Chapter 4. New Features

This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.7.

4.1. Authentication and Interoperability

SSSD now fully supports sudo rules stored in AD

The System Security Services Daemon (SSSD) now fully supports sudo rules stored in Active Directory (AD). This feature was first introduced in Red Hat Enterprise Linux 7.0 as a Technology Preview. Note that the administrator must update the AD schema to support sudo rules.


SSSD no longer uses the fallback_homedir value from the [nss] section as fallback for AD domains

Prior to RHEL 7.7, the SSSD fallback_homedir parameter in an Active Directory (AD) provider had no default value. If fallback_homedir was not set, SSSD used instead the value from the same parameter from the [nss] section in the /etc/sssd/sssd.conf file. To increase security, SSSD in RHEL 7.7 introduced a default value for fallback_homedir. As a consequence, SSSD no longer falls back to the value set in the [nss] section. If you want to use a different value than the default for the fallback_homedir parameter in an AD domain, you must manually set it in the domain’s section.


Directory Server rebased to version

The 389-ds-base packages have been upgraded to upstream version, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating: 1.3.9 Release Notes.


The Directory Server Auto Membership plug-in can now be additionally invoked by modify operations

This update enhances the Auto Membership plug-in in Directory Server to work with modify operations. Previously, the plug-in was only invoked by ADD operations. When an administrator changed a user entry, and that change impacted what Auto Membership groups the user belonged to, the user was not removed from the old group and only added to the new group. With the enhancement provided by this update, users can now configure that Directory Server removes the user from the old group in the mentioned scenario.

To enable the new behavior, set the autoMemberProcessModifyOps attribute in the cn=Auto Membership Plugin,cn=plugins,cn=config entry to on.


The replicaLastUpdateStatusJSON status attribute has been added to replication agreements in Directory Server

This update introduces the replicaLastUpdateStatusJSON status attribute to the cn=<replication_agreement_name>,cn=replica,cn=<suffix_DN>,cn=mapping tree,cn=config entry. The status displayed in the replicaLastUpdateStatus attribute was vague and unclear. The new attribute provides a clear status message and result code and can be parsed by other applications that support the JSON format.


IdM now provides a utility to promote a CA to a CRL generation master

With this enhancement, administrators can promote an existing Identity Management (IdM) certificate authority (CA) to a certificate revocation list (CRL) generation master or remove this feature from a CA. Previously, multiple manual steps were required to configure an IdM CA as CRL generation master, and the procedure was error-prone. As a result, administrators can now use the ipa-crlgen-manage enable and ipa-crlgen-manage disable commands to enable and disable CRL generation on an IdM CA.


A command to detect and remove orphaned automember rules has been added to IdM

Automember rules in Identity Management (IdM) can refer to a hostgroup or a group that has been deleted. Previously, the ipa automember-rebuild command failed unexpectedly and it was difficult to diagnose the reason of the failure. This enhancement adds ipa automember-find-orphans to IdM to IdM to identify and remove such orphaned automember rules.


IdM now supports IP addresses in the SAN extension of certificates

In certain situations, administrators need to issue certificates with an IP address in the Subject Alternative Name (SAN) extension. This update adds this feature. As a result, administrators can set an IP address in the SAN extension if the address is managed in the IdM DNS service and associated with the subject host or service principal.


IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.


pki-core rebased to version 10.5.16

The pki-core packages have been upgraded to upstream version 10.5.16, which provides a number of bug fixes and enhancements over the previous version.


Certificate System can now create CSRs with SKI extension for external CA signing

With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with SKI extension.


Uninstalling Certificate System no longer removes all log files

Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy. Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.


The pkispawn utility now supports using keys created in the NSS database during CA, KRA, and OCSP installations

Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.


Certificate System now preserves the logs of previous installations when reinstalling the service

Previously, the pkispawn utility reported a name collision error when installing a Certificate System subsystem on a server with an existing Certificate System log directory structure. With this enhancement, Certificate System reuses the existing log directory structure to preserve logs of previous installations.


Certificate System now supports additional strong ciphers by default

With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:


For a full list of enabled ciphers, enter:

# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"

If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers.


The samba packages have been to version 4.9.1

The samba packages have been upgraded to upstream version 4.9.1, which provides a number of bug fixes and enhancements over the previous version. The most notable changes include:

  • The Clustered Trivial Database (CTDB) configuration has been changed completely. Administrators must now specify parameters for the ctdb service and corresponding utilities in the /etc/ctdb/ctdb.conf file in a format similar to the Samba configuration. For further details, see the ctdb.conf(5) man page. Use the /usr/share/doc/ctdb/examples/ script to migrate the current configuration.
  • The default values of the following parameters in the /etc/samba/smb.conf file have been changed as follows:

    • map readonly: no
    • store dos attributes: yes
    • ea support: yes
    • full_audit:success: Not set
    • full_audit:failure: Not set
  • The net ads setspn command has been added for managing Windows Service Principal Names (SPN) on Active Directory (AD). This command provides the same basic functionality as the setspn.exe utility on Windows. For example, administrators can use it to add, delete, and list Windows SPNs stored in an AD computer object.
  • The net ads keytab add command no longer attempts to convert the service class passed to the command into a Windows SPN, which is then added to the AD computer object. By default, the command now only updates the keytab file. The new net ads add_update_ads command has been added to preserve the previous behavior. However, administrators should use the new net ads setspn add command instead.

Samba automatically updates its tdb database files when the "smbd", "nmbd", or "winbind" daemon starts. Back up the databases files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating:


4.2. Clustering

Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes

With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.


Improved status display of fencing actions

The output of the pcs status command now shows failed and pending fence actions.


4.3. Compiler and Tools

New packages: python3

New python3 packages are available in RHEL 7, which provide the Python 3.6 interpreter, as well as the pip and setuptools utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections.

When installing, invoking, or otherwise interacting with Python 3, always specify the major version of Python. For example, to install Python 3, use the yum install python3 command. All Python-related commands should also include the version, for example, pip3.

Note that Python 3 is the default Python implementation in RHEL 8, so it is advisable to migrate your Python 2 code to Python 3. For more information on how to migrate large code bases to Python 3, see The Conservative Python 3 Porting Guide.


New packages: compat-sap-c++-8

The compat-sap-c++-8 packages contain the libstdc++ library named, which is a runtime compatibility library needed for SAP applications. The compat-sap-c++-8 packages are based on GCC 8.


The elfutils packages have been rebased to version 0.176

The elfutils packages have been upgraded to upstream version 0.176. Notable changes include:

  • Various bugs related to multiple CVEs have been fixed.
  • The libdw library has been extended with the dwelf_elf_begin() function which is a variant of elf_begin() that handles compressed files.
  • The eu-readelf tool now recognizes and prints out GNU Property notes and GNU Build Attribute ELF Notes with the --notes or -n options.
  • A new --reloc-debug-sections-only option has been added to the eu-strip tool to resolve all trivial relocations between debug sections in place without any other stripping. This functionality is relevant only for ET_REL files in certain circumstances.
  • A new function dwarf_next_lines has been added to the libdw library. This function reads .debug_line data without CU.
  • The dwarf_begin_elf function from the libdw library now accepts ELF files containing only .debug_line or .debug_frame sections.


gcc-libraries rebased to version 8.3.1

The gcc-libraries packages have been updated to the upstream version 8.3.1 which brings a number of bug fixes.


Geolite2 Databases are now available

This update introduces Geolite2 Databases as an addition to the legacy Geolite Databases, provided by the GeoIP package.

Geolite2 Databases are provided by multiple packages. The libmaxminddb package includes the library and the mmdblookup command line tool, which enables manual searching of addresses. The geoipupdate binary from the legacy GeoIP package is now provided by the geoipupdate package, and is capable of downloading both legacy databases and the new Geolite2 databases.

The GeoIP package, together with the legacy database, is no longer supported in upstream, and is not distributed with RHEL 8.

(BZ#1643472, BZ#1643470, BZ#1643464)

Date formatting updates for the Japanese Reiwa era

The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strftime and strptime functions. All APIs will correctly print the Reiwa era including when strftime is used along with one of the era conversion specifiers such as %EC, %EY, or %Ey.


SystemTap rebased to version 4.0

The SystemTap instrumentation tool has been upgraded to upstream version 4.0. Notable improvements include:

  • The extended Berkeley Packet Filter (eBPF) backend has been improved, especially for strings and functions. To use this backend, start SystemTap with the --runtime=bpf option.
  • A new export network service for use with the Prometheus monitoring system has been added.
  • The system call probing implementation has been improved to use the kernel tracepoints if necessary.


Valgrind rebased to version 3.14

The Valgrind packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version:

  • Valgrind can now process integer and string vector instructions for the z13 processor of the IBM Z architecture.
  • An option --keep-debuginfo=no|yes has been added to retain debugging information for unloaded code. This allows saved stack traces to include file and line information in more cases. For more information and known limitations, see the Valgrind user manual.
  • The Helgrind tool can now be configured to compute full history stack traces as deltas with the new --delta-stracktrace=yes|no option. As a result, keeping full Helgrind history with the --history-level=full option can be up to 25% faster when --delta-stracktrace=yes is added.
  • False positive rate in the Memcheck tool has been reduced on the AMD64 and 64-bit ARM architectures. Notably, you can use the --expensive-definedness-checks=no|auto|yes option to control analysis for the expensive definedness checks without loss of precision.


Performance Co-Pilot rebased to version 4.3.2

The Performance Co-Pilot (PCP) has been updated to upstream version 4.3.2. Notable improvements include:

  • The pcp-dstat tool now includes historical analysis and Comma-separated Values (CSV) format output.
  • The log utilities can use metric labels and help text records.
  • The pmdaperfevent tool now reports the correct CPU numbers at the lower Simultaneous Multi Threading (SMT) levels.
  • The pmdapostgresql tool now supports Postgres series 10.x.
  • The pmdaredis tool now supports Redis series 5.x.
  • The pmdabcc tool has been enhanced with dynamic process filtering and per-process syscalls, ucalls, and ustat.
  • The pmdammv tool now exports metric labels, and the format version is increased to 3.
  • The pmdagfs2 tool supports additional glock and glock holder metrics.
  • Several fixes have been made to the SELinux policy.
  • The pmcd utility now supports PMDA suspend and resume (fencing) without configuration changes.
  • Pressure-stall information metrics are now reported.
  • Additional VDO metrics are now reported.
  • The pcp-atop tool now reports statistics for pressure stall information, infiniband, perf_event, and NVIDIA GPUs.
  • The pmlogger and pmie tools can now use systemd timers as an alternative to cron jobs.

(BZ#1647308, BZ#1641161)

ptp4l now supports team interfaces in active-backup mode

With this update, support for team interfaces in active-backup mode has been added into the PTP Boundary/Ordinary Clock (ptp4l).


linuxptp rebased to version 2.0

The linuxptp packages have been upgraded to upstream version 2.0, which provides a number of bug fixes and enhancements over the previous version.

The most notable features are as follows:

  • Support for unicast messaging has been added
  • Support for telecom G.8275.1 and G.8275.2 profiles has been added
  • Support for the NetSync Monitor (NSM) protocol has been added
  • Implementation of transparent clock (TC) has been added


The DateTime::TimeZone Perl module is now aware of recent time zone updates

The Olson time zone database has been updated to version 2018i. Previously, applications written in the Perl language that use the DateTime::TimeZone module mishandled time zones that changed their specifications since version 2017b due to the outdated database.


The trace-cmd packages have been updated to version 2.7

The updated packages provide the latest bug fixes and upstream features. As a result, the Red Hat Enterprise Linux users can now use an up-to-date trace-cmd command.


vim rebased to version 7.4.629

The vim packages have been upgraded to upstream version 7.4.629, which is in RHEL 6. This version provides a number of bug fixes and enhancements over the previous version.

Notable enhancements include the breakindent feature. For more information about the feature, see :help breakindent in Vim.


4.4. Desktop

cups-filters updated

The cups-filters packages, distributed in version 1.0.35, have been updated to provide the following enhancements:

  • The cups-browsed daemon, which provides the functionality removed from CUPS since the version 1.5, has been rebased to version 1.13.4, excluding the support for CUPS temporary queues.
  • A new backend, implicitclass, has been introduced to support high availability and load balancing.


Mutter now allows for mass-deployable homogenized display configuration

The Mutter window manager now makes it possible to deploy pre-set display configurations for all users on a system. As a result, Mutter no longer requires that the configuration for each user is copied to its own configuration directory, but it can use a system wide configuration file instead. This feature makes Mutter suitable for mass deployment of homogenized display configuration.

To set the configuration for a single user, create and populate the ~/.config/monitors.xml file. For the login screen in particular, use the ~/gdm/.config/monitors.xml file. For system-wide configurations, use the /etc/xdg/monitors.xml file.


4.5. File Systems

Improved quota reports

The quota tool in non-verbose mode now distinguishes between a file system with no limits and a file system with limits but with no used resources. Previously, none was printed for both use cases, which was confusing.


4.6. Installation and Booting

The graphical installation program now detects if SMT is enabled

Previously, the RHEL 7 graphical installation program did not detect if Simultaneous Multithreading (SMT) was enabled on a system. With this update, the installation program now detects if SMT is enabled on a system. If it is enabled, a warning message is displayed in the Status bar, which is located at the bottom of the Installation Summary window.


New --g-libs option for the script

This update introduces the new --g-libs option for the script. This new option is an alternative to previous -g option, which instructed the script to remove only debugging symbols from both binary and library files. The new --g-libs option works the same way as -g, but only for library files. The binary files are stripped completely.


The Image Builder rebased to version 19.7.33 and fully supported

The Image Builder, provided by the lorax-composer package in the RHEL 7 Extras Channel, has been upgraded to version 19.7.33.

Notable changes in this version include:

  • The Image Builder, previously available as Technology Preview, is now fully supported.
  • Cloud images can be built for Amazon Web Services, VMware vSphere, and OpenStack.
  • A Red Hat Content Delivery Network (CDN) repository mirror is no longer needed.
  • You can now set a host name and create users.
  • Boot loader parameters can be set, such as disabling Simultaneous Multi-Threading (SMT) with the nosmt=force option. This is only possible from composer-cli tool on command line.
  • The web console UI can now edit external repositories ("sources").
  • The Image Builder can now run with SElinux in enforcing mode.

To access the Image Builder functionality, use a command-line interface in the composer-cli utility, or a graphical user interface in the RHEL 7 web console from the cockpit-composer package.

(BZ#1713880, BZ#1656105, BZ#1654795, BZ#1689314, BZ#1688335)

4.7. Kernel

Kernel version in RHEL 7.7

Red Hat Enterprise Linux 7.7 is distributed with the kernel version 3.10.0-1062.


Live patching for the kernel is now available

Live patching for the kernel, kpatch, provides a mechanism to patch a running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.

To subscribe to the kpatch stream for the RHEL 7.7 version of kernel, install the kpatch-patch-3_10_0-1062 package provided by the RHEA-2019:2011 advisory.

For more information, see Applying patches with kernel live patching in the Kernel Administration Guide.


The IMA and EVM features are now supported on all architectures

The Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) are now fully supported on all available architectures. In RHEL 7.6, they were supported only on the AMD64 and Intel 64 architecture.

IMA and EVM enable the kernel to check the integrity of files at runtime using labels attached to extended attributes. You can use IMA and EVM to monitor if files have been accidentally or maliciously altered.

The ima-evm-utils package provides userspace utilities to interface between user applications and the kernel features.


Spectre V2 mitigation default changed from IBRS to Retpoline in new installations of RHEL 7.7

The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the 6th Generation Intel Core Processors and its close derivatives [1] has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline in new installations of RHEL 7.7. Red Hat has implemented this change as a result of Intel’s recommendations to align with the defaults used in the Linux community and to restore lost performance. However, note that using Retpoline in some cases may not fully mitigate Spectre V2. Intel’s Retpoline document [2] describes any cases of exposure. This document also states that the risk of an attack is low.

For installations of RHEL 7.6 and prior, IBRS is still the default mitigation. New installations of RHEL 7.7 and later versions will have "spectre_v2=retpoline" added to the kernel command line. No change will be made for upgrades to RHEL 7.7 from earlier versions of RHEL 7.

Note that users can select which spectre_v2 mitigation will be used. To select Retpoline: a) Add the "spectre_v2=retpoline" flag to the kernel command line, and reboot. b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/retp_enabled"

To select IBRS: a) Remove the "spectre_v2=retpoline" flag from the kernel command line, and reboot. b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/ibrs_enabled"

If one or more kernel modules were not built with Retpoline support, the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file will indicate vulnerability and the /var/log/messages file will identify the offending modules. See How to determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with unsafe module(s)"? for further information.

[1] "6th generation Intel Core Processors and its close derivatives" are what the Intel’s Retpoline document refers to as "Skylake-generation".

[2] Retpoline: A Branch Target Injection Mitigation - White Paper

(BZ#1653428, BZ#1659626)

PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels

Previously, the kernel in Red Hat Enterprise Linux (RHEL) did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, PMTU discovery and route redirection are now supported with VXLAN and GENEVE tunnels.


A new kernel command-line option to disable hardware transactional memory on IBM POWER

RHEL 7.7 introduces the ppc_tm=off kernel command-line option. When the user passes ppc_tm=off at boot time, the kernel disables hardware transactional memory on IBM POWER systems and makes it unavailable to applications. Previously, the RHEL 7 kernel unconditionally made the hardware transactional memory feature on IBM POWER systems available to applications whenever it was supported by hardware and firmware.


Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.7. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For instructions on installing Intel Omni-Path Architecture documentation, see:


IBPB cannot be directly disabled

With this RHEL kernel source code update, it is not possible to directly disable the Indirect Branch Prediction Barrier (IBPB) control mechanism. Red Hat does not anticipate any performance issues from this setting.


4.8. Real-Time Kernel

kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.


The RHEL 7 kernel-rt timer wheel has been updated to a non-cascading timer wheel

The current timer wheel has been switched to a non-cascading wheel which improves the timer subsystem and reduces the overheads on many operations. With the backport of the non-cascading timer wheel, kernel-rt is very close to the upstream kernel in enabling the backport of future improvements.


4.9. Networking

rpz-drop now prevents BIND for repetitive resolving of unreachable domain

The Berkeley Internet Name Domain (BIND) version distributed with RHEL 7.7 introduces the rpz-drop policy, which enables to mitigate DNS amplification attacks. Previously, if an attacker generated a lot of queries for an irresolvable domain, BIND was constantly trying to resolve such queries, which caused considerable load on CPU. With rpz-drop, BIND does not process the queries when the target domain is unreachable. This behavior significantly saves CPU capacity.


bind rebased to version 9.11

The bind packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:

New features:

  • A new method of provisioning secondary servers called Catalog Zones has been added.
  • Domain Name System Cookies can now be sent by the named service and the dig utility.
  • The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
  • Performance of response-policy zone (RPZ) has been improved.
  • A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
  • A new tool called delv (domain entity lookup and validation) for sending DNS queries and validating the results has been added. The tool uses the same internal resolver and validator logic as the named daemon.
  • A new mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
  • A new prefetch option, which improves the recursive resolver performance, has been added.
  • A new in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
  • A new max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
  • New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
  • The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
  • The named service now checks whether other name server processes are running before starting up.
  • When loading a signed zone, named now checks whether a Resource Record Signature’s (RSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
  • Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.

Feature changes:

  • The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is still the default format.

(BZ#1640561, BZ#1578128)

ipset rebased to version 7.1

The ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:

  • The ipset protocol version 7 introduces the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations. Additionally, the user space component can now detect the exact compatibility level that the kernel component supports.
  • A significant number of bugs have been fixed, such as memory leaks and use-after-free bugs.


NetworkManager now supports VLAN filtering on bridge interfaces

With this enhancement, administrators can configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager connection profiles. This enables administrators to define VLANs directly on bridge ports.


NetworkManager now supports configuring policy routing rules

Previously, users must set up policy routing rules outside of NetworkManager, for example by using the dispatcher script provided by the NetworkManager-dispatcher-routing-rules package. With this update, users can now configure rules as part of a connection profile. As a result, NetworkManager adds the rules when the profile is activated and removes the rules when the profile is deactivated.


4.10. Security

NSS now supports keys restricted to RSASSA-PSS

The Network Security Services (NSS) library now supports keys restricted to Rivest–Shamir–Adleman Signature Scheme with Appendix – Probabilistic Signature Scheme (RSASSA-PSS). The legacy signature scheme, Public Key Cryptography Standard #1 (PKCS#1) v1.5, permits the keys to be reused for encrypting data or keys. This makes those keys vulnerable to signature forging attacks published by Bleichenbacher. Restricting the keys to the RSASSA-PSS algorithm makes them resilient to attacks that utilize decryption.

With this update, NSS can be configured to support keys which are restricted to the RSASSA-PSS algorithm only. This enables the use of such keys included in X.509 certificates for both server and client authentication in TLS 1.2 and 1.3.


NSS now accepts signatures with the NULL object only when correctly included in PKCS#1 v1.5 DigestInfo

The first specification of PKCS#1 v1.5-compatible signatures used text that could be interpreted in two different ways. The encoding of parameters that are encrypted by the signer could include an encoding of a NULL ASN.1 object or omit it. Later revisions of the standard made the requirement to include the NULL object encoding explicit.

Previous versions of Network Security Service (NSS) tried to verify signatures while allowing either encoding. With this version, NSS accepts signatures only when they correctly include the NULL object in the DigestInfo structure in the PKSC#1 v1.5 signature.

This change impacts interoperability with implementations that continue to create signatures that are not PKCS#1 v1.5-compliant.


OpenSC supports HID Crescendo 144K smart cards

With this enhancement, OpenSC supports HID Crescendo 144K smart cards. These tokens are not fully compatible with the Common Access Card (CAC) specification. The token also use some more advanced parts of the specification than CAC tokens issued by the government. The OpenSC driver has been enhanced to manage these tokens and special cases of the CAC specification to support HID Crescendo 144K smart cards.


AES-GCM ciphers are enabled in OpenSSH in FIPS mode

Previously, AES-GCM ciphers were allowed in FIPS mode only in TLS. In the current version, we clarified with NIST that these ciphers can be allowed and certified in OpenSSH, as well.

As a result, the AES-GCM ciphers are allowed in OpenSSH running in FIPS mode.


SCAP Security Guide supports Universal Base Image

SCAP Security Guide security policies have been enhanced to support Universal Base Image (UBI) containers and UBI images, including ubi-minimal images. This enables configuration compliance scanning of UBI containers and images using the atomic scan command. UBI containers and images can be scanned against any profile shipped in SCAP Security Guide. Only the rules that are relevant to secure configuration of UBI are evaluated, which prevents false positives and produces relevant results. The rules that are not applicable to UBI images and containers are skipped automatically.


scap-security-guide rebased to version 0.1.43

The scap-security-guide packages have been upgraded to upstream version 0.1.43, which provides a number of bug fixes and enhancements over the previous version, most notably:

  • Minimum supported Ansible version changed to 2.5
  • New RHEL7 profile: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)


tangd_port_t allows changes of the default port for Tang

This update introduces the tangd_port_t SELinux type that allows the tangd service run as confined with SELinux enforcing mode. That change helps to simplify configuring a Tang server to listen on a user-defined port and it also preserves the security level provided by SELinux in enforcing mode.


A new SELinux type: boltd_t

A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.


A new SELinux policy class: bpf

A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.


shadow-utils rebased to version 4.6

The shadow-utils packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the newuidmap and newgidmap commands for manipulating the UID and GID namespace mapping.


4.11. Servers and Services

chrony rebased to version 3.4

The chrony packages have been upgraded to upstream version 3.4, which provides a number of bug fixes and enhancements over the previous version, notably:

  • The support for hardware time stamping has received improvements.
  • The range of supported polling intervals has been extended.
  • Burst and filter options have been added to NTP sources.
  • A pid file has been moved to prevent the chronyd -q command from breaking the system service.
  • An compatibility with NTPv1 clients has been fixed.


GNU enscript now supports ISO-8859-15 encoding

With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.


ghostscript rebased to version 9.25

The ghostscript packages have been upgraded to upstream version 9.25, which provides a number of bug fixes and enhancements over the previous version.


libssh2 package rebased to version 1.8.0

This update rebases the libssh2 package to version 1.8.0.

This version includes the following:

  • Added support for HMAC-SHA-256 and HMAC-SHA-512
  • Added support for diffie-hellman-group-exchange-sha256 key exchange
  • Fixed many small bugs in the code


ReaR updates

ReaR has been updated to a later version. Notable bug fixes and enhancements over the previous version include:

  • Shared libraries provided by the system are now correctly added into the ReaR rescue system in cases where additional libraries of the same name are needed by the backup mechanism. Verification of NetBackup binaries is performed using the correct libraries, so the verification no longer fails when creating the rescue image. As a result, you can now use NetBackup as a backup mechanism with ReaR. Note that this applies only for NetBackup versions prior to NetBackup 8.0.0. Note that it is currently impossible to use NetBackup 8.0.0 and later versions due to other unresolved problems.
  • Creation of a rescue image in cases with large number of multipath devices now proceeds faster. Scanning of devices has been improved in the following ways:

    • Scanning uses caching to avoid querying the multipath devices multiple times.
    • Scanning queries only device-mapper devices for device-mapper specific information.
    • Scanning avoids collecting information about FibreChannel devices.
  • Several bugs in ReaR affecting complex network configurations have been fixed:

    • The Link Aggregation Control Protocol (LACP) configuration is now correctly restored in the rescue system in cases when teaming, or bonding with the SIMPLIFY_BONDING option, is used together with LACP.
    • ReaR now correctly restores the configuration of the interface in the rescue system in cases when a network interface is renamed from the standard name, such as ethX, to a custom name.
    • ReaR has been fixed to record a correct MAC address of the network interfaces in cases when bonding or teaming is used.
  • ReaR has been fixed to correctly report errors when saving the rescue image. Previously, such errors resulted only in creation of unusable rescue images. As a result of the fix, ReaR now fails in such cases, so the problem can be properly investigated.
  • The computation of disk layout for disks with a logical sector size different from 512 bytes has been fixed.
  • ReaR now properly sets the bootlist during a restore on IBM Power Systems that use more than one bootable disk.
  • ReaR now properly excludes its temporary directory from backup when an alternate temporary directory is specified using the TMPDIR environment variable.
  • ReaR now depends on the xorriso packages instead of on the genisoimage package for ISO image generation. This makes it possible to create an image with a file larger than 4 GB, which occurs especially when creating an image with an embedded backup.

(BZ#1652828, BZ#1652853, BZ#1631183, BZ#1610638, BZ#1426341, BZ#1655956, BZ#1462189, BZ#1700807)

tuned rebased to version 2.11

The tuned packages have been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version, notably:

  • Support for boot loader specification (BLS) has been added. (BZ#1576435)
  • The mssql profile has been updated. (BZ#1660178)
  • The virtual-host profile has been updated. (BZ#1569375)
  • A range feature for CPU exclusion has been added. (BZ#1533908)
  • Profile configuration now automatically reloads when the tuned service detects the hang-up signal (SIGHUP). (BZ#1631744)

For full list of changes see the upstream git log:


New packages: xorriso

Xorriso is a program for creating and manipulating ISO 9660 images, and for writing CD-ROMs or DVD-ROMs. The program includes the xorrisofs command, which is a recommended replacement for the genisoimage utility. The xorrisofs command has a compatible interface with genisoimage, and provides multiple enhancements over genisoimage. For example, with xorrisofs, maximum file size is no longer limited to 4 GB. Xorriso is suitable for backups, and it is used by Relax-and-Recover (ReaR), a recovery and system migration utility.


4.12. Storage

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

DIF/DIX is not supported on the following configurations:

  • It is not supported for use on the boot device.
  • It is not supported on virtualized guests.
  • Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.

DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.

For further information on the DIF/DIX feature, see What is DIF/DIX.


New scan_lvs configuration setting

A new lvm.conf configuration file setting, scan_lvs, has been added and set to 0 by default. The new default behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top of LVs.

Layering PVs on top of LVs can occur by way of VM images placed on top of LVs, in which case it is not safe for the host to access the PVs. Avoiding this unsafe access is the primary reason for the new default behavior. Also, in environments with many active LVs, the amount of device scanning done by LVM can be significantly decreased.

The previous behavior can be restored by changing this setting to 1.


4.13. System and Subscription Management

The web console rebased to version 195

The web console, provided by the cockpit packages, has been upgraded to version 195, which provides a number of new features and bug fixes.

The cockpit packages distributed in the Base channel of RHEL 7 include the following features:

  • You can now open individual ports for services in the firewall.
  • The firewall page now enables adding and removing firewall zones and adding services to a specific zone.
  • Cockpit can now help you with enabling certain security vulnerability mitigations, starting with the disabling SMT (Simultaneous Multi-Threading) option.

The cockpit packages distributed in the Extras channel of RHEL 7 have been updated to version 151.1, which provides the following additional features:

  • You can now add an iSCSI direct target as a storage pool for your virtual machines.
  • Notifications about virtual machines have been streamlined and use a common presentation now.
  • You can select encryption type separately from the file system.

With this update, support for the Internet Explorer browser has been removed from the RHEL 7 web console. Attempting to open the web console in Internet Explorer now displays an error screen with a list of recommended browsers that can be used instead.


4.14. Virtualization

virt-v2v can now convert SUSE Linux VMs

You can now use the virt-v2v utility to convert virtual machines (VMs) that use SUSE Linux Enterprise Server (SLES) and SUSE Linux Enterprise Desktop (SLED) guest operating systems (OSs) from non-KVM hypervisors to KVM.

Note that the conversion is only supported for SLES or SLED guest OSs version 11 Service Pack 4 or later. In addition, SLES 11 and SLED 11 VMs that use X graphics need to be re-adjusted after the conversion for the graphics to work properly. To do so, use the sax2 distribution tool in the guest OS after the migration is finished.


virt-v2v can now use vmx configuration files to convert VMware guests

The virt-v2v utility now includes the vmx input mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the -it ssh parameter.


virt-v2v converts VMWare guests faster and more reliably

The virt-v2v utility can now use the VMWare Virtual Disk Development Kit (VDDK) to convert a VMWare guest virtual machine to a KVM guest. This enables virt-v2v to connect directly to the VMWare ESXi hypervisor, which improves the speed and reliability of the conversion.

Note that this conversion import method requires the external nbdkit utility and its VDDK plug-in.


virt-v2v can convert UEFI guests for RHV

Using the virt-v2v utility, it is now possible to convert virtual machines that use the UEFI firmware to run in Red Hat Virtualization (RHV).


virt-v2v removes VMware Tools more reliably

This update makes it more likely that the virt-v2v utility automatically attempts to remove VMware Tools software from a VMware virtual machine that virt-v2v is converting to KVM. Notably, virt-v2v now attempts to remove VMWare Tools in the following scenarios:

  • When converting Windows virtual machines.
  • When VMMware Tools were installed on a Linux virtual machine from a tarball.
  • When WMware Tools were installed as open-vm-tools.


4.15. Atomic Host and Containers

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.

4.16. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.


Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.

See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.