EuroLinux 9

EuroLinux 9 – groundbreaking changes

EuroLinux 9 has been with us for quite a while now. Today we will take a closer look at the important changes it brings with regard to the previous release.

EuroLinux 9 is designed to meet the needs of a hybrid cloud environment. Therefore, it can run code efficiently, whether it is deployed on physical infrastructure, in a virtual machine or in containers.

It’s also worth mentioning that EuroLinux Desktop, a user-friendly and easy-to-use system for people who use Windows® or macOS® on a daily basis, is based on EuroLinux 9.

Programming languages

  • Python 3.9 will be supported for the entire lifecycle of EuroLinux 9, that is, at least until June 30, 2032. It includes many new features, including timestamps, new string prefix and suffix methods, powerful parsers, multiprocessing improvements and much more. These features help developers easily modernize their applications
  • Node.js 16 provides changes that include an update of the V8 engine to version 9.2, a new Timer Promises API, a new web streams API and support for the npm package manager version 7.20.3. To meet the highest security standards, this software is compatible with OpenSSL 3.0
  • Ruby 3.0.3 includes several performance improvements, as well as bug and security fixes. Some of the important improvements include concurrency and parallelism, static analysis, pattern matching using case/in expressions, redesigned single-line pattern matching, and find pattern matching
  • Perl 5.32 includes a number of bug fixes and enhancements, including Unicode version 13, a new infix operator and faster feature checking
  • PHP 8.0 includes bug fixes and improvements, such as the use of structured metadata syntax, new named arguments that are order-independent, improved performance for Just In Time compilation, and much more.

Runtimes and compilers

EuroLinux 9 is built on top of the latest runtimes and compilers, including GCC 11.2.1 and updated versions: LLVM 13.0.1, Rust 1.58 and Go 1.17, allowing developers to modernize their applications.

The system includes updated versions of core developer tools such as GCC 11.2.1, glibc 2.34 and binutils 2.35. The new GCC compiler functionalities help users better track code flow, improve debugging options and write optimized code for efficient use of hardware. The new GCC compiler includes modifications for compiling C and C++ code, along with new debugging messages for logs. Programmers therefore have better insight into how their code is performing.

With next-generation Application Streams (AppStreams), developers have a wider choice of versions of popular programming languages and tools. They can also choose from multiple versions of user space components as application streams, which are easy to update. This provides greater flexibility in customizing EuroLinux to fit their own work environment. The contents of application streams also include tools and programs that are rapidly released and frequently updated. These application streams, called rolling streams, are fully supported throughout the whole life of EuroLinux 9.

EuroLinux 9 extends the modularity functionality from EuroLinux 8. In the new version of the system, all packaging methods such as Software Collections, Flatpaks and traditional RPMs have been incorporated into application streams, making it easier for developers to use their preferred packages.

Monitoring and maintenance

The EuroLinux 9 web console (Cockpit) has an improved performance metrics page that helps identify potential causes of spikes in CPU, memory, disk and network resource usage. Furthermore, subsystem metrics can be easily exported to a Grafana server.

Security

In EuroLinux 9, SSH password authentication of the root user has been disabled by default. The OpenSSH configuration disables root user login by password, thus preventing attackers from gaining access through brute-force password attacks. Instead of using the root password, developers can access remote development environments using SSH keys to log in.
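One way to check the setting described above on a given host, as an added example that is not EuroLinux code. The function names are hypothetical, and the script assumes that the main sshd_config includes the drop-in files from /etc/ssh/sshd_config.d at its top and that no drop-in opens a Match block.

```shell
#!/bin/sh
# Added example (not EuroLinux code): find the PermitRootLogin value sshd would apply.

# Reads sshd_config text on stdin. sshd uses the FIRST occurrence of a keyword,
# and keywords inside a Match block are conditional, so scanning stops there.
# Falls back to the OpenSSH compiled-in default when the keyword is absent.
effective_root_login() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        tolower($1) == "match" { exit }             # end of the global section
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit      # first occurrence wins
        }
        END { if (!found) print "prohibit-password" }
    '
}

# Exit status 0 when root can still authenticate with a password.
# prohibit-password, forced-commands-only and no all block password logins.
root_password_login_allowed() {
    [ "$(effective_root_login)" = "yes" ]
}

# Assumption: drop-ins in /etc/ssh/sshd_config.d are included at the top of the
# main file, so they are read first. `sshd -T` run as root stays authoritative.
audit_sshd() {
    [ -r /etc/ssh/sshd_config ] || { echo "sshd_config not readable"; return 0; }
    if cat /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config 2>/dev/null |
        root_password_login_allowed; then
        echo "WARNING: root password login over SSH is enabled"
    else
        echo "OK: root cannot log in over SSH with a password"
    fi
}

audit_sshd
```

A drop-in file that sets PermitRootLogin yes overrides the hardened default, which is why the drop-in directory is read before the main file.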

OpenSSL 3.0 adds a provider concept, a new versioning scheme and improved HTTPS. Providers are collections of algorithm implementations. Developers can programmatically invoke any provider based on application requirements. EuroLinux’s built-in tools have been recompiled to take advantage of OpenSSL 3.0, allowing users to take advantage of new encryption and information protection mechanisms.

Kernel

EuroLinux 9.0 is distributed with kernel version 5.14.0-70.

eBPF enabled only for privileged users

Extended Berkeley Packet Filter (eBPF) is a complex technology that allows users to execute custom code inside the Linux kernel. Due to its nature, eBPF code must pass through a verifier and other security mechanisms. There have been cases of Common Vulnerabilities and Exposures (CVEs), where bugs in this code could be exploited for unauthorized operations. To reduce this risk, eBPF was enabled in EuroLinux for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel command line parameter unprivileged_bpf_disabled=0. It is recommended to treat processes with the CAP_BPF capability as if this capability was equal to CAP_SYS_ADMIN.
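The recommendation above can be turned into a host check. The following is an added example, not EuroLinux code: it reports the state of the kernel.unprivileged_bpf_disabled sysctl and lists processes whose effective capability set contains CAP_BPF without CAP_SYS_ADMIN. The function names are hypothetical; the bit positions come from linux/capability.h.

```shell
#!/bin/sh
# Added example (not EuroLinux code): audit eBPF exposure on a running host.

CAP_SYS_ADMIN=21   # bit positions from <linux/capability.h>
CAP_BPF=39

# has_cap MASK BIT: exit 0 if BIT is set in the hex mask from /proc/PID/status.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify_caps MASK: print sys_admin, bpf (CAP_BPF only) or none.
classify_caps() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then echo sys_admin
    elif has_cap "$1" "$CAP_BPF"; then echo bpf
    else echo none
    fi
}

# describe_bpf_sysctl VALUE: meaning of kernel.unprivileged_bpf_disabled.
describe_bpf_sysctl() {
    case "$1" in
        0) echo "unprivileged bpf() allowed" ;;
        1) echo "unprivileged bpf() disabled until reboot" ;;
        2) echo "unprivileged bpf() disabled, root may re-enable" ;;
        *) echo "unknown value" ;;
    esac
}

audit_bpf() {
    knob=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$knob" ]; then
        echo "sysctl: $(describe_bpf_sysctl "$(cat "$knob")")"
    fi
    # List processes that hold CAP_BPF but not CAP_SYS_ADMIN: per the
    # recommendation above they deserve the same scrutiny as root-equivalents.
    for status in /proc/[0-9]*/status; do
        mask=$(awk '/^CapEff:/ { print $2 }' "$status" 2>/dev/null) || continue
        [ -n "$mask" ] || continue
        if [ "$(classify_caps "$mask")" = bpf ]; then
            pid=${status#/proc/}; pid=${pid%/status}
            echo "review: pid $pid ($(cat "/proc/$pid/comm" 2>/dev/null)) has CAP_BPF"
        fi
    done
    return 0
}

audit_bpf
```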

cgroup-v2 enabled by default in EuroLinux 9

Control groups version 2 (cgroup-v2) implements a single hierarchy model that simplifies the management of control groups. In addition, this version ensures that a process can only be a member of one control group at a time. Deep integration with systemd improves the end-user experience when configuring resource controls in EuroLinux 9.

New features are developed mainly for cgroup-v2, which therefore has some features that are missing in cgroup-v1. Similarly, cgroup-v1 contains some older features that are missing in cgroup-v2. The control interfaces are also different. Therefore, third-party software that is directly dependent on cgroup-v1 may not work properly in the cgroup-v2 environment.

To use cgroup-v1, add the following parameters to the kernel command line:

systemd.unified_cgroup_hierarchy=0
systemd.legacy_systemd_cgroup_controller

Kernel changes potentially affecting third-party kernel modules

Linux distributions with kernel versions earlier than 5.9 supported exporting GPL functions as unlicensed functions. As a result, users were able to combine proprietary functions with GPL kernel functions through the shim mechanism. In this release, the EuroLinux kernel includes changes that enhance the system’s ability to enforce the GPL by rejecting the shim.

64-bit ARM architecture has a page size of 4 KB in EuroLinux 9

It has been decided to set a page size of 4 KB of physical memory for the 64-bit ARM architecture in EuroLinux 9. This size fits well with the workloads and amount of memory present in most ARM-based systems. To make effective use of large page sizes, use the huge pages option to address more memory or workloads with large data sets.

The tool strace displays SELinux context mismatches

The existing --secontext option of the strace program has been extended with the mismatch parameter. With it, strace prints the expected context along with the actual one only when the two differ. The two contexts are separated by double exclamation marks (!!): first the actual context and then the expected context. With the full,mismatch parameters, the full expected context is printed along with the actual one when any part of it, such as the user, is mismatched. With mismatch alone, only the type part of the context is checked, so the expected context is not printed when the type part matches.

SELinux context mismatches can cause SELinux-related access control problems. Mismatches printed in system call traces can greatly speed up SELinux context validation. System call traces can also explain specific kernel behavior with respect to access control.

perf-top can sort by a specific column

With this update to the perf-top system profiling tool, samples can be sorted by any column of events. Previously, events were sorted by the first column when multiple events in a group were sampled. To sort samples, use the --group-sort-idx command line option and press the number key to sort the table by the matching data column. It’s worth noting that the column numbering starts at 0.

New package: jigawatts

Checkpoint/Restore In Userspace (CRIU) is a Linux utility that enables checkpointing and restoration of processes. The jigawatts package includes a Java library designed to enhance the usability of CRIU mechanisms from within Java applications.

New behavior of the command: trace-cmd reset

Previously, the trace-cmd reset command restored the tracing_on configuration to 0. The new behavior of trace-cmd reset is to restore the tracing_on configuration to the default value of 1.

makedumpfile

makedumpfile supports improved zstd compression

With this enhancement, makedumpfile now includes Zstandard (zstd) compression capability, which provides a high compression ratio. This enhancement helps especially on systems with large amounts of memory.

Zstd compression offers a good balance between vmcore dump size and compression time compared to the previous compression methods. As a result, the improved compression mechanism now creates a smaller vmcore file with an acceptable compression time.

Note that a good compression ratio also depends on how the system is used and what type of data is stored in RAM.

makedumpfile includes improved options to get an estimate of vmcore size

With this implementation, the makedumpfile tool now includes the following options to help print an estimated dump size for the currently running kernel:

  • --dry-run performs all the operations specified by the other options, but does not save the output file
  • --show-stats prints out report messages. This is an alternative to including bit 4 in the level specified in the --message-level option.

Note that the size of the dump file may vary depending on the state of the system at the time of failure, so the estimate given by these options may differ from the actual size.

numatop enabled on scalable Intel Xeon server processors

numatop is a tool that tracks and analyzes the behavior of processes and threads running on NUMA systems. It displays metrics that can identify NUMA-related performance bottlenecks.

numatop uses Intel’s performance counter sampling technologies and associates performance data with runtime Linux information to provide analysis on production systems.

kexec_file_load has been added as the default option for EuroLinux 9

EuroLinux 9.0 adds the kexec_file_load system call for the 64-bit ARM architecture. It provides kexec file loading in the kernel for kdump. Previously, the kernel prevented unsigned kernel images from loading when Secure Boot was enabled. The kdump mechanism first tried to detect whether Secure Boot was enabled, and then selected the boot interface to run. As a result, the unsigned kernel could not be loaded with Secure Boot enabled and the kexec_file_load() function specified.

This update fixes the problem and the unsigned kernel works correctly in the described scenario.

The kexec-tools package supports the default crashkernel memory reservation values for EuroLinux 9

The kexec-tools package now maintains default values for crashkernel memory reservations. The kdump service uses the default value to reserve crashkernel memory for each kernel. This implementation also improves memory allocation for kdump when the system has less than 4GB of available memory.

Note that the crashkernel=auto option on the boot command line is no longer supported in EuroLinux 9 and later releases.

Core scheduling

Thanks to the core scheduling functionality, users can prevent tasks that should not trust each other from sharing the same CPU core. Similarly, users can define groups of tasks that can share a CPU core.

Improved performance on 64-bit ARM architecture using non-strict iommu mode as default

With this update, the 64-bit ARM architecture defaults to using a lazy direct memory access (DMA) domain for the system memory management unit (SMMU). While this brings significant performance gains, it can introduce a window between address unmapping and the Translation Lookaside Buffer (TLB) flush in the SMMU. In previous versions, the 64-bit ARM architecture configured strict DMA domains by default, resulting in performance degradation due to the 4KB page size.

Support for CPU hotplug in hv_24x7 and hv_gpci PMU

With this update, PMU counters respond correctly to CPU hot-plugging. As a result, if the hv_gpci event counter runs on a CPU that is shut down, the counts redirect to another CPU.

IRDMA driver has been implemented in EuroLinux 9

IRDMA driver enables RDMA functionality on Intel® network devices that support RDMA.

EuroLinux 9 delivers an updated Intel® Ethernet Protocol Driver for RDMA (IRDMA) for the X722 Internet Wide-area RDMA Protocol (iWARP) device. EuroLinux 9 also introduces the new E810 device, which supports iWARP and RDMA over Converged Ethernet (RoCEv2). The IRDMA module replaces the older i40iw module for the X722 and extends the Application Binary Interface (ABI) defined for i40iw. The change is backward compatible with the older X722 RDMA-Core provider (libi40iw).

New parameter for kernel bonding module: lacp_active

EuroLinux 9 introduces the lacp_active parameter for the bonding module in the kernel. This parameter determines whether to send Link Aggregation Control Protocol Data Unit (LACPDU) frames at specified intervals.

Note that LACPDU status frames are still sent during port initialization or unbinding.

GNOME 40

The GNOME desktop environment has been upgraded from GNOME 3.28 to GNOME 40 and includes many new features.

It provides a new and improved look for the Activities viewer. It gives a more consistent look and provides a better experience when navigating the system and launching programs. Workspaces are now arranged horizontally, and the window overview and program grid are available vertically.

Other GNOME improvements:

  • performance and resource utilization has been significantly improved
  • visual style, including user interface, icons and desktop has been refreshed
  • GNOME applications no longer use the application menu, which was accessible from the top panel. The functionality is now located in the main menu in the application window
  • the Settings application has been redesigned
  • screen sharing and remote desktop sessions have been improved
  • when using NVIDIA’s proprietary drivers, you can now run applications using the discrete GPU:
    1. Open the Activities application.
    2. Right-click the application icon on the desktop.
    3. Select the Run on discrete GPU option in the menu.
  • The Power Off/Log Out menu now includes a Suspend option and a new Restart option that can reboot the system to the bootloader menu when Alt is held down
  • Flatpak applications are now updated automatically
  • application icons in the Overview can now be grouped into folders using drag and drop
  • the Terminal application now supports right-to-left text and bidirectional text
  • the Pointer Location accessibility feature now works in Wayland session. When the function is enabled, pressing the Ctrl key highlights the pointer location on the screen
  • GNOME Shell extensions are now managed by the Extensions program, rather than Software. The Extensions program handles the updating of extensions, configuring extension preferences, and removing and disabling extensions
  • The notification box now includes a Do Not Disturb button. When the button is enabled, notifications are not displayed on the screen
  • system dialogs that require a password now have the option to reveal the password text by clicking the eye icon
  • the Software application now automatically detects mobile data networks, among others. When the current network is a metered network, the Software application pauses updates to reduce data consumption
  • each connected display can now use a different refresh rate in a Wayland session
  • fractional display scaling is available as an experimental option. It includes several pre-configured fractional ratios.

Power profiles are now available

In the Power panel of GNOME Settings, you can now switch between several power profiles. Power profiles optimize different system settings for the selected purpose.

The following power profiles are available:

Performance – optimizes for high system performance and reduced battery life. This profile is only available on certain selected system configurations.

Balanced – provides standard system performance and power consumption. This is the default profile.

Power Saver – increases battery life and reduces system performance. This profile activates automatically when the battery level is low.

Power profiles functionality is available from the power-profiles-daemon package, which is installed by default.

Lightweight environment for a standalone application

A lightweight user interface is now available for graphical applications where only a single application is used.

Users can run GNOME in a single-application session, also known as kiosk mode. In this session, GNOME displays only the full-screen window of the configured application.

A single-application session uses significantly fewer resources than a standard GNOME session.

Security classification banners at login and in desktop session

You can now configure classification banners to determine the overall security classification level of the system. This is useful in deployments where the user needs to know the security classification level of the system they are logged into.

Classification banners can be displayed in the following contexts, depending on the configuration:

  • as part of a running session
  • on the lock screen
  • on the login screen.

Classification banners can be in the form of a notification that can be dismissed or a permanent banner.

Summary

EuroLinux 9 introduces groundbreaking changes from Release 8. In this article, we have described the most important noticeable technical, visual and environment delivery differences for developers.

EuroLinux 9, of course, contains many more changes. We encourage you to learn about them as you use the system. Link to download the ISO image: https://fbi.cdn.euro-linux.com/isos/EL-9.0-x86_64-20220613-appstream.iso.

Authors

The blog articles are written by people from the EuroLinux team. We owe 80% of the content to our developers, the rest is prepared by the sales or marketing department. We make every effort to ensure that the content is the best in terms of content and language, but we are not infallible. If you see anything that needs to be corrected or clarified, we'd love to hear from you.