Chapter 4. New Features

This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.

4.1. General Updates

Smart-card sharing is now supported on Windows guests with ActivClient drivers

This update adds support for smart-card sharing in virtual machines (VMs) that use a Windows guest OS and ActivClient drivers. This enables smart-card authentication for user logins using emulated or shared smart cards on these VMs.

(BZ#917867)

4.2. Authentication and Interoperability

The ipa-client-automount utility now supports setting an NFS domain that differs from the IdM domain

This enhancement adds the --idmap-domain option to the ipa-client-automount utility. Previously, ipa-client-automount assumed that the NFS domain is the same as the Identity Management (IdM) domain, but this is not always the case. As a result, you can now specify an NFS domain that is different from the IdM domain.

The ipa-client-automount utility now behaves as follows:

  • If the --idmap-domain option is not set, ipa-client-automount uses the IdM domain as the NIS domain.
  • If the domain passed to --idmap-domain is set to DNS, ipa-client-automount removes the value specified in the Domain parameter in the /etc/idmapd.conf file, and the idmapd service auto-detects the domain.
  • If the domain passed to --idmap-domain does not match the DNS domain, ipa-client-automount sets the specified value in the Domain parameter in the /etc/idmapd.conf file.
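A post-run check for the behavior listed above, added here as an example and not taken from Red Hat documentation or the ipa-client-automount code. The function names idmap_domain and check_idmap are hypothetical; the second argument is the value that was passed to --idmap-domain.

```shell
#!/bin/sh
# Added example: confirm that an idmapd.conf file matches the value given to
# ipa-client-automount --idmap-domain. Function names are hypothetical.

# Print the Domain value from the [General] section, or nothing if unset.
idmap_domain() {
    awk '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        /^[ \t]*\[/   { sec = $0; gsub(/[ \t]/, "", sec); next }
        sec == "[General]" && /^[ \t]*Domain[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }' "$1"
}

# check_idmap FILE EXPECTED
# EXPECTED is "DNS" (Domain must be absent so that idmapd auto-detects it)
# or the domain name that the Domain parameter must carry.
check_idmap() {
    found=$(idmap_domain "$1") || return 2
    if [ "$2" = DNS ]; then
        [ -z "$found" ] && return 0
        echo "Domain is pinned to '$found'; expected auto-detection" >&2
        return 1
    fi
    # DNS domain names are case-insensitive, so compare in lower case.
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    have=$(printf '%s' "$found" | tr 'A-Z' 'a-z')
    [ "$want" = "$have" ] && return 0
    echo "Domain is '${found:-<unset>}'; expected '$2'" >&2
    return 1
}

# Stand-alone use: script.sh /etc/idmapd.conf nfs.example.com
if [ "$#" -eq 2 ]; then
    check_idmap "$1" "$2"
fi
```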

(BZ#1733209)

samba rebased to version 4.10.4

The samba packages have been upgraded to upstream version 4.10.4, which provides a number of bug fixes and enhancements over the previous version:

  • Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any runtime support for Python 2.
  • The JavaScript Object Notation (JSON) logging feature now logs the Windows event ID and logon type for authentication messages.
  • The new vfs_glusterfs_fuse file system in user space (FUSE) module improves the performance when Samba accesses a GlusterFS volume. To enable this module, add glusterfs_fuse to the vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing vfs_glusterfs module.
  • The server message block (SMB) client Python bindings are now deprecated and will be removed in a future Samba release. This only affects users who use the Samba Python bindings to write their own utilities.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
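A pre-start backup with integrity verification, added here as an example and not taken from Red Hat or Samba documentation. It assumes the Samba daemons are stopped and that the tdb files sit under a directory such as /var/lib/samba (an assumption; confirm the paths on your system); backup_tdb is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: copy every *.tdb file under SRC to DEST and verify the
# copies before the smbd, nmbd, or winbind service is started again.
# Assumes the daemons are stopped. backup_tdb is a hypothetical name.

backup_tdb() {
    src=${1%/}; dest=${2%/}
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dest" || return 1
    # The backup holds credential databases (for example secrets.tdb),
    # so keep the directory readable by its owner only.
    chmod 700 "$dest" || return 1
    # Checksum the sources first; relative paths keep subdirectories apart.
    ( cd "$src" && find . -type f -name '*.tdb' -exec sha256sum {} + ) \
        > "$dest/MANIFEST.sha256" || return 1
    [ -s "$dest/MANIFEST.sha256" ] || {
        echo "no .tdb files under $src" >&2; return 3; }
    # Copy each file, preserving mode and timestamps.
    ( cd "$src" && find . -type f -name '*.tdb' ) | while IFS= read -r rel; do
        mkdir -p "$dest/$(dirname "$rel")" || exit 1
        cp -p "$src/$rel" "$dest/$rel" || exit 1
    done || return 1
    # Verify the copies against the manifest.
    ( cd "$dest" && sha256sum -c MANIFEST.sha256 >/dev/null ) || return 1
    # Report how many databases were saved.
    wc -l < "$dest/MANIFEST.sha256" | tr -d ' '
}

# Stand-alone use: script.sh /var/lib/samba /root/samba-tdb-backup
if [ "$#" -eq 2 ]; then
    backup_tdb "$1" "$2"
fi
```

For databases that are still in use, the tdbbackup utility is the safer way to take a copy.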

For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.10.0.html

(BZ#1724991)

4.3. Clustering

Default value of Pacemaker concurrent-fencing cluster property now set to true

Pacemaker now defaults the concurrent-fencing cluster property to true. If multiple nodes need to be fenced at the same time and they use different configured fence devices, Pacemaker will execute the fencing simultaneously rather than serialized as before. This can greatly speed up recovery in a large cluster when multiple nodes must be fenced.

(BZ#1710422)

Pacemaker support for configuring resources to remain stopped on clean node shutdown

When a cluster node shuts down, Pacemaker’s default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures, and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now use clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring Resources to Remain Stopped on Clean Node Shutdown.

(BZ#1781820)

4.4. Compiler and Tools

Optimized implementation of SHA-2 operations on IBM PowerPC systems

This update adds an assembly code implementation of SHA-2 operations on IBM PowerPC systems, which significantly improves performance.

(BZ#1498932)

OpenJDK now also supports secp256k1

Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and also supports the secp256k1 curve.

(BZ#1746874)

4.5. Desktop

Modified workspace switcher in GNOME Classic

The workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails.

Switching between workspaces is possible by clicking on the required thumbnail. Alternatively, you can also use the Ctrl + Alt + ↑ and Ctrl + Alt + ↓ keyboard shortcuts to switch between workspaces. The content of the active workspace is shown in the left part of the bottom bar in the form of the window list.

When you press the Super key within a particular workspace, you can see the window picker, which includes all windows that are open in this workspace. However, the window picker no longer displays the following elements that were available in the previous release of RHEL:

  • dock (vertical bar on the left side of the screen)
  • workspace switcher (vertical bar on the right side of the screen)
  • search entry

For particular tasks that were previously achieved with the help of these elements, adopt the following approaches:

  • To launch applications, instead of using the dock, you can:

    • Use the Applications menu on the top bar
    • Press the Alt + F2 keys to make the Enter a Command screen appear, and write the name of the executable into this screen.
  • To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar.
  • If you require the search entry or the vertical workspace switcher, use the GNOME Standard environment instead of GNOME Classic.

(BZ#1720286)

GNOME now warns against a root graphical login

With this update, GNOME now displays a warning notification if you log into a graphical session as the root user.

Logging into a graphical session as root causes serious and unexpected issues, is non-secure, and is against Unix principles.

(BZ#1539772)

4.6. Hardware Enablement

Aero adapters are now fully supported

The following Aero adapters, previously available as a Technology Preview, are now fully supported:

  • PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver
  • PCI ID 0x1000:0x10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver

(BZ#1660791, BZ#1660289)

4.7. Installation and Booting

RHEL 7.8 now supports blueprint customizations

With this enhancement, RHEL 7.8 now supports a set of image customizations within blueprints when using the CLI. To make use of these customizations, you must configure them in the blueprint and import (push) to Image Builder. As a result, you are able to add specifications for your system.

(BZ#1718473)

4.8. Kernel

Kernel version in RHEL 7.9 Beta

Red Hat Enterprise Linux 7.9 Beta is distributed with the kernel version 3.10.0-1136.

See also Important Changes to External Kernel Parameters and Device Drivers.

(BZ#1801759)

FUSE file system can be used inside of a user namespace

RHEL 7 now enables users to mount the Filesystem in Userspace (FUSE) based filesystems inside of the user namespace. As a result, users are able to use the fuse-overlayfs command inside of rootless containers that were created with Buildah or Podman utilities.

(BZ#1713642)

ipcmin_extend increases the number of unique System V IPC identifiers

A new kernel command line parameter ipcmin_extend increases the number of unique System V Interprocess Communication (IPC) identifiers from 32,768 to 16,777,216. As a result, users with applications that exceed 32,768 unique System V IPC identifiers can add ipcmin_extend to port the relevant applications to RHEL without a major redesign.

(BZ#1373519)

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.8. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For instructions on installing Intel Omni-Path Architecture documentation, see: https://cdrdv2.intel.com/v1/dl/getContent/620007

(BZ#1808458)

4.9. Real-Time Kernel

kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been upgraded to the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

(BZ#1708718)

4.10. Red Hat Enterprise Linux System Roles

A new storage role added to RHEL System Roles

The storage role has been added to RHEL System Roles provided by the rhel-system-roles package, which is available in the RHEL 7 Extras repository.

The storage role can be used to manage local storage using Ansible. Currently, the storage role supports the following types of tasks:

  • Managing file systems on whole disks
  • Managing LVM volume groups
  • Managing logical volumes and their file systems

For more information, see the Knowledgebase article about RHEL System Roles.

(BZ#1410996)

4.11. Security

SCAP Security Guide now provides OSPP 4.2.1 and NCP Profiles

The OSPP (Protection Profile for General Purpose Operating Systems) profile has been updated, and it now conforms to OSPP 4.2.1 baseline. The profile with the ospp42 ID has been merged to the OSPP profile. Administrators should switch systems using the ospp42 profile to ospp because ospp42 is no longer a valid ID.

Additionally, the NCP (NIST National Checklist Program Security Guide) profile with the ncp ID has been introduced. The NCP profile conforms to the OSPP 4.2.1 and implements configuration requirements of additional policies, in particular CNSSI 1253, NIST 800-171, NIST 800-53, USGCB, and OS SRG.

(BZ#1691336)

SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.

(BZ#1755192)

SCAP Security Guide now correctly disables services

With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. Before this change, SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. Masking guarantees that disabled services are not inadvertently started as a dependency of another service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
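An audit of the difference between a disabled and a masked unit, added here as an example and not part of the SCAP Security Guide content. It reads unit-file symlinks under /etc/systemd/system relative to a root directory, so it also works on a mounted image; runtime masks under /run are not inspected, and the function names and sample unit names are assumptions.

```shell
#!/bin/sh
# Added example: report whether units are masked, enabled, or only disabled
# by inspecting unit-file symlinks. Function names are hypothetical.

# unit_state ROOT UNIT: print masked, enabled, or disabled.
unit_state() {
    etc="${1%/}/etc/systemd/system"
    # Masking links the unit name to /dev/null, so nothing can start it,
    # including another unit that pulls it in as a dependency.
    if [ -L "$etc/$2" ] && [ "$(readlink "$etc/$2")" = /dev/null ]; then
        echo masked
        return 0
    fi
    # Enabling creates symlinks in *.wants/ or *.requires/ directories.
    for link in "$etc"/*.wants/"$2" "$etc"/*.requires/"$2"; do
        if [ -L "$link" ]; then
            echo enabled
            return 0
        fi
    done
    # Neither: not started at boot, but still startable on demand.
    echo disabled
}

# audit_units ROOT UNIT...: list each unit's state and return non-zero
# unless every listed unit is masked.
audit_units() {
    root=$1; shift
    rc=0
    for unit in "$@"; do
        state=$(unit_state "$root" "$unit")
        printf '%s\t%s\n' "$unit" "$state"
        [ "$state" = masked ] || rc=1
    done
    return $rc
}

# Stand-alone use: script.sh / rpcbind.service autofs.service
if [ "$#" -ge 2 ]; then
    audit_units "$@"
fi
```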

(BZ#1791583)

SCAP Security Guide rebased to version 0.1.46

The SCAP Security Guide (SSG) packages have been upgraded to version 0.1.46, which provides enhancements and bug fixes over the previous version, most notably:

  • SSG now provides content that follows guidelines conforming to the SCAP 1.3 standard. The 1.3 data streams are compatible with OpenSCAP and used by default.

Note that you can still use content suffixed with -1.2 if you require the use of SCAP 1.2 data streams, as this data moved to the "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml" path. The new 1.3 data stream is located in the usual path.

(BZ#1726698)

SCAP Security Guide now supports scanning RHEL 8 systems from RHEL 7

The scap-security-guide package now contains SCAP content and Ansible playbooks for RHEL 8. This enables you to scan RHEL 8 systems and containers from a RHEL 7 environment.

(BZ#1777862)

selinux-policy now allows tomcat processes to connect to redis database

This update of selinux-policy packages introduces rules that allow the tomcat_t domain to connect to ports labeled redis_port_t when the tomcat_can_network_connect_db SELinux boolean is enabled. You can now use this boolean to allow tomcat_t to access several databases, which was not previously supported for redis processes.

(BZ#1687497)

sysadm_u users can now log in to graphical sessions

Previously, Linux users mapped to the sysadm_u SELinux user were unable to log in to graphical sessions. The SELinux policy has been updated to allow these users to use graphical sessions while conforming to DISA STIG requirements. If the xdm_sysadm_login Boolean is enabled, the sysadm_u user can now successfully log in to an X Window System session from the GNOME Display Manager.

(BZ#1727379)

4.12. Servers and Services

An option for rsyslog to preserve case of FROMHOST for imudp and imtcp is available

This update to the rsyslog service introduces the option to manage letter-case preservation of the FROMHOST property for the imudp and imtcp modules. Setting the preservecase value to on means the FROMHOST property is handled in a case sensitive manner. To avoid breaking existing configurations, the default values of preservecase are on for imtcp and off for imudp.

(BZ#1309698)

4.13. Storage

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

DIF/DIX is not supported on the following configurations:

  • It is not supported for use on the boot device.
  • It is not supported on virtualized guests.
  • Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.

DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.

For further information on the DIF/DIX feature, see What is DIF/DIX.

(BZ#1649493)

NVMe/FC is now fully supported in Qlogic HBAs

The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Qlogic Fibre Channel (FC) host bus adapters (HBAs), which use the qla2xxx driver.

NVMe/FC is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in Red Hat Enterprise Linux.

NVMe/FC provides a higher-performance, lower-latency I/O protocol over existing FC infrastructure. This is especially important with solid-state storage arrays, because it allows the performance benefits of NVMe storage to be passed through the fabric transport, rather than being encapsulated in a different protocol, SCSI.

Note that since Red Hat Enterprise Linux 7.6, NVMe/FC is also fully supported with Broadcom Emulex Fibre Channel 32Gbit adapters using the lpfc driver.

(BZ#1642968)

4.14. Atomic Host and Containers

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.

4.15. Red Hat Software Collections

Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.

See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.