Chapter 4. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.
4.1. General Updates
Smart-card sharing is now supported on Windows guests with ActivClient drivers
This update adds support for smart-card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart-card authentication for user logins using emulated or shared smart cards on these VMs.
4.2. Authentication and Interoperability
ipa-client-automount utility now supports setting an NFS domain that differs from the IdM domain
This enhancement adds the --idmap-domain option to the ipa-client-automount utility. Previously, ipa-client-automount assumed that the NFS domain is the same as the Identity Management (IdM) domain, but this is not always the case. As a result, you can now specify an NFS domain that is different from the IdM domain.
The ipa-client-automount utility now behaves as follows:
- If the --idmap-domain option is not set, ipa-client-automount uses the IdM domain as the NIS domain.
- If the domain passed to --idmap-domain is set to
  ipa-client-automount removes the value specified in the Domain parameter in the /etc/idmapd.conf file, and the idmapd service auto-detects the domain.
- If the domain passed to --idmap-domain does not match the DNS domain, ipa-client-automount sets the specified value in the Domain parameter in the
samba rebased to version 4.10.4
The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:
- Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any runtime support for Python 2.
- The vfs_glusterfs_fuse file system in user space (FUSE) module improves the performance when Samba accesses a GlusterFS volume. To enable this module, add
  vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing
- The server message block (SMB) client Python bindings are now deprecated and will be removed in a future Samba release. This only affects users who use the Samba Python bindings to write their own utilities.
Samba automatically updates its tdb database files when the winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.10.0.html
Default value of Pacemaker concurrent-fencing cluster property now set to true
Pacemaker now defaults the concurrent-fencing cluster property to true. If multiple nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker will execute the fencing simultaneously rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.
Pacemaker support for configuring resources to remain stopped on clean node shutdown
When a cluster node shuts down, Pacemaker's default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring Resources to Remain Stopped on Clean Node Shutdown.
4.4. Compiler and Tools
Optimized implementation of SHA-2 operations on IBM PowerPC systems
This update adds an assembly code implementation of SHA-2 operations on IBM PowerPC systems, which significantly improves performance.
OpenJDK now also supports secp256k1
Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and also supports the secp256k1 curve.
Modified workspace switcher in GNOME Classic
Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails.
Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the Ctrl + Alt + ↑ and Ctrl + Alt + ↓ keyboard shortcuts to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in the form of the window list.
When you press the Super key within the particular workspace, you can see the window picker, which includes all windows that are open in this workspace. However, the window picker no longer displays the following elements that were available in the previous release of RHEL:
- dock (vertical bar on the left side of the screen)
- workspace switcher (vertical bar on the right side of the screen)
- search entry
For particular tasks that were previously achieved with the help of these elements, adopt the following approaches:
- To launch applications, instead of using dock, you can:
  - Use the Applications menu on the top bar
  - Press the Alt + F2 keys to make the Enter a Command screen appear, and write the name of the executable into this screen.
- To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar.
- If you require the search entry or the vertical workspace switcher, use the GNOME Standard environment instead of GNOME Classic.
GNOME now warns against a root graphical login
With this update, GNOME now displays a warning notification if you log into a graphical session as the root user.
Logging into a graphical session as root causes serious and unexpected issues, is non-secure, and is against Unix principles.
4.6. Hardware Enablement
Aero adapters are now fully supported
The following Aero adapters, previously available as a Technology Preview, are now fully supported:
- PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the
- PCI ID 0x1000:0x10e5 and 0x1000:0x10e6, controlled by the
4.7. Installation and Booting
RHEL 7.8 now supports blueprint customizations
With this enhancement, RHEL 7.8 now supports a set of image customizations within blueprints when using the CLI. To make use of these customizations, you must configure them in the blueprint and import (push) to Image Builder. As a result, you are able to add specifications for your system.
Kernel version in RHEL 7.9 Beta
Red Hat Enterprise Linux 7.9 Beta is distributed with the kernel version 3.10.0-1136.
FUSE file system can be used inside of a user namespace
RHEL 7 now enables users to mount Filesystem in Userspace (FUSE) based file systems inside of a user namespace. As a result, users are able to use the fuse-overlayfs command inside of rootless containers that were created with the Buildah or Podman utilities.
ipcmin_extend increases the number of unique System V IPC identifiers
A new kernel command line parameter, ipcmin_extend, increases the number of unique System V Interprocess Communication (IPC) identifiers from 32,768 to 16,777,216. As a result, users with applications that exceed 32,768 unique System V IPC identifiers can add ipcmin_extend to port the relevant applications to RHEL without a major redesign.
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For instructions on installing Intel Omni-Path Architecture documentation, see: https://cdrdv2.intel.com/v1/dl/getContent/620007
4.9. Real-Time Kernel
kernel-rt source tree now matches the latest RHEL 7 tree
The kernel-rt sources have been upgraded to the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
4.10. Red Hat Enterprise Linux System Roles
storage role added to RHEL System Roles
The storage role has been added to RHEL System Roles provided by the rhel-system-roles package, which is available in the RHEL 7 Extras repository. The storage role can be used to manage local storage using Ansible. Currently, the storage role supports the following types of tasks:
- Managing file systems on whole disks
- Managing LVM volume groups
- Managing logical volumes and their file systems
For more information, see the Knowledgebase article about RHEL System Roles.
SCAP Security Guide now provides OSPP 4.2.1 and NCP Profiles
The OSPP (Protection Profile for General Purpose Operating Systems) profile has been updated, and it now conforms to the OSPP 4.2.1 baseline. The profile with the ospp42 ID has been merged to the OSPP profile. Administrators should switch systems using the ospp42 profile to
ospp42 is no longer a valid ID.
Additionally, the NCP (NIST National Checklist Program Security Guide) profile with the ncp ID has been introduced. The NCP profile conforms to OSPP 4.2.1 and implements configuration requirements of additional policies, in particular CNSSI 1253, NIST 800-171, NIST 800-53, USGCB, and OS SRG.
SCAP Security Guide now supports ACSC Essential Eight
The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite to check security compliance and to remediate against this specification of minimum security controls defined by ACSC.
SCAP Security Guide now correctly disables services
With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
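Whether a service that must stay off is masked, or only disabled, can be checked from the systemd unit-file listing. The following is an added example, not part of the Red Hat release notes or of the SSG content; the service names, the required-off list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report services that a hardening policy requires to be off
# but that are not masked. A unit that is only "disabled" can still be pulled
# in as a dependency of another unit; a "masked" unit cannot be started at all.
#
# Input format: the two-column output (UNIT FILE, STATE) of
#   systemctl list-unit-files --type=service --no-legend

# unmasked_services LISTING SERVICE...
# Prints "unit state" for each named service whose unit file is present in
# LISTING with any state other than "masked". "masked-runtime" is reported
# too, because a runtime mask does not persist across a reboot.
unmasked_services() {
    listing=$1
    shift
    for svc in "$@"; do
        printf '%s\n' "$listing" | awk -v unit="$svc.service" '
            $1 == unit && $2 != "masked" { print $1, $2 }'
    done
}

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING='autofs.service    masked
rpcbind.service   disabled
kdump.service     masked
telnet.service    static
sshd.service      enabled'

# Constructed list of services a hypothetical policy requires to be off.
REQUIRED_OFF="autofs rpcbind kdump telnet"

# Runs the audit over the constructed sample data.
audit_sample() {
    # Word splitting of REQUIRED_OFF into separate arguments is intended.
    # shellcheck disable=SC2086
    unmasked_services "$SAMPLE_LISTING" $REQUIRED_OFF
}

# On a live host, pass the real listing instead of the sample:
#   unmasked_services "$(systemctl list-unit-files --type=service --no-legend)" autofs rpcbind
audit_sample
```

Any line the function prints names a unit that is off by configuration but can still be started without an explicit unmask.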
SCAP Security Guide rebased to version 0.1.46
SCAP Security Guide (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:
- SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default.
Note that you can still use content suffixed with -1.2 if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.
SCAP Security Guide now supports scanning RHEL 8 systems from RHEL 7
The scap-security-guide package now contains SCAP content and Ansible playbooks for RHEL 8. This enables you to scan RHEL 8 systems and containers from a RHEL 7 environment.
selinux-policy now allows tomcat processes to connect to
This update of selinux-policy packages introduces rules that allow the tomcat_t domain to connect to ports labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. You can now use this boolean to allow tomcat_t to access several databases, which was not previously supported for
sysadm_u users can now log in to graphical sessions
Previously, Linux users mapped to the sysadm_u SELinux user were unable to log in to graphical sessions. The SELinux policy has been updated to allow these users to use graphical sessions while conforming to DISA STIG requirements. If the xdm_sysadm_login Boolean is enabled, the sysadm_u user can now successfully log in to an X Window System session from the GNOME Display Manager.
4.12. Servers and Services
An option for rsyslog to preserve case of imtcp is available
This update to the rsyslog service introduces the option to manage letter-case preservation of the FROMHOST property for the imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case-sensitive manner. To avoid breaking existing configurations, the default values of
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
NVMe/FC is now fully supported in Qlogic HBAs
The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Qlogic Fibre Channel (FC) host bus adapters (HBAs), which use the
NVMe/FC is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.
NVMe/FC provides a higher-performance, lower-latency I/O protocol over existing FC infrastructure. This is especially important with solid-state storage arrays, because it allows the performance benefits of NVMe storage to be passed through the fabric transport, rather than being encapsulated in a different protocol, SCSI.
Note that since Red Hat Enterprise Linux 7.6, NVMe/FC is also fully supported with Broadcom Emulex Fibre Channel 32Gbit adapters using the
4.14. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.
4.15. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.