Last week we celebrated the 25th anniversary of Red Hat’s inaugural Halloween release. This week? We’ve got Red Hat Enterprise Linux 8.1 hitting the streets on schedule and ready to take on your toughest workloads. In RHEL 8.1 we have some new tools, live kernel patching, a new system role, and more. Here’s a quick preview of the highlights in RHEL 8.1.
Live Patching updates for 8.1 and 7.7
RHEL 8.1 marks the first release of RHEL 8 that will receive live kernel patches for critical and selected important CVEs, and no premium subscription is required. They will be delivered via the regular content stream and can be consumed via Yum updates. (Previously, these were on request for premium subscription customers and "hand delivered.") The goal of the program is to minimize the need to reboot systems in order to get the latest critical security updates.
The live patches will be issued for releases with a current or planned EUS stream, and for kernels that are up to one year old. As of this writing, that’s going to be 7.6, 7.7, 8.1, and are planned to include 8.2 when released. Live patches will remain available during the EUS and E4S extended support periods, as long as the kernels are less than a year old.
Note that this is kernel patching only at this time. We are looking at userspace patching for glibc and OpenSSL libraries, but that isn’t currently available.
When we ask customers about their priorities, security floats towards the top of the list with great regularity. It's a fundamental consideration that seems obvious, but we can't take it for granted--and we continue to think about ways that we can help you make your systems more secure.
Whether that's through new features to harden systems, more aggressive security policies, or tools to help you avoid security pitfalls, we take an aggressive approach to improving security in RHEL.
One way to boost security is to limit the applications a system can run. With RHEL 8.1 we're introducing application whitelisting so that admins can add specific applications to be allowed to run, and deny anything else.
Whitelisting in RHEL 8.1 uses the RPM database and an administrator-supplied list of approved applications.
Updated CVE Policy
Technically this change isn't specific to RHEL 8.1, but in case you missed it when we announced it earlier it's worth calling out. On October 2nd we announced that we have expanded the scope of coverage for CVEs to help reduce the risk profile of customers and help maintain greater stability of their deployments. For more, check out Mark Thacker's coverage of this on the Red Hat Blog.
SELinux for Containers
If you’ve been watching the blog for RHEL news, you probably caught Lukas Vrabec’s post in September on generating SELinux policies for containers using Udica. For situations when the default container SELinux policy for containers is too strict or otherwise needs modification we’re providing Udica to help generate a custom policy for the containers.
Udica detects which Linux capabilities are required by the container and works to create a SELinux rule allowing all these capabilities. It supports generating policies for containers using Podman and Docker, and support for CRI-O is expected in the near future. Be sure to read Lukas’ post for the full picture on Udica and how you can make use of it in RHEL 8.1.
In addition to Udica, with RHEL 8.1 we have several other updates related to containers to call your attention to. First up, we have new tools for container management in the web console as part of our ongoing efforts to simplify RHEL management.
Another feature that we're very excited about in 8.1 is full support of rootless containers. We've been talking about this for a while, but with 8.1 it's going to be much easier for users to get their hands on. Why do you want rootless containers? The short version is that it's better to run containers with fewer privileges, just as you would any other process. See Scott McCarty's post on rootless containers for more on how to use them and why you'd want to.
Ideally you only install the tools and applications you need on a system when it's put into production. But sometimes you need to troubleshoot a system, and need additional tools that weren't rolled out with the system. That's why we are adding Toolbox to RHEL 8.1. We've added a toolbox container for one-off troubleshooting that you can zip onto a system when you need to fix it without altering the overall state of the system.
And we've made that easy to do by using `yum install toolbox` as a method to add this container to your system with the necessary tools to run it. Look for a blog in the next few weeks that will walk through running toolbox in greater detail.
One of the improvements in RHEL 8.1 is expanded options for in-place upgrades from RHEL 7 to RHEL 8. With the GA of 8.1 we now support in-place upgrades for 64-bit ARM, pseries, and zseries architectures, along with x86_64 systems.
One of the major features in the 8.1 release isn’t a what, it’s a when. As in "when is the next RHEL release coming?" In about six months. When’s the next one? About six months after that. And so on.
Why does this matter? Because our users, customers, partners, and others need to make plans around RHEL releases. They need to have a good picture of when releases are coming, how long they have to wait for new features, our vendor friends want to know when they can expect hardware support to land in RHEL for their customers, and so forth.
We also know that the time-based model works well for development. Features that aren’t going to make the cut get held back for the next release. And the next release is only six months out, so it’s okay to hold off when needed.
At Red Hat Summit this year we talked about our plans to deliver RHEL on a six-month cycle, and to have a predictable and simpler cadence with RHEL releases. And here we are, six months later with RHEL 8.1. In addition, RHEL 8.1 will be the first RHEL 8 minor release to offer Extended Update Support (24 months from the minor release general availability). In addition to RHEL 8.1, EUS will be available on even numbered RHEL minor releases through the 5 year Full Support Phase. (Please see the Red Hat Enterprise Linux Life Cycle Overview page for all the details on the RHEL LIfe Cycle and EUS policy) We should add that in keeping with this, RHEL 7.8 Beta is also now available for download in the customer portal.
With the release of RHEL 8.1 we are also announcing a bevy of new rules for Red Hat Insights, an important part of the RHEL subscription. We have added more than 400 new rules since May, which expands on the value that Insights adds to your RHEL subscription.
The new rules we're announcing today include workload-specific rules for things like SAP or Microsoft SQL Server running on RHEL, or are associated with improving performance, stability, and (of course) security across different versions of RHEL from RHEL 6.4 onwards. Read the Insights blog for more information on what's new and what you gain from Insights.
Watch this space
This is a high-level overview of what’s new in RHEL 8.1, but we know our customers want deeper dives too. Watch the RHEL channel on the Red Hat Blog in the coming weeks and months for more in-depth looks at the best of RHEL 8.1, as well as sneak peeks at features planned for 8.2 and beyond.