Linux containers and Kubernetes container orchestration have emerged as a key open source application packaging and delivery technology, combining lightweight application isolation with the flexibility of image-based deployment methods. Developers have rapidly embraced Linux containers because they simplify and accelerate application deployment, and many Platform-as-a-Service (PaaS) environments are built around containers and Kubernetes technologies, including Red Hat OpenShift®. Red Hat Enterprise Linux 7 implements Linux containers using core technologies such as control groups (cgroups) for resource management, namespaces for process isolation, and SELinux for security, enabling secure multitenancy and reducing the potential for security exploits. The Red Hat container certification ensures that application containers built using Red Hat Enterprise Linux will operate seamlessly across certified container hosts.
CROSS-REALM KERBEROS TRUST
Identity management in Red Hat Enterprise Linux can now establish cross-realm trust with Microsoft Active Directory. Synchronization between the two identity stores is not needed. This capability makes it possible for users with Active Directory credentials to access Linux resources without additional identity authentication, so that single sign-on functionality exists across Microsoft Windows and Linux domains.
Realmd discovers information about the domain or realm automatically and simplifies the configuration needed to join it. Realmd works with Microsoft Active Directory and Red Hat Enterprise Linux identity management.
Performance Co-Pilot is a new framework for system-wide performance monitoring, recording, and analysis that provides an application programming interface (API) for importing and exporting sampled and traced data. It also includes tools for interrogating, retrieving, and processing the collected data. Performance Co-Pilot can transmit this data across a network and integrate with subsystems such as rsyslog, sar/sysstat, and systemd. It provides a common graphical user interface for browsing through all collected data as well as interactive text interfaces.
TUNED AND TUNED PROFILES
Tuned is an adaptive system-tuning daemon that tunes system settings dynamically depending on usage. Red Hat Enterprise Linux 7 includes several default tuned profiles, allowing administrators to benefit from better performance and power management for common workloads with very little tweaking. By default, the tuned profile selected is based on the Red Hat Enterprise Linux product variant, though administrators can modify the profile to address intended use cases.
Red Hat Enterprise Linux 7 enhances Tuna beyond process performance monitoring capabilities with additional support for kernel parameter tuning, along with profile customization and management.
Tuna has a unified, easy-to-use graphical user interface for system performance tuning, monitoring, and tuned profile management. It helps customers get the best performance out of their systems by using proactive load balancing and monitoring to eliminate hot spots, prevent performance problems, and avoid potential service calls.
With more and more systems, even at the low end, presenting non-uniform memory access (NUMA) topologies, Red Hat Enterprise Linux 7 addresses the performance irregularities that such systems present. A new, kernel-based NUMA affinity mechanism automates memory and scheduler optimization. It attempts to match processes that consume significant resources with available memory and CPU resources in order to reduce cross-node traffic. The resulting improved NUMA resource alignment improves performance for applications and virtual machines, especially when running memory-intensive workloads.
HARDWARE EVENT REPORTING MECHANISM
Red Hat Enterprise Linux 7 unifies hardware event reporting into a single reporting mechanism. Instead of various tools collecting errors from different sources with different timestamps, a new hardware event reporting mechanism (HERM) will make it easier to correlate events and get an accurate picture of system behavior. HERM reports events in a single location and in a sequential timeline. HERM uses a new userspace daemon, rasdaemon, to catch and log all RAS events coming from the kernel tracing infrastructure.
GUEST INTEGRATION WITH VMWARE
Red Hat Enterprise Linux 7 advances the level of integration and usability between the Red Hat Enterprise Linux guest and VMware vSphere.
Integration now includes:
- Open VM Tools bundle.
- 3D graphics drivers for hardware-accelerated OpenGL and X11 rendering.
- Fast communication mechanisms between VMware ESX and the virtual machine.
Combined, these additions provide a rich, high-performance environment for the Red Hat Enterprise Linux virtual machine running on VMware.
KVM-based virtualization capabilities meet new cryptographic security requirements from both US and UK governments by adding the para-virtualized driver (virtio-rng), which lets the host feed entropy to the virtual machine. Alleviating entropy starvation in guests makes cryptographic applications running on the guest more effective. This feature is especially important to highly security-conscious customers such as federal governments, online merchants, financial institutions, and defense contractors.
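A guest-side check that virtio-rng is actually in use, as an added example that is not part of the Red Hat overview. It reads the standard sysfs and procfs locations (`/sys/devices/virtual/misc/hw_random/rng_current` and `/proc/sys/kernel/random/entropy_avail`); the optional file arguments and the 1000-bit threshold are assumptions made so the checks can be exercised against constructed sample files. The libvirt device XML it emits is the documented `<rng model='virtio'>` element backed by the host's `/dev/urandom`.

```shell
#!/bin/sh
# Added example (not from the Red Hat overview): verify on a RHEL 7 KVM guest
# that the virtio-rng device is present and the kernel entropy pool is healthy.
# Each check accepts an optional file path so it can be run against sample files.

# Name of the hardware RNG the kernel currently draws from, e.g. "virtio_rng.0",
# or "none" when no hardware RNG is registered.
rng_current() {
    f="${1:-/sys/devices/virtual/misc/hw_random/rng_current}"
    [ -r "$f" ] || { echo none; return 0; }
    tr -d '[:space:]' < "$f"
}

# 0 if the active hardware RNG is the virtio one, 1 otherwise.
virtio_rng_active() {
    case "$(rng_current "$1")" in
        virtio*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Current kernel entropy estimate in bits; a starved guest often sits far below 1000.
entropy_avail() {
    f="${1:-/proc/sys/kernel/random/entropy_avail}"
    [ -r "$f" ] && tr -d '[:space:]' < "$f" || echo 0
}

# 0 if the pool holds at least MIN bits (assumed default 1000), 1 otherwise.
entropy_ok() {
    min="${2:-1000}"
    [ "$(entropy_avail "$1")" -ge "$min" ]
}

# libvirt device XML that attaches a virtio-rng device backed by the host's
# /dev/urandom. On the host: virsh attach-device GUEST rng.xml --persistent
virtio_rng_device_xml() {
    cat <<'EOF'
<rng model='virtio'>
  <backend model='random'>/dev/urandom</backend>
</rng>
EOF
}

# Summarise the running system (only meaningful inside a guest).
report() {
    printf 'hardware RNG: %s\n' "$(rng_current)"
    printf 'entropy_avail: %s\n' "$(entropy_avail)"
    if virtio_rng_active; then
        echo "virtio-rng is active; run rngd (rng-tools) so the pool is actually refilled from it"
    else
        echo "no virtio-rng seen: attach the device on the host and check the virtio_rng module in the guest"
    fi
}

report
```

A virtio-rng device only helps once something drains it into the kernel pool, so the usual pairing on the guest is `rngd` from rng-tools; `entropy_avail` staying low after the device appears is the sign that this step was skipped.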
VIRTUAL FUNCTION I/O DEVICE ASSIGNMENT
The virtual function I/O (VFIO) userspace driver interface improves PCI device assignment for KVM. VFIO enforces device isolation, improves security of device access, and is compatible with features such as secure boot. For example, Red Hat Enterprise Linux 7 uses the VFIO framework for graphic processing unit (GPU) device assignment. Note that VFIO replaces the KVM device assignment mechanism used in Red Hat Enterprise Linux 6.
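VFIO isolates at the granularity of an IOMMU group, so before assigning a PCI device an administrator wants to know which other devices share its group (all of them must be bound to vfio-pci and go to the same guest). The following script is an added example, not code from the Red Hat overview; it reads the standard sysfs paths (`/sys/bus/pci/devices/<addr>/iommu_group` and `/sys/kernel/iommu_groups/<n>/devices`), and the optional sysfs-root argument is an assumption made so it can be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the Red Hat overview): inspect IOMMU groups before a
# VFIO device assignment. SYSFS can be pointed at a constructed tree for testing;
# the default is the live /sys.

# Print the IOMMU group number of a PCI device (e.g. 0000:03:00.0); 1 if none.
iommu_group_of() {
    sysfs="${2:-/sys}"
    link="$sysfs/bus/pci/devices/$1/iommu_group"
    [ -e "$link" ] || return 1
    basename "$(readlink -f "$link")"
}

# Print every device address in the given IOMMU group, one per line.
iommu_group_members() {
    sysfs="${2:-/sys}"
    dir="$sysfs/kernel/iommu_groups/$1/devices"
    [ -d "$dir" ] || return 1
    ls "$dir"
}

# 0 if the device is alone in its group and can be assigned by itself, 1 otherwise.
device_is_isolated() {
    group=$(iommu_group_of "$1" "$2") || return 1
    [ "$(iommu_group_members "$group" "$2" | wc -l)" -eq 1 ]
}

# Human-readable report: group members and the driver each one is bound to.
report_device() {
    sysfs="${2:-/sys}"
    group=$(iommu_group_of "$1" "$sysfs") || {
        echo "$1: no IOMMU group (IOMMU disabled in firmware or on the kernel command line?)"
        return 1
    }
    echo "$1 is in IOMMU group $group; members:"
    for dev in $(iommu_group_members "$group" "$sysfs"); do
        drv=$(basename "$(readlink -f "$sysfs/bus/pci/devices/$dev/driver" 2>/dev/null)" 2>/dev/null)
        printf '  %s  driver=%s\n' "$dev" "${drv:-none}"
    done
}

# Usage on a host: report_device 0000:03:00.0
```

A group listing that contains a bridge or a second function of the same card is the normal reason an assignment is refused; the fix is to assign every member or to choose a device in a group of its own, not to weaken the isolation.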
Red Hat Enterprise Linux 7 includes OpenJDK as the default Java™ development and runtime environment. OpenJDK 7 is the most current stable version of publicly available Java. It provides more stability, better performance, better support for dynamic languages, and quicker startup times.
All Java 7 packages (java-1.7.0-openjdk, java-1.7.0-ibm) in Red Hat Enterprise Linux 7 let you install multiple versions in parallel, similarly to the kernel. Parallel installation makes it simpler to try out multiple versions of the same JDK simultaneously in order to tune performance and debug problems if needed.
INSTALLATION AND DEPLOYMENT
Red Hat Enterprise Linux 7 provides support that simplifies the task of performing in-place upgrades. A pre-upgrade assistant package is provided in the Red Hat Enterprise Linux 6.5 zstream, which reports what can be upgraded in place and what will have to be done manually. The report describes the issues and links to knowledge base articles available in the Red Hat Customer Portal.
The report includes information on configuration files that will be modified and identifies existing user-modified configuration files, recommending some to be manually checked. At that point, the administrator can decide if the end result of an in-place upgrade is sufficient for their needs. Upon executing the in-place upgrade, the administrator can then inspect the final results and decide to complete the upgrade.
PARTITIONING DEFAULTS FOR ROLLBACK
The ability to revert to a known, good system configuration is crucial in a production environment. Using LVM snapshots with ext4 and XFS (or the integrated snapshotting feature in Btrfs described in the “Snapper” section), an administrator can capture the state of a system and preserve it for future use. An example use case would involve an in-place upgrade that does not produce the desired outcome and an administrator who wants to restore the original configuration.
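The snapshot-before-upgrade workflow described above, as an added example that is not code from the Red Hat overview. The volume group and logical volume names (`rhel`/`root`), the snapshot name and the 8 GiB size are assumptions; take them from `lvs` on the real system. The preflight check matters because an LVM snapshot that runs out of space is invalidated and can no longer be merged back, which defeats the rollback.

```shell
#!/bin/sh
# Added example (not from the Red Hat overview): snapshot the root LV before an
# in-place upgrade, then either merge it back (rollback) or discard it (accept).
# VG/LV/snapshot names and size are assumptions; override via the environment.
VG="${VG:-rhel}"
LV="${LV:-root}"
SNAP="${SNAP:-root_pre_upgrade}"
SNAP_MIB="${SNAP_MIB:-8192}"

# Turn `vgs --noheadings --nosuffix --units m -o vg_free` output (e.g. " 20480.00")
# into whole MiB so it can be compared with the requested snapshot size.
vg_free_mib() {
    printf '%s\n' "$1" | tr -d ' ' | cut -d. -f1
}

# 0 if the free space (MiB, as vgs prints it) can hold a snapshot of SIZE MiB.
# Refuse rather than create an undersized snapshot: once it fills, LVM drops it.
snapshot_fits() {
    free=$(vg_free_mib "$1")
    [ "${free:-0}" -ge "$2" ]
}

create_snapshot() {
    free_raw=$(vgs --noheadings --nosuffix --units m -o vg_free "$VG")
    snapshot_fits "$free_raw" "$SNAP_MIB" || {
        echo "not enough free space in $VG for a ${SNAP_MIB} MiB snapshot" >&2
        return 1
    }
    lvcreate --snapshot --size "${SNAP_MIB}m" --name "$SNAP" "/dev/$VG/$LV"
    # snap_percent shows how much of the snapshot is used; watch it during the upgrade
    lvs -o lv_name,origin,snap_percent "$VG"
}

# Roll back: schedule the merge. For a mounted root LV the merge runs on the next
# activation, i.e. after a reboot; the snapshot LV disappears once merged.
rollback() {
    lvconvert --merge "/dev/$VG/$SNAP" && echo "reboot to complete the merge"
}

# Keep the upgraded system and free the snapshot's extents.
accept_upgrade() {
    lvremove -f "/dev/$VG/$SNAP"
}

case "${1:-}" in
    snapshot) create_snapshot ;;
    rollback) rollback ;;
    accept)   accept_upgrade ;;
    *)        echo "usage: $0 {snapshot|rollback|accept}" ;;
esac
```

If the snapshot is mounted read-only to inspect the pre-upgrade files, an XFS snapshot needs `mount -o nouuid,ro` because it carries the same filesystem UUID as its origin; ext4 does not have this restriction.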
ANACONDA KICKSTART FOR ACTIVE DIRECTORY INTEGRATION
A system administrator can now create kickstart installation files that do not require administrative credentials. The installed system can then join an Active Directory domain with a one-time password. This new feature eliminates the need for writing and maintaining large blocks of interdependent code in two domains.
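The kickstart join described above, together with the realmd join from the "Cross-realm Kerberos trust" section, as an added example that is not code from the Red Hat overview. It writes a kickstart fragment that joins an Active Directory domain with the `realm join --one-time-password=` form and adds a small check that flags a kickstart carrying an administrative account instead. The domain `ad.example.com`, the password value and the log path are constructed placeholders; the one-time password is the one pre-set on the computer account in Active Directory.

```shell
#!/bin/sh
# Added example (not from the Red Hat overview): kickstart fragment for an
# Active Directory join with a one-time computer password, and a lint that
# rejects kickstarts which embed domain administrator credentials.

# Write the join fragment. A one-time password is good for a single join of a
# pre-created computer account, so a leaked kickstart does not yield an admin
# login the way an embedded --user= account and its password would.
write_join_fragment() {
    domain="$1"; otp="$2"; out="$3"
    cat > "$out" <<EOF
# --- kickstart fragment: join $domain during installation ---
realm join --one-time-password=$otp $domain

%post --log=/root/ks-realm.log
# confirm the join from the installed system; add 'id user@$domain' to test lookups
realm list
%end
EOF
}

# Lint: 0 if the kickstart has at least one 'realm join' line, every such line
# uses --one-time-password, and none passes an administrative account via
# --user; 1 otherwise.
join_lines_are_safe() {
    ks="$1"
    grep -E '^[[:space:]]*realm[[:space:]]+join' "$ks" > /dev/null || return 1
    grep -E '^[[:space:]]*realm[[:space:]]+join' "$ks" | while read -r line; do
        case "$line" in
            *--user=*|*--user\ *)   exit 1 ;;   # admin credential in the kickstart
            *--one-time-password=*) ;;
            *)                      exit 1 ;;   # join with no credential form at all
        esac
    done
}

# Example run with constructed values; the file is only written, not deployed.
write_join_fragment ad.example.com 'S3cret-OTP-placeholder' ./join-fragment.ks
join_lines_are_safe ./join-fragment.ks && echo "join-fragment.ks: uses a one-time password"
```

The same `realm join --one-time-password=... ad.example.com` command works from a shell on an already-installed host after `realm discover ad.example.com`; the lint is the piece to run in review of kickstart files, since a `--user=` join needs that account's password at install time or stored next to the file.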