Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10.
4.1. Installer and image creation
Ability to use partitioning mode on the blueprint filesystem customization
With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:
-
Default:
auto-lvm
- LVM: the image uses Logical Volume Manager (LVM) even without extra partitions
- Raw: the image uses raw partitioning even with extra partitions
Jira:RHELDOCS-16337[1]
Filesystem customization policy changes in image builder
The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:
Currently, mountpoint
and minimum partition minsize
can be set. The following image types do not support filesystem customizations: image-installer
edge-installer
edge-simplified-installer
The following image types do not create partitioned operating systems images. Customizing their filesystem is meaningless: edge-commit
edge-container
tar
container
The blueprint now supports the mountpoint
customization for tpm
and its sub-directories.
Jira:RHELDOCS-17261[1]
4.2. Security
SCAP Security Guide rebased to 0.1.72
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:
- CIS profiles are updated to align with the latest benchmarks.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes.
Jira:RHEL-25250[1]
OpenSSL now contains protections against Bleichenbacher-like attacks
This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.
You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")
function on the RSA decryption context, but this makes your system more vulnerable.
Jira:RHEL-17689[1]
librdkafka
rebased to 1.6.1
The librdkafka
implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the CHANGELOG.md
document provided in the librdkafka
package.
This update changes configuration defaults and deprecates some configuration properties. Read the Upgrade considerations section in CHANGELOG.md
for more details. The API (C & C++) and ABI © in this version are compatible with older versions of librdkafka
, but some changes to the configuration properties might require changes to existing applications.
Jira:RHEL-12892[1]
libkcapi
rebased to 1.4.0
The libkcapi
library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:
-
Added the
sm3sum
andsm3hmac
tools. -
Added the
kcapi_md_sm3
andkcapi_md_hmac_sm3
APIs. - Added SM4 convenience functions.
- Fixed support for link-time optimization (LTO).
- Fixed LTO regression testing.
-
Fixed support for AEAD encryption of an arbitrary size with
kcapi-enc
.
Jira:RHEL-5366[1]
stunnel
rebased to 5.71
The stunnel
TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel
default FIPS configuration is set to no
, stunnel
adapts to OpenSSL and FIPS mode is enabled.
Additional new features include:
- Added support for modern PostgreSQL clients.
-
You can use the
protocolHeader
service-level option to insert customconnect
protocol negotiation headers. -
You can use the
protocolHost
option to control the client SMTP protocol negotiation HELO/EHLO value. -
Added client-side support for Client-side
protocol = ldap
. -
You can now configure session resumption by using the service-level
sessionResume
option. -
Added support to request client certificates in server mode with
CApath
(previously, onlyCAfile
was supported). - Improved file reading and logging performance.
-
Added support for configurable delay for the
retry
option. -
In client mode, OCSP stapling is requested and verified when
verifyChain
is set. - In server mode, OCSP stapling is always available.
-
Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting
OCSPrequire = no
.
Jira:RHEL-2340[1]
OpenSSH limits artificial delays in authentication
OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.
libkcapi
now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi
(Linux kernel cryptographic API) packages introduces the new option -T
for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c
option, for example:
$ sha256hmac -c <hmac_file> -T <target_file>
Jira:RHEL-15300[1]
audit
rebased to 3.1.2
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:
-
The
auparse
library now interprets unnamed and anonymous sockets. -
You can use the new keyword
this-hour
in thestart
andend
options of theausearch
andaureport
tools. -
User-friendly keywords for signals have been added to the
auditctl
program. -
Handling of corrupt logs in
auparse
has been improved. -
The
ProtectControlGroups
option is now disabled by default in theauditd
service. - Rule checking for the exclude filter has been fixed.
-
The interpretation of
OPENAT2
fields has been enhanced. -
The
audispd af_unix
plugin has been moved to a standalone program. - The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-15001[1]
4.3. Shells and command-line tools
openCryptoki
rebased to version 3.22.0
The opencryptoki
package has been updated to version 3.22.0. Notable changes include:
-
Added support for the
AES-XTS
key type by using theCPACF
protected keys. - Added support for managing certificate objects.
-
Added support for public sessions with the
no-login
option. - Added support for logging in as the Security Officer (SO).
-
Added support for importing and exporting the
Edwards
andMontgomery
keys. -
Added support for importing the
RSA-PSS
keys and certificates. - For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
- Various bug fixes have been implemented.
Jira:RHEL-11413[1]
4.4. Infrastructure services
chrony
rebased to version 4.5
The chrony
suite has been updated to version 4.5. Notable changes include:
-
Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by hostname. The default interval is two weeks and it can be disabled by adding
refresh 0
to thechrony.conf
file. - Improved automatic replacement of unreachable NTP sources.
-
Improved logging of important changes made by the
chronyc
utility. - Improved logging of source selection failures and falsetickers.
-
Added the
hwtstimeout
directive to configure timeout for late hardware transmit timestamps. - Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
-
Fixed the
presend
option ininterleaved
mode. -
Fixed reloading of modified sources specified by IP address from the
sourcedir
directories.
linuxptp
rebased to version 4.2
The linuxptp
protocol has been updated to version 4.2. Notable changes include:
-
Added support for multiple domains in the
phc2sys
utility. - Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
- Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
Jira:RHEL-21326[1]
4.5. Networking
firewalld
now avoids unnecessary firewall rule flushes
The firewalld
service does not remove all existing rules from the iptables
configuration if both following conditions are met:
-
firewalld
is using thenftables
backend. -
There are no firewall rules created with the
--direct
option.
This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration with other software.
The ss
utility adds visibility improvement to TCP bound-inactive sockets
The iproute2
suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss
) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:
-
ss --all
: to dump all sockets including TCP bound-inactive ones -
ss --bound-inactive
: to dump only bound-inactive sockets
Jira:RHEL-6113[1]
nispor
rebased to version 1.2.10
The nispor
packages have been upgraded to upstream version 1.2.10, which provides several enhancements and bug fixes over the previous version:
-
Added support for
NetStateFilter
to use the kernel filter on network routes and interfaces. - Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
-
Newly supported bonding options:
lacp_active
,arp_missed_max
, andns_ip6_target
.
4.6. Kernel
Kernel version in RHEL 8.10
Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.
rtla
rebased to version 6.6 of the upstream kernel
source code
The rtla
utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
-
Added the
-C
option to specify additional control groups forrtla
threads to run in, apart from the mainrtla
thread. -
Added the
--house-keeping
option to placertla
threads on a housekeeping CPU and to put measurement threads on different CPUs. -
Added support to the
timerlat
tracer so that you can runtimerlat hist
andtimerlat top
threads in user space.
Jira:RHEL-10081[1]
rteval
was upgraded to the upstream version 3.7
With this update, the rteval
utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus
kernel parameter. This includes the ability to detect and use the isolcpus
mechanism for measurement modules in rteval
. As a result, it is easier for isolcpus
users to use rteval
to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.
Jira:RHEL-8967[1]
SGX is now fully supported
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041881[1]
The Intel data streaming accelerator driver is now fully supported
The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid
) submission and shared virtual memory (SVM).
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
rteval
now supports adding and removing arbitrary CPUs from the default measurement CPU list
With the rteval
utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist
parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus
is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This options covers the most common usecase of a real-time application running on isolated CPUs. Other usecases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus
.
Jira:RHEL-21926[1]
4.7. Boot loader
DEP/NX support in the pre-boot stage
The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.
This release adds DEP/NX support in the GRUB and shim
boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might execute certain attacks without the DEP/NX protection.
Jira:RHEL-15856[1]
Support for TD RTMR measurement in GRUB and shim
Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).
TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, such as grub2
and shim
, must log the event and measurement hash to runtime measurement registers (RTMR).
TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the TD guest rely on TD measurement to provide trust evidence to get confidential information, such as the key from the relaying part through the attestation service.
With this release, the GRUB and shim
boot loaders now support the TD measurement protocol.
For more information about Intel® TDX, see Documentation for Intel® Trust Domain Extensions.
Jira:RHEL-15583[1]
4.8. File systems and storage
The Storage RHEL System Roles now support shared LVM device management
The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.
multipathd
now supports detecting FPIN-Li events for NVMe devices
Previously, the multipathd
command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd
could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd
was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.
With this update, multipathd
supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.
4.9. Dynamic programming languages, web and database servers
Python 3.12 available in RHEL 8
RHEL 8.10 introduces Python 3.12, provided by the new package python3.12
and a suite of packages built for it, and the ubi8/python-312
container image.
Notable enhancements compared to the previously released Python 3.11 include:
-
Python introduces a new
type
statement and new type parameter syntax for generic classes and functions. - Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
-
To improve security, the built-in
hashlib
implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The built-in implementations remain available as fallback if OpenSSL does not provide them. -
Dictionary, list, and set comprehensions in
CPython
are now inlined. This significantly increases the speed of a comprehension execution. -
CPython
now supports the Linuxperf
profiler. -
CPython
now provides stack overflow protection on supported platforms.
To install packages from the python3.12
stack, use, for example:
# yum install python3.12 # yum install python3.12-pip
To run the interpreter, use, for example:
$ python3.12 $ python3.12 -m pip --help
See Installing and using Python for more information.
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING
environment variable. When you set this variable to true
, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg
configuration file with the following content:
[email_addr_parsing] PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
A new module stream: ruby:3.3
RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3
module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1
distributed with RHEL 8.7.
Notable enhancements include:
-
You can use the new
Prism
parser instead ofRipper
.Prism
is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language. - YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
-
The
Regexp
matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities. - The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
- A new M:N thread scheduler is now available.
Other notable changes:
-
You must now use the
Lrama
LALR parser generator instead ofBison
. - Several deprecated methods and constants have been removed.
-
The
Racc
gem has been promoted from a default gem to a bundled gem.
To install the ruby:3.3
module stream, use:
# yum module install ruby:3.3
If you want to upgrade from an earlier ruby
module stream, see Switching to a later stream.
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-17090[1]
A new module stream: php:8.2
RHEL 8.10 adds PHP 8.2, which provides several bug fixes and enhancements over version 8.0.
With PHP 8.2
, you can:
- Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature.
-
Declare a property with the
readonly
modifier to prevent modification of the property after initialization. - Use fibers, full-stack, and interruptible functions.
- Use readonly classes.
- Declare several new standalone types.
-
Use a new
Random
extension. - Define constraints in traits.
To install the php:8.2
module stream, use the following command:
# yum module install php:8.2
If you want to upgrade from an earlier php
stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.
For information about the length of support for the php
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14705[1]
The name()
method of the perl-DateTime-TimeZone
module now returns the time zone name
The perl-DateTime-TimeZone
module has been updated to version 2.62, which changed the value that is returned by the name()
method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.
A new module stream: nginx:1.24
The nginx 1.24 web and proxy server is now available as the nginx:1.24
module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.
New features and changes related to Transport Layer Security (TLS):
-
Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the
ssl_session_cache
directive. - Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
-
You can now disable looking up IPv4 addresses while resolving by using the
ipv4=off
parameter of theresolver
directive. -
nginx now supports the
$proxy_protocol_tlv_*
variables, which store the values of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol. -
The
ngx_http_gzip_static_module
module now supports byte ranges.
Other changes:
- Header lines are now represented as linked lists in the internal API.
-
nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the
$r->header_in()
method of thengx_http_perl_module
, and during lookups of the$http_...
,$sent_http_...
,$sent_trailer_...
,$upstream_http_...
, and$upstream_trailer_...
variables. - nginx now displays a warning if protocol parameters of a listening socket are redefined.
- nginx now closes connections with lingering if pipelining was used by the client.
-
The logging level of various SSL errors has been lowered, for example, from
Critical
toInformational
.
To install the nginx:1.24
stream, use:
# yum module install nginx:1.24
To upgrade from an earlier nginx
stream, switch to a later stream.
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle article.
Jira:RHEL-14714[1]
A new module stream: mariadb:10.11
MariaDB 10.11 is now available as a new module stream, mariadb:10.11
. Notable enhancements over the previously available version 10.5 include:
-
A new
sys_schema
feature. - Atomic Data Definition Language (DDL) statements.
-
A new
GRANT ... TO PUBLIC
privilege. -
Separate
SUPER
andREAD ONLY ADMIN
privileges. -
A new
UUID
database data type. - Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
-
Support for the natural sort order through the
natural_sort_key()
function. -
A new
SFORMAT
function for arbitrary text formatting. - Changes to the UTF-8 charset and the UCA-14 collation.
-
systemd
socket activation files available in the/usr/share/
directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream. -
Error messages containing the
MariaDB
string instead ofMySQL
. - Error messages available in the Chinese language.
- Changes to the default logrotate file.
-
For MariaDB and MySQL clients, the connection property specified on the command line (for example,
--port=3306
), now forces the protocol type of communication between the client and the server, such astcp
,socket
,pipe
, ormemory
.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.
For more information about MariaDB, see Using MariaDB.
To install the mariadb:10.11
stream, use:
# yum module install mariadb:10.11
If you want to upgrade from the mariadb:10.5
module stream, see Upgrading from MariaDB 10.5 to MariaDB 10.11.
For information about the length of support for the mariadb
module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new module stream: postgresql:16
RHEL 8.10 introduces PostgreSQL 16, which provides several new features and enhancements over version 15.
Notable enhancements include:
- Enhanced bulk loading improves performance.
-
The
libpq
library now supports connection-level load balancing. You can use the newload_balance_hosts
option for more efficient load balancing. -
You can now create custom configuration files and include them in the
pg_hba.conf
andpg_ident.conf
files. -
PostgreSQL now supports regular expression matching on database and role entries in the
pg_hba.conf
file.
Other changes include:
-
PostgreSQL is no longer distributed with the
postmaster
binary. Users who start thepostgresql
server by using the providedsystemd
unit file (thesystemctl start postgres
command) are not affected by this change. If you previously started thepostgresql
server directly through thepostmaster
binary, you must now use thepostgres
binary instead. - PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.
See also Using PostgreSQL.
To install the postgresql:16
stream, use the following command:
# yum module install postgresql:16
If you want to upgrade from an earlier postgresql
stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.
For information about the length of support for the postgresql
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Git rebased to version 2.43.0
The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.
Notable enhancements include:
-
You can now use the new
--source
option with thegit check-attr
command to read the.gitattributes
file from the provided tree-ish object instead of the current working directory. -
Git can now pass information from the
WWW-Authenticate
response-type header to credential helpers. -
In case of an empty commit, the
git format-patch
command now writes an output file containing a header of the commit instead of creating an empty file. -
You can now use the
git blame --contents=<file> <revision> -- <path>
command to find the origins of lines starting at<file>
contents through the history that leads to<revision>
. -
The
git log --format
command now accepts the%(decorate)
placeholder for further customization to extend the capabilities provided by the--decorate
option.
Jira:RHEL-17103[1]
Git LFS rebased to version 3.4.1
The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.
Notable changes include:
-
The
git lfs push
command can now read references and object IDs from standard input. - Git LFS now handles alternative remotes without relying on Git.
-
Git LFS now supports the
WWW-Authenticate
response-type header as a credential helper.
Jira:RHEL-17102[1]
Increased performance of the Python interpreter
All supported versions of Python in RHEL 8 are now compiled with the -O3
optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.
The change is available with the release of the following advisories:
-
python3.12
- RHSA-2024:6961 -
python3.11
- RHSA-2024:6962 -
python3
- RHSA-2024:6975 -
the
python39
module - RHSA-2024:5962
Jira:RHEL-49614[1], Jira:RHEL-49636, Jira:RHEL-49644, Jira:RHEL-49638
4.10. Compilers and development tools
New GCC Toolset 14
GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The following tools and versions are provided by GCC Toolset 14 available with the release of the RHEA-2024:8851 advisory:
- GCC 14.2
- GDB 14.2
-
binutils
2.41 -
annobin
12.70 -
dwz
0.14
To install GCC Toolset 14, run the following command as root:
# yum install gcc-toolset-14
To run a tool from GCC Toolset 14:
$ scl enable gcc-toolset-14 <tool>
To run a shell session where tool versions from GCC Toolset 14 override system versions of these tools:
$ scl enable gcc-toolset-14 bash
GCC Toolset 14 components are also available in the gcc-toolset-14-toolchain
container image.
For more information, see GCC Toolset 14 and Using GCC Toolset.
Jira:RHEL-34596[1], Jira:RHEL-30411
GCC Toolset 14: GCC rebased to version 14.2
In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2 with the release of the RHEA-2024:8864 advisory.
Notable changes include:
- Optimization and diagnostic improvements
-
A new
-fhardened
umbrella option, which enables a set of hardening flags -
A new
-fharden-control-flow-redundancy
option to detect attacks that transfer control into the middle of functions -
A new
strub
type attribute to control stack scrubbing properties of functions and variables -
A new
-finline-stringops
option to force inline expansion of certainmem*
functions - Support for new OpenMP 5.1, 5.2, and 6.0 features
- Several new C23 features
- Multiple new C++23 and C++26 features
- Several resolved C++ defect reports
- New and improved experimental support for C++20, C++23, and C++26 in the C++ library
- Support for new CPUs in the 64-bit ARM architecture
- Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
- New warnings in the GCC’s static analyzer
- Certain warnings changed to errors; for details, see Porting to GCC 14
- Various bug fixes
For more information about changes in GCC 14, see the upstream GCC release notes.
Jira:RHEL-30412[1]
GCC Toolset 14: GDB rebased to version 14.2
In GCC Toolset 14, GDB has been updated to version 14.2 with the release of the RHBA-2024:8862 advisory. The following paragraphs list notable changes since GDB 12.1.
General:
-
The
info breakpoints
command now displays enabled breakpoint locations of disabled breakpoints as in they-
state. -
Added support for debug sections compressed with Zstandard (
ELFCOMPRESS_ZSTD
) for ELF. -
The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command
set style tui-current-position
. -
A new
$_inferior_thread_count
convenience variable contains the number of live threads in the current inferior. -
For breakpoints with multiple code locations, GDB now prints the code location using the
<breakpoint_number>.<location_number>
syntax. -
When a breakpoint is hit, GDB now sets the
$_hit_bpnum
and$_hit_locno
convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using thedisable $_hit_bpnum
command, or disable only the specific breakpoint code location by using thedisable $_hit_bpnum.$_hit_locno
command. -
Added support for the
NO_COLOR
environment variable. - Added support for integer types larger than 64 bits.
-
You can use new commands for multi-target feature configuration to configure remote target feature sets (see the
set remote <name>-packet
andshow remote <name>-packet
in Commands). - Added support for the Debugger Adapter Protocol.
-
You can now use the new
inferior
keyword to make breakpoints inferior-specific (seebreak
orwatch
in Commands). -
You can now use the new
$_shell()
convenience function to execute a shell command during expression evaluation.
Changes to existing commands:
break
,watch
-
Using the
thread
ortask
keywords multiple times with thebreak
andwatch
commands now results in an error instead of using the thread or task ID of the last instance of the keyword. -
Using more than one of the
thread
,task
, andinferior
keywords in the samebreak
orwatch
command is now invalid.
-
Using the
printf
,dprintf
-
The
printf
anddprintf
commands now accept the%V
output format, which formats an expression the same way as theprint
command. You can also modify the output format by using additional print options in brackets[…]
following the command, for example:printf "%V[-array-indexes on]", <array>
.
-
The
list
-
You can now use the
.
argument to print the location around the point of execution in the current frame, or around the beginning of themain()
function if the inferior has not started yet. -
Attempting to list more source lines in a file than are available now issues a warning, referring the user to the
.
argument.
-
You can now use the
document user-defined
- It is now possible to document user-defined aliases.
New commands:
-
set print nibbles [on|off]
(default:off
),show print nibbles
- controls whether theprint/t
command displays binary values in groups of four bits (nibbles). -
set debug infcall [on|off]
(default:off
),show debug infcall
- prints additional debug messages about inferior function calls. -
set debug solib [on|off]
(default:off
),show debug solib
- prints additional debug messages about shared library handling. -
set print characters <LIMIT>
,show print characters
,print -characters <LIMIT>
- controls how many characters of a string are printed. -
set debug breakpoint [on|off]
(default:off
),show debug breakpoint
- prints additional debug messages about breakpoint insertion and removal. -
maintenance print record-instruction [ N ]
- prints the recorded information for a given instruction. -
maintenance info frame-unwinders
- lists the frame unwinders currently in effect in the order of priority (highest first). -
maintenance wait-for-index-cache
- waits until all pending writes to the index cache are completed. -
info main
- prints information on the main symbol to identify an entry point into the program. -
set tui mouse-events [on|off]
(default:on
),show tui mouse-events
- controls whether mouse click events are sent to the TUI and Python extensions (whenon
), or the terminal (whenoff
).
Machine Interface (MI) changes:
- MI version 1 has been removed.
-
MI now reports
no-history
when reverse execution history is exhausted. -
The
thread
andtask
breakpoint fields are no longer reported twice in the output of the-break-insert
command. - Thread-specific breakpoints can no longer be created on non-existent thread IDs.
-
The
--simple-values
argument to the-stack-list-arguments
,-stack-list-locals
,-stack-list-variables
, and-var-list-children
commands now considers reference types as simple if the target is simple. -
The
-break-insert
command now accepts a new-g thread-group-id
option to create inferior-specific breakpoints. -
Breakpoint-created notifications and the output of the
-break-insert
command can now include an optionalinferior
field for the main breakpoint and each breakpoint location. -
The async record stating the
breakpoint-hit
stopped reason now contains an optional fieldlocno
giving the code location number in case of a multi-location breakpoint.
Changes in the GDB Python API:
Events
-
A new
gdb.ThreadExitedEvent
event. -
A new
gdb.executable_changed
event registry, which emits theExecutableChangedEvent
objects that haveprogspace
andreload
attributes. -
New
gdb.events.new_progspace
andgdb.events.free_progspace
event registries, which emit theNewProgpspaceEvent
andFreeProgspaceEvent
event types. Both of these event types have a single attributeprogspace
to specify thegdb.Progspace
program space that is being added to or removed from GDB.
-
A new
The
gdb.unwinder.Unwinder
class-
The
name
attribute is now read-only. -
The name argument of the
__init__
function must be of thestr
type, otherwise aTypeError
is raised. -
The
enabled
attribute now accepts only thebool
type.
-
The
The
gdb.PendingFrame
class-
New methods:
name
,is_valid
,pc
,language
,find_sal
,block
, andfunction
, which mirror similar methods of thegdb.Frame
class. -
The
frame-id
argument of thecreate_unwind_info
function can now be either an integer or agdb.Value
object for thepc
,sp
, andspecial
attributes.
-
New methods:
-
A new
gdb.unwinder.FrameId
class, which can be passed to thegdb.PendingFrame.create_unwind_info
function. -
The
gdb.disassembler.DisassemblerResult
class can no longer be sub-classed. -
The
gdb.disassembler
module now includes styling support. -
A new
gdb.execute_mi(COMMAND, [ARG]…)
function, which invokes a GDB/MI command and returns result as a Python dictionary. -
A new
gdb.block_signals()
function, which returns a context manager that blocks any signals that GDB needs to handle. -
A new
gdb.Thread
subclass of thethreading.Thread
class, which calls thegdb.block_signals
function in itsstart
method. -
The
gdb.parse_and_eval
function has a newglobal_context
parameter to restrict parsing on global symbols. The
gdb.Inferior
class-
A new
arguments
attribute, which holds the command-line arguments to the inferior, if known. -
A new
main_name
attribute, which holds the name of the inferior’smain
function, if known. -
New
clear_env
,set_env
, andunset_env
methods, which can modify the inferior’s environment before it is started.
-
A new
The
gdb.Value
class-
A new
assign
method to assign a value of an object. -
A new
to_array
method to convert an array-like value to an array.
-
A new
The
gdb.Progspace
class-
A new
objfile_for_address
method, which returns thegdb.Objfile
object that covers a given address (if exists). -
A new
symbol_file
attribute holding thegdb.Objfile
object that corresponds to theProgspace.filename
variable (orNone
if the filename isNone
). -
A new
executable_filename
attribute, which holds the string with a filename that is set by theexec-file
orfile
commands, orNone
if no executable file is set.
-
A new
The
gdb.Breakpoint
class-
A new
inferior
attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, orNone
if no such breakpoints are set.
-
A new
The
gdb.Type
class-
New
is_array_like
andis_string_like
methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
-
New
-
A new
gdb.ValuePrinter
class, which can be used as the base class for the result of applying a pretty-printer. -
A newly implemented
gdb.LazyString.__str__
method. The
gdb.Frame
class-
A new
static_link
method, which returns the outer frame of a nested function frame. -
A new
gdb.Frame.language
method that returns the name of the frame’s language.
-
A new
The
gdb.Command
class-
GDB now reformats the doc string for the
gdb.Command
class and thegdb.Parameter
sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
-
GDB now reformats the doc string for the
The
gdb.Objfile
class-
A new
is_file
attribute.
-
A new
-
A new
gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE)
function, which uses the same format as when printing address, symbol, and offset information from the disassembler. -
A new
gdb.current_language
function, which returns the name of the current language. -
A new Python API for wrapping GDB’s disassembler, including
gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH)
,gdb.disassembler.Disassembler
,gdb.disassembler.DisassembleInfo
,gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE)
, andgdb.disassembler.DisassemblerResult
. -
A new
gdb.print_options
function, which returns a dictionary of the prevailing print options, in the form accepted by thegdb.Value.format_string
function. The
gdb.Value.format_string
function-
gdb.Value.format_string
now uses the format provided by theprint
command if it is called during aprint
or other similar operation. -
gdb.Value.format_string
now accepts thesummary
keyword.
-
-
A new
gdb.BreakpointLocation
Python type. -
The
gdb.register_window_type
method now restricts the set of acceptable window names.
Architecture-specific changes:
AMD and Intel 64-bit architectures
-
Added support for disassembler styling using the
libopcodes
library, which is now used by default. You can modify how the disassembler output is styled by using theset style disassembler *
commands. To use the Python Pygments styling instead, use the newmaintenance set libopcodes-styling off
command.
-
Added support for disassembler styling using the
The 64-bit ARM architecture
- Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
- Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
- Added support for Thread Local Storage (TLS) variables.
- Added support for hardware watchpoints.
The 64-bit IBM Z architecture
-
Record and replay support for the new
arch14
instructions on IBM Z targets, except for the specialized-function-assist instructionNNPA
.
-
Record and replay support for the new
IBM Power Systems, Little Endian
- Added base enablement support for POWER11.
Jira:RHELDOCS-18598[1], Jira:RHEL-36225, Jira:RHEL-36518
GCC Toolset 14: annobin
rebased to version 12.70
In GCC Toolset 14, annobin
has been updated to version 12.70 with the release of the RHBA-2024:8863 advisory. The updated set of the annobin
tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.
Jira:RHEL-30409[1]
GCC Toolset 13: GCC supports AMD Zen 5
With the release of the RHBA-2024:8829 advisory, the GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5
command-line option.
Jira:RHEL-36524[1]
LLVM Toolset updated to 18.1.8
LLVM Toolset has been updated to version 18.1.8 with the release of the RHBA-2024:8828 advisory.
Notable LLVM updates:
-
The constant expression variants of the following instructions have been removed:
and
,or
,lshr
,ashr
,zext
,sext
,fptrunc
,fpext
,fptoui
,fptosi
,uitofp
,sitofp
. -
The
llvm.exp10
intrinsic has been added. -
The
code_model
attribute for global variables has been added. - The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
- LLVM tools have been improved.
Notable Clang enhancements:
C++20 feature support:
-
Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the
-Xclang -fno-skip-odr-check-in-gmf
option.
-
Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the
C++23 feature support:
-
A new diagnostic flag
-Wc++23-lambda-attributes
has been added to warn about the use of attributes on lambdas.
-
A new diagnostic flag
C++2c feature support:
-
Clang now allows using the
_
character as a placeholder variable name multiple times in the same scope. - Attributes now expect unevaluated strings in attribute parameters that are string literals.
- The deprecated arithmetic conversion on enumerations from C++26 has been removed.
- The specification of template parameter initialization has been improved.
-
Clang now allows using the
- For a complete list of changes, see the upstream release notes for Clang.
ABI changes in Clang:
-
Following the SystemV ABI for x86_64, the
__int128
arguments are no longer split between a register and a stack slot. - For more information, see the list of ABI changes in Clang.
Notable backwards incompatible changes:
- A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
-
The
GCC_INSTALL_PREFIX
CMake variable (which sets the default--gcc-toolchain=
) is deprecated and will be removed. Specify the--gcc-install-dir=
or--gcc-triple=
option in a configuration file instead. -
The default extension name for precompiled headers (PCH) generation (
-c -xc-header
and-c -xc++-header
) is now.pch
instead of.gch
. -
When
-include a.h
probes thea.h.gch
file, the include now ignoresa.h.gch
if it is not a Clang PCH file or a directory containing any Clang PCH file. -
A bug that caused
__has_cpp_attribute
and__has_c_attribute
to return incorrect values for certain C++-11-style attributes has been fixed. -
A bug in finding a matching
operator!=
while adding a reversedoperator==
has been fixed. - The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
-
The
-Wenum-constexpr-conversion
warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release. - A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
-
It is no longer possible to import modules by using
import <module>
; Clang uses explicitly-built modules. - For more details, see the list of potentially breaking changes.
For more information, see the LLVM release notes and Clang release notes.
LVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-30907[1]
Rust Toolset rebased to version 1.79.0
Rust Toolset has been updated to version 1.79.0 with the release of the RHBA-2024:8827 advisory. Notable enhancements since the previously available version 1.75.0 include:
-
A new
offset_of!
macro - Support for C-string literals
-
Support for inline
const
expressions - Support for bounds in associated type position
- Improved automatic temporary lifetime extension
-
Debug assertions for
unsafe
preconditions
Rust Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-30073[1]
Go Toolset rebased to version 1.22
Go Toolset has been updated to version 1.22 with the release of the RHSA-2024:8876 advisory.
Notable enhancements include:
- Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
- Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
-
The
go get
command no longer supports the legacyGOPATH
mode. This change does not affect thego build
andgo test
commands. -
The
vet
tool has been updated to match the new behavior of the for loops. - CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
- Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
-
A new
math/rand/v2
package is available. - Go now provides enhanced HTTP routing patterns with support for methods and wildcards.
For more information, see the Go upstream release notes.
Go Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-46972[1]
elfutils
rebased to version 0.190
The elfutils
package has been updated to version 0.190. Notable improvements include:
-
The
libelf
library now supports relative relocation (RELR). -
The
libdw
library now recognizes.debug_[ct]u_index
sections. -
The
eu-readelf
utility now supports a new-Ds
,--use-dynamic --symbol
option to show symbols through the dynamic segment without using ELF sections. -
The
eu-readelf
utility can now show.gdb_index
version 9. -
A new
eu-scrlines
utility compiles a list of source files associated with a specified DWARF or ELF file. -
A
debuginfod
server schema has changed for a 60% compression in file name representation (this requires reindexing).
valgrind
updated to 3.22
The valgrind
package has been updated to version 3.22. Notable improvements include:
-
valgrind
memcheck
now checks that the values given to the C functionsmemalign
,posix_memalign
, andaligned_alloc
, and the C++17 alignednew
operator are valid alignment values. -
valgrind
memcheck
now supports mismatch detection for C++14 sized and C++17 alignednew
anddelete
operators. -
Added support for lazy reading of DWARF debugging information, resulting in faster startup when
debuginfo
packages are installed.
Clang resource directory moved
The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17
to /usr/lib/clang/17
.
A new grafana-selinux
package
Previously, the default installation of grafana-server
ran as an unconfined_service_t
SELinux type. This update adds the new grafana-selinux
package, which contains an SELinux policy for grafana-server
and which is installed by default with grafana-server
. As a result, grafana-server
now runs as grafana_t
SELinux type.
Updated GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced in RHEL 8.10 include:
- The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
-
binutils
now support AMD CPUs based on theznver5
core through the-march=znver5
compiler switch. -
annobin
has been updated to version 12.32. -
The
annobin
plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
Tool | Version |
---|---|
GCC | 13.2.1 |
GDB | 12.1 |
binutils | 2.40 |
dwz | 0.14 |
annobin | 12.32 |
To install GCC Toolset 13, run the following command as root:
# yum install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Jira:RHEL-25405[1]
LLVM Toolset rebased to version 17.0.6
LLVM Toolset has been updated to version 17.0.6.
Notable enhancements include:
- The opaque pointers migration is now completed.
- Removed support for the legacy pass manager in middle-end optimization.
Clang changes:
- C++20 coroutines are no longer considered experimental.
-
Improved code generation for the
std::move
function and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Rust Toolset rebased to version 1.75.0
Rust Toolset has been updated to version 1.75.0.
Notable enhancements include:
- Constant evaluation time is now unlimited
- Cleaner panic messages
- Cargo registry authentication
-
async fn
and opaque return types in traits
Go Toolset rebased to version 1.21.0
Go Toolset has been updated to version 1.21.0.
Notable enhancements include:
-
min
,max
, andclear
built-ins have been added. - Official support for profile guided optimization has been added.
- Package initialization order is now more precisely defined.
- Type inferencing is improved.
- Backwards compatibility support is improved.
For more information, see the Go upstream release notes.
Jira:RHEL-11872[1]
papi
supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi
events presets on the following processor microarchitectures:
- AMD Zen 4
- 4th Generation Intel® Xeon® Scalable Processors
Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337
Ant rebased to version 1.10.9
The ant:1.10
module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.
The updated ant:1.10
module stream provides only the ant
and ant-lib
packages. Remaining packages related to Ant are distributed in the javapackages-tools
module in the unsupported CodeReady Linux Builder (CRB) repository and have not been updated.
Packages from the updated ant:1.10
module stream cannot be used in parallel with packages from the javapackages-tools
module. If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10
module and disable it, enable the CRB repository, and install the javapackages-tools
module.
New package: maven-openjdk21
The maven:3.8
module stream now includes the maven-openjdk21
subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.
Jira:RHEL-17126[1]
cmake
rebased to version 3.26
The cmake
package has been updated to version 3.26. Notable improvements include:
- Added support for the C17 and C18 language standards.
-
cmake
can now query the/etc/os-release
file for operating system identification information. -
Added support for the CUDA 20 and
nvtx3
libraries. - Added support for the Python stable application binary interface.
- Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
4.11. Identity Management
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
Jira:RHELPLAN-123140[1]
ipa
rebased to version 4.9.13
The ipa
package has been updated from version 4.9.12 to 4.9.13. Notable changes include:
- The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
-
The performance of the
cert-find
command has been improved dramatically for situations with a large number of certificates. -
The
ansible-freeipa
package has been rebased from version 1.11 to 1.12.1.
For more information, see the upstream release notes.
Deleting expired KCM Kerberos tickets
Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches
configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy
command.
Support for bcrypt
password hashing algorithm for local users
With this update, you can enable the bcrypt
password hashing algorithm for local users. To switch to the bcrypt
hashing algorithm:
-
Edit the
/etc/authselect/system-auth
and/etc/authselect/password-auth
files by changing thepam_unix.so sha512
setting topam_unix.so blowfish
. Apply the changes:
# authselect apply-changes
-
Change the password for a user by using the
passwd
command. -
In the
/etc/shadow
file, verify that the hashing algorithm is set to$2b$
, indicating that thebcrypt
password hashing algorithm is now used.
The idp
Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp
ansible-freeipa
module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
IdM now supports the idoverrideuser
, idoverridegroup
and idview
Ansible modules
With this update, the ansible-freeipa
package now contains the following modules:
idoverrideuser
- Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
idoverridegroup
- Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
idview
- Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.
The delegation of DNS zone management enabled in ansible-freeipa
You can now use the dnszone
ansible-freeipa
module to delegate DNS zone management. Use the permission
or managedby
variable of the dnszone
module to set a per-zone access delegation permission.
The ansible-freeipa
ipauser
and ipagroup
modules now support a new renamed
state
With this update, you can use the renamed
state in ansible-freeipa
ipauser
module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa
ipagroup
module to change the group name of an existing IdM group.
The runasuser_group
parameter is now available in ansible-freeipa
ipasudorule
With this update, you can set Groups of RunAs Users for a sudo
rule by using the ansible-freeipa ipasudorule
module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.
389-ds-base
rebased to version 1.4.3.39
The 389-ds-base
package has been updated to version 1.4.3.39.
The HAProxy protocol is now supported for the 389-ds-base
package
Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip
multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip
is configured under the cn=config
entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
samba
rebased to version 4.19.4
The samba
packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:
-
Command-line options in the
smbget
utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See thesmbget --help
command andsmbget(1)
man page for further details about the new options. If the
winbind debug traceid
option is enabled, thewinbind
service now logs, additionally, the following fields:-
traceid
: Tracks the records belonging to the same request. -
depth
: Tracks the request nesting level.
-
- Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
-
The
directory name cache size
option was removed.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
Jira:RHEL-16483[1]
4.12. The web console
RHEL web console can now generate Ansible and shell scripts
In the web console, you can now easily access and copy automation scripts on the kdump
configuration page. You can then use the generated script to implement a specific kdump
configuration on multiple systems.
Jira:RHELDOCS-17060[1]
Simplified managing storage and resizing partitions on Storage
The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
4.13. Red Hat Enterprise Linux System Roles
The ad_integration
RHEL system role now supports configuring dynamic DNS update options
With this update, the ad_integration
RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:
- When the identity provider comes online (always).
- At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.
You can change these and other settings using the new variables in ad_integration
. For example, you can set ad_dyndns_refresh_interval
to 172800
to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/
directory.
Jira:RHELDOCS-17372[1]
The metrics
RHEL System Role now supports configuring PMIE webhooks
With this update, you can automatically configure the global webhook_endpoint
PMIE variable using the metrics_webhook_endpoint
variable for the metrics
RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.
The bootloader
RHEL system role
This update introduces the bootloader
RHEL system role. You can use this feature for stable and consistent configuration of boot loaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/
directory.
The logging
role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters with the logging
role. With this update, the logging
RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.
Support for new ha_cluster
System Role features
The ha_cluster
System Role now supports the following features:
-
Enablement of the repositories containing resilient storage packages, such as
dlm
orgfs2
. A Resilient Storage subscription is needed to access the repository. - Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
- Configuration of node attributes.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.
Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090
New RHEL System Role for configuring fapolicyd
With the new fapolicyd
RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd
framework. The fapolicyd
software framework controls the execution of applications based on a user-defined policy.
The network
RHEL System role now supports new route types
With this enhancement, you can now use the following route types with the network
RHEL System Role:
-
blackhole
-
prohibit
-
unreachable
Jira:RHEL-21491[1]
New rhc_insights.display_name
option in the rhc
role to set display names
You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name
parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.
The RHEL system roles now support LVM snapshot management
With this enhancement, you can use the new snapshot
RHEL system roles to create, configure, and manage LVM snapshots.
The postgresql
RHEL System Role now supports PostgreSQL 16
The postgresql
RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.
For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.
New rhc_insights.ansible_host
option in the rhc
role to set Ansible hostnames
You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host
parameter. When set, the parameter changes the ansible_host
configuration in the /etc/insights-client/insights-client.conf
file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.
ForwardToSyslog
flag is now supported in the journald
system role
In the journald
RHEL System Role, the journald_forward_to_syslog
variable controls whether the received messages should be forwarded to the traditional syslog
daemon or not. The default value of this variable is false
. With this enhancement, you can now configure the ForwardToSyslog
flag by setting journald_forward_to_syslog
to true
in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log
files.
ratelimit_burst
variable is only used if ratelimit_interval
is set in logging
system role
Previously, in the logging
RHEL System Role, when the ratelimit_interval
variable was not set, the role would use the ratelimit_burst
variable to set the rsyslog ratelimit.burst
setting. But it had no effect because it is also required to set ratelimit_interval
.
With this enhancement, if ratelimit_interval
is not set, the role does not set ratelimit.burst
. If you want to set ratelimit.burst
, you must set both ratelimit_interval
and ratelimit_burst
variables.
Use the logging_max_message_size
parameter instead of rsyslog_max_message_size
in the logging
system role
Previously, even though the rsyslog_max_message_size
parameter was not supported, the logging
RHEL System Role was using rsyslog_max_message_size
instead of using the logging_max_message_size
parameter. This enhancement ensures that logging_max_message_size
is used and not rsyslog_max_message_size
to set the maximum size for the log messages.
The ad_integration
RHEL System Role now supports custom SSSD settings
Previously, when using the ad_integration
RHEL System Role, it was not possible to add custom settings to the [sssd]
section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can use custom SSSD settings.
The ad_integration
RHEL System Role now supports custom SSSD domain configuration settings
Previously, when using the ad_integration
RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can use custom SSSD settings.
New logging_preserve_fqdn
variable for the logging
RHEL System Role
Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging
system role. This update adds the optional logging_preserve_fqdn
variable, which you can use to set the preserveFQDN
configuration option in rsyslog
to use the full FQDN instead of a short name in syslog entries.
Support for creation of volumes without creating a file system
With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted
option.
Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.
The rhc
system role now supports RHEL 7 systems
You can now manage RHEL 7 systems by using the rhc
system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc
system role.
Using the rhc_insights.remediation
parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.
New mssql_ha_prep_for_pacemaker
variable
Previously, the microsoft.sql.server
RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker
. Set the variable to false
if you do not want to configure your system for Pacemaker and you want to use another HA solution.
The sshd
role now configures certificate-based SSH authentications
With the sshd
RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.
selinux
role now supports configuring SELinux in disabled mode
With this update, the selinux
RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
selinux
role now prints a message when specifying a non-existent module
With this release, the selinux
RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path
variable.
4.14. Virtualization
RHEL now supports Multi-FD migration of virtual machines
With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
Secure Execution VMs on IBM Z now support cryptographic coprocessors
With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration.
Jira:RHELDOCS-18289[1]
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
-
Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the
~/.ssh/authorized_keys
file of the designated non-root user on the newly created VM, which provides you with an immediate SSH access to the specified user account. -
Select a
pre-formatted block device
type when creating a new storage pool. This is a more robust alternative to aphysical disk device
type, as it prevents unintentional reformatting of a raw disk device.
This update also changes some default behavior in the Virtual Machines page:
-
In the
Add disk
dialog, theAlways attach
option is now set by default.
Jira:RHELDOCS-18323[1]
4.15. RHEL in cloud environments
New cloud-init clean option for deleting generated configuration files
The cloud-init clean --configs
option has been added for the cloud-init
utility. You can use this option to delete unnecessary configuration files generated by cloud-init
on your instance. For example, to delete cloud-init
configuration files that define network setup, use the following command:
cloud-init clean --configs network
Jira:RHEL-7312[1]
RHEL instances on EC2 now support IPv6 IMDS connections
With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init
on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init
in IPv6-only subnet.
4.16. Containers
The Container Tools packages have been updated
The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:
Notable changes in Podman v4.9:
-
You can now use Podman to load the modules on-demand by using the
podman --module <your_module_name>
command and to override the system and user configuration files. -
A new
podman farm
command with a set of thecreate
,set
,remove
, andupdate
subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures. -
A new
podman-compose
command has been added, which runs Compose workloads by using an external compose provider such as Docker compose. -
The
podman build
command now supports the--layer-label
and--cw
options. -
The
podman generate systemd
command is deprecated. Use Quadlet to run containers and pods undersystemd
. -
The
podman build
command now supportsContainerfiles
with the HereDoc syntax. -
The
podman machine init
andpodman machine set
commands now support a new--usb
option. Use this option to allow USB passthrough for the QEMU provider. -
The
podman kube play
command now supports a new--publish-all
option. Use this option to expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167794[1]
Podman now supports containers.conf
modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf
files in the Tom’s Obvious Minimal Language (TOML) format.
These modules are located in the following directories, or their subdirectories:
-
For rootless users:
$HOME/.config/containers/containers.conf.modules
-
For root users:
/etc/containers/containers.conf.modules
, or/usr/share/containers/containers.conf.modules
You can load the modules on-demand with the podman --module <your_module_name>
command to override the system and user configuration files. Working with modules involve the following facts:
-
You can specify modules multiple times by using the
--module
option. -
If
<your_module_name>
is the absolute path, the configuration file will be loaded directly. - The relative paths are resolved relative to the three module directories mentioned previously.
-
Modules in
$HOME
override those in the/etc/
and/usr/share/
directories.
For more information, see the upstream documentation.
Jira:RHELPLAN-167830[1]
The Podman v4.9 RESTful API now displays data of progress
With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.
Jira:RHELPLAN-167822[1]
SQLite is now fully supported as a default database backend for Podman
With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.
If you have explicitly configured the database backend by using the database_backend
option in the containers.conf
file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168179[1]
Administrators can set up isolation for firewall rules by using nftables
You can use Netavark, a Podman container networking stack, on systems without iptables
installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables
installed. With this enhancement, the Netavark network stack works on systems with only nftables
installed and improves isolation of automatically generated firewall rules.
Jira:RHELDOCS-16955[1]
Containerfile
now supports multi-line instructions
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile
file to simplify this file and reduce the number of image layers caused by performing multiple RUN
directives.
For example, the original Containerfile
can contain the following RUN
directives:
RUN dnf update RUN dnf -y install golang RUN dnf -y install java
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF dnf update dnf -y install golang dnf -y install java EOF
Jira:RHELPLAN-168184[1]
Toolbx is now available
With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest
image.
Jira:RHELDOCS-16241[1]