Chapter 3. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.9.
3.1. Authentication and Interoperability
The Certificate Profiles extension no longer has a maximum number of policies per certificate
Previously, administrators could not add more than 20 policies to a certificate because of a hardcoded limit within the Certificate Profiles extension. This update removes the restriction, so you can add an unlimited number of policies to a certificate. In addition, the extension requires at least one policy, otherwise the pkiconsole interface shows an error. If you modify the profile, the extension creates one empty policy. For example:
Identifier: Certificate Policies: - 220.127.116.11
            Critical: no
            Certificate Policies:
SSSD rebased to version 1.16.5
The sssd packages have been upgraded to upstream version 1.16.5, which provides a number of bug fixes and enhancements over the previous version.
pacemaker rebased to version 1.1.23
The Pacemaker cluster resource manager has been upgraded to upstream version 1.1.23, which provides a number of bug fixes.
3.3. Compiler and Tools
Per-thread metrics are now available for historical analysis
Optionally, enable logging of the per-process performance metric values in the Performance Co-Pilot (PCP) using the pcp-zeroconf package and pmieconf utility. Previously, only the per-process metric values were logged by pmlogger through the pcp-zeroconf package, but some analysis situations also require per-thread values. As a result, the per-thread metrics are now available for historical analysis, after executing the following command:
# pmieconf -c enable zeroconf.all_threads
FreeRDP has been updated to 2.1.1
This release updates the FreeRDP implementation of the Remote Desktop Protocol (RDP) from version 2.0.0 to 2.1.1. FreeRDP 2.1.1 supports new RDP options for the current Microsoft Windows terminal server version and fixes several security issues.
For detailed information about FreeRDP 2.1.1, see the upstream release notes: https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog.
Kernel version in RHEL 7.9
Red Hat Enterprise Linux 7.9 is distributed with the kernel version 3.10.0-1160.
A new kernel parameter:
Page owner tracking is a new functionality that enables users to observe kernel memory consumption at the page allocator level. Users can employ this functionality to debug kernel memory leaks, or to discover kernel modules that consume excessive amounts of memory. To enable the feature, add the page_owner=on parameter to the kernel command-line. For more information on how to set the kernel command-line parameters, see the Configuring kernel command-line parameters on the Customer Portal.
Regardless of the page_owner parameter setting ( off) to the kernel command-line, usage of the page owner tracking adds approximately 2.14% additional memory requirement on RHEL 7.9 systems (impacts the kernel, VM, or cgroup). For further details on this topic, see the Why Kernel-3.10.0-1160.el7 consumes double amount of memory compared to kernel-3.10.0-1127.el7? Solution.
For more information about important changes to kernel parameters, see the New kernel parameters section.
EDAC driver support is now added to Intel ICX systems
This update adds the Error Detection and Correction (EDAC) driver to Intel ICX systems. As a result, memory errors can be detected on these systems and reported to the EDAC subsystem.
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.9. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For instructions on installing Intel Omni-Path Architecture documentation, see: https://cdrdv2.intel.com/v1/dl/getContent/630393
The Mellanox ConnectX-6 Dx network adapter is now fully supported
This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a technology preview, is now fully supported in RHEL 7.9.
3.6. Real-Time Kernel
kernel-rt source tree now matches the latest RHEL 7 tree
The kernel-rt sources have been updated to use the latest RHEL kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
3.7. Red Hat Enterprise Linux System Roles
The rhel-system-roles package has been updated to provide multiple bug fixes and enhancements. Notable changes include:
- 802.1X authentication with EAP-TLS was added for the network RHEL System Role when using the NetworkManager provider. As a result, customers can now configure their machines to use 802.1X authentication with EAP-TLS using the network RHEL System Role instead of having to use the
- The network RHEL System Role tries to modify a link or network attributes without disrupting the connectivity, when possible.
- The logging in network module logs has been fixed so that informative messages are no longer printed as warnings, but as debugging information.
- The network RHEL System Role now uses NetworkManager's capability to revert changes if an error occurs when applying the configuration, to avoid partial changes.
SCAP Security Guide now provides a profile aligned with the CIS RHEL 7 Benchmark v2.2.0
With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 7 Benchmark v2.2.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 7 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.
Note that the rpm_verify_permissions rule in the CIS profile does not work correctly. See the known issue description rpm_verify_permissions fails in the CIS profile.
SCAP Security Guide now correctly disables services
With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
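To audit the difference described above on a host, the following added example (not part of the Red Hat release notes or of SCAP Security Guide) classifies services from `systemctl list-unit-files` output and flags those that are only disabled and so can still be started as a dependency. The function name, the service list, and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag services that must stay off but are only "disabled".
# A disabled unit can still be started as a dependency of another unit;
# a masked unit cannot be started until it is unmasked.

# Usage: audit_unit_states "svc1 svc2 ..." < unit-file listing
# The listing is the two-column output of:
#   systemctl list-unit-files --type=service --no-legend
# Prints "<unit> <verdict>" per requested service.
# Returns 0 only if every requested service is masked or not installed.
audit_unit_states() {
    awk -v want="$1" '
        BEGIN { n = split(want, names, " ") }
        { state[$1] = $2 }              # column 1: unit file, column 2: state
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                u = names[i] ".service"
                s = (u in state) ? state[u] : "absent"
                if (s == "masked") v = "ok-masked"
                else if (s == "absent") v = "ok-not-installed"
                else if (s == "disabled") { v = "weak-disabled-only"; bad = 1 }
                else { v = "fail-" s; bad = 1 }
                print u, v
            }
            exit bad
        }'
}

# Constructed sample listing (not captured from a real system).
SAMPLE='autofs.service    disabled
kdump.service     masked
sshd.service      enabled'

# Demonstration on the constructed sample; on a live host, pipe in
# systemctl list-unit-files --type=service --no-legend instead.
printf '%s\n' "$SAMPLE" | audit_unit_states "autofs kdump telnet" ||
    echo "at least one service is not masked"
```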
The RHEL 7 STIG security profile updated to version V3R1
With the RHBA-2020:5451 advisory, the DISA STIG for Red Hat Enterprise Linux 7 profile in the SCAP Security Guide has been updated to the latest version V3R1. This update adds more coverage and fixes reference problems. The profile is now also more stable and better aligns with the RHEL7 STIG benchmark provided by the Defense Information Systems Agency (DISA).
You should use only the current version of this profile because the older versions of this profile are no longer valid. The OVAL checks for several rules have changed, and scans using the V3R1 version will fail for systems that were hardened using older versions of SCAP Security Guide. You can fix the rules automatically by running the remediation with the new version of SCAP Security Guide.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
The following rules have been changed:
The default value of this SSHD configuration has changed from
yes. You must now provide a value according to recommendations. Check the rule description for information about fixing this problem or run the remediation to fix it automatically.
3.9. Servers and Services
compat-unixODBC234 for SAP
The compat-unixODBC234 package provides version 2.3.4 of unixODBC, a framework that supports accessing databases through the ODBC protocol. This new package is available in the RHEL 7 for SAP Solutions sap-hana repository to enable streaming backup of an SAP HANA database using the SAP backint interface. For more information, see Overview of the Red Hat Enterprise Linux for SAP Solutions subscription.
The compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing
This package is also available for Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Extended Update Support, and Red Hat Enterprise Linux 7.7 Extended Update Support through the RHEA-2020:2178 advisory.
MariaDB rebased to version 5.5.68
With RHEL 7.9, the MariaDB database server has been updated to version 5.5.68. This release provides multiple security and bug fixes from the recent upstream maintenance releases.
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
3.11. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.
Red Hat Enterprise Linux Atomic Host is retired as of August 6, 2020 and active support is no longer provided.
3.12. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.