 3.0.1 is supported. This version contains enhancements and fixes such as new versioning schemes, support for new algorithms, new HTTP(S) client that supports GET and POST, and many others. The following are features related to OpenSSL:
OpenSSL supports new concept of providers.
The OpenSSL 3.0.1 toolkit introduces the concept of
providers
, which are collections
of algorithms from which you can choose for different
applications. The following providers are provided:
base
,
default
,
FIPS
,
legacy
,
and
null
.
By default, OpenSSL loads and activates the default
provider, which is comprised of commonly used algorithms
such as RSA, DSA, DH, CAMELLIA, SHA-1, and SHA-2. If the
FIPS flag is set in the kernel, the FIPS provider is
automatically loaded, and no manual switching to FIPS
mode is required. To change the provider on the system
level, edit the
openssl.cnf
configuration file.
Explicitly activating a provider overrides the default provider selection, which might make the system remotely inaccessible.
OpenSSL random bit generator includes CPACF support.
The
openssl
packages provide
support for the CP Assist for Cryptographic Functions
(CPACF) in the OpenSSL NIST SP800-90A-compliant
AES-based deterministic random bit generator (DRBG).
openssl-spkac can create SPKAC files signed with SHA-1 and SHA-256. You can use the openssl-spkac utility to create Netscape signed public key and challenge (SPKAC) files that are signed with hashes different from MD5. Likewise, you can also create and verify SPKAC files that are signed with SHA-1 and SHA-256 hashes.
To use FIPS-approved only algorithms, you need only to set the FIPS flag in the kernel. OpenSSL then opens the FIPS provider that contains the approved algorithms. Thus, you no longer need to switch OpenSSL to FIPS mode.
openCryptoki 3.17.0 is supported.
Some differences exist between this version and what is
provided upstream. Although
opencryptoki
supports the old data
format that uses non-FIPs approved algorithms, the FIPS
provider no longer allows those algorithms. Thus, you must
migrate your existing tokens to the new format before
enabling FIPS mode on your system. To migrate tokens using
the old data format, use the
pkcstok_migrate
utility. See
https://www.ibm.com/docs/en/linux-on-systems?topic=tools-pkcstok-migrate
.
GnuTLS version 3.7.3 provided.
gnutls
3.7.3 packages include numerous
improvements and bug fixes over previous versions,
including the following: Fixed timing of the early date
(zero round trip data, 0-RTT) exchange; the
cerutil
tool no longer inherits the CRL
(Certificate Revocation List) distribution point from the
certificate authority (CA) when signing a certificate
signing request (CSR).
Network Security Service 3.71. The Network Security Services (NSS) libraries 3.71 support only the SQLite format. Support for legacy DBM format has been removed.
System Roles support VPN management. With the availability of VPN support, the Oracle Linux System Role can be used to more easily create VPN tunnels for host-to-host and mesh connections that involve large numbers of hosts. Consequently, you obtain a VPN configuration interface as well as tunneling configuration s that are more stable and constant within the System Roles project.
OpenSSH updated to version 8.7p1.
OpenSSH 8.7p1 includes notable features and enhancements
such as
LogVerbose
configuration,
client address-based rate-limiting through new directives,
support for Universal 2nd Factor (U2F) hardware
authenticators specified by the FIDO Alliance, and others.
This version also includes the following fixes:
A bug fix to address an exploitable integer overflow
issue in the private key parsing code for the XMSS key
type. This key type is still experimental and support
for it is not compiled by default. No user-facing
autoconf
option exists in portable
OpenSSH to enable it.
A bug fix to clarify the semantics of the
ClientAliveCountMax=0
keyword has
been implemented in Oracle Linux 9. Instead of the previous
behavior of instantly killing the connection after the
first liveness test, regardless of its success, the
mechanism entirely disables connection killing.
Added protection is provided for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown, and Rambleed. Oracle Linux 9 encrypts private keys when not in use with a symmetric key that is derived from a relatively large “prekey” that consists of random data (currently 16 KB).
Libreswan 4.6 is supported.
This version of Libreswan contains enhancements and fixes.
Notably, because IKEv2 is now generally deployed, IKEv1
packets are no longer supported by default. If your setup
requires the use of IKEv1 packets, you can enable support
for these packets by adding the
ikev1-policy=accept
line to the
/etc/ipsec.conf
file.
stunnel 5.62 is supported.
This package version includes bug fixes and enhancements
such as enabling or disabling the resumption of a session
through the
sessionResume
option and
the availability of a Bash-completion script.
nettle updated to version 3.7.3. This new version contains the following enhancements:
New algorithms and modes are supported, such as
Ed448
,
SHAKE256
,
AES-XTS
, and
SIV-CMAC
.
Support is provided for architecture-specific optimizations for existing algorithms.
pk11-kit updated to version 0.24.
In this package version, the subdirectory for the location
of distrusted Certificate Authorities is renamed
blocklist
for easier identification.
cyrus-sasl uses GDBM instead of Berkeley DB.
The
cyrus-sasl
package no longer has
the
libdb
dependency. Further, the
sasldb
plugin uses the GDBM (GNU
dbm
) database format instead of
Berkeley DB.
To migrate existing SASL databases that are stored in the old Berkeley DB format, use the following command:
cyrusbdb2current sasldb-path new-path
SELinux policy is up to date with the current kernel. Performance of SELinux has improved through faster loading of SELinux policy to the kernel, reduction of memory overhead, and efficient disk space use. Additionally, the SELinux policy integrates well with the current kernel and can use the current's permissions, classes, and capabilities. which improves security. Better granularity in defining permissions enables systems to run with the MLS SELinuxpolicy, which can prevent systems with permissions undefined in the policy from starting.
Additionally, you can only disable SELinux by using the
selinux=0
parameter in the kernel command
line. Using the older method of disabling SELinux in the
/etc/selinux/config
does not disable
SELinux; but rather, SELinux stays enabled, but no policy is
loaded.
By default, SELinux policy prohibits commands with text
relocation libraries. SELinux can enter commands that use
libraries requiring text relocation provided that the
library files have the
textrel_shlib_t
label.
scap-security-guide 0.1.60 changes.
In this version, rules for hardening PAM stack use
authselect
as the configuration tool.
fapolicyd version 1.1 is supported. The following are notable features in this version:
/etc/fapolicyd/rules.d/
replaces
/etc/fapolicyd/fapolicyd.rules
to
store files that allow or deny execution rules.
The new
/etc/fapolicyd/trust.d
directory supports separating a list of trusted files
into more files. You can also add an entry for a file by
using the
fapolicyd-cli -f
command
syntax enables you to add an entry for a file with the
--trust-file
directive to these
files.
White spaces in file names are supported through the
fapolicyd
trust database.
fapolicyd
stores the correct path to
an executable file when it adds the file to the trust
database.
Rsyslog package includes rsyslog-mmfields subpackage.
The subpackage provides the
mmfields
module as an alternative to the property replacer field
extraction. The module extracts all the fields at once and
stores them inside the structured data part. Thus,
mmfields
enables you to process field
based log formats such as the Common Event Format (CEF).
You can also use the module in cases where you need a
large number of fields, or reuse specific fields.
logrotate provided in a separate rsyslog-logrotate package.
In this release, the
logrotate
configuration has been removed from the main
rsyslog
package and is included in a
new
rsyslog-logrotate
package. This
change is useful in certain minimal environments for
preventing the installation of unnecessary dependencies,
for example, where log rotation is not required.
sudo program includes Python plugins.
The
sudo 1.9
program provides
capability for writing
sudo
plugins in
Python. This capability makes it easier to enhance the
sudo
program to more precisely suit
specific scenarios.
libseccomp 2.5.2 is supported. This version contains bug fixes and enhancements such as an updated syscall table for Linux v5.14-rc7, consolidated multiplexed syscall handling for all architectures into a single location, clarification of the maintainers' GPG keys, and so on.
Clevis includes support for SHA-256.
The Clevis framework is in compliance with the
recommendations of
RFC 7638
and
supports the
SHA-256
algorithm as the
default hash for JSON Web Key (JWK) thumbprints. The older
thumbprints (
SHA-1
) continue to be
supported so you can still decrypt previously encrypted
data.
Deprecated security features. The following features are deprecated:
OpenSSL cryptographic algorithms, specifically, MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1.
SSSD implicit files provider is disabled by default.
The SHA1 algorithm for cryptographic purposes.
SCP
utility.
Digest-MD5 in SASL
/etc/system-fips
file for indicating
FIPS mode.
fapolicyd.rules
file
The following virtualization features, enhancements, and changes are introduced in Oracle Linux 9:
QEMU uses Clang. In Oracle Linux 9, the QEMU emulator is built by using the Clang compiler. This improvement enables the KVM hypervisor to use several advanced security and debugging features, which provides better opportunities for future feature development.
Capability for using SafeStack on VMs added. As of Oracle Linux 9, the QEMU machine emulator on x86_64 and AMD64 hardware can use the SafeStack feature. SafeStack is a enhanced compiler-based stack protection feature that reduces the ability of an attacker to exploit a stack- based buffer overflow to change return pointers in the stack and create Return-Oriented Programming (ROP) attacks. This change makes virtual machines (VMs) that are hosted on Oracle Linux 9 significantly more secure against ROP-based vulnerabilities.
Deprecated virtualization features. The following virtualization features are deprecated.
The use of SHA1-based signatures to perform SecureBoot image verification.
Virtual Machine Manager
(
virt-manager
).
Internal virtual machine snapshots. Use external snapshots instead.
Virtual floppy (
isa-fdc
) driver.
qcow2-v2
format for virtual disk
images. Switch to using
qcow2-v3
instead.
The following containers features, enhancements, and changes are introduced in Oracle Linux 9:
Podman supports short names.
The
registries.conf
file now accepts
configuration of short-name aliases for images in the
[aliases]
table. The short-names modes
are:
Enforcing
: If no
matching alias is found during the image pull, Podman
prompts the user to choose one of the unqualified-search
registries. If the selected image is pulled
successfully, Podman automatically records a new
short-name alias in the
$HOME/.cache/containers/short-name-aliases.conf
file (rootless user) and in the
/var/cache/containers/short-name-aliases.conf
(root user). If the user cannot be prompted (for
example,
stdin
or
stdout
are not a TTY), Podman fails.
Note that the
short-name-aliases.conf
file has precedence over
registries.conf
file if both specify
the same alias.
Permissive : Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded.
Changes implemented on container-tools module.
The
container-tools
module contains the
Podman, Buildah, Skopeo, and
runc
tools. The rolling stream, represented by the
container-tools:ol8
stream in Oracle
Linux 8, is named
container-tools:latest
in Oracle Linux
9. Similarly to Oracle Linux 8, stable versions of
container tools are going to be available in numbered
streams (for example, 3.0).
containers-common package available in the containers-tools:latest
module.
The
containers-common
package has been
added to the
container-tools:latest
module. The
containers-common
package
contains common configuration files and documentation for
the container tools' ecosystem, such as Podman, Buildah,
and Skopeo.
podman-py package is available.
The
podman-py
package has been added to
the
container-tools:3.0
stable module
stream and the
container-tools:latest
module. The
podman-py
package is a
library of bindings to use the RESTful API of Podman.
Improvements from control groups version 2.
With the availability of
cgroupv2
,
system administrators can limit resources for any
application without causing performance problems that were
encountered in the previous version.
For additional information about notable changes in
cgroupv2
, see
Section 2.2, “Kernel”
.
container-tools meta-package is available. This RPM meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries, and are in Oracle Linux 9. To install the container-tools meta-package, run the following command:
sudo dnf install container-tools
Podman supports auto-building and auto-running pods using a YAML file. The podman play kube command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.
Oracle Linux 9 containers on Oracle Linux 7 host is unsupported. Running Oracle Linux 9 containers on an Oracle Linux 7 host is not supported. Such a setup might work, but cannot be guaranteed.
The following changes and features apply to Oracle Linux used in cloud environments.
WALinuxAgent updated to 2.3.0.2. The Windows Azure Linux Agent (WALinuxAgent) has been upgraded to upstream version 2.3.0.2, which introduces a number of bug fixes and enhancement, most notably the following:
Support has been added for RequiredFeatures and GoalStateAggregateStatus APIs.
Fallback locations for extension manifests have been added.
Missing calls to
str.format()
have
been added when creating exceptions.
For RHCK, the following features are currently under technology preview.
KTLS:
The Linux Kernel
TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS
also provides the interface for offloading TLS record
encryption to NICs that support this functionality. OpenSSL
3.0 supports KTLS if the
enable-ktls
configuration option is used during compiling.
SGX : Software Guard Extensions (SGX) from Intel protects software code and data from disclosure and modification. Presently, the current kernel supports SGX v1 and v1.5.
DAX
: Direct Access (DAX)
is available for the
ext4
and XFS file
systems. It enables an application to directly map
persistent memory into its address space. DAX can be used on
systems that have available persistent memory, typically
NVDIMMs.
SEV and SEV-ES : Secure Encrypted Virtualization (SEV) feature is provided for AMD EPYC host machines that use the KVM hypervisor. It encrypts a virtual machine's memory and protects the VM from access by the host. SEV's enhanced Encrypted State version (SEV-ES) encrypts all CPU register contents when a VM stops running, thus preventing the host from modifying the VM’s CPU registers or reading any information from them.
WireGuard is a VPN solution that has improved security features and is easily configurable. Note, however, that this technology is fully supported as a production feature in UEK since UEKR6.
Table of Contents
This chapter describes known issues that you may encounter when installing and using the Oracle Linux 9 software. Information that pertains to a specific platform is noted accordingly.
The following are known installation and upgrade issues for Oracle Linux 9.
While using a PXE boot server to perform a network
installation on a UEFI client where Secure Boot is enabled,
the installation might fail because the
grubx64.efi
file cannot load the
grub
configuration file. The
grub
bootloader switches to the command
line mode and the installation process stops at the
grub
prompt.
To work around this issue, configure the
tftpd
service to run with the
-r
blksize
option enabled.
If you are using
dnsmasq
for TFTP services,
uncomment the
tftp-no-blocksize
line in the
/etc/dnsmasq.conf
file. Then restart the
dnsmasq
service.
(Bug ID 32433445)
The following are known virtualization issues for Oracle Linux 9
The
glibc
version that is included with
Oracle Linux 9 checks for compatibility between a system's CPU and new
architectures that are supported. A system might pass the
compatibility check. However, the CPU flags that are set on
the system after passing the check might be unknown to the KVM
virtual machines that are hosted on that system. Consequently,
the VMs panic when they are booted.
To work around this issue, run the following command:
virsh edit vm-name
Then, add the following declaration in the virtual machine's XML file:
<cpu mode='host-model' check='partial'/>
The
check
parameter's
partial
setting sets
libvirt
to check the VM's CPU specification
before starting a domain. However, the rest of the checking is
left on the hypervisor, which can still provide a different
virtual CPU.
(Bug ID 34224821)
After reboot, the virbr0 network interface may be missing and this can prevent virtual machines from automatically starting up after boot.
The libvirt daemons on Oracle Linux 9 are modular to handle
atomic features within the virtualization environment and are
started and run as required, and stopped after two minutes of
inactivity. The daemon responsible for setting up the
networking interfaces for libvirt is
virtnetworkd
. This service is currently not
automatically started when a virtual machine is started.
To work around this issue, enable the
virtnetworkd
service so that it starts at
boot:
sudo systemctl enable --now virtnetworkd
(Bug ID 34237540)
The following are known kernel issues in Oracle Linux 9.
Kdump might fail on some AMD hardware that is running Oracle Linux 9 with the default RHCK kernel. Impacted hardware includes the AMD EPYC CPU (codename Naples and Rome) servers.
To work around this issue, modify the
/etc/sysconfig/kdump
configuration file and
remove the
iommu=off
command-line option
from the
KDUMP_COMMANDLINE_APPEND
variable.
Then, restart the
kdump
service for the
changes to take effect.
Note that the issue does not occur on this particular hardware if you are running Oracle Linux 9 with UEK R7.
(Bug ID 34312626)
Table of Contents
As indicated in Section 1.3, “Shipped Kernels” , the Oracle Linux 9 (aarch64) release ships with Unbreakable Enterprise Kernel Release 7 (UEK R7).
Oracle Linux 9 for the aarch64 platform is also made available as full ISO and boot ISO images. These ISOs are engineered for use with Ampere ™ eMAG ™-based EVK platform and the Marvell ThunderX2® processor. However, you should check the Hardware Certification List ( https://linux.oracle.com/hardware-certifications ) for more updated information, in case other validated hardware are added to the list.
To download ISO images for aarch64 platforms, see Section 1.4, “Obtaining Installation Images” .
The following new features are specific to the 64-bit Arm (aarch64) platform.
Default page size on Arm platform has changed to 4 KB. Based on UEKR7 implementation, the default page size on the 64-bit Arm platform has changed from 64 KB to 4 KB. This new size pairs well with the workloads and memory amounts that exist on the majority of Arm-based systems. To use large page sizes efficiently, ensure that you specify the huge pages option, which addresses a greater amount of memory for workloads with large data sets.
kexec_file_load is enabled by default.
For systems using the 64-bit Arm architecture, the added
kexec_file_load
system call provides an
in-kernel
kexec
loader for
kdump
which enables an unsigned kernel
to work correctly. Prior to this update, an unsigned
kernel failed to load with secure boot enabled and
kexec_file_load()
specified.
Armv8-R architecture is supported.
The architecture is supported through the
-march=armv8-r
option of the improved
GCC 11.2.1
Table of Contents
The following sections list the changes to binary and source packages from the upstream release.
This section contains information about the removed, modified, and new binary packages in this release. For information about the source package changes, see Section A.2, “Changes to Source Packages” .
The following binary packages have been added to the BaseOS by Oracle:
bcache-tools
btrfs-progs
dtrace
iwl3945-firmware
iwl4965-firmware
iwl6000-firmware
iwlax2xx-firmware
kernel-uek
kernel-uek-core
kernel-uek-debug
kernel-uek-debug-core
kernel-uek-debug-devel
kernel-uek-debug-modules
kernel-uek-debug-modules-extra
kernel-uek-devel
kernel-uek-doc
kernel-uek-modules
kernel-uek-modules-extra
libertas-sd8686-firmware
libertas-usb8388-firmware
libertas-usb8388-olpc-firmware
linux-firmware-core
liquidio-firmware
NetworkManager-config-connectivity-oracle
ocfs2-tools
oracle-backgrounds
oracle-indexhtml
oraclelinux-release
oraclelinux-release-el9
oracle-logos
oracle-logos-httpd
oracle-logos-ipa
The following binary packages have been added to AppStream by Oracle:
dnf-plugin-spacewalk
dtrace-devel
dtrace-testsuite
libblockdev-btrfs
python3-dnf-plugin-spacewalk
python3-dnf-plugin-ulninfo
python3-hwdata
python3-pyOpenSSL
python3-rhn-check
python3-rhn-client-tools
python3-rhnlib
python3-rhn-setup
python3-rhn-setup-gnome
rhn-check
rhn-client-tools
rhnlib
rhnsd
rhn-setup
rhn-setup-gnome
The following binary packages from the BaseOS upstream release have been modified:
alternatives
autofs
binutils
binutils-gold
chkconfig
chrony
cockpit
cockpit-bridge
cockpit-doc
cockpit-system
cockpit-ws
coreutils
coreutils-common
coreutils-single
dbus
dbus-common
dbus-libs
dbus-tools
dnf
dnf-automatic
dnf-data
dnf-plugins-core
dracut
dracut-config-generic
dracut-config-rescue
dracut-network
dracut-squash
dracut-tools
efibootmgr
efi-filesystem
firewalld
firewalld-filesystem
fwupd
glibc
glibc-all-langpacks
glibc-common
glibc-gconv-extra
glibc-langpack-aa
glibc-langpack-af
glibc-langpack-agr
glibc-langpack-ak
glibc-langpack-am
glibc-langpack-an
glibc-langpack-anp
glibc-langpack-ar
glibc-langpack-as
glibc-langpack-ast
glibc-langpack-ayc
glibc-langpack-az
glibc-langpack-be
glibc-langpack-bem
glibc-langpack-ber
glibc-langpack-bg
glibc-langpack-bhb
glibc-langpack-bho
glibc-langpack-bi
glibc-langpack-bn
glibc-langpack-bo
glibc-langpack-br
glibc-langpack-brx
glibc-langpack-bs
glibc-langpack-byn
glibc-langpack-ca
glibc-langpack-ce
glibc-langpack-chr
glibc-langpack-ckb
glibc-langpack-cmn
glibc-langpack-crh
glibc-langpack-cs
glibc-langpack-csb
glibc-langpack-cv
glibc-langpack-cy
glibc-langpack-da
glibc-langpack-de
glibc-langpack-doi
glibc-langpack-dsb
glibc-langpack-dv
glibc-langpack-dz
glibc-langpack-el
glibc-langpack-en
glibc-langpack-eo
glibc-langpack-es
glibc-langpack-et
glibc-langpack-eu
glibc-langpack-fa
glibc-langpack-ff
glibc-langpack-fi
glibc-langpack-fil
glibc-langpack-fo
glibc-langpack-fr
glibc-langpack-fur
glibc-langpack-fy
glibc-langpack-ga
glibc-langpack-gd
glibc-langpack-gez
glibc-langpack-gl
glibc-langpack-gu
glibc-langpack-gv
glibc-langpack-ha
glibc-langpack-hak
glibc-langpack-he
glibc-langpack-hi
glibc-langpack-hif
glibc-langpack-hne
glibc-langpack-hr
glibc-langpack-hsb
glibc-langpack-ht
glibc-langpack-hu
glibc-langpack-hy
glibc-langpack-ia
glibc-langpack-id
glibc-langpack-ig
glibc-langpack-ik
glibc-langpack-is
glibc-langpack-it
glibc-langpack-iu
glibc-langpack-ja
glibc-langpack-ka
glibc-langpack-kab
glibc-langpack-kk
glibc-langpack-kl
glibc-langpack-km
glibc-langpack-kn
glibc-langpack-ko
glibc-langpack-kok
glibc-langpack-ks
glibc-langpack-ku
glibc-langpack-kw
glibc-langpack-ky
glibc-langpack-lb
glibc-langpack-lg
glibc-langpack-li
glibc-langpack-lij
glibc-langpack-ln
glibc-langpack-lo
glibc-langpack-lt
glibc-langpack-lv
glibc-langpack-lzh
glibc-langpack-mag
glibc-langpack-mai
glibc-langpack-mfe
glibc-langpack-mg
glibc-langpack-mhr
glibc-langpack-mi
glibc-langpack-miq
glibc-langpack-mjw
glibc-langpack-mk
glibc-langpack-ml
glibc-langpack-mn
glibc-langpack-mni
glibc-langpack-mnw
glibc-langpack-mr
glibc-langpack-ms
glibc-langpack-mt
glibc-langpack-my
glibc-langpack-nan
glibc-langpack-nb
glibc-langpack-nds
glibc-langpack-ne
glibc-langpack-nhn
glibc-langpack-niu
glibc-langpack-nl
glibc-langpack-nn
glibc-langpack-nr
glibc-langpack-nso
glibc-langpack-oc
glibc-langpack-om
glibc-langpack-or
glibc-langpack-os
glibc-langpack-pa
glibc-langpack-pap
glibc-langpack-pl
glibc-langpack-ps
glibc-langpack-pt
glibc-langpack-quz
glibc-langpack-raj
glibc-langpack-ro
glibc-langpack-ru
glibc-langpack-rw
glibc-langpack-sa
glibc-langpack-sah
glibc-langpack-sat
glibc-langpack-sc
glibc-langpack-sd
glibc-langpack-se
glibc-langpack-sgs
glibc-langpack-shn
glibc-langpack-shs
glibc-langpack-si
glibc-langpack-sid
glibc-langpack-sk
glibc-langpack-sl
glibc-langpack-sm
glibc-langpack-so
glibc-langpack-sq
glibc-langpack-sr
glibc-langpack-ss
glibc-langpack-st
glibc-langpack-sv
glibc-langpack-sw
glibc-langpack-szl
glibc-langpack-ta
glibc-langpack-tcy
glibc-langpack-te
glibc-langpack-tg
glibc-langpack-th
glibc-langpack-the
glibc-langpack-ti
glibc-langpack-tig
glibc-langpack-tk
glibc-langpack-tl
glibc-langpack-tn
glibc-langpack-to
glibc-langpack-tpi
glibc-langpack-tr
glibc-langpack-ts
glibc-langpack-tt
glibc-langpack-ug
glibc-langpack-uk
glibc-langpack-unm
glibc-langpack-ur
glibc-langpack-uz
glibc-langpack-ve
glibc-langpack-vi
glibc-langpack-wa
glibc-langpack-wae
glibc-langpack-wal
glibc-langpack-wo
glibc-langpack-xh
glibc-langpack-yi
glibc-langpack-yo
glibc-langpack-yue
glibc-langpack-yuw
glibc-langpack-zh
glibc-langpack-zu
glibc-minimal-langpack
grub2-common
grub2-efi-aa64-modules
grub2-efi-x64
grub2-efi-x64-cdboot
grub2-efi-x64-modules
grub2-pc
grub2-pc-modules
grub2-tools
grub2-tools-efi
grub2-tools-extra
grub2-tools-minimal
grubby
ima-evm-utils
iproute
iproute-tc
iscsi-initiator-utils
iscsi-initiator-utils-iscsiuio
iwl1000-firmware
iwl100-firmware
iwl105-firmware
iwl135-firmware
iwl2000-firmware
iwl2030-firmware
iwl3160-firmware
iwl3945-firmware
iwl4965-firmware
iwl5000-firmware
iwl5150-firmware
iwl6000-firmware
iwl6000g2a-firmware
iwl6000g2b-firmware
iwl6050-firmware
iwl7260-firmware
iwlax2xx-firmware
kexec-tools
kmod
kmod-kvdo
kmod-libs
krb5-libs
krb5-pkinit
krb5-server
krb5-server-ldap
krb5-workstation
libatomic
libdnf
libertas-sd8686-firmware
libertas-sd8787-firmware
libertas-usb8388-firmware
libertas-usb8388-olpc-firmware
libgcc
libgfortran
libgomp
libipa_hbac
libkadm5
libkcapi
libkcapi-hmaccalc
libnsl
libquadmath
libreport-filesystem
libsss_autofs
libsss_certmap
libsss_idmap
libsss_nss_idmap
libsss_simpleifp
libsss_sudo
libstdc++
libtirpc
linux-firmware
linux-firmware-core
linux-firmware-whence
liquidio-firmware
mcelog
microcode_ctl
netronome-firmware
NetworkManager
NetworkManager-adsl
NetworkManager-bluetooth
NetworkManager-config-connectivity-oracle
NetworkManager-config-server
NetworkManager-initscripts-updown
NetworkManager-libnm
NetworkManager-team
NetworkManager-tui
NetworkManager-wifi
NetworkManager-wwan
nscd
nvmetcli
os-prober
polkit
polkit-libs
python3-configshell
python3-dnf
python3-dnf-plugin-post-transaction-actions
python3-dnf-plugins-core
python3-dnf-plugin-versionlock
python3-firewall
python3-hawkey
python3-libdnf
python3-libipa_hbac
python3-libsss_nss_idmap
python3-rpm
python3-sss
python3-sssdconfig
python3-sss-murmur
redhat-release
rpm
rpm-build-libs
rpm-libs
rpm-plugin-audit
rpm-plugin-selinux
rpm-sign
rpm-sign-libs
selinux-policy
selinux-policy-doc
selinux-policy-mls
selinux-policy-sandbox
selinux-policy-targeted
shim-x64
sos
sos-audit
sssd
sssd-ad
sssd-client
sssd-common
sssd-common-pac
sssd-dbus
sssd-ipa
sssd-kcm
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-nfs-idmap
sssd-polkit-rules
sssd-proxy
sssd-tools
sssd-winbind-idmap
systemd
systemd-container
systemd-libs
systemd-oomd
systemd-pam
systemd-resolved
systemd-rpm-macros
systemd-udev
tuned
tuned-profiles-cpu-partitioning
vim-filesystem
vim-minimal
yum
yum-utils
The following binary packages have been added to CodeReady Linux Builder by Oracle:
oraclelinux-sb-certs
The following binary packages to CodeReady Linux Builder by Oracle have been modified:
crash-devel
cups-filters-devel
dotnet-sdk-6.0-source-built-artifacts
fwupd-devel
gcc-plugin-devel
glibc-benchtests
glibc-nss-devel
glibc-static
ima-evm-utils-devel
iproute-devel
kmod-devel
libdnf-devel
libguestfs-devel
libguestfs-gobject
libguestfs-gobject-devel
libguestfs-man-pages-ja
libguestfs-man-pages-uk
librados-devel
libradospp-devel
librbd-devel
libreoffice-sdk
libreoffice-sdk-doc
libsss_nss_idmap-devel
libstdc++-static
libtirpc-devel
libvirt-devel
libvirt-docs
libvirt-lock-sanlock
lua-guestfs
mpich
munge-devel
NetworkManager-libnm-devel
nginx-mod-devel
nss_db
nss_hesiod
ocaml-libguestfs
ocaml-libguestfs-devel
OpenIPMI-devel
openscap-engine-sce-devel
PackageKit-glib-devel
python3-ipatests
python3-mpich
ruby-libguestfs
sanlock-devel
sendmail-milter
sendmail-milter-devel
tog-pegasus-devel
virt-v2v-man-pages-ja
virt-v2v-man-pages-uk
The following binary packages from the AppStream upstream release have been modified:
aardvark-dns
anaconda
anaconda-core
anaconda-dracut
anaconda-gui
anaconda-install-env-deps
anaconda-install-img-deps
anaconda-tui
anaconda-user-help
anaconda-widgets
aspnetcore-runtime-6.0
aspnetcore-targeting-pack-6.0
autocorr-af
autocorr-bg
autocorr-ca
autocorr-cs
autocorr-da
autocorr-de
autocorr-dsb
autocorr-el
autocorr-en
autocorr-es
autocorr-fa
autocorr-fi
autocorr-fr
autocorr-ga
autocorr-hr
autocorr-hsb
autocorr-hu
autocorr-is
autocorr-it
autocorr-ja
autocorr-ko
autocorr-lb
autocorr-lt
autocorr-mn
autocorr-nl
autocorr-pl
autocorr-pt
autocorr-ro
autocorr-ru
autocorr-sk
autocorr-sl
autocorr-sr
autocorr-sv
autocorr-tr
autocorr-vi
autocorr-vro
autocorr-zh
binutils-devel
blivet-data
boom-boot
boom-boot-conf
boom-boot-grub2
buildah
buildah-tests
clang
clang-analyzer
clang-devel
clang-libs
clang-resource-filesystem
clang-tools-extra
cloud-init
cockpit-composer
cockpit-packagekit
cockpit-pcp
cockpit-session-recording
cockpit-storaged
compat-libgfortran-48
containers-common
container-tools
cpp
crash
cups-filters
cups-filters-libs
dbus-daemon
dbus-devel
dbus-x11
ddiskit
delve
dotnet-apphost-pack-6.0
dotnet-host
dotnet-hostfxr-6.0
dotnet-runtime-6.0
dotnet-sdk-6.0
dotnet-targeting-pack-6.0
dotnet-templates-6.0
dracut-caps
dracut-live
efi-srpm-macros
eth-tools-basic
eth-tools-fastfabric
fapolicyd
fapolicyd-dnf-plugin
fapolicyd-selinux
firefox
firewall-applet
firewall-config
fwupd-plugin-flashrom
galera
gcc
gcc-c++
gcc-gfortran
gcc-offload-nvptx
gcc-plugin-annobin
gdb
gdb-doc
gdb-gdbserver
gdb-headless
gdb-minimal
git-clang-format
glibc-devel
glibc-doc
glibc-headers
glibc-locale-source
glibc-utils
gnome-shell-extension-background-logo
httpd
httpd-devel
httpd-filesystem
httpd-manual
httpd-tools
initial-setup
initial-setup-gui
ipa-client
ipa-client-common
ipa-client-epn
ipa-client-samba
ipa-common
ipa-selinux
ipa-server
ipa-server-common
ipa-server-dns
ipa-server-trust-ad
krb5-devel
ksh
libasan
libblockdev
libblockdev-btrfs
libblockdev-crypto
libblockdev-dm
libblockdev-fs
libblockdev-kbd
libblockdev-loop
libblockdev-lvm
libblockdev-lvm-dbus
libblockdev-mdraid
libblockdev-mpath
libblockdev-nvdimm
libblockdev-part
libblockdev-plugins-all
libblockdev-swap
libblockdev-tools
libblockdev-utils
libgccjit
libgccjit-devel
libgomp-offload-nvptx
libguestfs
libguestfs-appliance
libguestfs-bash-completion
libguestfs-inspect-icons
libguestfs-rescue
libguestfs-rsync
libguestfs-xfs
libitm
libitm-devel
liblsan
libquadmath-devel
librados2
librbd1
libreoffice-base
libreoffice-calc
libreoffice-core
libreoffice-data
libreoffice-draw
libreoffice-emailmerge
libreoffice-filters
libreoffice-gdb-debug-support
libreoffice-graphicfilter
libreoffice-gtk3
libreoffice-help-ar
libreoffice-help-bg
libreoffice-help-bn
libreoffice-help-ca
libreoffice-help-cs
libreoffice-help-da
libreoffice-help-de
libreoffice-help-dz
libreoffice-help-el
libreoffice-help-en
libreoffice-help-eo
libreoffice-help-es
libreoffice-help-et
libreoffice-help-eu
libreoffice-help-fi
libreoffice-help-fr
libreoffice-help-gl
libreoffice-help-gu
libreoffice-help-he
libreoffice-help-hi
libreoffice-help-hr
libreoffice-help-hu
libreoffice-help-id
libreoffice-help-it
libreoffice-help-ja
libreoffice-help-ko
libreoffice-help-lt
libreoffice-help-lv
libreoffice-help-nb
libreoffice-help-nl
libreoffice-help-nn
libreoffice-help-pl
libreoffice-help-pt-BR
libreoffice-help-pt-PT
libreoffice-help-ro
libreoffice-help-ru
libreoffice-help-si
libreoffice-help-sk
libreoffice-help-sl
libreoffice-help-sv
libreoffice-help-ta
libreoffice-help-tr
libreoffice-help-uk
libreoffice-help-zh-Hans
libreoffice-help-zh-Hant
libreoffice-impress
libreofficekit
libreoffice-langpack-af
libreoffice-langpack-ar
libreoffice-langpack-as
libreoffice-langpack-bg
libreoffice-langpack-bn
libreoffice-langpack-br
libreoffice-langpack-ca
libreoffice-langpack-cs
libreoffice-langpack-cy
libreoffice-langpack-da
libreoffice-langpack-de
libreoffice-langpack-dz
libreoffice-langpack-el
libreoffice-langpack-en
libreoffice-langpack-eo
libreoffice-langpack-es
libreoffice-langpack-et
libreoffice-langpack-eu
libreoffice-langpack-fa
libreoffice-langpack-fi
libreoffice-langpack-fr
libreoffice-langpack-fy
libreoffice-langpack-ga
libreoffice-langpack-gl
libreoffice-langpack-gu
libreoffice-langpack-he
libreoffice-langpack-hi
libreoffice-langpack-hr
libreoffice-langpack-hu
libreoffice-langpack-id
libreoffice-langpack-it
libreoffice-langpack-ja
libreoffice-langpack-kk
libreoffice-langpack-kn
libreoffice-langpack-ko
libreoffice-langpack-lt
libreoffice-langpack-lv
libreoffice-langpack-mai
libreoffice-langpack-ml
libreoffice-langpack-mr
libreoffice-langpack-nb
libreoffice-langpack-nl
libreoffice-langpack-nn
libreoffice-langpack-nr
libreoffice-langpack-nso
libreoffice-langpack-or
libreoffice-langpack-pa
libreoffice-langpack-pl
libreoffice-langpack-pt-BR
libreoffice-langpack-pt-PT
libreoffice-langpack-ro
libreoffice-langpack-ru
libreoffice-langpack-si
libreoffice-langpack-sk
libreoffice-langpack-sl
libreoffice-langpack-sr
libreoffice-langpack-ss
libreoffice-langpack-st
libreoffice-langpack-sv
libreoffice-langpack-ta
libreoffice-langpack-te
libreoffice-langpack-th
libreoffice-langpack-tn
libreoffice-langpack-tr
libreoffice-langpack-ts
libreoffice-langpack-uk
libreoffice-langpack-ve
libreoffice-langpack-xh
libreoffice-langpack-zh-Hans
libreoffice-langpack-zh-Hant
libreoffice-langpack-zu
libreoffice-math
libreoffice-ogltrans
libreoffice-opensymbol-fonts
libreoffice-pdfimport
libreoffice-pyuno
libreoffice-ure
libreoffice-ure-common
libreoffice-wiki-publisher
libreoffice-writer
libreoffice-x11
libreoffice-xsltfilter
libreport
libreport-anaconda
libreport-cli
libreport-gtk
libreport-plugin-bugzilla
libreport-plugin-reportuploader
libreport-web
libreswan
libstdc++-devel
libstdc++-docs
libtsan
libubsan
libvirt
libvirt-client
libvirt-daemon
libvirt-daemon-config-network
libvirt-daemon-config-nwfilter
libvirt-daemon-driver-interface
libvirt-daemon-driver-network
libvirt-daemon-driver-nodedev
libvirt-daemon-driver-nwfilter
libvirt-daemon-driver-qemu
libvirt-daemon-driver-secret
libvirt-daemon-driver-storage
libvirt-daemon-driver-storage-core
libvirt-daemon-driver-storage-disk
libvirt-daemon-driver-storage-iscsi
libvirt-daemon-driver-storage-logical
libvirt-daemon-driver-storage-mpath
libvirt-daemon-driver-storage-rbd
libvirt-daemon-driver-storage-scsi
libvirt-daemon-kvm
libvirt-libs
libvirt-nss
libxslt
libxslt-devel
lorax
lorax-docs
lorax-lmc-novirt
lorax-lmc-virt
lorax-templates-generic
lorax-templates-rhel
mecab-ipadic
mecab-ipadic-EUCJP
mod_ldap
mod_lua
mod_proxy_html
mod_session
mod_ssl
mpich
mpich-autoload
mpich-devel
mpich-doc
munge
munge-libs
netavark
netstandard-targeting-pack-2.1
NetworkManager-cloud-setup
NetworkManager-dispatcher-routing-rules
NetworkManager-ovs
NetworkManager-ppp
nginx
nginx-all-modules
nginx-filesystem
nginx-mod-http-image-filter
nginx-mod-http-perl
nginx-mod-http-xslt-filter
nginx-mod-mail
nginx-mod-stream
ntsysv
opa-address-resolution
opa-basic-tools
opa-fastfabric
opa-fm
opa-libopamgt
OpenIPMI
OpenIPMI-lanserv
OpenIPMI-libs
openscap
openscap-devel
openscap-engine-sce
openscap-python3
openscap-scanner
openscap-utils
open-vm-tools
open-vm-tools-desktop
open-vm-tools-sdmp
open-vm-tools-test
osbuild-composer
osbuild-composer-core
osbuild-composer-dnf-json
osbuild-composer-worker
oscap-anaconda-addon
osinfo-db
PackageKit
PackageKit-command-not-found
PackageKit-glib
PackageKit-gstreamer-plugin
PackageKit-gtk3-module
perl-Sys-Guestfs
perl-XML-Parser
pesign
pki-acme
pki-base
pki-base-java
pki-ca
pki-kra
pki-server
pki-symkey
pki-tools
plymouth
plymouth-core-libs
plymouth-graphics-libs
plymouth-plugin-fade-throbber
plymouth-plugin-label
plymouth-plugin-script
plymouth-plugin-space-flares
plymouth-plugin-two-step
plymouth-scripts
plymouth-system-theme
plymouth-theme-charge
plymouth-theme-fade-in
plymouth-theme-script
plymouth-theme-solar
plymouth-theme-spinfinity
plymouth-theme-spinner
podman
podman-catatonit
podman-docker
podman-gvproxy
podman-plugins
podman-remote
podman-tests
polkit-devel
polkit-docs
pykickstart
python3-blivet
python3-blockdev
python3-boom
python3-clang
python3-ipaclient
python3-ipalib
python3-ipaserver
python3-iscsi-initiator-utils
python3-kickstart
python3-libguestfs
python3-libreport
python3-pki
python3-rtslib
python3-sanlock
rear
rhel-system-roles
rpm-apidocs
rpm-build
rpm-cron
rpm-devel
rpmdevtools
rpm-plugin-fapolicyd
rpm-plugin-ima
rpm-plugin-syslog
rpm-plugin-systemd-inhibit
sanlock
sanlock-lib
scap-security-guide
scap-security-guide-doc
selinux-policy-devel
sendmail
sendmail-cf
sendmail-doc
setroubleshoot
setroubleshoot-plugins
setroubleshoot-server
systemd-devel
systemd-journal-remote
systemtap
systemtap-client
systemtap-devel
systemtap-exporter
systemtap-initscript
systemtap-runtime
systemtap-runtime-java
systemtap-runtime-python3
systemtap-runtime-virtguest
systemtap-runtime-virthost
systemtap-sdt-devel
systemtap-server
target-restore
thunderbird
tog-pegasus
tog-pegasus-libs
tuned-gtk
tuned-profiles-atomic
tuned-profiles-mssql
tuned-profiles-oracle
tuned-profiles-spectrumscale
tuned-utils
vim-common
vim-enhanced
vim-X11
virt-install
virt-manager
virt-manager-common
virt-p2v
virt-v2v
virt-v2v-bash-completion
WALinuxAgent
WALinuxAgent-udev
xsane
xsane-common
The following binary packages from the BaseOS upstream release have been removed:
kpatch
kpatch-dnf
libdnf-plugin-subscription-manager
python3-cloud-what
python3-subscription-manager-rhsm
redhat-release-eula
rhsm-icons
subscription-manager
subscription-manager-cockpit
subscription-manager-plugin-ostree
subscription-manager-rhsm-certificates
The following binary packages from the AppStream upstream release have been removed:
ansible-collection-microsoft-sql
ansible-collection-redhat-rhel_mgmt
insights-client
libreport-rhel-anaconda-bugzilla
NetworkManager-config-connectivity-redhat
nmap
nmap-ncat
realtime-tests
redhat-backgrounds
redhat-indexhtml
redhat-logos
redhat-logos-httpd
redhat-logos-ipa
rhc
rhc-worker-playbook
toolbox
toolbox-tests
virtio-win
virt-who
This section contains information about the removed, modified, and new source packages in this release. For information about the binary package changes, see Section A.1, “Changes to Binary Packages” .
The following source packages have been added to the BaseOS by Oracle:
bcache-tools
btrfs-progs
dtrace
kernel-uek
ocfs2-tools
oracle-indexhtml
oraclelinux-release
oraclelinux-release-el9
oracle-logos
The following source packages have been added to AppStream by Oracle:
dnf-plugin-spacewalk
dtrace
pyOpenSSL
python3-dnf-plugin-ulninfo
python-hwdata
rhn-client-tools
rhnlib
rhnsd
The following source packages from the BaseOS upstream release have been modified:
autofs
binutils
chkconfig
chrony
cockpit
coreutils
dbus
dnf
dnf-plugins-core
dracut
efibootmgr
efi-rpm-macros
firewalld
fwupd
gcc
glibc
grub2
grubby
ima-evm-utils
iproute
iscsi-initiator-utils
kexec-tools
kmod
kmod-kvdo
krb5
libdnf
libkcapi
libreport
libtirpc
linux-firmware
mcelog
microcode_ctl
NetworkManager
nvmetcli
os-prober
polkit
python-configshell
redhat-release
rpm
selinux-policy
shim
sos
sssd
systemd
tuned
vim
The following source packages from the AppStream upstream release have been modified:
anaconda
anaconda-user-help
binutils
boom-boot
buildah
ceph
chkconfig
clang
cloud-init
cockpit
cockpit-composer
cockpit-session-recording
compat-libgfortran-48
containers-common
container-tools
crash
cups-filters
dbus
ddiskit
delve
dotnet6.0
dracut
efi-rpm-macros
eth-tools
fapolicyd
firefox
firewalld
fwupd
galera
gcc
gdb
glibc
gnome-shell-extension-background-logo
httpd
initial-setup
ipa
iscsi-initiator-utils
krb5
ksh
libblockdev
libguestfs
libreoffice
libreport
libreswan
libvirt
libxslt
lorax
lorax-templates-rhel
mecab-ipadic
mpich
munge
NetworkManager
nginx
opa-ff
opa-fm
OpenIPMI
openscap
open-vm-tools
osbuild-composer
oscap-anaconda-addon
osinfo-db
PackageKit
perl-XML-Parser
pesign
pki-core
plymouth
podman
polkit
pykickstart
python-blivet
python-rtslib
rear
rhel-system-roles
rpm
rpmdevtools
sanlock
scap-security-guide
selinux-policy
sendmail
setroubleshoot
setroubleshoot-plugins
systemd
systemtap
thunderbird
tog-pegasus
tuned
vim
virt-manager
virt-p2v
virt-v2v
WALinuxAgent
xsane
The following source packages from the BaseOS upstream release have been removed:
kpatch
subscription-manager
The following source packages from the AppStream upstream release have been removed:
ansible-collection-microsoft-sql
ansible-collection-redhat-rhel_mgmt
insights-client
libica
nmap
realtime-tests
redhat-indexhtml
redhat-logos
rhc
rhc-worker-playbook
toolbox
virtio-win
virt-who
, Oracle and/or its affiliates. Legal Notices