Oracle is pleased to announce the general availability of the Unbreakable Enterprise Kernel Release 6 for Oracle Linux.
The Unbreakable Enterprise Kernel (UEK) for Oracle Linux provides the latest open source innovations and business-critical performance and security optimizations for cloud and on-premise deployment. It is the Linux kernel that powers Oracle Gen 2 Cloud and Oracle Engineered Systems such as Oracle Exadata Database Machine. Oracle Linux with UEK is available on the x86-64 and 64-bit Arm (aarch64) architectures.
Notable UEK6 new features and enhancements:
- Linux 5.4 kernel: Based on the mainline Linux kernel version 5.4, this release includes many upstream enhancements.
- Arm: Enhanced support for the Arm (aarch64) platform, including improvements in the areas of security and virtualization.
- Cgroup v2: Cgroup v2 functionality was first introduced in UEK R5 to enable the CPU controller functionality. UEK R6 includes all Cgroup v2 features, along with several enhancements.
- ktask: ktask is a framework for parallelizing CPU-intensive work in the kernel. It can be used to speed up large tasks on systems with available CPU power, where a task is single-threaded in user space.
- Parallelized kswapd: Page replacement is handled in the kernel asynchronously by kswapd, and synchronously by direct reclaim. When free pages within the zone free list are low, kswapd scans pages to determine if there are unused pages that can be evicted to free up space for new pages. This optimization improves performance by avoiding direct reclaims, which can be resource intensive and time consuming.
- Kexec firmware signing: The option to check and validate a kernel image signature is enabled in UEK R6. When kexec is used to load a kernel from within UEK R6, kernel image signature checking and validation can be implemented to ensure that a system only loads a signed and validate kernel image.
- Memory management: Several performance enhancements have been implemented in the kernel's memory management code to improve the efficiency of clearing pages and cache, as well as enhancements to fault management and reporting.
- NVDIMM: NVDIMM feature updates have been implemented so that persistent memory can be used as traditional RAM.
- DTrace: DTrace support is enabled and has been re-implemented to use the Berkeley Packet Filter (BPF) that is integrated into the Linux kernel.
- OCFS2: Support for the OCFS2 file system is enabled.
- Btrfs: Support for the Btrfs file system is enabled and support to select Btrfs as a file system type when formatting devices is available
Important UEK6 changes in this release:
The following sections describe the important changes in the Unbreakable Enterprise Kernel Release 6 (UEK R6) relative to UEK R5.
Core Kernel Functionality
- High-performance asynchronous I/O with io_uring: The io_uring is a fast, scalable asynchronous I/O interface for both buffered and unbuffered I/Os. It also supports asynchronous polled I/O. A user space library, liburing, provides basic functionality for applications with helpers to allow applications to easily set up an io_uring instance and submit/complete I/O.
- NVDIMM: Persistent memory can now be used as traditional RAM. Furthermore fixes, were implemented around the security-related commands within libnvdimm that allowed the use of keys where payload data was filled with zero values to allow secure operations to continue to take place where a zero-key is in use.
- Simplified key description management: Keys and keyrings are more namespace aware.
- Zstandard compression: Zstandard compression (zstd) is added to crypto and compress.
- Brtfs: Btrfs continues to be supported. Several improvements and patches have been applied in this update, including support for swap files, ZStandard compression, and various performance improvements.
- ext4: 64-bit timestamps have been added to the superblock fields.
- OCFS2: OCFS2 continues to be supported. Several improvements and patches have been applied in this update, including support for the 'nowait' AIO feature and support on Arm platforms.
- XFS: A new online health reporting infrastructure with user space ioctl provide metadata health status after online fsck. Added support for fallocate swap files and swap files on real-time devices. Various performance improvements have also been made.
- NFS: Performance improvements and enhancements have been made to RPC and the NFS client and server components.
- TLB flushing code is improved to avoid unnecessary flushes and to reduce TLB shootdowns.
- Memory management is enhanced to improve throughput by leveraging clearing of huge pages more optimally.
- Page cache efficiency is improved by using the more efficient Xarray data type.
- Fragmentation avoidance algorithms are improved and compaction and defragmentation times are faster.
- Improvements have been implemented to the handling of Transparent Huge Page faults and to provide better reporting on Transparent Huge Page status.
- TCP Early Departure Time: The TCP stack now uses the Early Departure Time model, instead of the As Fast As Possible model, for sending packets. This brings several performance gains as it resolves a limitation in the original TCP/IP framework, and introduces the scheduled release of packets, to overcome hardware limitations and bottlenecks.
- Generic Receive Offload (GRO): GRO is enabled for the UDP protocol.
- TLS Receive: UEK R5 enabled the kernel to send TLS messages. This release enables the kernel to also receive TLS messages.
- Zero-copy TCP Receive: UEK R5 introduced a zero-copy TCP feature for sending packets to the network. The UEK R6 release enables receive functionality for zero-copy TCP.
- Packet Filtering: nftables is now the default backend for firewall rules. BPF-based networking filtering (bpfilter) is also added in this release.
- Express data path (XDP): XDP is a flexible, minimal, kernel-based packet transport for high speed networking has been added.
- Lockdown mode: Lockdown mode is improved. This release distinguishes between the integrity and confidentiality modes. When Secure Boot is enabled in UEK R6, lockdown integrity mode is enforced by default.
- IBRS: Indirect Branch Restricted Speculation (IBRS) continues to be supported for processors that do not have built-in hardware mitigations for Speculative Execution Side Channel Vulnerabilities.
- Improved protection in world writable directories: UEK R6 discourages spoofing attacks by disallowing the opening of FIFOs or regular files not owned by the user in world writable sticky directories, such as /tmp.
- Arm KASLR: Kernel virtual address randomization is enabled by default for Arm platforms.
- aarch64 pointer authentication: Adds primitives that can be used to mitigate certain classes of memory stack corruption attacks on Arm platforms.
Storage, Virtualization, and Driver Updates
- NVMe: NVMe over Fabrics TCP host and the target drivers have been added. Support for multi-path and passthrough commands has been added.
- VirtIO: The VirtIO PMEM feature adds a VirtIO-based asynchronous flush mechanism and simulates persistent memory to a guest, allowing it to bypass a guest page cache. A VirtIO-IOMMU para-virtualized driver is also added in this release, allowing IOMMU requests over the VirtIO transport without emulating page tables.
- Arm platform: Guests on Arm aarch64 platform systems include pointer authentication (ARM v8.3) and Scalable Vector Extension (SVE) support.
Device drivers: UEK R6 supports a large number of hardware server platforms and devices. In close cooperation with hardware and storage vendors, Oracle has updated several device drivers from the versions in mainline Linux 5.4. A complete list of the driver modules/versions included in UEK R6 is provided in the Release Notes appendix, "Appendix B, Driver Modules in Unbreakable Enterprise Kernel Release 6 (x86_64)".
Security (CVE) Fixes
A full list of CVEs fixed in this release can be found in the Release Notes for the UEK R6.
Supported Upgrade Path
Customers can upgrade existing Oracle Linux 7 and Oracle Linux 8 servers using the Unbreakable Linux Network or the Oracle Linux yum server by pointing to "UEK Release 6" Yum Channel.
Oracle Linux can be downloaded, used, and distributed free of charge and updates and errata are freely available. This allows organizations to decide which systems require a support subscription and makes Oracle Linux an ideal choice for development, testing, and production systems. The user decides which support coverage is the best for each system individually, while keeping all systems up-to-date and secure. Customers with Oracle Linux Premier Support also receive access to zero-downtime kernel updates using Oracle Ksplice.
About Oracle Linux
The Oracle Linux operating environment delivers leading performance, scalability and reliability for business-critical workloads deployed on premise or in the cloud. Oracle Linux is the basis of Oracle Autonomous Linux and runs Oracle Gen 2 Cloud. Unlike many other commercial Linux distributions, Oracle Linux is easy to download and completely free to use, distribute, and update.
Oracle Linux Support offers access to award-winning Oracle support resources and Linux support specialists; zero-downtime updates using Ksplice; additional management tools such as Oracle Enterprise Manager and Spacewalk; and lifetime support, all at a low cost.