Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.4.
4.1. Installer and image creation
Anaconda replaces the original boot device NVRAM variable list with new values
Previously, booting from NVRAM could lead to a system boot failure because the boot device list contained entries with incorrect values.
With this update, the problem is fixed, but the previous list of devices is cleared when the boot device NVRAM variable is updated.
(BZ#1854307)
Graphical installation of KVM virtual machines on IBM Z is now available
When using the KVM hypervisor on IBM Z hardware, you can now use the graphical installation when creating virtual machines (VMs).
Now, when a user runs the installation in KVM and QEMU provides a virtio-gpu driver, the installer automatically starts the graphical console. The user can switch to text or VNC mode by appending the inst.text or inst.vnc boot parameter to the VM's kernel command line.
(BZ#1609325)
Warnings for deprecated kernel boot arguments
Anaconda boot arguments without the inst. prefix (for example, ks, stage2, repo and so on) are deprecated starting with RHEL 7. These arguments will be removed in the next major RHEL release.
With this release, appropriate warning messages are displayed when the boot arguments are used without the inst. prefix. The warning messages are displayed in dracut when booting the installation and also when the installation program is started on a terminal.
Following is a sample warning message that is displayed on a terminal:
Deprecated boot argument %s must be used with the inst. prefix. Please use inst.%s instead. Anaconda boot arguments without inst. prefix have been deprecated and will be removed in a future major release.
Following is a sample warning message that is displayed in dracut:
$1 has been deprecated. All usage of Anaconda boot arguments without the inst. prefix have been deprecated and will be removed in a future major release. Please use $2 instead.
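As an added example (not part of the release note or of Anaconda itself), the following Python script checks a kernel command line for bare Anaconda arguments and produces the two warning texts quoted above, terminal style (%s) and dracut style ($1/$2), together with a rewritten command line that carries the inst. prefix. The page only names ks, stage2 and repo, so the script checks only those three (an assumption; Anaconda's real list is longer), and the sample command line is constructed.

```python
import shlex
from typing import List, Tuple

# The release note names ks, stage2 and repo as examples of arguments that now
# need the inst. prefix. Assumption for this example: only these three are checked;
# Anaconda's real deprecation list is longer and is not reproduced here.
DEPRECATED_BARE_ARGS = {"ks", "stage2", "repo"}

# Message templates as quoted in the release note: %s on the terminal, $1/$2 in dracut.
TERMINAL_TEMPLATE = (
    "Deprecated boot argument %s must be used with the inst. prefix. "
    "Please use inst.%s instead. Anaconda boot arguments without inst. "
    "prefix have been deprecated and will be removed in a future major release."
)
DRACUT_TEMPLATE = (
    "$1 has been deprecated. All usage of Anaconda boot arguments without the "
    "inst. prefix have been deprecated and will be removed in a future major "
    "release. Please use $2 instead."
)


def terminal_warning(name: str) -> str:
    """Fill the terminal template; both %s slots carry the bare argument name."""
    return TERMINAL_TEMPLATE % (name, name)


def dracut_warning(name: str) -> str:
    """Fill the dracut template: $1 is the old argument, $2 the inst.-prefixed form."""
    return DRACUT_TEMPLATE.replace("$1", name).replace("$2", "inst." + name)


def audit_cmdline(cmdline: str) -> Tuple[List[str], str]:
    """Return (terminal warnings, rewritten command line).

    Tokens are split shell-style so quoted values survive, and only the part
    before '=' is matched, so inst.ks=... and values that merely contain "ks"
    are left untouched.
    """
    warnings: List[str] = []
    rewritten: List[str] = []
    for token in shlex.split(cmdline):
        name = token.partition("=")[0]
        if name in DEPRECATED_BARE_ARGS:
            warnings.append(terminal_warning(name))
            rewritten.append("inst." + token)
        else:
            rewritten.append(token)
    # shlex.quote re-protects any value that needed quoting on the original line.
    return warnings, " ".join(shlex.quote(t) for t in rewritten)


if __name__ == "__main__":
    # Constructed sample command line, not taken from a real system.
    sample = ("ks=http://kickstart.example.test/rhel84.cfg "
              "inst.repo=cdrom stage2=hd:LABEL=RHEL-8-4 quiet")
    found, fixed = audit_cmdline(sample)
    for warning in found:
        print(warning)
    print("rewritten:", fixed)
```

Run it on the contents of /proc/cmdline of an installation environment to see which arguments will stop working at the next major release; the rewritten line is what to put in the boot loader or kickstart media instead.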
4.2. RHEL for Edge
Support to specify the kernel name as customization for RHEL for Edge image types
When creating OSTree commits for RHEL for Edge images, only one kernel package can be installed at a time, otherwise the commit creation fails in rpm-ostree. This prevents RHEL for Edge from adding alternative kernels, in particular the real-time kernel (kernel-rt). With this enhancement, when creating a blueprint for a RHEL for Edge image using the CLI, you can define the name of the kernel to be used in the image by setting the customizations.kernel.name key. If you do not specify a kernel name, the image includes the default kernel package.
4.3. Software management
New fill_sack_from_repos_in_cache function is now supported in DNF API
With this update, the new DNF API function fill_sack_from_repos_in_cache has been introduced, which allows loading repositories only from the cached solv and solvx files and the repomd.xml file. As a result, if the user manages the dnf cache, it is possible to save resources by not keeping duplicate information (xml and solv) and by not processing xml into solv.
createrepo_c now automatically adds modular metadata to repositories
Previously, running the createrepo_c command on RHEL 8 packages to create a new repository did not include modular repodata in this repository. Consequently, it caused various problems with repositories. With this update, createrepo_c:
- scans for modular metadata
- merges the found module YAML files into a single modular document modules.yaml
- automatically adds this document to the repository.
As a result, adding modular metadata to repositories is now automatic and no longer has to be done as a separate step using the modifyrepo_c command.
The ability to mirror a transaction between systems within DNF is now supported
With this update, the user can store and replay a transaction within DNF.
- To store a transaction from DNF history into a JSON file, run the dnf history store command.
- To replay the transaction later on the same machine, or on a different one, run the dnf history replay command.
Storing and replaying comps group operations is supported. Module operations are not yet supported and, consequently, are not stored or replayed.
createrepo_c rebased to version 0.16.2
The createrepo_c packages have been rebased to version 0.16.2, which provides the following notable changes over the previous version:
- Added module metadata support for createrepo_c.
- Fixed various memory leaks
(BZ#1894361)
The protect_running_kernel configuration option is now available
With this update, the protect_running_kernel configuration option for the dnf and microdnf commands has been introduced. This option controls whether the package corresponding to the running version of the kernel is protected from removal. As a result, the user can now disable protection of the running kernel.
4.4. Shells and command-line tools
OpenIPMI rebased to version 2.0.29
The OpenIPMI packages have been upgraded to version 2.0.29. Notable changes over the previous version include:
- Fixed memory leak, variable binding, and missing error messages.
- Added support for IPMB.
- Added support for registration of individual group extension in the lanserv.
(BZ#1796588)
freeipmi rebased to version 1.6.6
The freeipmi packages have been upgraded to version 1.6.6. Notable changes over the previous version include:
- Fixed memory leaks and typos in the source code.
- Implemented workarounds for the following known issues:
  - unexpected completion code.
  - Dell Poweredge FC830.
  - out of order packets with lan/rmcpplus ipmb.
- Added support for new Dell, Intel, and Gigabyte devices.
- Added support for the interpretation of system information and events.
(BZ#1861627)
opal-prd rebased to version 6.6.3
The opal-prd package has been rebased to version 6.6.3. Notable changes include:
- Added an offline worker process handle page for the opal-prd daemon.
- Fixed the bug for opal-gard on POWER9P so that the system can identify the chip targets for gard records.
- Fixed false negatives in wait_for_all_occ_init() of the occ command.
- Fixed OCAPI_MEM BAR values in hw/phys-map.
- Fixed warnings for Inconsistent MSAREA in hdata/memory.c.
- For sensors in occ:
  - Fixed sensor values zero bug.
  - Fixed the GPU detection code.
- Skipped sysdump retrieval in MPIPL boot.
- Fixed IPMI double-free in the Mihawk platform.
- Updated non-MPIPL scenario in fsp/dump.
- For hw/phb4:
  - Verified AER support before initialising AER regs.
  - Enabled error reporting.
- Added new smp-cable-connector VPD keyword in hdata.
(BZ#1844427)
opencryptoki rebased to version 3.15.1
The opencryptoki packages have been rebased to version 3.15.1. Notable changes include:
- Fixed segfault in C_SetPin.
- Fixed usage of EVP_CipherUpdate and EVP_CipherFinal.
- Added utility to migrate the token repository to FIPS compliant encryption.
- For the pkcstok_migrate tool:
  - Fixed NVTOK.DAT conversion on Little Endian platforms.
  - Fixed private and public token object conversion on Little Endian platforms.
- Fixed
- Fixed storing of public token objects in the new data format.
- Fixed the parameter checking mechanism in dh_pkcs_derive.
- Corrected soft token model name.
- Replaced deprecated OpenSSL interfaces in the mech_ec.c file and in ICA, TPM, and Soft tokens.
- Replaced deprecated OpenSSL AES/3DES interfaces in the sw_crypt.c file.
- Added support for ECC mechanism in Soft token.
- Added IBM specific SHA3 HMAC and SHA512/224/256 HMAC mechanisms in the Soft token.
- Added support for key wrapping with CKM_RSA_PKCS in CCA.
- For EP11 crypto stack:
  - Fixed ep11_get_keytype to recognize CKM_DES2_KEY_GEN.
  - Fixed error trace in token_specific_rng.
  - Enabled specific FW version and API in HSM simulation.
- Fixed
- Fixed Endian bug in X9.63 KDF.
- Added an error message for handling the p11sak remove-key command.
- Fixed compiling issues with C++.
- Fixed the problem with C_Get/SetOperationState and digest contexts.
- Fixed pkcscca migration failing with usr/sb2.
(BZ#1847433)
powerpc-utils rebased to version 1.3.8
The powerpc-utils packages have been rebased to version 1.3.8. Notable changes include:
- Commands that do not depend on Perl are now moved to the core subpackage.
- Added support for Linux Hybrid Network Virtualization.
- Updated safe bootlist.
- Added vcpustat utility.
- Added support for cpu-hotplug in the lparstat command.
- Added switch to print Scaled metrics in the lparstat command.
- Added helper function to calculate the delta, scaled timebase, and to derive PURR/SPURR values.
- For the ofpathname utility:
  - Improved the speed for l2of_scsi().
  - Fixed the udevadm location.
  - Added partition to support l2od_ide() and l2of_scsi().
  - Added support for the plug ID of a SCSI/SATA host.
- Improved the speed for
- Fixed the segfault condition on the unsupported connector type.
- Added tools to support migration of SR_IOV to a hybrid virtual network.
- Fixed the format-overflow warnings.
- Fixed the bash command substitution warning using the lsdevinfo utility.
- Fixed boot-time bonding interface cleanup.
(BZ#1853297)
New kernel cmdline option now generates network device name
The net_id built-in from the systemd-udevd service gains a new kernel cmdline option net.naming-scheme=SCHEME_VERSION. Based on the value of SCHEME_VERSION, a user can select the version of the algorithm that generates the network device name.
For example, to use the features of the net_id built-in in RHEL 8.4, set the value of SCHEME_VERSION to rhel-8.4.
Similarly, you can set the value of SCHEME_VERSION to any other minor release that includes the required change or fix.
(BZ#1827462)
4.5. Infrastructure services
Difference in default postfix-3.5.8 behavior
For better RHEL-8 backward compatibility, the behavior of the postfix-3.5.8 update differs from the default upstream postfix-3.5.8 behavior. To get the default upstream postfix-3.5.8 behavior, run the following commands:
# postconf info_log_address_format=external
# postconf smtpd_discard_ehlo_keywords=
# postconf rhel_ipv6_normalize=yes
For details, see the /usr/share/doc/postfix/README-RedHat.txt file. If the incompatible functionalities are not used or RHEL-8 backward compatibility is the priority, no steps are necessary.
BIND rebased to version 9.11.26
The bind packages have been updated to version 9.11.26. Notable changes include:
- Changed the default EDNS buffer size from 4096 to 1232 bytes. This change will prevent the loss of fragmented packets in some networks.
- Increased the default value of max-recursion-queries from 75 to 100. Related to CVE-2020-8616.
- Fixed the problem of reused dead nodes in the lib/dns/rbtdb.c file in named.
- Fixed the crashing problem in the named service when cleaning the reused dead nodes in the lib/dns/rbtdb.c file.
- Fixed the problem with configured multiple forwarders sometimes occurring in the named service.
- Fixed the problem of the named service incorrectly marking signed zones with no DS record at the parent as bogus.
- Fixed the missing DNS cookie response over UDP.
unbound configuration now provides enhanced logging output
With this enhancement, the following three options have been added to the unbound configuration:
- log-servfail enables log lines that explain the reason for the SERVFAIL error code to clients.
- log-local-actions enables logging of all local zone actions.
- log-tag-queryreply enables tagging of log queries and log replies in the log file.
Multiple vulnerabilities fixed with ghostscript-9.27
The ghostscript-9.27 release contains security fixes for the following vulnerabilities:
- CVE-2020-14373
- CVE-2020-16287
- CVE-2020-16288
- CVE-2020-16289
- CVE-2020-16290
- CVE-2020-16291
- CVE-2020-16292
- CVE-2020-16293
- CVE-2020-16294
- CVE-2020-16295
- CVE-2020-16296
- CVE-2020-16297
- CVE-2020-16298
- CVE-2020-16299
- CVE-2020-16300
- CVE-2020-16301
- CVE-2020-16302
- CVE-2020-16303
- CVE-2020-16304
- CVE-2020-16305
- CVE-2020-16306
- CVE-2020-16307
- CVE-2020-16308
- CVE-2020-16309
- CVE-2020-16310
- CVE-2020-17538
Tuned rebased to version 2.15-1
Notable changes include:
- Added service plugin for Linux services control.
- Improved scheduler plugin.
DNSTAP now records incoming detailed queries
DNSTAP provides an advanced way to monitor and log details of incoming name queries. It also records the answers sent by the named service. Classic query logging of the named service has a negative impact on the performance of the named service.
As a result, DNSTAP offers a way to perform continuous logging of detailed incoming queries without the performance penalty. The new dnstap-read utility allows you to analyze the recorded queries on a different system.
SpamAssassin rebased to version 3.4.4
The SpamAssassin package has been upgraded to version 3.4.4. Notable changes include:
- The OLEVBMacro plugin has been added.
- New functions check_rbl_ns, check_rbl_rcvd, check_hashbl_bodyre, and check_hashbl_uris have been added.
Key algorithm can be changed using the OMAPI shell
With this enhancement, users can now change the key algorithm. The key algorithm that was hardcoded as HMAC-MD5
is not considered secure anymore. As a result, users can use the omshell
command to change the key algorithm.
Sendmail now supports the TLSFallbacktoClear configuration
With this enhancement, if the outgoing TLS connection fails, the sendmail client falls back to plaintext. This overcomes TLS compatibility problems with other parties. Red Hat ships sendmail with the TLSFallbacktoClear option disabled by default.
tcpdump now allows viewing RDMA capable devices
This enhancement enables support for capturing RDMA traffic with tcpdump
. It allows users to capture and analyze offloaded RDMA traffic with the tcpdump
tool. As a result, users can use tcpdump
to view RDMA capable devices, capture RoCE and VMA traffic, and analyze its content.
(BZ#1743650)
4.6. Security
libreswan rebased to 4.3
The libreswan packages have been upgraded to version 4.3. Notable changes over the previous version include:
- IKE and ESP over TCP support (RFC 8229)
- IKEv2 Labeled IPsec support
- IKEv2 leftikeport/rightikeport support
- Experimental support for Intermediate Exchange
- Extended Redirect support for loadbalancing
- Default IKE lifetime changed from 1 h to 8 h for increased interoperability
- :RSA sections in the ipsec.secrets file are no longer required
- Fixed Windows 10 rekeying
- Fixed sending certificate for ECDSA authentication
- Fixes for MOBIKE and NAT-T
IPsec VPN now supports TCP transport
This update of the libreswan packages adds support for IPsec-based VPNs over TCP encapsulation as described in RFC 8229. The addition helps establish IPsec VPNs on networks that prevent traffic using Encapsulating Security Payload (ESP) and UDP. As a result, administrators can configure VPN servers and clients to use TCP either as a fallback or as the main VPN transport protocol.
(BZ#1372050)
Libreswan now supports IKEv2 for Labeled IPsec
The Libreswan Internet Key Exchange (IKE) implementation now includes Internet Key Exchange version 2 (IKEv2) support of Security Labels for IPsec. With this update, systems that use security labels with IKEv1 can be upgraded to IKEv2.
(BZ#1025061)
libpwquality rebased to 1.4.4
The libpwquality package has been rebased to version 1.4.4. This release includes multiple bug fixes and translation updates. Most notably, the following setting options have been added to the pwquality.conf file:
- retry
- enforce_for_root
- local_users_only
p11-kit rebased to 0.23.19
The p11-kit packages have been upgraded from version 0.23.14 to version 0.23.19. The new version fixes several bugs and provides various enhancements, notably:
- Fixed CVE-2020-29361, CVE-2020-29362, CVE-2020-29363 security issues.
- p11-kit now supports building through the meson build system.
(BZ#1887853)
pyOpenSSL rebased to 19.0.0
The pyOpenSSL packages have been rebased to upstream version 19.0.0. This version provides bug fixes and enhancements, most notably:
- Improved TLS 1.3 support with openssl version 1.1.1.
- No longer raising an error when trying to add a duplicate certificate with X509Store.add_cert.
- Improved handling of X509 certificates containing NUL bytes in components.
(BZ#1629914)
SCAP Security Guide rebased to 0.1.54
The scap-security-guide packages have been rebased to upstream version 0.1.54, which provides several bug fixes and improvements. Most notably:
- The Operating System Protection Profile (OSPP) has been updated in accordance with the Protection Profile for General Purpose Operating Systems for Red Hat Enterprise Linux 8.4.
- The ANSSI family of profiles based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. The content contains profiles implementing rules of the Minimum, Intermediary and Enhanced hardening levels.
- The Security Technical Implementation Guide (STIG) security profile has been updated, and it implements rules from the recently-released version V1R1.
OpenSCAP rebased to 1.3.4
The OpenSCAP packages have been rebased to upstream version 1.3.4. Notable fixes and enhancements include:
- Fixed certain memory issues that were causing systems with large amounts of files to run out of memory.
- OpenSCAP now treats GPFS as a remote file system.
- Proper handling of OVALs with circular dependencies between definitions.
- Improved yamlfilecontent: updated yaml-filter, extended the schema and probe to be able to work with a set of values in maps.
- Fixed numerous warnings (GCC and Clang).
- Numerous memory management fixes.
- Numerous memory leak fixes.
- Platform elements in XCCDF files are now properly resolved in accordance with the XCCDF specification.
- Improved compatibility with uClibc.
- Local and remote file system detection methods improved.
- Fixed dpkginfo probe to use pkgCacheFile instead of manually opening the cache.
- OpenSCAP scan report is now a valid HTML5 document.
- Fixed unwanted recursion in the file probe.
The RHEL 8 STIG security profile updated to version V1R1
With the release of the RHBA-2021:1886 advisory, the DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R1. The profile is now also more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA). This first iteration brings approximately 60% of coverage with regards to the STIG.
You should use only the current version of this profile because the draft profile is no longer valid.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
New DISA STIG profile compatible with Server with GUI installations
A new profile, DISA STIG with GUI, has been added to the SCAP Security Guide with the release of the RHBA-2021:4098 advisory. This profile is derived from the DISA STIG profile and is compatible with RHEL installations that selected the Server with GUI package group. The previously existing stig profile was not compatible with Server with GUI because DISA STIG demands uninstalling any Graphical User Interface. However, this can be overridden if properly documented by a Security Officer during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI aligned with the DISA STIG profile.
Profiles for ANSSI-BP-028 Minimal, Intermediary and Enhanced levels are now available in SCAP Security Guide
With the new profiles, you can harden the system to the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the Minimal, Intermediary and Enhanced hardening levels. As a result, you can configure and automate compliance of your RHEL 8 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.
scap-workbench can now scan remote systems using sudo privileges
The scap-workbench GUI tool now supports scanning remote systems using passwordless sudo access. This feature reduces the security risk imposed by supplying root's credentials.
Be cautious when using scap-workbench with passwordless sudo access and the remediate option. Red Hat recommends dedicating a well-secured user account just for the OpenSCAP scanner.
rhel8-tang container image is now available
With this release, the rhel8/rhel8-tang container image is available in the registry.redhat.io catalog. The container image provides Tang-server decryption capabilities for Clevis clients that run either in OpenShift Container Platform (OCP) clusters or in separate virtual machines.
(BZ#1913310)
Clevis rebased to version 15
The clevis packages have been rebased to upstream version 15. This version provides many bug fixes and enhancements over the previous version, most notably:
- Clevis now produces a generic initramfs and no longer automatically adds the rd.neednet=1 parameter to the kernel command line.
- Clevis now properly handles incorrect configurations that use the sss pin, and the clevis encrypt sss sub-command returns outputs that indicate the error cause.
Clevis no longer automatically adds rd.neednet=1
Clevis now correctly produces a generic initrd (initial ramdisk) without host-specific configuration options by default. As a result, Clevis no longer automatically adds the rd.neednet=1 parameter to the kernel command line.
If your configuration uses the previous functionality, you can either enter the dracut command with the --hostonly-cmdline argument or create the clevis.conf file in the /etc/dracut.conf.d directory and add the hostonly_cmdline=yes option to the file. A Tang binding must be present during the initrd build process.
New package: rsyslog-udpspoof
The rsyslog-udpspoof subpackage has been added back to RHEL 8. This module is similar to the regular UDP forwarder, but permits relaying syslog between different network segments while maintaining the source IP in the syslog packets.
fapolicyd rebased to 1.0.2
The fapolicyd packages have been rebased to upstream version 1.0.2. This version provides many bug fixes and enhancements over the previous version, most notably:
- Added the integrity configuration option for enabling integrity checks through:
  - Comparing file sizes
  - Comparing SHA-256 hashes
  - Integrity Measurement Architecture (IMA) subsystem
- The fapolicyd RPM plugin now registers any system update that is handled by either the YUM package manager or the RPM Package Manager.
- Rules now can contain GID in subjects.
- You can now include rule numbers in debug and syslog messages.
New RPM plugin notifies fapolicyd about changes during RPM transactions
This update of the rpm packages introduces a new RPM plugin that integrates the fapolicyd framework with the RPM database. The plugin notifies fapolicyd about installed and changed files during an RPM transaction. As a result, fapolicyd now supports integrity checking.
Note that the RPM plugin replaces the YUM plugin because its functionality is not limited to YUM transactions but covers also changes by RPM.
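As an added example (my own code, not fapolicyd's implementation) illustrating the size and SHA-256 integrity modes described in the two notes above: the script records the three fields a trust entry needs at the moment a file is trusted (the point at which the RPM plugin would notify fapolicyd), then modifies the file without changing its length to show why a size-only check is cheap but weak while the SHA-256 check still catches the change. The file is constructed in a temporary directory; the IMA mode is kernel-side and is not simulated here.

```python
import hashlib
import os
import tempfile
from typing import Dict, NamedTuple, Tuple


class TrustEntry(NamedTuple):
    """The fields the integrity option compares: path, size, SHA-256 digest."""
    path: str
    size: int
    sha256: str


def sha256_of(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_trust(path: str) -> TrustEntry:
    """Snapshot a file at the moment it is trusted (e.g. right after RPM installs it)."""
    return TrustEntry(path, os.path.getsize(path), sha256_of(path))


def check_size(entry: TrustEntry) -> bool:
    """Cheapest check: only the byte count must still match the recorded value."""
    return os.path.getsize(entry.path) == entry.size


def check_sha256(entry: TrustEntry) -> bool:
    """Strong check: the whole content must still hash to the recorded digest."""
    return sha256_of(entry.path) == entry.sha256


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Trust a constructed script, then alter it without changing its length.

    Returns {state: (size check passed, sha256 check passed)}.
    """
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "report.sh")
        with open(script, "wb") as handle:
            handle.write(b"#!/bin/sh\necho ok\n")  # constructed sample file
        entry = record_trust(script)
        untouched = (check_size(entry), check_sha256(entry))
        # Same-length modification: a size-only check cannot see it, the hash can.
        with open(script, "wb") as handle:
            handle.write(b"#!/bin/sh\necho no\n")
        altered = (check_size(entry), check_sha256(entry))
    return {"untouched": untouched, "altered": altered}


if __name__ == "__main__":
    for state, (size_ok, hash_ok) in demo().items():
        print(f"{state}: size check {'pass' if size_ok else 'FAIL'}, "
              f"sha256 check {'pass' if hash_ok else 'FAIL'}")
```

The trade-off the example makes visible is the one behind the three integrity modes: a size comparison costs a stat() call per execution, a hash costs reading the whole file, and IMA moves the measurement into the kernel so it is taken once and cached.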
4.7. Networking
The PTP capabilities output format of the ethtool utility has changed
Starting with RHEL 8.4, the ethtool utility uses the netlink interface instead of the ioctl() system call to communicate with the kernel. Consequently, when you use the ethtool -T <network_controller> command, the format of Precision Time Protocol (PTP) values changes.
Previously, with the ioctl() interface, ethtool translated the capability bit names by using an ethtool-internal string table, and the ethtool -T <network_controller> command displayed, for example:
Time stamping parameters for <network_controller>:
Capabilities:
hardware-transmit (SOF_TIMESTAMPING_TX_HARDWARE)
software-transmit (SOF_TIMESTAMPING_TX_SOFTWARE)
...
With the netlink interface, ethtool receives the strings from the kernel. These strings do not include the internal SOF_TIMESTAMPING_* names. Therefore, ethtool -T <network_controller> now displays, for example:
Time stamping parameters for <network_controller>:
Capabilities:
hardware-transmit
software-transmit
...
If you use the PTP capabilities output of ethtool in scripts or applications, update them accordingly.
(JIRA:RHELDOCS-18188)
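As an added example of the update the note asks for (my own code, not part of the release note or of ethtool), the following Python parser accepts both the pre-8.4 ioctl()-style output with the parenthesized SOF_TIMESTAMPING_* / HWTSTAMP_* names and the 8.4 netlink-style output without them, and normalizes both into the same structure, so a script that checks for hardware PTP support keeps working across the change. The two sample outputs are constructed for the example and the function names are my own.

```python
import re
from typing import Dict, List, Union

# Constructed sample outputs for this example (not captured from a real system).
# OLD_STYLE mirrors the pre-8.4 ioctl() format with the ethtool-internal
# SOF_TIMESTAMPING_* / HWTSTAMP_* names; NEW_STYLE mirrors the 8.4 netlink format.
OLD_STYLE = """\
Time stamping parameters for eth0:
Capabilities:
        hardware-transmit     (SOF_TIMESTAMPING_TX_HARDWARE)
        software-transmit     (SOF_TIMESTAMPING_TX_SOFTWARE)
        hardware-receive      (SOF_TIMESTAMPING_RX_HARDWARE)
        software-receive      (SOF_TIMESTAMPING_RX_SOFTWARE)
        software-system-clock (SOF_TIMESTAMPING_SOFTWARE)
        hardware-raw-clock    (SOF_TIMESTAMPING_RAW_HARDWARE)
PTP Hardware Clock: 0
Hardware Transmit Timestamp Modes:
        off                   (HWTSTAMP_TX_OFF)
        on                    (HWTSTAMP_TX_ON)
Hardware Receive Filter Modes:
        none                  (HWTSTAMP_FILTER_NONE)
        all                   (HWTSTAMP_FILTER_ALL)
"""

NEW_STYLE = """\
Time stamping parameters for eth0:
Capabilities:
        hardware-transmit
        software-transmit
        hardware-receive
        software-receive
        software-system-clock
        hardware-raw-clock
PTP Hardware Clock: 0
Hardware Transmit Timestamp Modes:
        off
        on
Hardware Receive Filter Modes:
        none
        all
"""

# Trailing "(SOF_TIMESTAMPING_TX_HARDWARE)"-style annotation of the old format.
_LEGACY_SUFFIX = re.compile(r"\s*\([A-Z0-9_]+\)\s*$")
_HEADER = "Time stamping parameters for "

Section = Union[str, List[str]]


def parse_ethtool_T(output: str) -> Dict[str, Section]:
    """Parse `ethtool -T` output into {section: entries}, whichever format it uses."""
    result: Dict[str, Section] = {}
    current = None  # name of the list section the indented lines belong to
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            key, _, value = raw.partition(":")
            key, value = key.strip(), value.strip()
            if key.startswith(_HEADER):
                result["interface"] = key[len(_HEADER):]
                current = None
            elif value:
                result[key] = value  # single-valued line, e.g. "PTP Hardware Clock: 0"
                current = None
            else:
                current = key
                result[current] = []
            continue
        if current is None:
            continue  # indented line outside any list section; ignore
        entries = result[current]
        assert isinstance(entries, list)
        # Dropping the legacy annotation makes both formats yield the same names.
        entries.append(_LEGACY_SUFFIX.sub("", raw.strip()).strip())
    return result


def uses_legacy_format(output: str) -> bool:
    """True when the output still carries the ioctl()-era parenthesized names."""
    return any(_LEGACY_SUFFIX.search(line) for line in output.splitlines())


def supports_hardware_ptp(output: str) -> bool:
    """Capability check written against the normalized names, format-independent."""
    caps = parse_ethtool_T(output).get("Capabilities", [])
    return {"hardware-transmit", "hardware-receive", "hardware-raw-clock"} <= set(caps)


if __name__ == "__main__":
    for label, text in (("ioctl-style", OLD_STYLE), ("netlink-style", NEW_STYLE)):
        parsed = parse_ethtool_T(text)
        print(label, parsed["interface"], parsed["Capabilities"],
              "hardware PTP:", supports_hardware_ptp(text))
```

A script that grepped for the literal SOF_TIMESTAMPING_TX_HARDWARE token silently reports no hardware timestamping on RHEL 8.4; matching on the stable capability names instead, as supports_hardware_ptp does, gives the same answer on both sides of the change.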
XDP is conditionally supported
Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions apply:
- You load the XDP program on an AMD or Intel 64-bit architecture
- You use the libxdp library to load the program into the kernel
- The XDP program does not use the XDP hardware offloading
In RHEL 8.4, the XDP_TX and XDP_REDIRECT return codes are now supported in XDP programs.
For details about unsupported XDP features, see XDP features that are available as Technology Preview
NetworkManager rebased to version 1.30.0
The NetworkManager packages have been upgraded to upstream version 1.30.0, which provides a number of enhancements and bug fixes over the previous version:
- The ipv4.dhcp-reject-servers connection property has been added to define from which DHCP server IDs NetworkManager should reject lease offers.
- The ipv4.dhcp-vendor-class-identifier connection property has been added to send a custom Vendor Class Identifier DHCP option value.
- The active_slave bond option has been deprecated. Instead, set the primary option in the controller connection.
- The nm-initrd-generator utility now supports MAC addresses to indicate interfaces.
- The nm-initrd-generator utility now supports creating InfiniBand connections.
- The timeout of the NetworkManager-wait-online service has been increased to 60 seconds.
- The ipv4.dhcp-client-id=ipv6-duid connection property has been added to be compliant with RFC 4361.
- Additional ethtool offload features have been added.
- Support for the WPA3 Enterprise Suite-B 192-bit mode has been added.
- Support for virtual Ethernet (veth) devices has been added.
For further information about notable changes, read the upstream release notes:
The iproute2 utility introduces traffic control actions to add MPLS headers before the Ethernet header
With this enhancement, the iproute2 utility offers three new traffic control (tc) actions:
- mac_push - The act_mpls module provides this action to add MPLS labels before the original Ethernet header.
- push_eth - The act_vlan module provides this action to build an Ethernet header at the beginning of the packet.
- pop_eth - The act_vlan module provides this action to drop the outer Ethernet header.
These tc actions help in implementing layer 2 virtual private network (L2VPN) by adding multiprotocol label switching (MPLS) labels before Ethernet headers. You can use these actions while adding tc filters to the network interfaces.
Red Hat provides these actions as unsupported Technology Preview, because MPLS itself is a Technology Preview feature.
For more information about these actions and their parameters, refer to the tc-mpls(8) and tc-vlan(8) man pages.
(BZ#1861261)
The nmstate API is now fully supported
Nmstate, which was previously a Technology Preview, is a network API for hosts and is fully supported in RHEL 8.4. The nmstate packages provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a predefined schema. Reporting of the current state and changes to the desired state both conform to the schema.
For further details, see the /usr/share/doc/nmstate/README.md file and the sections about nmstatectl in the Configuring and managing networking documentation.
(BZ#1674456)
New package: rshim
The rshim package provides the Mellanox BlueField rshim user-space driver, which enables accessing the rshim resources on the BlueField SmartNIC target from the external host machine. The current version of the rshim user-space driver implements device files for boot image push and virtual console access. In addition, it creates a virtual network interface to connect to the BlueField target and provides a way to access internal rshim registers.
Note that in order for the virtual console or virtual network interface to be operational, the target must be running a tmfifo driver.
(BZ#1744737)
iptraf-ng rebased to 1.2.1
The iptraf-ng packages have been rebased to upstream version 1.2.1, which provides several bug fixes and improvements. Most notably:
- The iptraf-ng application no longer causes 100% CPU usage when showing the detailed statistics of a deleted interface.
- The unsafe handling of arguments of printf() functions has been fixed.
- Partial support for the IP over InfiniBand (IPoIB) interface has been added. Because the kernel does not provide the source address on the interface, you cannot use this feature in the LAN station monitor mode.
- Packet capturing abstraction has been added to allow iptraf-ng to capture packets at multi-gigabit speed.
- You can now scroll using the Home, End, Page up, and Page down keyboard keys.
- The application now shows the dropped packet count.
4.8. Kernel
Kernel version in RHEL 8.4
Red Hat Enterprise Linux 8.4 is distributed with the kernel version 4.18.0-305.
See also Important Changes to External Kernel Parameters and Device Drivers.
Extended Berkeley Packet Filter for RHEL 8.4
The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.
The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.
Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.4, the following eBPF components are supported:
- The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
- The BCC library which allows the development of tools similar to those provided in the BCC tools package.
- The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
- The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions.
- The libbpf package, which is crucial for bpf related applications like bpftrace and bpf/xdp development.
- The xdp-tools package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, the xdp-filter example program for packet filtering, and the xdpdump utility for capturing packets from a network interface with XDP enabled.
Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as Technology Preview:
- The bpftrace tracing language
- The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space
For more information regarding the Technology Preview components, see Technology Previews.
New package: kmod-redhat-oracleasm
This update adds the new kmod-redhat-oracleasm
package, which provides the kernel module part of the ASMLib utility. Oracle Automated Storage Management (ASM) is a data volume manager for Oracle databases. ASMLib is an optional utility that can be used on Linux systems to manage Oracle ASM devices.
(BZ#1827015)
The xmon program changes to support Secure Boot and kernel_lock resilience against attacks
If the Secure Boot mechanism is disabled, you can set the xmon program into read-write mode (xmon=rw) on the kernel command line. However, if you specify xmon=rw and boot into Secure Boot mode, the kernel_lockdown feature overrides xmon=rw and changes it to read-only mode. The additional behavior of xmon depending on Secure Boot enablement is listed below:
Secure Boot is on:
-
xmon=ro
(default) - A stack trace is printed
- Memory read works
- Memory write is blocked
Secure Boot is off:
-
Possibility to set
xmon=rw
- A stack trace is always printed
- Memory read always works
-
Memory write is permitted only if
xmon=rw
These changes to xmon
behavior aim to support the Secure Boot and kernel_lock
resilience against attackers with root permissions.
For information how to configure kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.
(BZ#1952161)
Cornelis Omni-Path Architecture (OPA) Host Software
Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.4. OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For instructions on installing Omni-Path Architecture, see the Cornelis Omni-Path Fabric Software Release Notes file.
SLAB cache merging disabled by default
The CONFIG_SLAB_MERGE_DEFAULT kernel configuration option has been disabled, and SLAB caches are now not merged by default. This change aims to enhance the allocator’s reliability and the traceability of cache usage. If the previous slab-cache merging behavior is desirable, you can re-enable it by adding the slub_merge parameter to the kernel command-line. For more information on how to set kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.
(BZ#1871214)
The ima-evm-utils package rebased to version 1.3.2
The ima-evm-utils package has been upgraded to version 1.3.2, which provides multiple bug fixes and enhancements. Notable changes include:
- Added support for handling the Trusted Platform Module (TPM2) multi-banks feature
- Extended the boot aggregate value to Platform Configuration Registers (PCRs) 8 and 9
- Preloaded OpenSSL engine through a CLI parameter
- Added support for Intel Task State Segment (TSS2) PCR reading
- Added support for the original Integrity Measurement Architecture (IMA) template
Both the libimaevm.so.0 and libimaevm.so.2 libraries are part of ima-evm-utils. Users of libimaevm.so.0 are not affected when their more recent applications use libimaevm.so.2.
(BZ#1868683)
Levelling IMA and EVM features across supported CPU architectures
All CPU architectures, except ARM, have a similar level of feature support for Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) technologies. The enabled functionalities are different for each CPU architecture. The following are the most significant changes for each supported CPU architecture:
- IBM Z: IMA appraise and trusted keyring enablement.
- AMD64 and Intel 64: specific architecture policy in secure boot state.
- IBM Power System (little-endian): specific architecture policy in secure and trusted boot state.
- SHA-256 as default hash algorithm for all supported architectures.
- For all architectures, the measurement template has changed to IMA-SIG. The template includes the signature bits when present. Its format is d-ng|n-ng|sig.
The goal of this update is to decrease the level of feature difference in IMA and EVM, so that userspace applications can behave equally across all supported CPU architectures.
(BZ#1869758)
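The ima-evm-utils rebase above and the switch to the IMA-SIG template both concern how measurements are recorded and later checked. The following is an added example, my own code rather than anything from the release notes or from ima-evm-utils: it parses lines in the d-ng|n-ng|sig layout as exported through ascii_runtime_measurements, decodes the signature header, and recomputes the per-record template hash, which is the value a remote verifier replays against the PCR. The log lines it works on are constructed inside the block. Two details are assumptions drawn from the kernel's template code rather than statements in the notes: the binary encoding of the fields that feed the template hash (a little-endian u32 length before each field, "<algo>:" followed by a NUL byte before the raw digest, and a NUL-terminated path), and the 9-byte signature_v2_hdr layout; cross-check both against evmctl ima_measurement before relying on them.

```python
"""Parse ima-sig measurement records and recompute their template hash.

Added example; not from the release notes or ima-evm-utils. The field
encoding and the signature header layout are assumptions (see comments).
"""
import hashlib
import struct

# hash_algo byte of the signature header, assumed to follow the kernel's hash_info.h enum.
HASH_ALGO_NAMES = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def template_fields(digest_algo, digest, path, sig):
    """Binary data of the three fields of a d-ng|n-ng|sig record (assumed layout).

    d-ng: "<algo>:" + NUL + raw digest;  n-ng: path + NUL;  sig: raw signature bytes.
    """
    return [digest_algo.encode() + b":\0" + digest, path.encode() + b"\0", sig]


def template_hash(fields, algo="sha1"):
    """Hash each field as a little-endian u32 length followed by its data (assumed)."""
    h = hashlib.new(algo)
    for data in fields:
        h.update(struct.pack("<I", len(data)))
        h.update(data)
    return h.digest()


def build_record(pcr, digest_algo, digest, path, sig=b""):
    """Render one ASCII line: PCR template-hash ima-sig <algo>:<hex> path sig-hex."""
    fields = template_fields(digest_algo, digest, path, sig)
    return " ".join([str(pcr), template_hash(fields).hex(), "ima-sig",
                     f"{digest_algo}:{digest.hex()}", path, sig.hex()])


def parse_sig_header(sig):
    """Decode the signature_v2_hdr prefix (assumed: type, version, hash_algo, keyid BE u32, sig_size BE u16)."""
    if len(sig) < 9:
        raise ValueError("signature shorter than a v2 header")
    sig_type, version, hash_algo, keyid, sig_size = struct.unpack(">BBBIH", sig[:9])
    if sig_type != 3 or version != 2:  # 3 = EVM_IMA_XATTR_DIGSIG with a v2 header
        raise ValueError(f"unexpected signature type/version {sig_type}/{version}")
    if len(sig) != 9 + sig_size:
        raise ValueError("sig_size does not match the signature length")
    return {"hash_algo": HASH_ALGO_NAMES.get(hash_algo, f"unknown({hash_algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size}


def parse_record(line, template_hash_algo="sha1"):
    """Split one line and report whether its template hash recomputes from the fields.

    Unsigned files carry an empty sig field. Paths containing spaces are not handled.
    """
    parts = line.split()
    if len(parts) == 5:
        parts.append("")
    pcr, thash, tname, dng, path, sig_hex = parts
    if tname != "ima-sig":
        raise ValueError(f"unsupported template {tname}")
    digest_algo, digest_hex = dng.split(":", 1)
    sig = bytes.fromhex(sig_hex)
    fields = template_fields(digest_algo, bytes.fromhex(digest_hex), path, sig)
    return {
        "pcr": int(pcr),
        "path": path,
        "digest_algo": digest_algo,
        "template_hash_ok": template_hash(fields, template_hash_algo).hex() == thash,
        "signature": parse_sig_header(sig) if sig else None,
    }


# Constructed sample log: one signed and one unsigned measurement (toy 4-byte signature body).
_SIG = struct.pack(">BBBIH", 3, 2, 4, 0x1A2B3C4D, 4) + b"\xde\xad\xbe\xef"
SAMPLE_LOG = [
    build_record(10, "sha256", hashlib.sha256(b"demo binary").digest(), "/usr/bin/demo", _SIG),
    build_record(10, "sha256", hashlib.sha256(b"hosts").digest(), "/etc/hosts"),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(parse_record(rec))
```

A mismatch in template_hash_ok means the ASCII line does not describe the data that went into the PCR extend, which is exactly the tampering a measurement log verifier exists to catch; the template hash algorithm defaults to sha1 because that is the template hash used unless the kernel was told otherwise.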
Proactive compaction is now included in RHEL 8 as disabled-by-default
With ongoing workload activity, system memory becomes fragmented. The fragmentation can result in capacity and performance problems, and in some cases program errors are also possible. To counter this, the kernel relies on a reactive mechanism called memory compaction. The original design of the mechanism is conservative: compaction is initiated on demand, when an allocation request requires it. However, reactive behavior tends to increase the allocation latency if the system memory is already heavily fragmented. Proactive compaction improves the design by regularly initiating memory compaction work before a request for allocation is made. This enhancement increases the chances that memory allocation requests find physically contiguous blocks of memory without memory compaction having to produce them on demand. As a result, latency for specific memory allocation requests is lowered.
Proactive compaction can result in increased compaction activity. This might have serious, system-wide impact, because memory pages that belong to different processes are moved and remapped. Therefore, enabling proactive compaction requires utmost care to avoid latency spikes in applications.
(BZ#1848427)
EDAC support has been added in RHEL 8
With this update, RHEL 8 supports the Error Detection and Correction (EDAC) kernel module set in 8th and 9th generation Intel Core Processors (CoffeeLake). The EDAC kernel module mainly handles Error Code Correction (ECC) memory and detects and reports PCI bus parity errors.
(BZ#1847567)
A new package: kpatch-dnf
The kpatch-dnf package provides a DNF plugin, which makes it possible to subscribe a RHEL system to kernel live patch updates. The subscription will affect all kernels currently installed on the system, including kernels that will be installed in the future. For more details about kpatch-dnf, see the dnf-kpatch(8) manual page or the Managing, monitoring, and updating the kernel documentation.
(BZ#1798711)
A new cgroups controller implementation for slab memory
A new implementation of the slab memory controller for the control groups technology is now available in RHEL 8. Currently, a single memory slab can contain objects owned by different memory control groups. The slab memory controller brings improvement in slab utilization (up to 45%) and makes it possible to shift memory accounting from the page level to the object level. Also, this change eliminates the duplicated set of per-CPU and per-node slab caches for each memory control group and establishes one common set of per-CPU and per-node slab caches for all memory control groups. As a result, you can achieve a significant drop in the total kernel memory footprint and observe positive effects on memory fragmentation.
Note that the new and more precise memory accounting requires more CPU time. However, the difference seems to be negligible in practice.
(BZ#1877019)
Time namespace has been added in RHEL 8
The time namespace enables the system monotonic and boot-time clocks to work with per-namespace offsets on AMD64, Intel 64, and the 64-bit ARM architectures. This feature is suited for changing the date and time inside Linux containers and for in-container adjustments of clocks after restoration from a checkpoint. As a result, users can now independently set time for each individual container.
(BZ#1548297)
New feature: Free memory page returning
With this update, the RHEL 8 host kernel is able to return memory pages that are not used by its virtual machines (VMs) back to the hypervisor. This improves the stability and resource efficiency of the host. Note that for memory page returning to work, it must be configured in the VM, and the VM must also use the virtio_balloon device.
(BZ#1839055)
Supports changing the sorting order in perf top
With this update, perf top can now sort samples by an arbitrary event column when multiple events in a group are sampled, instead of sorting by the first column. As a result, pressing a number key sorts the table by the matching data column. The column numbering starts from 0.
Using the --group-sort-idx command line option, it is possible to sort by the column number.
(BZ#1851933)
The kabi_whitelist package has been renamed to kabi_stablelist
In accordance with the Red Hat commitment to replacing problematic language, we renamed the kabi_whitelist package to kabi_stablelist in the RHEL 8.4 release.
(BZ#1867910, BZ#1886901)
bpf rebased to version 5.9
The bpf kernel technology in RHEL 8 has been brought up-to-date with its upstream counterpart from the kernel v5.9.
The update provides multiple bug fixes and enhancements. Notable changes include:
- Added Berkeley Packet Filter (BPF) iterator for map elements and to iterate all BPF programs for efficient in-kernel inspection.
- Programs in the same control group (cgroup) can share the cgroup local storage map.
- BPF programs can run on socket lookup.
- The SO_KEEPALIVE and related options are available to the bpf_setsockopt() helper.
Note that some BPF programs may need changes to their source code.
(BZ#1874005)
The bcc package rebased to version 0.16.0
The bcc package has been upgraded to version 0.16.0, which provides multiple bug fixes and enhancements. Notable changes include:
- Added utilities klockstat and funcinterval
- Fixes in various parts of the tcpconnect manual page
- Fix to make the tcptracer tool output show SPORT and DPORT columns for IPv6 addresses
- Fix broken dependencies
(BZ#1879411)
bpftrace rebased to version 0.11.0
The bpftrace package has been upgraded to version 0.11.0, which provides multiple bug fixes and enhancements. Notable changes include:
- Added utilities threadsnoop, tcpsynbl, tcplife, swapin, setuids, and naptime
- Fixed failures when running the tcpdrop.bt and syncsnoop.bt tools
- Fixed a failure to load the Berkeley Packet Filter (BPF) program on IBM Z architectures
- Fixed a symbol lookup error
(BZ#1879413)
libbpf rebased to version 0.2.0.1
The libbpf package has been upgraded to version 0.2.0.1, which provides multiple bug fixes and enhancements. Notable changes include:
- Added support for accessing Berkeley Packet Filter (BPF) map fields in the bpf_map struct from programs that have BPF Type Format (BTF) struct access
- Added BPF ring buffer
- Added bpf iterator infrastructure
- Improved bpf_link observability
perf now supports adding or removing tracepoints from a running collector without having to stop or restart perf
Previously, to add or remove tracepoints from an instance of perf record, the perf process had to be stopped. As a consequence, performance data that occurred during the time the process was stopped was not collected and, therefore, lost. With this update, you can dynamically enable and disable tracepoints being collected by perf record via the control pipe interface without having to stop the perf record process.
(BZ#1844111)
The perf tool now supports recording and displaying absolute timestamps for trace data
With this update, perf script can now record and display trace data with absolute timestamps.
Note: To display trace data with absolute timestamps, the data must be recorded with the clock ID specified.
To record data with absolute timestamps, specify the clock ID:
# perf record -k CLOCK_MONOTONIC sleep 1
To display trace data recorded with the specified clock ID, execute the following command:
# perf script -F+tod
(BZ#1811839)
dwarves rebased to version 1.19.1
The dwarves package has been upgraded to version 1.19.1, which provides multiple bug fixes and enhancements. Notably, this update introduces a new way of checking functions from the DWARF debug data against related ftrace entries to ensure that a subset of ftrace functions is generated.
perf now supports circular buffers that use specified events to trigger snapshots
With this update, you can create custom circular buffers that write data to a perf.data file when an event you specify is detected. As a result, perf record can run continuously in the system background without generating excess overhead by continuously writing data to a perf.data file, and only recording data you are interested in.
To create a custom circular buffer using the perf tool that records event specific snapshots, use the following command:
# perf record --overwrite -e _events_to_be_collected_ --switch-output-event _snapshot_trigger_event_
(BZ#1844086)
Kernel DRBG and Jitter entropy source are compliant to NIST SP 800-90A and NIST SP 800-90B
Kernel Deterministic Random Bit Generator (DRBG) and Jitter entropy source are now compliant to recommendation for random number generation using DRBG (NIST SP 800-90A) and recommendation for the entropy sources used for random bit generation (NIST SP 800-90B) specifications. As a result, applications in FIPS mode can use these sources as FIPS-compliant randomness and noise sources.
(BZ#1905088)
kdump now supports Virtual Local Area Network tagged team network interface
This update adds support for configuring a Virtual Local Area Network tagged team interface for kdump. As a result, kdump can now use a Virtual Local Area Network tagged team interface to dump a vmcore file.
(BZ#1844941)
kernel-rt source tree has been updated to RHEL 8.4 tree
The kernel-rt source has been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.10-rt7. Both of these updates provide a number of bug fixes and enhancements.
(BZ#1858099, BZ#1858105)
The stalld package is now added to RHEL 8.4 distribution
This update adds the stalld package to RHEL 8.4.0. stalld is a daemon that monitors threads on a system running low latency applications. It checks for job threads that have been on a run-queue without being scheduled onto a CPU for a specified threshold.
When it detects a stalled thread, stalld temporarily changes the scheduling policy to SCHED_DEADLINE and assigns the thread a slice of CPU time to make forward progress. When the time slice completes or the thread blocks, the thread goes back to its original scheduling policy.
(BZ#1875037)
Support for CPU hotplug in the hv_24x7 and hv_gpci PMUs
With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a hv_gpci event counter is running on a CPU that gets disabled, the counting redirects to another CPU.
(BZ#1844416)
Metrics for POWERPC hv_24x7 nest events are now available
Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better understanding of the values obtained from perf counters and how effectively the CPU is able to process the workload.
(BZ#1780258)
hwloc rebased to version 2.2.0
The hwloc package has been upgraded to version 2.2.0, which provides the following change:
- The hwloc functionality can report details on Nonvolatile Memory Express (NVMe) drives including total disk size and sector size.
The igc driver is now fully supported
The igc Intel 2.5G Ethernet Linux wired LAN driver was introduced in RHEL 8.1 as a Technology Preview. Starting with RHEL 8.4, it is fully supported on all architectures. The ethtool utility also supports igc wired LANs.
(BZ#1495358)
4.9. File systems and storage
RHEL installation now supports creating a swap partition of size 16 TiB
Previously, when installing RHEL, the installer created a swap partition of maximum 128 GB for automatic and manual partitioning.
With this update, for automatic partitioning, the installer continues to create a swap partition of maximum 128 GB, but in case of manual partitioning, you can now create a swap partition of 16 TiB.
Surprise removal of NVMe devices
With this enhancement, you can surprise remove NVMe devices from the Linux operating system without notifying the operating system beforehand. This will enhance the serviceability of NVMe devices because no additional steps are required to prepare the devices for orderly removal, which ensures the availability of servers by eliminating server downtime.
Note the following:
- Surprise removal of NVMe devices requires kernel-4.18.0-193.13.2.el8_2.x86_64 version or later.
- Additional requirements from the hardware platform or the software running on the platform might be necessary for successful surprise removal of NVMe devices.
- Surprise removing an NVMe device that is critical to the system operation is not supported. For example, you cannot remove an NVMe device that contains the operating system or a swap partition.
(BZ#1634655)
Stratis filesystem symlink paths have changed
With this enhancement, Stratis filesystem symlink paths have changed from /stratis/<stratis-pool>/<filesystem-name> to /dev/stratis/<stratis-pool>/<filesystem-name>. Consequently, all existing Stratis symlinks must be migrated to utilize the new symlink paths.
Use the included stratis_migrate_symlinks.sh migration script or reboot your system to update the symlink paths. If you manually changed the systemd unit files or the /etc/fstab file to automatically mount Stratis filesystems, you must update them with the new symlink paths.
If you do not update your configuration with the new Stratis symlink paths, or if you temporarily disable the automatic mounts, the boot process might not complete the next time you reboot or start your system.
Stratis now supports binding encrypted pools to a supplementary Clevis encryption policy
With this enhancement, you can now bind encrypted Stratis pools to Network Bound Disk Encryption (NBDE) using a Tang server, or to the Trusted Platform Module (TPM) 2.0. Binding an encrypted Stratis pool to NBDE or TPM 2.0 facilitates automatic unlocking of pools. As a result, you can access your Stratis pools without having to provide the kernel keyring description after each system reboot. Note that binding a Stratis pool to a supplementary Clevis encryption policy does not remove the primary kernel keyring encryption.
New mount options to control when DAX is enabled on XFS and ext4 file systems
This update introduces new mount options which, when combined with the FS_XFLAG_DAX inode flag, provide finer-grained control of the Direct Access (DAX) mode for files on XFS and ext4 file systems. In prior releases, DAX was enabled for the entire file system using the dax mount option. Now, the direct access mode can be enabled on a per-file basis.
The on-disk flag, FS_XFLAG_DAX, is used to selectively enable or disable DAX for a particular file or directory. The dax mount option dictates whether or not the flag is honored:
- -o dax=inode - follow FS_XFLAG_DAX. This is the default when no dax option is specified.
- -o dax=never - never enable DAX, ignore FS_XFLAG_DAX.
- -o dax=always - always enable DAX, ignore FS_XFLAG_DAX.
- -o dax - is a legacy option which is an alias for "dax=always". This may be removed in the future, so "-o dax=always" is preferred.
You can set the FS_XFLAG_DAX flag by using the xfs_io utility’s chattr command:
# xfs_io -c "chattr +x" filename
(BZ#1838876, BZ#1838344)
SMB Direct is now supported
With this update, the SMB client now supports SMB Direct.
(BZ#1887940)
New API for mounting filesystems has been added
With this update, a new API for mounting filesystems based on an internal kernel structure called a filesystem context (struct fs_context) has been added into RHEL 8.4, allowing greater flexibility in communication of mount parameters between userspace, the VFS, and the file system. Along with this, the following system calls for operating on the file system context are available:
- fsopen() - creates a blank filesystem configuration context within the kernel for the filesystem named in the fsname parameter, adds it into creation mode, and attaches it to a file descriptor, which it then returns.
- fsmount() - takes the file descriptor returned by fsopen() and creates a mount object for the file system root specified there.
- fsconfig() - supplies parameters to and issues commands against a file system configuration context as set up by the fsopen(2) or fspick(2) system calls.
- fspick() - creates a new file system configuration context within the kernel and attaches a pre-existing superblock to it so that it can be reconfigured.
- move_mount() - moves a mount from one location to another; it can also be used to attach an unattached mount created by fsmount() or open_tree() with the OPEN_TREE_CLONE system call.
- open_tree() - picks the mount object specified by the pathname and attaches it to a new file descriptor or clones it and attaches the clone to the file descriptor.
Note that the old API based on the mount() system call is still supported.
For additional information, see the Documentation/filesystems/mount_api.txt file in the kernel source tree.
(BZ#1622041)
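The list above names the calls; the sequence in which they are used is clearer in code. The following is an added example, my own and not from the release notes or the kernel documentation, that creates a tmpfs superblock with fsopen() and fsconfig(), turns it into a detached mount object with fsmount(), and optionally places it in the tree with move_mount(). Python has no wrappers for these calls, so they go through ctypes with the architecture-independent syscall numbers the kernel assigned (fsopen 430, fsconfig 431, fsmount 432, move_mount 429); the FSCONFIG_*, FSOPEN_CLOEXEC, FSMOUNT_CLOEXEC and MOVE_MOUNT_F_EMPTY_PATH values mirror include/uapi/linux/mount.h. Creating a mount object requires CAP_SYS_ADMIN in the mount namespace, which is why the functions hand back -errno instead of raising: an unprivileged caller simply sees EPERM, and nothing is left behind in the namespace because the mount only exists as a file descriptor until move_mount() runs.

```python
"""Build a detached tmpfs mount with fsopen()/fsconfig()/fsmount(); attach it with move_mount().

Added example; not from the release notes or the kernel documentation. Syscall
numbers are the kernel's architecture-independent ones; constants mirror
include/uapi/linux/mount.h.
"""
import ctypes
import errno
import os

SYS_move_mount = 429
SYS_fsopen = 430
SYS_fsconfig = 431
SYS_fsmount = 432

FSOPEN_CLOEXEC = 0x1
FSCONFIG_SET_STRING = 1
FSCONFIG_CMD_CREATE = 6
FSMOUNT_CLOEXEC = 0x1
MOVE_MOUNT_F_EMPTY_PATH = 0x4
AT_FDCWD = -100

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def _sys(nr, *args):
    """Raw syscall: widen each argument to a C long or pointer; return the result or -errno."""
    cargs = []
    for a in args:
        if a is None:
            cargs.append(ctypes.c_void_p(None))
        elif isinstance(a, bytes):
            cargs.append(ctypes.c_char_p(a))
        else:
            cargs.append(ctypes.c_long(a))
    ret = _libc.syscall(ctypes.c_long(nr), *cargs)
    return -ctypes.get_errno() if ret == -1 else ret


def detached_tmpfs(size="16m"):
    """Create a tmpfs superblock and return a mount fd for it, or -errno.

    The mount exists only as a file descriptor until move_mount() places it,
    so a failure at any step leaves the mount namespace untouched.
    """
    fs = _sys(SYS_fsopen, b"tmpfs", FSOPEN_CLOEXEC)
    if fs < 0:
        return fs
    try:
        for key, value in ((b"size", size.encode()), (b"mode", b"0700")):
            rc = _sys(SYS_fsconfig, fs, FSCONFIG_SET_STRING, key, value, 0)
            if rc < 0:
                return rc
        rc = _sys(SYS_fsconfig, fs, FSCONFIG_CMD_CREATE, None, None, 0)  # instantiate the superblock
        if rc < 0:
            return rc
        return _sys(SYS_fsmount, fs, FSMOUNT_CLOEXEC, 0)  # attr_flags 0: no MOUNT_ATTR_* changes
    finally:
        os.close(fs)  # the configuration context is no longer needed once the mount fd exists


def attach(mount_fd, target):
    """Place a detached mount at target; returns 0 or -errno."""
    return _sys(SYS_move_mount, mount_fd, b"", AT_FDCWD, target.encode(), MOVE_MOUNT_F_EMPTY_PATH)


def try_detached_tmpfs(size="4m"):
    """Attempt creation and report "ok" or the errno name; unprivileged callers get EPERM."""
    fd = detached_tmpfs(size)
    if fd < 0:
        return errno.errorcode.get(-fd, str(-fd))
    os.close(fd)
    return "ok"


if __name__ == "__main__":
    import sys
    fd = detached_tmpfs()
    if fd < 0:
        sys.exit(f"fsopen/fsconfig/fsmount failed: {errno.errorcode.get(-fd, -fd)}")
    if len(sys.argv) > 1:  # optional: attach at the directory given on the command line
        rc = attach(fd, sys.argv[1])
        print("attached" if rc == 0 else f"move_mount failed: {errno.errorcode.get(-rc, -rc)}")
    os.close(fd)
```

Run it as root with a directory argument to see the mount appear; run it unprivileged and the only effect is the EPERM report, which is the property that makes the two-phase API attractive for tooling that wants to validate mount parameters before committing to a change in the namespace.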
Discrepancy in vfat file system mtime no longer occurs
With this update, the discrepancy in the vfat file system mtime between in-memory and on-disk write times is no longer present. This discrepancy was caused by a difference between in-memory and on-disk mtime metadata, which no longer occurs.
(BZ#1533270)
RHEL 8.4 now supports the close_range() system call
With this update, the close_range() system call was backported to RHEL 8.4. This system call closes all file descriptors in a given range efficiently, which avoids the timing problems that arise when applications configured with very large file descriptor limits close a wide range of descriptors one by one.
(BZ#1900674)
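The typical user of close_range() is code that is about to exec a less trusted program and wants every descriptor above a certain number gone, without a loop over a possibly huge RLIMIT_NOFILE. The following is an added example, my own and not from the release notes: there is no Python wrapper for close_range(), so it issues the syscall through ctypes with its architecture-independent number 436, and falls back to os.closerange() when the kernel answers ENOSYS (or a seccomp policy answers EPERM), bounding that fallback by the soft descriptor limit. The demonstration runs in a forked child, which both mirrors the pre-exec use case and guarantees the parent's own descriptors are never touched.

```python
"""Close a span of file descriptors with close_range(2), with a fallback for older kernels.

Added example; not from the release notes. Syscall number 436 is the
architecture-independent number the kernel assigned to close_range().
"""
import ctypes
import errno
import os
import resource

SYS_close_range = 436
FD_MAX = 0xFFFFFFFF  # "everything from first upwards", the usual last value before exec()

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def close_range(first, last=FD_MAX, flags=0):
    """Close fds first..last inclusive. Returns "close_range" or "closerange" (the path taken)."""
    ret = _libc.syscall(ctypes.c_long(SYS_close_range), ctypes.c_ulong(first),
                        ctypes.c_ulong(last), ctypes.c_ulong(flags))
    if ret == 0:
        return "close_range"
    err = ctypes.get_errno()
    if err not in (errno.ENOSYS, errno.EPERM):  # EPERM only comes from a seccomp filter
        raise OSError(err, os.strerror(err))
    # Fallback: bound the sweep by the soft fd limit so a FD_MAX request does not loop 2**32 times.
    soft_limit, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    os.closerange(first, min(last, soft_limit - 1) + 1)
    return "closerange"


def _is_open(fd):
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False


def demo():
    """Fork a child that opens three fds, closes them with close_range(), and reports back.

    Returns (path_taken, all_closed). Doing the work in a child keeps the parent's fds intact.
    """
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            fds = [os.open(os.devnull, os.O_RDONLY) for _ in range(3)]  # allocated above rd and wr
            path = close_range(min(fds), max(fds))
            msg = f"{path} {int(not any(_is_open(fd) for fd in fds))}"
        except OSError as exc:
            msg = f"error {exc.errno}"
        os.write(wr, msg.encode())
        os._exit(0)
    os.close(wr)
    report = b""
    while True:
        chunk = os.read(rd, 64)
        if not chunk:
            break
        report += chunk
    os.close(rd)
    os.waitpid(pid, 0)
    path, closed = report.decode().split()
    return path, closed == "1"


if __name__ == "__main__":
    print(demo())
```

In a real pre-exec hook the call is close_range(3) (keeping stdin, stdout and stderr) immediately before os.execv(); the explicit min/max range in demo() only exists so the child can prove which descriptors it closed.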
Support for user extended attributes through the NFSv4.2 protocol has been added
This update adds NFSv4.2 client-side and server-side support for user extended attributes (RFC 8276) and newly includes the following protocol extensions:
New operations:
- GETXATTR - get an extended attribute of a file
- SETXATTR - set an extended attribute of a file
- LISTXATTR - list extended attributes of a file
- REMOVEXATTR - remove an extended attribute of a file
New error codes:
- NFS4ERR_NOXATTR - xattr does not exist
- NFS4ERR_XATTR2BIG - xattr value is too big
New attribute:
- xattr_support - per-fs read-only attribute that determines whether xattrs are supported. When set to True, the object’s file system supports extended attributes.
(BZ#1888214)
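From an application's side the new operations are reached through the ordinary xattr system calls. The following is an added example, my own rather than from the release notes or RFC 8276, showing the set, list, get and remove round trip with the os.*xattr() functions; on an NFSv4.2 mount these become SETXATTR, LISTXATTR, GETXATTR and REMOVEXATTR on the wire. Only the "user." namespace is carried by the protocol, so the helpers confine themselves to it, and a lookup of an absent attribute is reported locally as ENODATA, the counterpart of NFS4ERR_NOXATTR. The temporary file and the attribute value are constructed; demo() returns None when neither the working directory nor the temp directory is on a file system with user xattrs, which is how the page's xattr_support=False case shows up locally.

```python
"""Set, list, read, and remove user.* extended attributes.

Added example; not from the release notes or RFC 8276. The file and values
are constructed for the demonstration.
"""
import errno
import os
import tempfile

USER_NS = "user."  # the only namespace NFSv4.2 carries


def set_user_xattr(path, name, value):
    os.setxattr(path, USER_NS + name, value)


def get_user_xattr(path, name):
    """Return the value, or None when the attribute does not exist (ENODATA / NFS4ERR_NOXATTR)."""
    try:
        return os.getxattr(path, USER_NS + name)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise


def list_user_xattrs(path):
    """Names in the user namespace only; security.* and trusted.* are filtered out."""
    return sorted(n[len(USER_NS):] for n in os.listxattr(path) if n.startswith(USER_NS))


def remove_user_xattr(path, name):
    os.removexattr(path, USER_NS + name)


def demo():
    """Round-trip an attribute on a temporary file; None if no candidate file system supports user xattrs."""
    for directory in (os.getcwd(), tempfile.gettempdir()):
        try:
            tmp = tempfile.NamedTemporaryFile(dir=directory)
        except OSError:
            continue  # e.g. read-only directory
        with tmp:
            try:
                set_user_xattr(tmp.name, "origin", b"build-42")
            except OSError as exc:
                if exc.errno in (errno.ENOTSUP, errno.EACCES, errno.EPERM, errno.EROFS):
                    continue  # ENOTSUP: file system without user xattrs (e.g. older tmpfs)
                raise
            result = {
                "listed": list_user_xattrs(tmp.name),
                "value": get_user_xattr(tmp.name, "origin"),
                "missing": get_user_xattr(tmp.name, "absent"),
            }
            remove_user_xattr(tmp.name, "origin")
            result["after_remove"] = list_user_xattrs(tmp.name)
            return result
    return None


if __name__ == "__main__":
    print(demo())
```

Values larger than the server is willing to store come back as E2BIG locally (NFS4ERR_XATTR2BIG on the wire); the helpers let that propagate because it is an input error the caller needs to see.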
4.10. High availability and clusters
Noncritical resources in colocation constraints are now supported
With this enhancement, you can configure a colocation constraint such that if the dependent resource of the constraint reaches its migration threshold for failure, Pacemaker will leave that resource offline and keep the primary resource on its current node rather than attempting to move both resources to another node. To support this behavior, colocation constraints now have an influence option, which can be set to true or false, and resources have a critical meta-attribute, which can also be set to true or false. The value of the critical resource meta option determines the default value of the influence option for all colocation constraints involving the resource as a dependent resource.
When the influence colocation constraint option has a value of true, Pacemaker will attempt to keep both the primary and dependent resource active. If the dependent resource reaches its migration threshold for failures, both resources will move to another node, if possible.
When the influence colocation option has a value of false, Pacemaker will avoid moving the primary resource as a result of the status of the dependent resource. In this case, if the dependent resource reaches its migration threshold for failures, it will stop if the primary resource is active and can remain on its current node.
By default, the value of the critical resource meta option is set to true, which in turn determines that the default value of the influence option is true. This preserves the previous behavior where Pacemaker attempted to keep both resources active.
New number data type supported by Pacemaker rules
PCS now supports a data type of number, which you can use when defining Pacemaker rules in any PCS command that accepts rules. Pacemaker rules implement number as a double-precision floating-point number and integer as a 64-bit integer.
(BZ#1869399)
Ability to specify a custom clone ID when creating a clone resource or promotable clone resource
When you create a clone resource or a promotable clone resource, the clone resource is named resource-id-clone by default. If that ID is already in use, PCS adds the suffix -integer, starting with an integer value of 1 and incrementing by one for each additional clone. You can now override this default by specifying a name for a clone resource ID or promotable clone resource ID with the clone-id option when creating a clone resource with the pcs resource create or the pcs resource clone command. For information on creating clone resources, see Creating cluster resources that are active on multiple nodes.
New command to display Corosync configuration
You can now print the contents of the corosync.conf file in several output formats with the new pcs cluster config [show] command. By default, the pcs cluster config command uses the text output format, which displays the Corosync configuration in a human-readable form, with the same structure and option names as the pcs cluster setup and pcs cluster config update commands.
New command to modify the Corosync configuration of an existing cluster
You can now modify the parameters of the corosync.conf file with the new pcs cluster config update command. You can use this command, for example, to increase the totem token to avoid fencing during temporary system unresponsiveness. For information on modifying the corosync.conf file, see Modifying the corosync.conf file with the pcs command.
Enabling and disabling Corosync traffic encryption in an existing cluster
Previously, you could configure Corosync traffic encryption only when creating a new cluster. With this update:
- You can change the configuration of the Corosync crypto cipher and hash with the pcs cluster config update command.
- You can change the Corosync authkey with the pcs cluster authkey corosync command.
New crypt resource agent for shared and encrypted GFS2 file systems
RHEL HA now supports a new crypt resource agent, which allows you to configure a LUKS encrypted block device that can be used to provide shared and encrypted GFS2 file systems. Using the crypt resource is currently supported only with GFS2 file systems. For information on configuring an encrypted GFS2 file system, see Configuring an encrypted GFS2 file system in a cluster.
(BZ#1471182)
4.11. Dynamic programming languages, web and database servers
A new module: python39
RHEL 8.4 introduces Python 3.9, provided by the new module python39 and the ubi8/python-39 container image.
Notable enhancements compared to Python 3.8 include:
- The merge (|) and update (|=) operators have been added to the dict class.
- Methods to remove prefixes and suffixes have been added to strings.
- Type hinting generics have been added to certain standard types, such as list and dict.
- The IANA Time Zone Database is now available through the new zoneinfo module.
Python 3.9 and packages built for it can be installed in parallel with Python 3.8 and Python 3.6 on the same system.
To install packages from the python39 module, use, for example:
# yum install python39
# yum install python39-pip
The python39:3.9 module stream will be enabled automatically.
To run the interpreter, use, for example:
$ python3.9
$ python3.9 -m pip --help
See Installing and using Python for more information.
Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. Similarly to Python 3.8, Python 3.9 will have a shorter life cycle; see Red Hat Enterprise Linux 8 Application Streams Life Cycle.
(BZ#1877430)
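Two of the Python 3.9 additions listed above have a direct bearing on code that handles names and policy settings. The following is an added example, my own and not from the release notes or the Python documentation, that uses str.removeprefix() to strip a namespace and the dict | and |= operators to layer configuration overrides. It also keeps the pre-3.9 idiom, str.lstrip(), beside it, because lstrip() removes a run of characters rather than a prefix and has silently mangled names in exactly this kind of code. The policy dictionaries and the "user."-prefixed names are constructed inputs.

```python
"""str.removeprefix() and the dict merge operators, applied to namespace stripping and policy overrides.

Added example; not from the release notes or the Python documentation. Requires Python 3.9+.
"""


def strip_namespace(name, ns="user."):
    """Drop the namespace only when it really is a prefix; other names are returned unchanged."""
    return name.removeprefix(ns)


def strip_namespace_by_lstrip(name, ns="user."):
    """The pre-3.9 mistake: lstrip() strips any leading run of the characters u, s, e, r and '.'."""
    return name.lstrip(ns)


DEFAULT_POLICY = {"tls_min_version": "1.2", "allow_plaintext": False, "log_level": "info"}


def effective_policy(*overrides):
    """Merge overrides over the defaults with `|`; later mappings win, DEFAULT_POLICY is not mutated."""
    merged = DEFAULT_POLICY
    for override in overrides:
        merged = merged | override  # produces a new dict each time
    return merged


def apply_in_place(policy, override):
    """`|=` updates an existing mapping, the operator form of dict.update()."""
    policy |= override
    return policy


if __name__ == "__main__":
    for name in ("user.reserve", "reserve", "user.user"):
        print(name, strip_namespace(name), strip_namespace_by_lstrip(name))
    print(effective_policy({"log_level": "debug"}, {"allow_plaintext": True}))
```

The lstrip() case is worth running once: "user.reserve" loses its whole leading "reser" run and becomes "ve", which is the sort of bug that turns a permission check on an attribute name into a check on a different name.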
Changes in the default separator for the Python urllib parsing functions
To mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib library, the default separator for the urllib.parse.parse_qsl and urllib.parse.parse_qs functions is being changed from both ampersand (&) and semicolon (;) to only an ampersand.
This change has been implemented in Python 3.6 with the release of RHEL 8.4, and will be backported to Python 3.8 and Python 2.7 in the following minor release of RHEL 8.
The change of the default separator is potentially backwards incompatible, therefore Red Hat provides a way to configure the behavior in Python packages where the default separator has been changed. In addition, the affected urllib parsing functions issue a warning if they detect that a customer’s application has been affected by the change.
For more information, see the Mitigation of Web Cache Poisoning in the Python urllib library (CVE-2021-23336).
Python 3.9 is unaffected and already includes the new default separator (&), which can be changed only by passing the separator parameter when calling the urllib.parse.parse_qsl and urllib.parse.parse_qs functions in Python code.
(BZ#1935686, BZ#1928904)
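The cache-poisoning risk the change addresses comes from two parsers disagreeing: a front-end cache that keys on '&'-separated pairs and a Python backend that also split on ';' would see different parameters in the same query string. The following is an added example, my own and not from the release notes or from CPython, that shows parse_qs() with the new default and with an explicit separator, re-implements the old '&'-and-';' rule so the two can be compared, and flags queries on which they disagree, which is a useful check to run over access logs while migrating. It requires a Python whose parse_qs() accepts the separator keyword (3.9.2 and later, or the patched 3.6 and 3.8 streams described above); the sample queries are constructed.

```python
"""parse_qs() after CVE-2021-23336, plus a check for queries the old rules parsed differently.

Added example; not from the release notes or CPython. Needs parse_qs(separator=...),
i.e. Python 3.9.2+ or the patched 3.6/3.8 builds the notes describe. Queries are constructed.
"""
from urllib.parse import parse_qs, unquote_plus


def parse_query(query, separator="&"):
    """Current behaviour: only `separator` delimits pairs, so ';' stays inside the value."""
    return parse_qs(query, separator=separator)


def legacy_parse_query(query):
    """Re-implementation of the pre-fix rule, where both '&' and ';' split pairs."""
    result = {}
    for chunk in query.split("&"):
        for pair in chunk.split(";"):
            name, sep, value = pair.partition("=")
            if not sep or not value:  # same skipping rules as the parse_qs() defaults
                continue
            result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def ambiguous_under_old_rules(query):
    """True when an '&'-only parser (cache, proxy) and the old '&;' parser (backend) disagree.

    A query that trips this check is one whose cached response could have been
    keyed on different parameters than the ones the application acted on.
    """
    return parse_query(query) != legacy_parse_query(query)


if __name__ == "__main__":
    for q in ("a=1&b=2", "a=1;b=2", "page=1;theme=dark"):
        print(q, parse_query(q), legacy_parse_query(q), ambiguous_under_old_rules(q))
```

Applications that genuinely receive ';'-separated queries should pass separator=";" explicitly and make sure every layer in front of them splits the same way; the silent dual-separator default is what made the two layers drift apart.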
A new module stream: swig:4.0
RHEL 8.4 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.0, available as a new module stream, swig:4.0.
Notable changes over the previously released SWIG 3.0 include:
- The only supported Python versions are: 2.7 and 3.2 to 3.8.
- The Python module has been improved: the generated code has been simplified and most optimizations are now enabled by default.
- Support for Ruby 2.7 has been added.
- PHP 7 is now the only supported PHP version; support for PHP 5 has been removed.
- Performance has been significantly improved when running SWIG on large interface files.
- Support for a command-line options file (also referred to as a response file) has been added.
- Support for JavaScript Node.js versions 2 to 10 has been added.
- Support for Octave versions 4.4 to 5.1 has been added.
To install the swig:4.0 module stream, use:
# yum module install swig:4.0
If you want to upgrade from the swig:3.0 stream, see Switching to a later stream.
For information about the length of support for the swig module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.
A new module stream: subversion:1.14
RHEL 8.4 introduces a new module stream, subversion:1.14. Subversion 1.14 is the most recent Long Term Support (LTS) release.
Notable changes since Subversion 1.10 distributed in RHEL 8.0 include:
- Subversion 1.14 includes Python 3 bindings for automation and integration of Subversion into the customer’s build and release infrastructure.
- A new svnadmin rev-size command enables users to determine the total size of a revision.
- A new svnadmin build-repcache command enables administrators to populate the rep-cache database with missing entries.
- A new experimental command has been added to provide an overview of the current working copy status.
- Various improvements to the svn log, svn info, and svn list commands have been implemented. For example, svn list --human-readable now uses human-readable units for file sizes.
- Significant improvements to svn status for large working copies have been made.
Compatibility information:
- Subversion 1.10 clients and servers interoperate with Subversion 1.14 servers and clients. However, certain features might not be available unless both client and server are upgraded to the latest version.
- Repositories created under Subversion 1.10 can be successfully loaded in Subversion 1.14.
- Subversion 1.14 distributed in RHEL 8 enables users to cache passwords in plain text on the client side. This behaviour is the same as Subversion 1.10 but different from the upstream release of Subversion 1.14.
- The experimental Shelving feature has been significantly changed, and it is incompatible with shelves created in Subversion 1.10. See the upstream documentation for details and upgrade instructions.
- The interpretation of path-based authentication configurations with both global and repository-specific rules has changed in Subversion 1.14. See the upstream documentation for details on affected configurations.
To install the subversion:1.14 module stream, use:
# yum module install subversion:1.14
If you want to upgrade from the subversion:1.10 stream, see Switching to a later stream.
For information about the length of support for the subversion module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.
A new module stream: redis:6
Redis 6, an advanced key-value store, is now available as a new module stream, redis:6.
Notable changes over Redis 5 include:
- Redis now supports SSL/TLS on all channels.
- Redis now supports Access Control Lists (ACLs), which define per-user permissions for command calls and key pattern access. Before ACLs, every client that passed the single requirepass password had full access; a dedicated user with an explicit key pattern and command set is the way to give an application only the access it needs.
- Redis now supports the new RESP3 protocol, which returns more semantically typed replies.
- Redis can now optionally use threads to handle I/O.
- Redis now offers server-side support for client-side caching of key values.
- The Redis active expire cycle has been improved to enable faster eviction of expired keys.
Redis 6 is compatible with Redis 5, with the exception of this backward incompatible change:
- When a set key does not exist, the SPOP <count> command no longer returns null. In Redis 6, the command returns an empty set in this scenario, similar to a situation when it is called with a 0 argument.
To install the redis:6 module stream, use:
# yum module install redis:6
If you want to upgrade from the redis:5 stream, see Switching to a later stream.
For information about the length of support for the redis module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.
(BZ#1862063)
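The ACL item above is the security-relevant change for most deployments. The following is an added example, not code from this page or from the Redis project: a small Python model of how Redis 6 evaluates an ACL line such as user app on >examplepassword ~app:* +@read +@write -@dangerous, which is the syntax of the file named by the aclfile directive in redis.conf. The command categories and the set of key-less commands in it are constructed, partial stand-ins for the tables compiled into redis-server, and the password is a placeholder; the evaluation order (tokens applied left to right, later tokens overriding earlier ones, key patterns matched as globs) follows the Redis ACL rules.

```python
"""Simplified model of Redis 6 ACL rule evaluation.

Added example, not Redis code. It models the subset of the ACL rule syntax a
least-privilege application user usually needs: on/off, +cmd/-cmd,
+@category/-@category, ~pattern, allkeys/resetkeys and allcommands/nocommands.
CATEGORIES and KEYLESS are constructed, partial stand-ins for the tables built
into redis-server; rules are applied left to right, later tokens overriding
earlier ones, as in Redis.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Constructed, partial command categories (the real ones come from redis-server).
CATEGORIES: Dict[str, Set[str]] = {
    "read": {"get", "mget", "hget", "smembers", "exists"},
    "write": {"set", "del", "incr", "hset", "spop"},
    "dangerous": {"flushall", "flushdb", "keys", "config", "shutdown", "debug"},
    "admin": {"config", "shutdown", "debug", "acl"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())

# Commands that take no key argument; key patterns do not apply to them.
KEYLESS: Set[str] = {"ping", "info", "config", "flushall", "flushdb", "shutdown", "debug", "acl"}


class AclUser:
    """One ACL user built from rule tokens."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.enabled = False
        self.commands: Set[str] = set()
        self.key_patterns: List[str] = []

    def apply(self, token: str) -> None:
        """Apply a single rule token; order matters, later tokens win."""
        if token == "on":
            self.enabled = True
        elif token == "off":
            self.enabled = False
        elif token in ("allcommands", "+@all"):
            self.commands = set(CATEGORIES["all"])
        elif token in ("nocommands", "-@all"):
            self.commands.clear()
        elif token.startswith("+@"):
            self.commands |= CATEGORIES[token[2:]]
        elif token.startswith("-@"):
            self.commands -= CATEGORIES[token[2:]]
        elif token.startswith("+"):
            self.commands.add(token[1:].lower())
        elif token.startswith("-"):
            self.commands.discard(token[1:].lower())
        elif token == "allkeys":
            self.key_patterns = ["*"]
        elif token == "resetkeys":
            self.key_patterns = []
        elif token.startswith("~"):
            self.key_patterns.append(token[1:])
        elif token.startswith((">", "<", "#", "!")) or token == "nopass":
            pass  # password tokens: out of scope for this model
        else:
            raise ValueError(f"unsupported ACL token: {token!r}")

    def check(self, command: str, keys: Tuple[str, ...] = ()) -> Tuple[bool, str]:
        """Return (allowed, reason) for one command invocation touching `keys`."""
        command = command.lower()
        if not self.enabled:
            return False, "user is disabled"
        if command not in self.commands:
            return False, f"command {command} is not permitted"
        if command in KEYLESS:
            return True, "ok"
        for key in keys:
            if not any(fnmatchcase(key, pattern) for pattern in self.key_patterns):
                return False, f"key {key!r} matches no permitted pattern"
        return True, "ok"


def parse_acl_line(line: str) -> AclUser:
    """Parse one line in the syntax of the file named by the aclfile directive."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("expected 'user <name> <rule>...'")
    user = AclUser(tokens[1])
    for token in tokens[2:]:
        user.apply(token)
    return user


# Constructed example: a least-privilege application user confined to its own
# key prefix. The same line can be placed in the ACL file as-is.
APP_USER_LINE = "user app on >examplepassword ~app:* +@read +@write -@dangerous"


def demo() -> List[Tuple[str, bool]]:
    """Evaluate a few representative calls against APP_USER_LINE."""
    app = parse_acl_line(APP_USER_LINE)
    return [
        ("GET app:session:1", app.check("get", ("app:session:1",))[0]),
        ("SET app:session:1", app.check("set", ("app:session:1",))[0]),
        ("GET billing:card", app.check("get", ("billing:card",))[0]),
        ("FLUSHALL", app.check("flushall")[0]),
        ("CONFIG GET dir", app.check("config")[0]),
    ]


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{label:18} {'allowed' if allowed else 'DENIED'}")
```

The point to take from the model is that the key pattern and the command set are enforced independently: the app user can read and write its own prefix but neither touch another application's keys nor run administrative commands, and an operator account built as +@all -@dangerous still loses FLUSHALL because the later token wins.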
A new module stream: postgresql:13
RHEL 8.4 introduces PostgreSQL 13, which provides a number of new features and enhancements over version 12. Notable changes include:
- Performance improvements resulting from de-duplication of B-tree index entries
- Improved performance for queries that use aggregates or partitioned tables
- Improved query planning when using extended statistics
- Parallelized vacuuming of indexes
- Incremental sorting
Note that support for Just-In-Time (JIT) compilation, available in upstream since PostgreSQL 11, is not provided by the postgresql:13 module stream.
See also Using PostgreSQL.
To install the postgresql:13 stream, use:
# yum module install postgresql:13
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.
For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.
(BZ#1855776)
A new module stream: mariadb:10.5
MariaDB 10.5 is now available as a new module stream, mariadb:10.5. Notable enhancements over the previously available version 10.3 include:
- MariaDB now uses the unix_socket authentication plug-in by default. The plug-in enables users to use operating system credentials when connecting to MariaDB through the local Unix socket file. Access for such accounts is therefore governed by who can run a client as the matching operating system user, so that user must be protected as carefully as the database password it replaces.
- MariaDB supports a new FLUSH SSL command to reload SSL certificates without a server restart.
- MariaDB adds mariadb-* named binaries and mysql* symbolic links pointing to the mariadb-* binaries. For example, the mysqladmin, mysqlaccess, and mysqlshow symlinks point to the mariadb-admin, mariadb-access, and mariadb-show binaries, respectively.
- MariaDB supports a new INET6 data type for storing IPv6 addresses.
- MariaDB now uses the Perl Compatible Regular Expressions (PCRE) library version 2.
- The SUPER privilege has been split into several privileges to better align with each user role. As a result, certain statements have changed required privileges.
- MariaDB adds a new global variable, binlog_row_metadata, as well as system variables and status variables to control the amount of metadata logged.
- The default value of the eq_range_index_dive_limit variable has been changed from 0 to 200.
- A new SHUTDOWN WAIT FOR ALL SLAVES server command and a new mysqladmin shutdown --wait-for-all-slaves option have been added to instruct the server to shut down only after the last binlog event has been sent to all connected replicas.
- In parallel replication, the slave_parallel_mode variable now defaults to optimistic.
The InnoDB storage engine introduces the following changes:
- InnoDB now supports an instant DROP COLUMN operation and enables users to change the column order.
- Defaults of the following variables have been changed: innodb_adaptive_hash_index to OFF and innodb_checksum_algorithm to full_crc32.
- Several InnoDB variables have been removed or deprecated.
MariaDB Galera Cluster has been upgraded to version 4 with the following notable changes:
- Galera adds a new streaming replication feature, which supports replicating transactions of unlimited size. During an execution of streaming replication, a cluster replicates a transaction in small fragments.
- Galera now fully supports Global Transaction ID (GTID).
- The default value for the wsrep_on option in the /etc/my.cnf.d/galera.cnf file has changed from 1 to 0 to prevent end users from starting wsrep replication without configuring required additional options.
See also Using MariaDB.
To install the mariadb:10.5 stream, use:
# yum module install mariadb:10.5
If you want to upgrade from the mariadb:10.3 module stream, see Upgrading from MariaDB 10.3 to MariaDB 10.5.
For information about the length of support for the mariadb module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.
(BZ#1855781)
MariaDB 10.5 provides the PAM plug-in version 2.0
MariaDB 10.5 adds a new version of the Pluggable Authentication Modules (PAM) plug-in. The PAM plug-in version 2.0 performs PAM authentication using a separate setuid root helper binary, which enables MariaDB to utilize additional PAM modules.
In MariaDB 10.5, the Pluggable Authentication Modules (PAM) plug-in and its related files have been moved to a new package, mariadb-pam. This package contains both PAM plug-in versions: version 2.0 is the default, and version 1.0 is available as the auth_pam_v1 shared object library.
Note that the mariadb-pam package is not installed by default with the MariaDB server. To make the PAM authentication plug-in available in MariaDB 10.5, install the mariadb-pam package manually.
See also known issue PAM plug-in version 1.0 does not work in MariaDB.
A new package: mysql-selinux
RHEL 8.4 adds a new mysql-selinux package that provides an SELinux module with rules for the MariaDB and MySQL databases. The package is installed by default with the database server. The module’s priority is set to 200. A module with a higher priority overrides a module of the same name with a lower priority, so these rules take precedence over the mysql rules shipped at priority 100 in the base selinux-policy; semodule -lfull lists both.
(BZ#1895021)
python-PyMySQL rebased to version 0.10.1
The python-PyMySQL package, which provides the pure-Python MySQL client library, has been updated to version 0.10.1. The package is included in the python36, python38, and python39 modules.
Notable changes include:
- This update adds support for the ed25519 and caching_sha2_password authentication mechanisms.
- The default character set in the python38 and python39 modules is utf8mb4, which aligns with upstream. The python36 module preserves the default latin1 character set to maintain compatibility with earlier versions of this module. Applications that depend on a particular character set should pass charset= explicitly to pymysql.connect() rather than rely on the module default.
- In the python36 module, the /usr/lib/python3.6/site-packages/pymysql/tests/ directory is no longer available.
A new package: python3-pyodbc
This update adds the python3-pyodbc package to RHEL 8. The pyodbc Python module provides access to Open Database Connectivity (ODBC) databases. This module implements the Python DB API 2.0 specification and can be used with third-party ODBC drivers. For example, you can now use Performance Co-Pilot (pcp) to monitor the performance of Microsoft SQL Server.
(BZ#1881490)
A new package: micropipenv
A new micropipenv package is now available. It provides a lightweight wrapper for the pip package installer to support Pipenv and Poetry lock files.
Note that the micropipenv package is distributed in the AppStream repository and is provided under the Compatibility level 4. For more information, see the Red Hat Enterprise Linux 8 Application Compatibility Guide.
(BZ#1849096)
New packages: py3c-devel and py3c-docs
RHEL 8.4 introduces new py3c-devel and py3c-docs packages, which simplify porting C extensions to Python 3. These packages include a detailed guide and a set of macros for easier porting.
Note that the py3c-devel and py3c-docs packages are distributed through the unsupported CodeReady Linux Builder (CRB) repository.
(BZ#1841060)
Enhanced ProxyRemote directive for configuring httpd
The ProxyRemote configuration directive in the Apache HTTP Server has been enhanced to optionally take user name and password credentials. These credentials are used for authenticating to the remote proxy using HTTP Basic authentication. This feature has been backported from httpd 2.5. Because HTTP Basic credentials are only base64-encoded on the wire, keep the configuration file that holds them readable by root only and make sure the hop to the remote proxy does not cross an untrusted network.
(BZ#1869576)
Non-end-entity certificates can be used with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath httpd directives
With this update, you can use non-end-entity (non-leaf) certificates, such as a Certificate Authority (CA) or intermediate certificate, with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath configuration directives in the Apache HTTP Server. The Apache HTTP Server now treats such certificates as trusted CAs, as if they were used with the SSLProxyMachineCertificateChainFile directive. Previously, if non-end-entity certificates were used with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath directives, httpd failed to start with a configuration error.
(BZ#1883648)
A new SecRemoteTimeout directive in the mod_security module
Previously, you could not modify the default timeout for retrieving remote rules in the mod_security module for the Apache HTTP Server. With this update, you can set a custom timeout in seconds using the new SecRemoteTimeout configuration directive.
When the timeout has been reached, httpd now fails with an error message Timeout was reached. Note that in this scenario, the error message also contains Syntax error even if the configuration file is syntactically valid. The httpd behavior upon timeout depends on the value of the SecRemoteRulesFailAction configuration directive (the default value is Abort). With Abort, httpd refuses to start when the remote rule set cannot be fetched; with Warn, it starts without those rules, so a failed fetch silently reduces the coverage of the web application firewall.
The mod_fcgid module can now pass up to 1024 environment variables to an FCGI server process
With this update, the mod_fcgid module for the Apache HTTP Server can pass up to 1024 environment variables to a FastCGI (FCGI) server process. The previous limit of 64 environment variables could cause applications running on the FCGI server to malfunction.
perl-IO-String is now available in the AppStream repository
The perl-IO-String package, which provides the Perl IO::String module, is now distributed through the supported AppStream repository. In previous releases of RHEL 8, the perl-IO-String package was available in the unsupported CodeReady Linux Builder repository.
(BZ#1890998)
A new package: quota-devel
RHEL 8.4 introduces the quota-devel package, which provides header files for implementing the quota Remote Procedure Call (RPC) service.
Note that the quota-devel package is distributed through the unsupported CodeReady Linux Builder (CRB) repository.
4.12. Compilers and development tools
The glibc library now supports glibc-hwcaps subdirectories for loading optimized shared library implementations
On certain architectures, hardware upgrades sometimes caused glibc to load libraries with baseline optimizations, rather than optimized libraries for the previous hardware generation. Additionally, when running on AMD CPUs, optimized libraries were not loaded at all.
With this enhancement, glibc supports locating optimized library implementations in the glibc-hwcaps subdirectories. The dynamic loader checks for library files in these subdirectories based on the CPU in use and its hardware capabilities. This feature is available on the following architectures: IBM Power Systems (little endian), IBM Z, and 64-bit AMD and Intel.
(BZ#1817513)
The glibc dynamic loader now activates selected audit modules at run time
Previously, the binutils link editor ld supported the --audit option, which records the requested audit module in the DT_AUDIT entry of the executable’s dynamic section, but the glibc dynamic loader ignored the request. With this update, the glibc dynamic loader no longer ignores the request, and loads the indicated audit modules. As a result, it is possible to activate audit modules for specific programs without writing wrapper scripts or using similar mechanisms.
glibc now provides improved performance on IBM POWER9
This update introduces new implementations of the functions strlen, strcpy, stpcpy, and rawmemchr for IBM POWER9. As a result, these functions now execute faster on IBM POWER9 hardware, which leads to performance gains.
Optimized performance of memcpy and memset on IBM Z
With this enhancement, the core library implementations of the memcpy and memset APIs were adjusted to accelerate both small (< 64 KiB) and larger data copies on IBM Z processors. As a result, applications working with in-memory data now benefit from significantly improved performance across a wide variety of workloads.
GCC now supports the ARMv8.1 LSE atomic instructions
With this enhancement, the GCC compiler now supports Large System Extensions (LSE), atomic instructions added with the ARMv8.1 specification. These instructions provide better performance in multi-threaded applications than the ARMv8.0 Load-Exclusive and Store-Exclusive instructions.
(BZ#1821994)
GCC now emits vector alignment hints for certain IBM Z systems
This update enables the GCC compiler to emit vector load and store alignment hints for IBM z13 processors. To use this enhancement the assembler must support such hints. As a result, users now benefit from improved performance of certain vector operations.
(BZ#1850498)
Dyninst rebased to version 10.2.1
The Dyninst binary analysis and modification tool has been updated to version 10.2.1. Notable bug fixes and enhancements include:
- Support for the elfutils debuginfod client library.
- Improved parallel binary code analysis.
- Improved analysis and instrumentation of large binaries.
elfutils rebased to version 0.182
The elfutils package has been updated to version 0.182. Notable bug fixes and enhancements include:
- Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled for PAC on the 64-bit ARM architecture.
- elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag.
- debuginfod-client now supports kernel ELF images compressed with ZSTD.
- debuginfod has a more efficient package traversal, tolerating various errors during scanning. The grooming process is more visible and interruptible, and provides more Prometheus metrics.
SystemTap rebased to version 4.4
The SystemTap instrumentation tool has been updated to version 4.4, which provides multiple bug fixes and enhancements. Notable changes include:
- Performance and stability improvements to user-space probing.
- Users can now access implicit thread local storage variables on these architectures: AMD64, Intel 64, IBM Z, and the little-endian variant of IBM Power Systems.
- Initial support for processing of floating point values.
- Improved concurrency for scripts using global variables. The locks required to protect concurrent access to global variables have been optimized so that they span the smallest possible critical region.
- New syntax for defining aliases with both a prologue and an epilogue.
- New @probewrite predicate.
- syscall arguments are writable again.
For further information about notable changes, read the upstream release notes before updating.
Valgrind now supports IBM z14 instructions
With this update, the Valgrind tool suite supports instructions for the IBM z14 processor. As a result, you can now use the Valgrind tools to debug programs using the z14 vector instructions and the miscellaneous z14 instruction set.
(BZ#1504123)
CMake rebased to version 3.18.2
The CMake build system has been upgraded from version 3.11.4 to version 3.18.2. It is available in RHEL 8.4 as the cmake-3.18.2-8.el8 package.
A project declares the CMake version it needs with the cmake_minimum_required(VERSION x.y.z) command in its CMakeLists.txt; any project whose declared minimum is 3.18.2 or lower can be configured with this package.
For further information on new features and deprecated functionalities, see the CMake Release Notes.
libmpc rebased to version 1.1.0
The libmpc package has been rebased to version 1.1.0, which provides several enhancements and bug fixes over the previous version. For details, see the GNU MPC 1.1.0 release notes.
Updated GCC Toolset 10
GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced with RHEL 8.4 include:
- The GCC compiler has been updated to the upstream version, which provides multiple bug fixes.
- elfutils has been updated to version 0.182.
- Dyninst has been updated to version 10.2.1.
- SystemTap has been updated to version 4.4.
The following tools and versions are provided by GCC Toolset 10:
Tool | Version |
---|---|
GCC | 10.2.1 |
GDB | 9.2 |
Valgrind | 3.16.0 |
SystemTap | 4.4 |
Dyninst | 10.2.1 |
binutils | 2.35 |
elfutils | 0.182 |
dwz | 0.12 |
make | 4.2.1 |
strace | 5.7 |
ltrace | 0.7.91 |
annobin | 9.29 |
To install GCC Toolset 10, run the following command as root:
# yum install gcc-toolset-10
To run a tool from GCC Toolset 10:
$ scl enable gcc-toolset-10 tool
To run a shell session where tool versions from GCC Toolset 10 override system versions of these tools:
$ scl enable gcc-toolset-10 bash
For more information, see Using GCC Toolset.
The GCC Toolset 10 components are available in the two container images:
- rhel8/gcc-toolset-10-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
- rhel8/gcc-toolset-10-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.
To pull a container image, run the following command as root:
# podman pull registry.redhat.io/<image_name>
Note that only the GCC Toolset 10 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.
For details regarding the container images, see Using the GCC Toolset container images.
(BZ#1918055)
GCC Toolset 10: GCC now supports bfloat16
In GCC Toolset 10, the GCC compiler now supports the bfloat16 extension through ACLE intrinsics. This enhancement benefits high-performance computing workloads that use the bfloat16 floating-point format.
(BZ#1656139)
GCC Toolset 10: GCC now supports ENQCMD and ENQCMDS instructions on Intel Sapphire Rapids processors
In GCC Toolset 10, the GNU Compiler Collection (GCC) now supports the ENQCMD and ENQCMDS instructions, which you can use to submit 64-byte work descriptors to devices atomically. To apply this enhancement, run GCC with the -menqcmd option.
(BZ#1891998)
GCC Toolset 10: Dyninst rebased to version 10.2.1
In GCC Toolset 10, the Dyninst binary analysis and modification tool has been updated to version 10.2.1. Notable bug fixes and enhancements include:
- Support for the elfutils debuginfod client library.
- Improved parallel binary code analysis.
- Improved analysis and instrumentation of large binaries.
GCC Toolset 10: elfutils rebased to version 0.182
In GCC Toolset 10, the elfutils package has been updated to version 0.182. Notable bug fixes and enhancements include:
- Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled for PAC on the 64-bit ARM architecture.
- elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag.
- debuginfod-client now supports kernel ELF images compressed with ZSTD.
- debuginfod has a more efficient package traversal, tolerating various errors during scanning. The grooming process is more visible and interruptible, and provides more Prometheus metrics.
Go Toolset rebased to version 1.15.7
Go Toolset has been upgraded to 1.15.7. Notable enhancements include:
- Linking is now faster and requires less memory due to the newly implemented object file format and increased concurrency of internal phases. With this enhancement, internal linking is now the default. To disable this setting, pass the build flag -ldflags=-linkmode=external to go build.
- Allocating small objects has been improved for high core counts, including worst-case latency.
- Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are specified is now disabled by default. To enable it, add the value x509ignoreCN=0 to the GODEBUG environment variable. Certificates issued without a Subject Alternative Name therefore fail host name verification in Go 1.15 clients; reissue them with a SAN rather than relying on the GODEBUG override, which upstream removed in Go 1.17.
- GOPROXY now supports skipping proxies that return errors.
- Go now includes the new package time/tzdata. It enables you to embed the timezone database into a program even if the timezone database is not available on your local system.
For more information on Go Toolset, see Using Go Toolset.
(BZ#1870531)
Rust Toolset rebased to version 1.49.0
Rust Toolset has been updated to version 1.49.0. Notable changes include:
- You can now use the path of a rustdoc page item to link to it in rustdoc.
- The Rust test framework now hides thread output. Output of failed tests still shows in the terminal.
- You can now use [T; N]: TryFrom<Vec<T>> to turn a vector into an array of any length.
- You can now use slice::select_nth_unstable to perform ordered partitioning. This function is also available with the following variants:
  - slice::select_nth_unstable_by provides a comparator function.
  - slice::select_nth_unstable_by_key provides a key extraction function.
- You can now use ManuallyDrop as the type of a union field. It is also possible to use impl Drop for Union to add the Drop trait to existing unions. This makes it possible to define unions where certain fields need to be dropped manually.
- Container images for Rust Toolset have been deprecated and Rust Toolset has been added to the Universal Base Images (UBI) repositories.
For further information, see Using Rust Toolset.
(BZ#1896712)
LLVM Toolset rebased to version 11.0.0
LLVM Toolset has been upgraded to version 11.0.0. Notable changes include:
- Support for the -fstack-clash-protection command-line option has been added to the AMD and Intel 64-bit architectures, IBM Power Systems Little Endian, and IBM Z. This new compiler flag protects from stack-clash attacks by probing each stack page as the stack grows, so that a large stack allocation cannot skip over the guard page.
- The new compiler flag -ffp-exception-behavior={ignore,maytrap,strict} enables the specification of floating-point exception behavior. The default setting is ignore.
- The new compiler flag -ffp-model={precise,strict,fast} allows the simplification of single-purpose floating-point options. The default setting is precise.
- The -fno-common compiler flag is now enabled by default. With this enhancement, code written in C using tentative variable definitions in multiple translation units now triggers multiple-definition linker errors. To disable this setting, use the -fcommon flag.
- Container images for LLVM Toolset have been deprecated and LLVM Toolset has been added to the Universal Base Images (UBI) repositories.
For more information, see Using LLVM Toolset.
(BZ#1892716)
pcp rebased to version 5.2.5
The pcp package has been upgraded to version 5.2.5. Notable changes include:
- SQL Server metrics support via a secure connection.
- eBPF/BCC netproc module with per-process network metrics.
- pmdaperfevent(1) support for the hv_24x7 core-level and hv_gpci event metrics.
- New Linux process accounting metrics, Linux ZFS metrics, Linux XFS metrics, Linux kernel socket metrics, Linux multipath TCP metrics, Linux memory and ZRAM metrics, and S.M.A.R.T. metric support for NVM Express disks.
- New pcp-htop(1) utility to visualize the system and process metrics.
- New pmr epconf(1) utility to generate the pmrep/pcp2xxx configurations.
- New pmiectl(1) utility for controlling the pmie services.
- New pmlogctl(1) utility for controlling the pmlogger services.
- New pmlogpaste(1) utility for writing log string metrics.
- New pcp-atop(1) utility to process accounting statistics and per-process network statistics reporting.
- New pmseries(1) utility to query functions, language extensions, and REST API.
- New pmie(1) rules for detecting OOM kills and socket connection saturation.
- Bug fixes in the pcp-atopsar(1), pcp-free(1), pcp-dstat(1), pmlogger(1), and pmchart(1) utilities.
- REST API and C API support for per-context derived metrics.
- Improved OpenMetrics metric metadata (units, semantics).
- Rearranged installed /var file system layouts extensively.
Accessing remote hosts through a central pmproxy for the Vector data source in grafana-pcp
In some environments, the network policy does not allow connections from the dashboard viewer’s browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts.
grafana rebased to version 7.3.6
The grafana package has been upgraded to version 7.3.6. Notable changes include:
- New panel editor and new data transformations feature
- Improved time zone support
- The default provisioning path has changed from the /usr/share/grafana/conf/provisioning directory to the /etc/grafana/provisioning directory. You can configure this setting in the /etc/grafana/grafana.ini configuration file.
For more information, see What’s New in Grafana v7.0, What’s New in Grafana v7.1, What’s New in Grafana v7.2, and What’s New in Grafana v7.3.
grafana-pcp rebased to version 3.0.2
The grafana-pcp package has been upgraded to version 3.0.2. Notable changes include:
Redis:
- Supports creating an alert in Grafana.
- Using label_values(metric, label) in a Grafana variable query is deprecated for performance reasons. The label_values(label) query is still supported.
Vector:
- Supports derived metrics, which allows the usage of arithmetic operators and statistical functions inside a query. For more information, see the pmRegisterDerived(3) man page.
- Configurable hostspec, where you can access remote Performance Metrics Collector Daemons (PMCDs) through a central pmproxy.
- Automatically configures the unit of the panel.
Dashboards:
- Detects potential performance issues and shows possible solutions with the checklist dashboards, using the Utilization Saturation and Errors (USE) method.
- New MS SQL Server dashboard, eBPF/BCC dashboard, and container overview dashboard with CGroups v2.
- All dashboards are now located in the Dashboards tab in the Datasource settings pages and are not imported automatically.
Upgrade notes:
Update the Grafana configuration file: edit the /etc/grafana/grafana.ini Grafana configuration file and make sure that the following option is set:
allow_loading_unsigned_plugins = pcp-redis-datasource
This option disables Grafana’s plug-in signature check only for the listed plug-in IDs; do not widen the list beyond the plug-ins you intend to load.
Restart the Grafana server:
# systemctl restart grafana-server
Active Directory authentication for accessing SQL Server metrics in PCP
With this update, a system administrator can configure pmdamssql(1) to connect securely to the SQL Server metrics using Active Directory (AD) authentication.
grafana-container rebased to version 7.3.6
The rhel8/grafana container image provides Grafana. Grafana is an open source utility with a metrics dashboard and graphic editor for Graphite, Elasticsearch, OpenTSDB, Prometheus, InfluxDB, and Performance Co-Pilot (PCP). The grafana-container package has been upgraded to version 7.3.6. Notable changes include:
- The grafana package is now updated to version 7.3.6.
- The grafana-pcp package is now updated to version 3.0.2.
The rebase updates the rhel8/grafana image in the Red Hat Container Registry.
To pull this container image, execute the following command:
# podman pull registry.redhat.io/rhel8/grafana
pcp-container rebased to version 5.2.5
The rhel8/pcp container image provides Performance Co-Pilot, which is a system performance analysis toolkit. The pcp-container package has been upgraded to version 5.2.5. Notable changes include:
- The pcp package is now updated to version 5.2.5.
- Introduced a new PCP_SERVICES environment variable, which specifies a comma-separated list of PCP services to start inside the container.
The rebase updates the rhel8/pcp image in the Red Hat Container Registry.
To pull this container image, execute the following command:
# podman pull registry.redhat.io/rhel8/pcp
JDK Mission Control rebased to version 8.0.0
The JDK Mission Control (JMC) profiler for HotSpot JVMs, provided by the jmc:rhel8 module stream, has been upgraded to version 8.0.0. Notable enhancements include:
- The Treemap viewer has been added to the JOverflow plug-in for visualizing memory usage by classes.
- The Threads graph has been enhanced with more filtering and zoom options.
- JDK Mission Control now provides support for opening JDK Flight Recorder recordings compressed with the LZ4 algorithm.
- New columns have been added to the Memory and TLAB views to help you identify areas of allocation pressure.
- Graph view has been added to improve visualization of stack traces.
- The Percentage column has been added to histogram tables.
JMC in RHEL 8 requires JDK version 8 or later to run. Target Java applications must run with at least OpenJDK version 8 so that JMC can access JDK Flight Recorder features.
The jmc:rhel8 module stream has two profiles:
- The common profile, which installs the entire JMC application
- The core profile, which installs only the core Java libraries (jmc-core)
To install the common profile of the jmc:rhel8 module stream, use:
# yum module install jmc:rhel8/common
Change the profile name to core to install only the jmc-core package.
(BZ#1919283)
4.13. Identity Management
Making Identity Management more inclusive
Red Hat is committed to using conscious language.
In Identity Management, planned terminology replacements include:
- block list replaces blacklist
- allow list replaces whitelist
- secondary replaces slave
The word master is going to be replaced with more precise language, depending on the context:
- IdM server replaces IdM master
- CA renewal server replaces CA renewal master
- CRL publisher server replaces CRL master
- multi-supplier replaces multi-master
(JIRA:RHELPLAN-73418)
The dsidm utility supports renaming and moving entries
With this enhancement, you can use the dsidm utility to rename and move users, groups, POSIX groups, roles, and organizational units (OUs) in Directory Server. For further details and examples, see the Renaming Users, Groups, POSIX Groups, and OUs section in the Directory Server Administration Guide.
Deleting Sub-CAs in IdM
With this enhancement, if you run the ipa ca-del command and have not disabled the Sub-CA, an error indicates that the Sub-CA cannot be deleted and must be disabled first. Run the ipa ca-disable command to disable the Sub-CA and then delete it using the ipa ca-del command.
Note that you cannot disable or delete the IdM CA.
(JIRA:RHELPLAN-63081)
IdM now supports new Ansible management role and modules
RHEL 8.4 provides Ansible modules for automated management of role-based access control (RBAC) in Identity Management (IdM), an Ansible role for backing up and restoring IdM servers, and an Ansible module for location management:
- You can use the ipapermission module to create, modify, and delete permissions and permission members in IdM RBAC.
- You can use the ipaprivilege module to create, modify, and delete privileges and privilege members in IdM RBAC.
- You can use the iparole module to create, modify, and delete roles and role members in IdM RBAC.
- You can use the ipadelegation module to delegate permissions over users in IdM RBAC.
- You can use the ipaselfservice module to create, modify, and delete self-service access rules in IdM.
- You can use the ipabackup role to create, copy, and remove IdM server backups and restore an IdM server either locally or from the control node.
- You can use the ipalocation module to ensure the presence or absence of the physical locations of hosts, such as their data center racks.
(JIRA:RHELPLAN-72660)
IdM in FIPS mode now supports a cross-forest trust with AD
With this enhancement, administrators can establish a cross-forest trust between an IdM domain with FIPS mode enabled and an Active Directory (AD) domain. Note that you cannot establish a trust using a shared secret while FIPS mode is enabled in IdM; see FIPS compliance.
(JIRA:RHELPLAN-58629)
AD users can now log in to IdM with UPN suffixes subordinate to known UPN suffixes
Previously, Active Directory (AD) users could not log in to Identity Management (IdM) with a User Principal Name (UPN) suffix (for example, sub1.ad-example.com) that is a subdomain of a known UPN suffix (for example, ad-example.com), because internal Samba processes filtered subdomains as duplicates of any Top Level Names (TLNs). This update validates UPNs by testing whether they are subordinate to the known UPN suffixes. As a result, users can now log in using subordinate UPN suffixes in the described scenario.
IdM now supports new password policy options
With this update, Identity Management (IdM) supports additional libpwquality library options:
- --maxrepeat: specifies the maximum number of the same character in sequence.
- --maxsequence: specifies the maximum length of monotonic character sequences (abcd).
- --dictcheck: checks if the password is a dictionary word.
- --usercheck: checks if the password contains the username.
If any of the new password policy options are set, then the minimum length of passwords is 6 characters regardless of the value of the --minlength option. The new password policy settings are applied only to new passwords.
In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator will not be applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.
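To make the effect of the four options concrete, here is an added example (not libpwquality's or IdM's own code) that reproduces the documented meaning of each option on constructed inputs. It assumes the "minimum length is 6" rule acts as a floor (the larger of 6 and --minlength applies) and uses a small constructed word list in place of the system dictionary; real enforcement on an IdM server may differ in details such as how dictionary words are matched.

```python
"""Illustrative password checks for the maxrepeat, maxsequence, dictcheck and
usercheck options. Added example, not libpwquality or IdM code."""

# Constructed stand-in for the system dictionary (real checks use cracklib).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "redhat"}


def longest_repeat(pw: str) -> int:
    """Longest run of one character repeated consecutively ("aaab" -> 3)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_monotonic_sequence(pw: str) -> int:
    """Longest run whose code points step by exactly +1 or -1 ("abcd", "4321")."""
    best = run = 1 if pw else 0
    direction = 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(pw, username, *, minlength=8, maxrepeat=0, maxsequence=0,
                   dictcheck=0, usercheck=0, dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes.

    A value of 0 for maxrepeat/maxsequence/dictcheck/usercheck means "not set".
    """
    violations = []
    new_options_set = any((maxrepeat, maxsequence, dictcheck, usercheck))
    # Documented rule: once any new option is set, 6 characters is the minimum
    # regardless of --minlength. Modelled here as a floor (assumption).
    effective_min = max(minlength, 6) if new_options_set else minlength
    if len(pw) < effective_min:
        violations.append(f"shorter than {effective_min} characters")
    if maxrepeat and longest_repeat(pw) > maxrepeat:
        violations.append(f"more than {maxrepeat} identical characters in a row")
    if maxsequence and longest_monotonic_sequence(pw) > maxsequence:
        violations.append(f"monotonic sequence longer than {maxsequence}")
    if dictcheck and pw.lower() in dictionary:
        violations.append("dictionary word")
    if usercheck and username and username.lower() in pw.lower():
        violations.append("contains the username")
    return violations


if __name__ == "__main__":
    policy = dict(minlength=8, maxrepeat=2, maxsequence=3, dictcheck=1, usercheck=1)
    for candidate in ("Welcome", "alice2021!", "aaab1234", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', **policy) or 'OK'}")
```

The checks are deliberately simple so that each reported violation maps back to exactly one policy option; run the script to see which of the constructed candidates a given policy rejects and why.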
Improved Active Directory site discovery process
The SSSD service now discovers Active Directory sites in parallel over connection-less LDAP (CLDAP) to multiple domain controllers to speed up site discovery in situations where some domain controllers are unreachable. Previously, site discovery was performed sequentially and, in situations where domain controllers were unreachable, a timeout eventually occurred and SSSD went offline.
The default value of nsslapd-nagle has been turned off to increase throughput
Previously, the nsslapd-nagle parameter in the cn=config entry was enabled by default. As a consequence, Directory Server performed a high number of setsockopt system calls, which slowed down the server. This update changes the default value of nsslapd-nagle to off. As a result, Directory Server performs fewer setsockopt system calls and can handle a higher number of operations per second.
(BZ#1996076)
Enabling or disabling SSSD domains within the [domain] section of the sssd.conf file
With this update, you can now enable or disable an SSSD domain by modifying its respective [domain] section in the sssd.conf file.
Previously, if your SSSD configuration contained a standalone domain, you still had to modify the domains option in the [sssd] section of the sssd.conf file. This update allows you to set the enabled= option in the domain configuration to true or false.
- Setting the enabled option to true enables a domain, even if it is not listed under the domains option in the [sssd] section of the sssd.conf file.
- Setting the enabled option to false disables a domain, even if it is listed under the domains option in the [sssd] section of the sssd.conf file.
- If the enabled option is not set, the configuration in the domains option in the [sssd] section of the sssd.conf file is used.
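The three rules interact with the [sssd] domains list, so it is worth checking which domains will actually come up before restarting sssd. The following is an added example, not SSSD's own code: it reads a constructed sssd.conf and applies the precedence described above, and additionally reports names in the domains list that have no [domain/...] section at all (SSSD cannot start a domain it has no section for, so the mismatch is worth surfacing).

```python
"""Resolve active SSSD domains from sssd.conf under the enabled= precedence
rules. Added example, not part of SSSD."""
import configparser

# Constructed sssd.conf for the example (not taken from a real host).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp.example.com, legacy.example.com, ghost.example.com

[domain/corp.example.com]
id_provider = ad
enabled = true

[domain/legacy.example.com]
id_provider = ldap
enabled = false

[domain/lab.example.com]
id_provider = ldap
enabled = true

[domain/staging.example.com]
id_provider = ldap
"""


def _load(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def _listed_domains(cp):
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def decide_domains(conf_text):
    """Return {domain: (active, reason)} for every [domain/...] section."""
    cp = _load(conf_text)
    listed = _listed_domains(cp)
    decisions = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if cp.has_option(section, "enabled"):
            # enabled = true/false wins over the [sssd] domains list
            active = cp.getboolean(section, "enabled")
            reason = f"enabled = {'true' if active else 'false'} overrides the [sssd] domains list"
        else:
            # enabled unset: fall back to the [sssd] domains list
            active = name in listed
            reason = f"enabled unset; [sssd] domains {'lists' if active else 'omits'} it"
        decisions[name] = (active, reason)
    return decisions


def active_domains(conf_text):
    """Domains SSSD would start, in file order."""
    return [name for name, (active, _) in decide_domains(conf_text).items() if active]


def undefined_listed_domains(conf_text):
    """Names in the [sssd] domains list that have no [domain/<name>] section."""
    cp = _load(conf_text)
    return [d for d in _listed_domains(cp) if not cp.has_section(f"domain/{d}")]


if __name__ == "__main__":
    for name, (active, reason) in decide_domains(SAMPLE_SSSD_CONF).items():
        print(f"{name:24} {'active' if active else 'inactive':8} {reason}")
    print("listed but undefined:", undefined_listed_domains(SAMPLE_SSSD_CONF))
```

Point the script at /etc/sssd/sssd.conf (as root, since the file is mode 0600) to review a real configuration; lab.example.com in the sample shows the new behaviour, as it starts without appearing in the domains list.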
Added an option to manually control the maximum offline timeout
The offline_timeout period determines how the interval between SSSD's attempts to go back online is incremented. Previously, the maximum possible value for this interval was hard-coded to 3600 seconds, which was adequate for general usage but caused issues in environments that change very quickly or very slowly.
This update adds the offline_timeout_max option to manually control the maximum length of each interval, giving you more flexibility in tracking server behavior in SSSD.
Note that you should set this value in correlation with the offline_timeout parameter value. A value of 0 disables the incrementing behavior.
Support for exclude_users and exclude_groups with scope=all in SSSD session recording configuration
Red Hat Enterprise Linux 8.4 now provides new SSSD options for defining session recording for large lists of groups or users:
- exclude_users: a comma-separated list of users to be excluded from recording. Only applicable with the scope=all configuration option.
- exclude_groups: a comma-separated list of groups whose members should be excluded from recording. Only applicable with the scope=all configuration option.
For more information, refer to the sssd-session-recording man page.
samba rebased to version 4.13.2
The samba packages have been upgraded to upstream version 4.13.2, which provides a number of bug fixes and enhancements over the previous version:
- To avoid a security issue that allows unauthenticated users to take over a domain using the netlogon protocol, ensure that your Samba servers use the default value (yes) of the server schannel parameter. To verify, use the testparm -v | grep 'server schannel' command. For further details, see CVE-2020-1472.
- The Samba "wide links" feature has been converted to a VFS module.
- Running Samba as a PDC or BDC is deprecated.
- You can now use Samba on RHEL with FIPS mode enabled. Due to the restrictions of the FIPS mode:
  - You cannot use NT LAN Manager (NTLM) authentication because the RC4 cipher is blocked.
  - By default in FIPS mode, Samba client utilities use Kerberos authentication with AES ciphers.
  - You can use Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers. Note that Red Hat continues supporting the primary domain controller (PDC) functionality IdM uses in the background.
- The following parameters for less-secure authentication methods, which are only usable over the server message block version 1 (SMB1) protocol, are now deprecated:
  - client plaintext auth
  - client NTLMv2 auth
  - client lanman auth
  - client use spnego
- An issue with the GlusterFS write-behind performance translator, when used with Samba, has been fixed to avoid data corruption.
- The minimum runtime support is now Python 3.6.
- The deprecated ldap ssl ads parameter has been removed.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating.
New GSSAPI PAM module for passwordless sudo authentication with SSSD
With the new pam_sss_gss.so Pluggable Authentication Module (PAM), you can configure the System Security Services Daemon (SSSD) to authenticate users to PAM-aware services with the Generic Security Service Application Programming Interface (GSSAPI).
For example, you can use this module for passwordless sudo authentication with a Kerberos ticket. For additional security in an IdM environment, you can configure SSSD to grant access only to users with specific authentication indicators in their tickets, such as users who have authenticated with a smart card or a one-time password.
For additional information, see Granting sudo access to an IdM user on an IdM client.
Directory Server rebased to version 1.4.3.16
The 389-ds-base packages have been upgraded to upstream version 1.4.3.16, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://www.port389.org/docs/389ds/releases/release-1-4-3-16.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-15.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-14.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-13.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-12.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-11.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-10.html
- https://www.port389.org/docs/389ds/releases/release-1-4-3-9.html
Directory Server now logs the work and operation time in RESULT entries
With this update, Directory Server now logs two additional time values in RESULT entries in the /var/log/dirsrv/slapd-<instance_name>/access file:
- The wtime value indicates how long it took for an operation to move from the work queue to a worker thread.
- The optime value shows the time the actual operation took to be completed once a worker thread started the operation.
The new values provide additional information about how Directory Server handles load and processes operations.
For further details, see the Access Log Reference section in the Red Hat Directory Server Configuration, Command, and File Reference.
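The practical value of wtime and optime is that they split etime into time spent waiting for a worker thread (a starved server) and time spent doing the work (an expensive operation). The following is an added example, not 389-ds code: it parses RESULT lines from a constructed access-log excerpt written in the format above and flags queueing delays, slow work, unindexed searches (RESULT lines carrying notes=A or notes=P) and failed binds (tag=97 with err=49, LDAP invalidCredentials). The thresholds are arbitrary choices for the example.

```python
"""Parse Directory Server access-log RESULT lines and separate queueing
(wtime) from work (optime). Added example, not 389-ds code."""
import re

# Constructed excerpt (not from a real instance). conn=13 op=1 is an expensive,
# unindexed search; conn=14 op=1 is a bind that failed with invalidCredentials.
SAMPLE_ACCESS_LOG = """\
[18/Mar/2021:10:02:17.100000000 +0000] conn=12 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[18/Mar/2021:10:02:17.100250000 +0000] conn=12 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000010000 optime=0.000200000 etime=0.000210000 dn="uid=alice,ou=people,dc=example,dc=com"
[18/Mar/2021:10:02:17.200000000 +0000] conn=12 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="cn mail"
[18/Mar/2021:10:02:17.200800000 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000050000 optime=0.000700000 etime=0.000750000
[18/Mar/2021:10:02:18.000000000 +0000] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*admin*)" attrs=ALL
[18/Mar/2021:10:02:19.500000000 +0000] conn=13 op=1 RESULT err=0 tag=101 nentries=4821 wtime=0.250000000 optime=1.250000000 etime=1.500000000 notes=A
[18/Mar/2021:10:02:19.600000000 +0000] conn=14 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000020000 optime=0.000300000 etime=0.000320000
"""

RESULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT "
    r"err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) "
    r"wtime=(?P<wtime>[\d.]+) optime=(?P<optime>[\d.]+) etime=(?P<etime>[\d.]+)"
    r"(?P<rest>.*)$"
)
NOTES_RE = re.compile(r"\bnotes=([A-Z,]+)")


def parse_results(log_text):
    """Return one dict per RESULT line; other lines (BIND, SRCH, ...) are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        notes = NOTES_RE.search(m.group("rest"))
        rows.append({
            "ts": m.group("ts"),
            "conn": int(m.group("conn")), "op": int(m.group("op")),
            "err": int(m.group("err")), "tag": int(m.group("tag")),
            "nentries": int(m.group("nentries")),
            "wtime": float(m.group("wtime")),
            "optime": float(m.group("optime")),
            "etime": float(m.group("etime")),
            "notes": notes.group(1).split(",") if notes else [],
        })
    return rows


def summarize(rows, queue_threshold=0.1, work_threshold=1.0):
    """Flag queueing delays, slow work, unindexed searches and failed binds.

    wtime above queue_threshold: the server was short of worker threads.
    optime above work_threshold: the operation itself was expensive.
    notes=A / notes=P: fully / partially unindexed search.
    tag=97 with err=49: BIND rejected with invalidCredentials.
    """
    key = lambda r: (r["conn"], r["op"])
    return {
        "results": len(rows),
        "queued": [key(r) for r in rows if r["wtime"] > queue_threshold],
        "slow_work": [key(r) for r in rows if r["optime"] > work_threshold],
        "unindexed": [key(r) for r in rows if "A" in r["notes"] or "P" in r["notes"]],
        "failed_binds": [key(r) for r in rows if r["tag"] == 97 and r["err"] == 49],
        "max_etime": max((r["etime"] for r in rows), default=0.0),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_results(SAMPLE_ACCESS_LOG)).items():
        print(f"{k:13} {v}")
```

Feed it the real access file to see whether a latency complaint is a capacity problem (high wtime across many operations) or a single bad client query (high optime, usually with notes=A); a burst of failed binds from one connection is the other thing worth alerting on from the same lines.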
Directory Server can now reject internal unindexed searches
This enhancement adds the nsslapd-require-internalop-index parameter to the cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry to reject internal unindexed searches. When a plug-in modifies data, it has a write lock on the database. On large databases, if a plug-in then executes an unindexed search, the plug-in sometimes uses all database locks, which corrupts the database or causes the server to become unresponsive. To avoid this problem, you can now reject internal unindexed searches by enabling the nsslapd-require-internalop-index parameter.
4.14. Desktop
You can configure the unresponsive application timeout in GNOME
GNOME periodically sends a signal to every application to detect if the application is unresponsive. When GNOME detects an unresponsive application, it displays a dialog over the application window that asks if you want to stop the application or wait.
Certain applications cannot respond to the signal in time. As a consequence, GNOME displays the dialog even when the application is working properly.
With this update, you can configure the time between the signals. The setting is stored in the org.gnome.mutter.check-alive-timeout GSettings key. To completely disable the unresponsive application detection, set the key to 0.
For details on configuring a GSettings key, see Working with GSettings keys on command line.
(BZ#1886034)
4.15. Graphics infrastructures
Intel Tiger Lake GPUs are now supported
This release adds support for the Intel Tiger Lake CPU microarchitecture with integrated graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:
- Intel Core i7-1160G7
- Intel Core i7-1185G7
- Intel Core i7-1165G7
- Intel Core i7-1185G7E
- Intel Core i7-1185GRE
- Intel Core i7-11375H
- Intel Core i7-11370H
- Intel Core i7-1180G7
- Intel Core i5-1130G7
- Intel Core i5-1135G7
- Intel Core i5-1145G7E
- Intel Core i5-1145GRE
- Intel Core i5-11300H
- Intel Core i5-1145G7
- Intel Core i5-1140G7
- Intel Core i3-1115G4
- Intel Core i3-1110G4
- Intel Core i3-1115GRE
- Intel Core i3-1115G4E
- Intel Core i3-1125G4
- Intel Core i3-1120G4
- Intel Pentium Gold 7505
- Intel Celeron 6305
- Intel Celeron 6305E
You no longer have to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable Tiger Lake GPU support.
(BZ#1882620)
Intel GPUs that use the 11th generation Core microprocessors are now supported
This release adds support for the 11th generation Core CPU architecture (formerly known as Rocket Lake) with Xe gen 12 integrated graphics, which is found in the following CPU models:
- Intel Core i9-11900KF
- Intel Core i9-11900K
- Intel Core i9-11900
- Intel Core i9-11900F
- Intel Core i9-11900T
- Intel Core i7-11700K
- Intel Core i7-11700KF
- Intel Core i7-11700T
- Intel Core i7-11700
- Intel Core i7-11700F
- Intel Core i5-11500T
- Intel Core i5-11600
- Intel Core i5-11600K
- Intel Core i5-11600KF
- Intel Core i5-11500
- Intel Core i5-11600T
- Intel Core i5-11400
- Intel Core i5-11400F
- Intel Core i5-11400T
(BZ#1784246, BZ#1784247, BZ#1937558)
Nvidia Ampere is now supported
This release adds support for the Nvidia Ampere GPUs that use the GA102 or GA104 chipset. That includes the following GPU models:
- GeForce RTX 3060 Ti
- GeForce RTX 3070
- GeForce RTX 3080
- GeForce RTX 3090
- RTX A4000
- RTX A5000
- RTX A6000
- Nvidia A40
Note that the nouveau graphics driver does not yet support 3D acceleration with the Nvidia Ampere family.
(BZ#1916583)
Various updated graphics drivers
The following graphics drivers have been updated to the latest upstream version:
- The Matrox mgag200 driver
- The Aspeed ast driver
(JIRA:RHELPLAN-72994, BZ#1854354, BZ#1854367)
4.16. The web console
Software Updates page checks for required restarts
With this update, the Software Updates page in the RHEL web console checks if it is sufficient to only restart some services or running processes for updates to become effective after installation. In these cases this avoids having to reboot the machine.
(JIRA:RHELPLAN-59941)
Graphical performance analysis in the web console
With this update, the system graphs page has been replaced with a new dedicated page for analyzing the performance of a machine. To view the performance metrics, click View details and history from the Overview page. It shows current metrics and historical events based on the Utilization, Saturation, and Errors (USE) method.
(JIRA:RHELPLAN-59938)
Web console assists with SSH key setup
Previously, the web console allowed logging into remote hosts with your initial login password when Reuse my password for remote connections was selected during login. This option has been removed, and instead of that the web console now helps with setting up SSH keys for users that want automatic and password-less login to remote hosts.
Check Managing remote systems in the web console for more details.
(JIRA:RHELPLAN-59950)
4.17. Red Hat Enterprise Linux system roles
The RELP secure transport support added to the Logging role configuration
Reliable Event Logging Protocol (RELP) is a secure, reliable protocol for forwarding and receiving log messages among rsyslog servers. With this enhancement, the Logging role can configure rsyslog servers to forward and receive log messages over RELP, a protocol in high demand among rsyslog users.
SSH Client RHEL system role is now supported
Previously, there was no vendor-supported automation tooling to configure SSH on RHEL in a consistent and stable manner for servers and clients. With this enhancement, you can use the RHEL system roles to configure SSH clients in a systematic and unified way, independently of the operating system version.
An alternative to the traditional RHEL system roles format: Ansible Collection
RHEL 8.4 introduces RHEL system roles in the Collection format, available as an option to the traditional RHEL system roles format.
This update introduces the concept of a fully qualified collection name (FQCN), which consists of a namespace and the collection name. For example, the fully qualified name of the Kernel role is redhat.rhel_system_roles.kernel_settings.
- The combination of a namespace and a collection name guarantees that the objects are unique.
- The combination of a namespace and a collection name ensures that the objects are shared across the Collections and namespaces without any conflicts.
Install the Collection using an RPM package. Ensure that you have the python3-jmespath package installed on the host on which you execute the playbook:
# yum install rhel-system-roles
The RPM package includes the roles in both the legacy Ansible Roles format as well as the new Ansible Collection format. For example, to use the network role, perform the following steps:
Legacy format:
---
- hosts: all
  roles:
    - rhel-system-roles.network
Collection format:
---
- hosts: all
  roles:
    - redhat.rhel_system_roles.network
If you are using Automation Hub and want to install the system roles Collection hosted in Automation Hub, enter the following command:
$ ansible-galaxy collection install redhat.rhel_system_roles
Then you can use the roles in the Collection format, as previously described. This requires configuring your system with the ansible-galaxy command to use Automation Hub instead of Ansible Galaxy. See How to configure the ansible-galaxy client to use Automation Hub instead of Ansible Galaxy for more details.
Metrics role supports configuration and enablement of metrics collection for SQL Server via PCP
The metrics RHEL system role now provides the ability to connect SQL Server (mssql) with Performance Co-Pilot (pcp). SQL Server is a general-purpose relational database from Microsoft. As it runs, SQL Server updates internal statistics about the operations it is performing. These statistics can be accessed using SQL queries, but system and database administrators undertaking performance analysis need to be able to record, report, and visualize these metrics. With this enhancement, users can use the metrics RHEL system role to automate connecting SQL Server (mssql) with Performance Co-Pilot (pcp), which provides recording, reporting, and visualization functionality for mssql metrics.
exporting-metric-data-to-elasticsearch functionality available in the Metrics RHEL system role
Elasticsearch is a popular, powerful, and scalable search engine. With this enhancement, by exporting metric values from the Metrics RHEL system role to Elasticsearch, users can access metrics through Elasticsearch interfaces, including graphical interfaces and REST APIs, among others. As a result, users can use these Elasticsearch interfaces to help diagnose performance problems and assist in other performance-related tasks such as capacity planning and benchmarking.
Support for SSHD RHEL system role
Previously, there was no vendor-supported automation tooling to configure SSH servers on RHEL in a consistent and stable manner. With this enhancement, you can use the RHEL system roles to configure sshd servers in a systematic and unified way regardless of operating system version.
Crypto Policies RHEL system role is now supported
With this enhancement, RHEL 8 introduces a new feature for system-wide cryptographic policy management. By using RHEL system roles, you now can consistently and easily configure cryptographic policies on any number of RHEL 8 systems.
The Logging RHEL system role now supports rsyslog behavior
With this enhancement, rsyslog receives the message from Red Hat Virtualization and forwards the message to Elasticsearch.
The networking RHEL system role now supports the ethtool settings
With this enhancement, you can use the networking RHEL system role to configure ethtool coalesce settings of a NetworkManager connection. With interrupt coalescing, the system collects network packets and generates a single interrupt for multiple packets. This increases the amount of data delivered to the kernel per hardware interrupt, which reduces the interrupt load and maximizes throughput.
4.18. Virtualization
IBM Z virtual machines can now run up to 248 CPUs
Previously, the number of CPUs that you could use in an IBM Z (s390x) virtual machine (VM), with DIAG318 enabled, was limited to 240. Now, using the Extended-Length SCCB, IBM Z VMs can run up to 248 CPUs.
(JIRA:RHELPLAN-44450)
HMAT is now supported on RHEL KVM
With this update, ACPI Heterogeneous Memory Attribute Table (HMAT) is now supported on RHEL KVM. The ACPI HMAT optimizes memory by providing information about memory attributes, such as memory side cache attributes as well as bandwidth and latency details related to the System Physical Address (SPA) Memory Ranges.
(JIRA:RHELPLAN-37817)
Virtual machines can now use features of Intel Atom P5000 Processors
The Snowridge CPU model name is now available for virtual machines (VMs). On hosts with Intel Atom P5000 processors, using Snowridge as the CPU type in the XML configuration of the VM exposes new features of these processors to the VM.
(JIRA:RHELPLAN-37579)
virtio-gpu devices now work better on virtual machines with Windows 10 and later
This update extends the virtio-win drivers to also provide custom drivers for virtio-gpu devices on selected Windows platforms. As a result, the virtio-gpu devices now have improved performance on virtual machines that use Windows 10 or later as their guest systems. In addition, the devices will also benefit from future enhancements to virtio-win.
Virtualization support for 3rd generation AMD EPYC processors
With this update, virtualization on RHEL 8 adds support for the 3rd generation AMD EPYC processors, also known as EPYC Milan. As a result, virtual machines hosted on RHEL 8 can now use the EPYC-Milan CPU model and use the new features that these processors provide.
(BZ#1790620)
4.19. RHEL in cloud environments
Automatic registration for gold images for AWS
With this update, gold images of RHEL 8.4 and later for Amazon Web Services and Microsoft Azure can be configured by the user to automatically register to Red Hat Subscription Management (RHSM) and Red Hat Insights. This makes it faster and easier to configure a large number of virtual machines created from a gold image.
However, if you require consuming repositories provided by RHSM, ensure that the manage_repos option in /etc/rhsm/rhsm.conf is set to 1. For more information, please refer to Red Hat KnowledgeBase.
cloud-init is now supported on Power Systems Virtual Server in IBM Cloud
With this update, the cloud-init utility can be used to configure RHEL 8 virtual machines hosted on IBM Power Systems hosts and running in the IBM Cloud Virtual Server service.
4.20. Supportability
sos rebased to version 4.0
The sos package has been upgraded to version 4.0. This major version release includes a number of new features and changes.
Major changes include:
- A new sos binary has replaced the former sosreport binary as the main entry point for the utility.
- sos report is now used to generate sosreport tarballs. The sosreport binary is maintained as a redirection point and now invokes sos report.
- The /etc/sos.conf file has been moved to /etc/sos/sos.conf, and its layout has changed as follows:
  - The [general] section has been renamed to [global], and may be used to specify options that are available to all sos commands and sub-commands.
  - The [tunables] section has been renamed to [plugin_options].
  - Each sos component, report, collect, and clean, has its own dedicated section. For example, sos report loads options from global and from report.
- sos is now a Python3-only utility. Python2 is no longer supported in any capacity.
sos collect
sos collect formally brings the sos-collector utility into the main sos project, and is used to collect sosreports from multiple nodes simultaneously. The sos-collector binary is maintained as a redirection point and invokes sos collect. The standalone sos-collector project will no longer be independently developed. Enhancements for sos collect include:
- sos collect is now supported on all distributions that sos report supports, that is, any distribution with a Policy defined.
- The --insecure-sudo option has been renamed to --nopasswd-sudo.
- The --threads option, used to set the number of nodes to connect to simultaneously, has been renamed to --jobs.
sos clean
sos clean formally brings the functionality of the soscleaner utility into the main sos project. This subcommand performs further data obfuscation on reports, such as cleaning IP addresses, domain names, and user-provided keywords.
Note: When the --clean option is used with the sos report or sos collect command, sos clean is applied to the report being generated. Thus, it is not necessary to generate a report first and only then apply the cleaner function to it.
Key enhancements for sos clean include:
- Support for IPv4 address obfuscation. Note that this will attempt to preserve topological relationships between discovered addresses.
- Support for host name and domain name obfuscation.
- Support for user-provided keyword obfuscations.
The --clean or --mask flag used with the sos report command obfuscates a report being generated. Alternatively, the following command obfuscates an already existing report:
[user@server1 ~]$ sudo sos (clean|mask) $archive
Using the former results in a single obfuscated report archive, while the latter results in two: an obfuscated archive and the un-obfuscated original.
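"Preserving topological relationships" means that after obfuscation a reader can still tell that two hosts sat on the same subnet without learning the real addresses. The following is an added illustration of that idea, not sos's own code or algorithm: each real /24 is mapped to a fresh fake /24 and hosts are numbered in order of first appearance, so the same real address always produces the same fake one within a run. Assumptions: the fake addresses come from 198.18.0.0/15 (the RFC 2544 benchmarking range, chosen so they cannot collide with real addresses in the text), loopback addresses are left alone, the report excerpt is constructed, and at most 254 hosts per real /24 are supported.

```python
"""Topology-preserving IPv4 obfuscation. Added example, not sos code."""
import ipaddress
import re

# Constructed report excerpt (not from a real sosreport).
SAMPLE_REPORT = """\
web01 eth0 inet 10.20.30.11/24 gw 10.20.30.1
web02 eth0 inet 10.20.30.12/24 gw 10.20.30.1
db01  eth0 inet 192.168.7.9/24
sos version 4.0.1 ran on 127.0.0.1; ldap at 10.20.30.11:636
"""

# Four dotted octets not embedded in a longer dotted run (so "4.0.1" and
# "1.2.3.4.5" are not touched).
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?!\.?\d)")


class Ipv4Obfuscator:
    def __init__(self):
        self._net_index = {}     # real /24 network -> index into the fake range
        self._host_map = {}      # real address -> fake address (stable mapping)
        self._hosts_in_net = {}  # fake net index -> hosts allocated so far

    def obfuscate_addr(self, addr):
        """Map one address; non-addresses and loopback come back unchanged."""
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            return addr                  # e.g. "999.1.1.1": matched the regex, not an address
        if ip.is_loopback:
            return addr
        if addr not in self._host_map:
            net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
            idx = self._net_index.setdefault(net, len(self._net_index))
            host = self._hosts_in_net.get(idx, 0) + 1
            if host > 254 or idx >= 512:
                raise RuntimeError("fake address space exhausted")
            self._hosts_in_net[idx] = host
            # 198.18.0.0/15 gives 512 fake /24 networks: 198.18.x.0 and 198.19.x.0
            self._host_map[addr] = f"198.{18 + idx // 256}.{idx % 256}.{host}"
        return self._host_map[addr]

    def obfuscate_text(self, text):
        return IPV4_RE.sub(lambda m: self.obfuscate_addr(m.group(1)), text)

    def mapping(self):
        """The real-to-fake table; keep it out of the archive you hand over."""
        return dict(self._host_map)


if __name__ == "__main__":
    ob = Ipv4Obfuscator()
    print(ob.obfuscate_text(SAMPLE_REPORT))
    print(ob.mapping())
```

In the sample, both web hosts and their gateway land in the same fake /24 while the database host lands in a different one, which is exactly the relationship a support engineer needs; the mapping table is what lets the submitter translate answers back, so it must stay with the submitter rather than travel with the obfuscated archive.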
For full information on the changes contained in this release, see sos-4.0.
(BZ#1966838)
4.21. Containers
Podman now supports volume plugins written for Docker
Podman now has support for Docker volume plugins. These volume plugins or drivers, written by vendors and community members, can be used by Podman to create and manage container volumes.
The podman volume create command now supports creation of a volume using a volume plugin with the given name. The volume plugins must be defined in the [engine.volume_plugins] section of the containers.conf configuration file.
Example:
[engine.volume_plugins]
testvol = "/run/docker/plugins/testvol.sock"
where testvol is the name of the plugin and /run/docker/plugins/testvol.sock is the path to the plugin socket.
You can use the podman volume create --driver testvol command to create a volume using the testvol plugin.
(BZ#1734854)
The ubi-micro container image is now available
The registry.redhat.io/ubi8/ubi-micro container image is the smallest base image. It contains no package manager, so packages are installed using the package manager of the underlying host, typically with Buildah or in multi-stage builds with Podman. Excluding the package manager and all of its dependencies reduces the attack surface of the image.
(JIRA:RHELPLAN-56664)
Support to auto-update container images is available
With this enhancement, users can use the podman auto-update command to auto-update containers according to their auto-update policy. The containers have to be labeled with a specified "io.containers.autoupdate=image" label to check if the image has been updated. If it has, Podman pulls the new image and restarts the systemd unit executing the container. The podman auto-update command relies on systemd and requires a fully-specified image name to create a container.
(JIRA:RHELPLAN-56661)
Podman now supports secure short names
Short-name aliases for images can now be configured in the registries.conf file in the [aliases] table. The short-names modes are:
- Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the user's $HOME/.config/containers/short-name-aliases.conf file. If the user cannot be prompted (for example, stdin or stdout is not a TTY), Podman fails. Note that the short-name-aliases.conf file has precedence over the registries.conf file if both specify the same alias.
- Permissive: Similar to enforcing mode, but it does not fail if the user cannot be prompted. Instead, Podman searches all unqualified-search registries in the given order. Note that no alias is recorded.
Example:
unqualified-search-registries = ["registry.fedoraproject.org", "quay.io"]

[aliases]
"fedora" = "registry.fedoraproject.org/fedora"
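Ambiguous short names are a supply-chain problem: "nginx" may resolve to a different registry, and therefore a different image, on each host. The following is an added model of the resolution rules described above, not Podman's code: it turns an unqualified name into the ordered list of fully qualified candidates under enforcing and permissive modes, with the user's short-name-aliases.conf taking precedence over the [aliases] table in registries.conf, and it records the chosen alias only in enforcing mode. The config values are constructed; the rule for deciding that a name is already qualified (its first path component contains "." or ":" or is "localhost") is the usual docker-reference rule, and the choose callback stands in for the interactive prompt.

```python
"""Model of Podman short-name resolution. Added example, not Podman code."""


class ShortNameError(Exception):
    """Raised in enforcing mode when no alias matches and no prompt is possible."""


def is_qualified(name):
    """Fully qualified if the first path component names a registry."""
    first = name.split("/", 1)[0]
    return "/" in name and ("." in first or ":" in first or first == "localhost")


def _split_ref(name):
    """Split 'repo:tag' or 'repo@sha256:...' into (repo, suffix)."""
    if "@" in name:
        repo, digest = name.split("@", 1)
        return repo, "@" + digest
    if ":" in name:
        repo, tag = name.rsplit(":", 1)
        return repo, ":" + tag
    return name, ""


def resolve(name, *, search_registries, conf_aliases, user_aliases, mode,
            interactive, choose=None):
    """Return the ordered list of fully qualified names Podman would try.

    mode is "enforcing" or "permissive". In enforcing mode with a prompt
    available, choose(candidates) stands in for the interactive selection and
    the result is recorded in user_aliases (mutated in place) for later pulls.
    Permissive mode records nothing.
    """
    if is_qualified(name):
        return [name]
    repo, suffix = _split_ref(name)
    # The user's short-name-aliases.conf wins over [aliases] in registries.conf.
    alias = user_aliases.get(repo) or conf_aliases.get(repo)
    if alias:
        return [alias + suffix]
    candidates = [f"{reg}/{repo}{suffix}" for reg in search_registries]
    if mode == "permissive":
        return candidates            # try each registry in order; no alias saved
    if mode != "enforcing":
        raise ValueError(f"unknown short-name mode {mode!r}")
    if not interactive or choose is None:
        raise ShortNameError(
            f"short name {name!r} did not resolve to an alias; use a fully "
            f"qualified name or run interactively to pick a registry")
    chosen = choose(candidates)
    user_aliases[repo] = chosen[:-len(suffix)] if suffix else chosen
    return [chosen]


if __name__ == "__main__":
    search = ["registry.fedoraproject.org", "quay.io"]
    conf = {"fedora": "registry.fedoraproject.org/fedora"}
    user = {}
    print(resolve("fedora:34", search_registries=search, conf_aliases=conf,
                  user_aliases=user, mode="enforcing", interactive=False))
    print(resolve("nginx", search_registries=search, conf_aliases=conf,
                  user_aliases=user, mode="enforcing", interactive=True,
                  choose=lambda c: c[1]))
    print(user)
```

The useful edge case is the non-interactive pull of an unknown short name, which is what a CI job or a systemd unit does: in enforcing mode it fails rather than silently picking the first search registry, which is the behaviour to rely on in automation, together with fully qualified names in unit files and playbooks.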
(JIRA:RHELPLAN-39843)
container-tools:3.0 stable stream is now available
The container-tools:3.0 stable module stream, which contains the Podman, Buildah, Skopeo, and runc tools, is now available. This update provides bug fixes and enhancements over the previous version.
For instructions how to upgrade from an earlier stream, see Switching to a later stream.
(JIRA:RHELPLAN-56782)