Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.4.
4.1. Installer and image creation
Support to add customized files for SCAP security profile to a blueprint
With this enhancement, you can now add customized tailoring options for a profile to the osbuild-composer
blueprint customizations by using the following options:
-
selected
for the list of rules that you want to add -
unselected
for the list of rules that you want to remove
With the default org.ssgproject.content
rule namespace, you can omit the prefix for rules under this namespace. For example: the org.ssgproject.content_grub2_password
and grub2_password
are functionally equivalent.
When you build an image from that blueprint, it creates a tailoring file with a new tailoring profile ID and saves it to the image as /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml
. The new profile ID will have _osbuild_tailoring
appended as a suffix to the base profile. For example, if you use the cis
base profile, xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring
.
Jira:RHELDOCS-17792[1]
Minimal RHEL installation now installs only the s390utils-core
package
In RHEL 8.4 and later, the s390utils-base
package is split into an s390utils-core
package and an auxiliary s390utils-base
package. As a result, setting the RHEL installation to minimal-environment
installs only the necessary s390utils-core
package and not the auxiliary s390utils-base
package. If you want to use the s390utils-base
package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base
using a Kickstart file.
Bugzilla:1932480[1]
4.2. Security
Keylime verifier and registrar containers available
You can now configure Keylime server components, the verifier and registrar, as containers. When configured to run inside a container, the Keylime registrar monitors the tenant systems from the container without any binaries on the host. The container deployment provides better isolation, modularity, and reproducibility of Keylime components.
Jira:RHELDOCS-16721[1]
libkcapi
now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi
(Linux kernel cryptographic API) packages introduces the new option -T
for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c
option, for example:
$ sha256hmac -c <hmac_file> -T <target_file>
Jira:RHEL-15298[1]
Finer control over MACs in SSH with crypto-policies
You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (crypto-policies
). With this update, the crypto-policies
option ssh_etm
has been converted into a tri-state etm@SSH
option. The previous ssh_etm
option has been deprecated.
You can now set ssh_etm
to one of the following values:
ANY
-
Allows both
encrypt-then-mac
andencrypt-and-mac
MACs. DISABLE_ETM
-
Disallows
encrypt-then-mac
MACs. DISABLE_NON_ETM
-
Disallows MACs that do not use
encrypt-then-mac
.
Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption.
The semanage fcontext
command no longer reorders local modifications
The semanage fcontext -l -C
command lists local file context modifications stored in the file_contexts.local
file. The restorecon
utility processes the entries in the file_contexts.local
from the most recent entry to the oldest. Previously, semanage fcontext -l -C
listed the entries in an incorrect order. This mismatch between processing order and listing order caused problems when managing SELinux rules. With this update, semanage fcontext -l -C
displays the rules in the correct and expected order, from the oldest to the newest.
Jira:RHEL-24462[1]
Additional services confined in the SELinux policy
This update adds additional rules to the SELinux policy that confine the following systemd
services:
-
nvme-stas
-
rust-afterburn
-
rust-coreos-installer
-
bootc
As a result, these services do not run with the unconfined_service_t
SELinux label anymore, and run successfully in SELinux enforcing mode.
Jira:RHEL-12591[1]
New SELinux policy module for the SAP HANA service
This update adds additional rules to the SELinux policy for the SAP HANA service. As a result, the service now runs successfully in SELinux enforcing mode in the sap_unconfined_t
domain.
The glusterd
SELinux module moved to a separate glusterfs-selinux
package
With this update, the glusterd
SELinux module is maintained in the separate glusterfs-selinux
package. The module is therefore no longer part of the selinux-policy
package. For any actions that concern the glusterd
module, install and use the glusterfs-selinux
package.
The fips.so
library for OpenSSL provided as a separate package
OpenSSL uses the fips.so
shared library as a FIPS provider. With this update, the latest version of fips.so
submitted to the National Institute of Standards and Technology (NIST) for certification is in a separate package to ensure that future versions of OpenSSL use certified code or code undergoing certification.
Jira:RHEL-23474[1]
The chronyd-restricted
service is confined by the SELinux policy
This update adds additional rules to the SELinux policy that confine the new chronyd-restricted
service. As a result, the service now runs successfully in SELinux.
OpenSSL adds a drop-in directory for provider configuration
The OpenSSL TLS toolkit supports provider APIs for installation and configuration of modules that provide cryptographic algorithms. With this update, you can place provider-specific configuration in separate .conf
files in the /etc/pki/tls/openssl.d
directory without modifying the main OpenSSL configuration file.
SELinux user-space components rebased to 3.6
The SELinux user-space components libsepol
, libselinux
, libsemanage
, policycoreutils
, checkpolicy
, and mcstrans
library package have been rebased to 3.6. This version provides various bug fixes, optimizations and enhancements, most notably:
-
Added support for
deny
rules in CIL. -
Added support for
notself
andother
keywords in CIL. -
Added the
getpolicyload
binary that prints the number of policy reloads performed on the current system.
GnuTLS rebased to 3.8.3
The GnuTLS package has been rebased to upstream version 3.8.3 This version provides various bug fixes and enhancements, most notably:
-
The
gnutls_hkdf_expand
function now accepts only arguments with lengths less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3. -
Length limit for
TLS PSK
usernames has been increased to 65535 characters. -
The
gnutls_session_channel_binding
API function performs additional checks whenGNUTLS_CB_TLS_EXPORTER
is requested accordingly to RFC 9622 4.2. -
The
GNUTLS_NO_STATUS_REQUEST
flag and the%NO_STATUS_REQUEST
priority modifier have been added to allow disabling of thestatus_request
TLS extension on the client side. - GnuTLS now checks the contents of the Change Cipher Spec message to be equal to 1 when the TLS version is older than 1.3.
- ClientHello extensions order is randomized by default.
- GnuTLS now supports EdDSA key generation on PKCS #11 tokens, which previously did not work.
Jira:RHEL-14891[1]
nettle
rebased to 3.9.1
The nettle
library package has been rebased to 3.9.1. This version provides various bug fixes, optimizations and enhancements, most notably:
- Added balloon password hashing
- Added SIV-GCM authenticated encryption mode
- Added Offset Codebook Mode authenticated encryption mode
- Improved performance of the SHA-256 hash function on 64-bit IBM Z, AMD and Intel 64-bit architectures
- Improved performance of the Poly1305 hash function on IBM Power Systems, Little Endian, AMD and Intel 64-bit architectures
Jira:RHEL-14890[1]
p11-kit
rebased to 0.25.3
The p11-kit
packages have been updated to upstream version 0.25.3. The packages contain the p11-kit
tool for managing PKCS #11 modules, the trust
tool for operating on the trust policy store, and the p11-kit
library. Notable enhancements include the following:
- Added support for PKCS #11 version 3.0
The
pkcs11.h
header file:- Added ChaCha20/Salsa20, Poly1305 and IBM-specific mechanisms and attributes
- Added AES-GCM mechanism parameters for message-based encryption
The
p11-kit
tool:-
Added utility commands to list and manage objects of a token (
list-tokens
,list-mechanisms
,list-objects
,import-object
,export-object
,delete-object
, andgenerate-keypair
) -
Added utility commands to manage PKCS#11 profiles of a token (
list-profiles
,add-profile
, anddelete-profile
) -
Added the
print-config
command for printing merged configuration
-
Added utility commands to list and manage objects of a token (
The
trust
tool:-
Added the
check-format
command to validate the format of.p11-kit
files
-
Added the
Jira:RHEL-14834[1]
libkcapi
rebased to 1.4.0
The libkcapi
library, which provides access to the Linux kernel crypto API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:
-
Added the
sm3sum
andsm3hmac
tools. -
Added the
kcapi_md_sm3
andkcapi_md_hmac_sm3
APIs. - Added SM4 convenience functions.
- Fixed support for link-time optimization (LTO).
- Fixed LTO regression testing.
-
Fixed support for AEAD encryption of an arbitrary size with
kcapi-enc
.
Jira:RHEL-5367[1]
User and group creation in OpenSSH uses the sysusers.d
format
Previously, OpenSSH used static useradd
scripts. With this update, OpenSSH uses the sysusers.d
format to declare system users, which makes it possible to introspect system users.
OpenSSH limits artificial delays in authentication
OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit on such delays when remote authentication takes too long, for example in privilege access management (PAM) processing.
Jira:RHEL-2469[1]
stunnel
rebased to 5.71
The stunnel
TLS/SSL tunneling service has been rebased to upstream version 5.71.
Notable new features include:
- Added support for modern PostgreSQL clients.
-
You can use the
protocolHeader
service-level option to insert customconnect
protocol negotiation headers. -
You can use the
protocolHost
option to control the client SMTP protocol negotiation HELO/EHLO value. -
Added client-side support for Client-side
protocol = ldap
. -
You can now configure session resumption by using the service-level
sessionResume
option. -
Added support to request client certificates in server mode with
CApath
(previously, onlyCAfile
was supported). - Improved file reading and logging performance.
-
Added support for configurable delay for the
retry
option. -
In client mode, OCSP stapling is requested and verified when
verifyChain
is set. - In server mode, OCSP stapling is always available.
-
Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting
OCSPrequire = no
.
Jira:RHEL-2468[1]
New options for dropping capabilities in Rsyslog
You can now configure Rsyslog’s behavior when dropping capabilities by using the following global options:
libcapng.default
-
Determines Rsyslog’s actions when it encounters errors while dropping capabilities. The default value is
on
, which caused Rsyslog to exit if an error related tolibcapng-related
occurs. libcapng.enable
-
Determines whether Rsyslog drops capabilities during startup. If this option is disabled,
libcapng.default
has no impact.
Jira:RHEL-943[1]
audit
rebased to 3.1.2
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:
-
The
auparse
library now interprets unnamed and anonymous sockets. -
You can use the new keyword
this-hour
in thestart
andend
options of theausearch
andaureport
tools. -
Support for the
io_uring
asynchronous I/O API has been added. -
User-friendly keywords for signals have been added to the
auditctl
program. -
Handling of corrupt logs in
auparse
has been improved. -
The
ProtectControlGroups
option is now disabled by default in theauditd
service. - Rule checking for the exclude filter has been fixed.
-
The interpretation of
OPENAT2
fields has been enhanced. -
The
audispd af_unix
plugin has been moved to a standalone program. - The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-14896[1]
Rsyslog rebased to 8.2310
The Rsyslog log processing system has been rebased to upstream version 8.2310. This update introduces significant enhancements and bug fixes. Most notable enhancements include:
- Customizable TLS/SSL encryption settings
-
In previous versions, configuring TLS/SSL encryption settings for separate connections was limited to global settings. With the latest version, you can now define unique TLS/SSL settings for each individual connection in Rsyslog. This includes specifying different CA certificates, private keys, public keys, and CRL files for enhanced security and flexibility. For detailed information and usage, see documentation provided in the
rsyslog-doc
package. - Refined capability dropping feature
-
You can now set additional options that relate to capability dropping. You can disable capability dropping by setting the
libcapng.enable
global option tooff
. For more information, see RHEL-943.
Jira:RHEL-937, Jira:RHEL-943
SCAP Security Guide rebased to 0.1.72
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:
- CIS profiles are updated to align with the latest benchmarks.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes.
4.3. RHEL for Edge
Support for building FIPS enabled RHEL for Edge images
This enhancement adds support for building FIPS enabled RHEL for Edge images for the following images types:
-
edge-installer
-
edge-simplified-installer
-
edge-raw-image
-
edge-ami
-
edge-vsphere
You can enable FIPS mode only during the image provisioning process. You cannot change to FIPS mode after the non-FIPS image build starts.
Jira:RHELDOCS-17263[1]
4.4. Shells and command-line tools
openCryptoki rebased to version 3.22.0
The opencryptoki
package has been updated to version 3.22.0. Notable changes include:
-
Added support for the
AES-XTS
key type by using theCPACF
protected keys. - Added support for managing certificate objects.
-
Added support for public sessions with the
no-login
option. - Added support for logging in as the Security Officer (SO).
-
Added support for importing and exporting the
Edwards
andMontgomery
keys. -
Added support for importing the
RSA-PSS
keys and certificates. - For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
- Various bug fixes have been implemented.
Jira:RHEL-11412[1]
4.5. Infrastructure services
synce4l
rebased to version 1.0.0
The synce4l
protocol has been updated to version 1.0.0. This update adds support for kernel Digital Phase Locked Loop (DPLL) interface.
Jira:RHEL-10089[1]
chrony
rebased to version 4.5
The chrony
suite has been updated to version 4.5. Notable changes include:
- Added support for the AES-GCM-SIV cipher to shorten Network Time Security (NTS) cookies to improve reliability of NTS over the internet, where some providers block or limit the rate of longer Network Time Protocol (NTP) messages.
-
Added periodic refresh of IP addresses of NTP sources specified by hostname. The default interval is two weeks and it can be disabled by adding
refresh 0
parameter to thechrony.conf
file. - Improved automatic replacement of unreachable NTP sources.
-
Improved logging of important changes made by the
chronyc
utility. - Improved logging of source selection failures and falsetickers.
-
Added the
hwtstimeout
directive to configure timeout for late hardware transmit timestamps. - Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
-
Added the
chronyd-restricted
service as an alternative service for minimal client-only configurations where thechronyd
service can be started withoutroot
privileges. -
Fixed the
presend
option ininterleaved
mode. -
Fixed reloading of modified sources specified by IP address from the
sourcedir
directories.
linuxptp
rebased to version 4.2
The linuxptp
protocol has been updated to version 4.2. Notable changes include:
-
Added support for multiple domains in the
phc2sys
utility. - Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
- Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
4.6. Networking
The nft
utility can now reset nftables
rule-contained states
With this enhancement, you can use the nft reset
command to reset nftables
rule-contained states. For example, use this feature to reset counter and quota statement values.
Jira:RHEL-5980[1]
Marvell Octeon PCIe Endpoint Network Interface Controller driver is available
This enhancement has added the octeon_ep
driver. You can use it for networking of Marvell’s Octeon PCIe Endpoint network interface cards. The host drivers act as PCI Express (PCIe) endpoint network interface (NIC) to support Marvell OCTEON TX2 CN106XX, a 24 N2 cores Infrastructure Processor Family. By using OCTEON TX2 driver as a PCIe NIC, you can use OCTEON TX2 as a PCIe endpoint in various products: security firewalls, 5G Open Radio Access Network (ORAN) and Virtual RAN (VRAN) applications and data processing offloading applications.
Currently, you can use it with the following devices:
- Network controller: Cavium, Inc. Device b100
- Network controller: Cavium, Inc. Device b200
- Network controller: Cavium, Inc. Device b400
- Network controller: Cavium, Inc. Device b900
- Network controller: Cavium, Inc. Device ba00
- Network controller: Cavium, Inc. Device bc00
- Network controller: Cavium, Inc. Device bd00
Jira:RHEL-9308[1]
NetworkManager now supports configuring the switchdev
mode for advanced hardware offload
With this enhancement, you can configure the following new properties in NetworkManager connection profiles:
-
sriov.eswitch-mode
-
sriov.eswitch-inline-mode
-
sriov.eswitch-encap-mode
With these properties, you can configure the eSwitch of smart network interface controllers (Smart NICs). For example, use the sriov.eswitch-mode
setting to change the mode from legacy SR-IOV
to switchdev
to use advanced hardware offload features.
NetworkManager supports changing ethtool
channel settings
A network interface can have multiple interrupt request (IRQs) and associated packet queues called channels
. With this enhancement, NetworkManager connection profiles can specify the number of channels to assign to an interface through connection properties ethtool.channels-rx
,ethtool.channels-tx
,ethtool.channels-other
, and ethtool.channels-combined
.
Jira:RHEL-1471[1]
Nmstate can now create a YAML file to revert settings
With this enhancement, Nmstate can create a "revert configuration file" that contains the differences between the current network settings and a YAML file with the new configuration that you want to apply. If the settings do not work as expected after you applied the YAML file, you can use the revert configuration file to restore the previous settings:
-
Create a YAML file, for example,
new.yml
with the configuration that you want to apply. Create a revert configuration file that contains the differences between intended settings in
new.yml
and the current state:# nmstatectl gr new.yml > revert.yml
-
Apply the configuration from
new.yml
. -
If you want now to switch back to the previous state, apply
revert.yml
.
Alternatively, you can use the NetworkState::generate_revert(current)
call if you use the Nmstate API to create a revert configuration.
Nmstate API configures VPN connection based on IPsec configuration
The Libreswan utility is an implementation of IPsec for configuring VPNs. With this update, by using nmstatectl
, you can configure IPsec-based authentication types along with configuration modes (tunnel and transport) and network layouts (host-to-subnet
, host-to-host
, subnet-to-subnet
).
nmstate
now supports the priority
bond property
With this update, you can set the priority of bond ports in the nmstate
framework by using the priority
property in the ports-config
section of the configuration file. An example YAML file can look as follows:
--- interfaces: - name: bond99 type: bond state: up link-aggregation: mode: active-backup ports-config: - name: eth2 priority: 15
When an active port within the bonded interface is down, the RHEL kernel elects the next active port that has the highest numerical value in the priority
property from the pool of all backup ports.
The priority
property is relevant for the following modes of the bond interface:
-
active-backup
-
balance-tlb
-
balance-alb
Jira:RHEL-1438[1]
NetworkManager wifi connections support a new MAC address-based privacy option
With this enhancement, you can configure NetworkManager to associate a random-generated MAC address with the Service Set Identifier (SSID) of a wifi network. This enables you to permanently use a random but consistent MAC address for a wifi network even if you delete a connection profile and re-create it. To use this new feature, set the 802-11-wireless.cloned-mac-address
property of a wifi connection profile to stable-ssid
.
Introduction of new nmstate
attributes for the VLAN interface
With this update of the nmstate
framework, the following VLAN attributes were introduced:
-
registration-protocol
: VLAN Registration Protocol. The valid values aregvrp
(GARP VLAN Registration Protocol),mvrp
(Multiple VLAN Registration Protocol), andnone
. -
reorder-headers
: reordering of output packet headers. The valid values aretrue
andfalse
. -
loose-binding
: loose binding of the interface to the operating state of its primary device. The valid values aretrue
andfalse
.
Your YAML configuration file can look similar to the following example:
--- interfaces: - name: eth1.101 type: vlan state: up vlan: base-iface: eth1 id: 101 registration-protocol: mvrp loose-binding: true reorder-headers: true
ipv4.dhcp-client-id
set to none
prevents sending a client-identifier
If the client-identifier
option is not set in NetworkManager, then the actual value depends on the type of DHCP clients in use, such as NetworkManager internal
DHCP client or dhclient
. Generally, DHCP clients send a client-identifier
. Therefore, in almost all cases, you do not need to set the none
option. As a result, this option is only useful in case of some unusual DHCP server configurations that require clients to not send a client-identifier
.
nmstate
now supports creating MACsec interfaces
With this update, the users of the nmstate
framework can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model. As a result, there is no need to encrypt individual services later on Layer 7. Also, the feature eliminates associated challenges such as managing large amounts of certificates for each endpoint.
For more information, see Configuring a MACsec connection using nmstatectl.
netfilter
update
The kernel
package has been upgraded to version 5.14.0-405 in RHEL 9. As a result, the rebase also provided multiple enhancements and bug fixes in the netfilter
component of the RHEL kernel. The most notable change includes:
-
The
nftables
subsystem is able to match various inner header fields of the tunnel packets. This enables more granular and effective control over network traffic, especially in environments where tunneling protocols are used.
Jira:RHEL-16630[1]
firewalld
now avoids unnecessary firewall rule flushes
The firewalld
service does not remove all existing rules from the iptables
configuration if both following conditions are met:
-
firewalld
is using thenftables
backend. -
There are no firewall rules created with the
--direct
option.
This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration with other software.
Jira:RHEL-427[1]
The ss
utility adds visibility improvement to TCP bound-inactive sockets
The iproute2
suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss
) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:
-
ss --all
: to dump all sockets including TCP bound-inactive ones -
ss --bound-inactive
: to dump only bound-inactive sockets
Jira:RHEL-21223[1]
The Nmstate API now supports SR-IOV VLAN 802.1ad tagging
With this enhancement, you can now use the Nmstate API to enable hardware-accelerated Single-Root I/O Virtualization (SR-IOV) Virtual Local Area Network (VLAN) 802.1ad tagging on cards whose firmware supports this feature.
The TCP Illinois congestion algorithm kernel module is re-enabled
TCP Illinois is a variant of the TCP protocol. Customers such as Internet Service Providers (ISP) experience sub-optimal performance without TCP Illinois algorithm and network traffic does not scale well even when using Bandwidth and Round-trip propagation time (BBR) algorithm that results into high latency. As a result, TCP Illinois algorithm can produce slightly higher average throughput, fairer network resources allocation, and compatibility.
Jira:RHEL-5736[1]
The iptables
utility rebased to version 1.8.10
The iptables
utility defines rules for packet filtering to manage firewall. This utility has been rebased. Notable changes include:
Notable features:
-
Add support for newer chunk types in
sctp
match -
Align ip6tables opt-in column if empty helps when piping output to
jc --iptables
-
Print numeric protocol numbers with
--numeric
for a more stable output -
More translations for
*tables-translate
utilities with improved output formatting - Several manual page improvements
Notable fixes:
-
iptables-restore
error messages incorrectly pointing at the COMMIT line -
Broken
-p Length
match in ebtables -
Broken ebtables among match when used in multiple rules restored through
ebtables-restore
- Program could crash when renaming a chain depending on the number of chains already present
- Non-critical memory leaks
- Missing broute table support in ebtables after the switch to nft-variants
- Broken ip6tables rule counter setting with '-c' option
- Unexpected error message when listing a non-existent chain
- Potential false-positive ebtables rule comparison if among match is used
- Prohibit renaming a chain to an invalid name
- Stricter checking of "chain lines" in iptables-restore input to detect invalid chain names
- Non-functional built-in chain policy counters
nftables
rebased to version 1.0.9
The nftables
utility has been upgraded to version 1.0.9, which provides multiple bug fixes and enhancements. Notable changes include:
-
Improvements to the
--optimize
command option - Extended the Python nftables class
-
Improved behavior when dealing with rules created by
iptables-nft
- Support accessing fields of vxlan-encapsulated headers
- Initial support for GRE, Geneve, and GRETAP protocols
-
New
reset rule(s)
commands to reset rule counters, quotas -
New
destroy
command deletes things only if they exist -
New
last
statement recording when it has seen a packet for the last time - Add and remove devices from netdev-family chains
-
New
meta broute
expression to emulate ebtables' broute functionality - Fixed miscellaneous memory leaks
- Fixed wrong location in error messages in corner-cases
- Set and map statements missing in JSON output
firewalld
rebased to version 1.3
The firewalld
package has been upgraded to version 1.3, which provides multiple bug fixes and enhancements. Notable changes include:
-
New
reset-to-defaults
CLI option: This option resets configuration of thefirewalld
service to defaults. This allows users to erasefirewalld
configuration and start over with the default settings. -
Enable the
--add-masquerade
CLI option for policies withingress-zone=ZONE
, whereZONE
has interfaces assigned with the--add-interface
CLI option. This removes a restriction and enables usage of interfaces (instead of sources) in common scenarios.
The reasons to introduce these features:
-
reset-to-defaults
was implemented to reset the firewall to the default configuration. - Using interfaces allows change of IP address without impacting firewall configuration.
As a result, users can perform the following actions:
- Reset the configuration
-
Combine
--add-maquerade
with--add-interface
while using policies
4.7. Kernel
Kernel version in RHEL 9.4
Red Hat Enterprise Linux 9.4 is distributed with the kernel version 5.14.0-427.13.1.
rteval
now supports adding and removing arbitrary CPUs from the default measurement CPU list
With the rteval
utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist
parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus
is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This option covers the most common use case of a real-time application running on isolated CPUs. Other use cases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus
.
Jira:RHEL-9912[1]
rtla
rebased to version 6.6 of the upstream kernel
source code
The rtla
utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
-
Added the
-C
option to specify additional control groups forrtla
threads to run in, apart from the mainrtla
thread. -
Added the
--house-keeping
option to placertla
threads on a housekeeping CPU and to put measurement threads on different CPUs. -
Added support to the
timerlat
tracer so that you can runtimerlat hist
andtimerlat top
threads in user space.
Jira:RHEL-10079[1]
cyclicdeadline
now supports generating a histogram of latencies
With this release, the cyclicdeadline
utility supports generating a histogram of latencies. You can use this feature to get more insight into the frequency of latency spikes of different sizes, rather than getting just one worst-case number.
Jira:RHEL-9910[1]
SGX is now fully supported
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041883[1]
The Intel data streaming accelerator driver is now fully supported
The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid
) submission and shared virtual memory (SVM).
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
The eBPF facility has been rebased to Linux kernel version 6.6
Notable changes and enhancements include:
-
New dynamic pointers (
dynptrs
) of theskb
andxdp
type, which enable for more ergonomic and less brittle iteration through data and variable-sized accesses in BPF programs. -
A new BPF
netfilter
program type and minimal support to hook BPF programs tonetfilter
hooks, such as prerouting or forward. Multiple improvements to kernel pointers (
kptrs
):-
You can use
kptrs
in more map types. -
RCU semantics are enabled for task
kptrs
. -
New reference-counted local
kptrs
useful for adding a node to both the BPFlist
andrbtree
.
-
You can use
-
At load time, BPF programs can detect whether a particular
kfunc
exists or not. -
Several new
kfuncs
for working withdynptrs
,cgroups
,sockets
, andcpumasks
. -
New BPF links for attaching multiple
uprobes
andusdt
probes, which is significantly faster and saves extra file descriptors (FDs). -
The BPF
map
element count is enabled for all program types. -
The memory usage reporting for all BPF
map
types is more precise. -
The
bpf_fib_lookup
BPF helper includes the routing table ID. -
The
BPF_OBJ_PIN
andBPF_OBJ_GET
commands supportO_PATH
FDs.
Jira:RHEL-10691[1]
The libbpf-tools package is now available on IBM Z
The libbpf-tools
package, which provides command line tools for the BPF Compiler Collection (BCC), is now available on the IBM Z architecture. As a result, you can now use commands from libbpf-tools
on IBM Z.
Jira:RHEL-16325[1]
4.8. Boot loader
DEP/NX support in the pre-boot stage
The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.
This release adds DEP/NX support in the GRUB and shim
boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might start certain attacks without the DEP/NX protection.
Jira:RHEL-10288[1]
4.9. File systems and storage
Setting a filesystem size limit is now supported
With this update, users can now set a filesystem size limit when creating or modifying a filesystem. The stratisd
service enables dynamic filesystem growth, but excessive expansion of an XFS filesystem can cause significant performance issues. The addition of this feature addresses potential performance issues that might occur when growing XFS filesystems beyond a certain threshold. By setting a filesystem size limit, users can prevent such issues and ensure optimal performance. Additionally, this feature enables better pool monitoring and maintenance by allowing users to impose an upper limit on a filesystem’s size, ensuring efficient resource allocation.
Converting a standard LV to a thin LV by using lvconvert
is now possible
By specifying a standard logical volume (LV) as a thin pool data, you can now convert a standard LV to a thin LV by using the lvconvert
command. With this update, you can convert existing LVs to use the thin provisioning facility.
multipathd
now supports detecting FPIN-Li events for NVMe devices
Previously, the multipathd
command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd
could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd
was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.
With this update, multipathd
supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.
max_retries
option is now added to the defaults
section of multipath.conf
This enhancement adds the max_retries
option to the defaults
section of the multipath.conf
file. By default this option is unset, and uses the SCSI layer’s default value of 5 retries. The valid values for this option is from 0
to 5
. When this option is set, it overrides the default value of the max_retries
sysfs
attribute for SCSI devices. This attribute controls the number of times the SCSI layer retries I/O commands before returning failure when it encounters certain error types.
If users encounter an issue where multipath’s path checkers return success but I/O to a device is hanging, they can set this option to decrease the time before the I/O will be retried down another path.
Jira:RHEL-1729[1]
auto_resize
option is now added to the defaults
section of multipath.conf
Previously, to resize a multipath device, you had to manually run the multipathd resize map <name>
command. With this update, the auto_resize
option is now added to the defaults
section of the multipath.conf
file. This option controls when the multipathd
command can automatically resize a multipath device. The following are the different values for auto_resize
:
-
By default,
auto_resize
is set tonever
. In this case,multipathd
works without any change. -
If
auto_resize
is set togrow_only
,multipathd
automatically resizes the multipath device when the device’s paths have grown in size. -
If
auto_resize
is set togrow_shrink
,multipathd
automatically shrinks the multipath device when the device’s paths are decreased in size.
As a result, when this option is enabled, you no longer need to manually resize your multipath devices.
Jira:RHEL-986[1]
Changes to Arcus NVMeoFC multipath.conf
settings are now included in kernel
Device-mapper-multipath now has a built-in configuration for the HPE Alletra 9000 NVMeFC array. Arcus added support for ANA (Asymmetric Namespace Access) for NVMeoFC. This is similar to ALUA for SCSI. A change in the multipath.conf
is required for a RHEL host to use this feature and send only I/O to ANA optimized paths when available. Without this change, device mapper was sending I/O to both ANA optimized and ANA non-optimized paths.
This change is only for NVMeoFC. FCP multipath.conf
content already had this setting for supporting ALUA previously.
stratis-cli
rebased to version 3.6.0
The stratis-cli
package has been upgraded to version 3.6.0. Notable bug fixes and enhancements include:
-
The
stratis-cli
command-line interface supports an additional option to set the file system size limit on creation. Theset-size-limit
andunset-size-limit
are two new file system commands, which sets or unsets the file system size limit after creating a file system. -
stratis-cli
now incorporates password verification when it is used to set a key in the kernel keyring by using a manual entry. -
stratis-cli
now supports specifying a pool either by name or by UUID when stopping a pool. -
stratis-cli
also gets updates with various internal improvements, and now enforces a requirement of at least the python 3.9 version in its package configuration.
Jira:RHEL-2265[1]
boom
rebased to version 1.6.0
The boom
package has been upgraded to version 3.6.0. Notable enhancements include:
-
Support for multi-volume snapshot boot syntax supported by the
systemd
command. -
The
new --mount
and--no-fstab
options are added to specify additional volumes to mount at the boot entry.
NVMe-FC Boot from SAN is now fully supported
The Non-volatile Memory Express (NVMe) over Fibre Channel (NVMe/FC) Boot, which was introduced in Red Hat Enterprise Linux 9.2 as a Technology Preview, is now fully supported. Some NVMe/FC host bus adapters support a NVMe/FC boot capability. For more information on programming a Host Bus Adapter (HBA) to enable NVMe/FC boot capability, see the NVMe/FC host bus adapter manufacturer’s documentation.
Jira:RHEL-1492[1]
4.10. High availability and clusters
pcs
support for ISO 8601 duration specification for time properties
The pcs
command-line interface now allows you to specify values for Pacemaker time properties according to the ISO 8601 duration specification standard.
Support for new pscd
Web UI features
The pscd
Web UI now supports the following features:
- Moving a cluster resource off the node on which it is currently running
- Banning a resource from running on a node
- Displaying cluster status that shows the age of the cluster status and when the cluster state is being reloaded
- Requesting a reload of the cluster status display
Jira:RHEL-7582, Jira:RHEL-7739
TLS cipher list now defaults to system-wide crypto policy
Previously, the pcsd
TLS cipher list was set to DEFAULT:!RC4:!3DES:@STRENGTH
by default. With this update, the cipher list is defined by the system-wide crypto policy by default. The TLS ciphers accepted by the pcsd
daemon might change with this upgrade, depending on the currently set crypto policy. For more information about the crypto policies framework, see the crypto-policies
(7) man page.
4.11. Dynamic programming languages, web and database servers
Python 3.12 available in RHEL 9
RHEL 9.4 introduces Python 3.12, provided by the new package python3.12
and a suite of packages built for it, and the ubi9/python-312
container image.
Notable enhancements compared to the previously released Python 3.11 include:
-
Python introduces a new
type
statement and new type parameter syntax for generic classes and functions. - Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
-
To improve security, the built-in
hashlib
implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The built-in implementations remain available as fallback if OpenSSL does not provide them. -
Dictionary, list, and set comprehensions in
CPython
are now inlined. This significantly increases the speed of a comprehension execution. -
CPython
now supports the Linuxperf
profiler. -
CPython
now provides stack overflow protection on supported platforms.
Python 3.12 and packages built for it can be installed in parallel with Python 3.9 and Python 3.11 on the same system.
To install packages from the python3.12
stack, use, for example:
# dnf install python3.12 # dnf install python3.12-pip
To run the interpreter, use, for example:
$ python3.12 $ python3.12 -m pip --help
See Installing and using Python for more information.
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING
environment variable. When you set this variable to true
, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg
configuration file with the following content:
[email_addr_parsing] PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
A new module stream: ruby:3.3
RHEL 9.4 introduces Ruby 3.3.0 in a new ruby:3.3
module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1
distributed with RHEL 9.1.
Notable enhancements include:
-
You can use the new
Prism
parser instead ofRipper
.Prism
is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language. - YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
-
The
Regexp
matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities. - The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
- A new M:N thread scheduler is now available.
Other notable changes:
-
You must now use the
Lrama
LALR parser generator instead ofBison
. - Several deprecated methods and constants have been removed.
-
The
Racc
gem has been promoted from a default gem to a bundled gem.
To install the ruby:3.3
module stream, use:
# dnf module install ruby:3.3
If you want to upgrade from an earlier ruby
module stream, see Switching to a later stream.
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-17089[1]
A new module stream: php:8.2
RHEL 9.4 adds PHP 8.2 as a new php:8.2
module stream.
Improvements in this release include:
- Readonly classes
- Several new stand-alone types
-
A new
Random
extension - Constraints in traits
To install the php:8.2
module stream, use the following command:
# dnf module install php:8.2
If you want to upgrade from the php:8.1
stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 9, see Using the PHP scripting language.
For information about the length of support for the php
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14699[1]
The name()
method of the perl-DateTime-TimeZone
module now returns the time zone name
The perl-DateTime-TimeZone
module has been updated to version 2.62, which changed the value that is returned by the name()
method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.
A new module stream: nginx:1.24
The nginx 1.24 web and proxy server is now available as the nginx:1.24
module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.
New features and changes related to Transport Layer Security (TLS):
-
Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the
ssl_session_cache
directive. - Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
-
You can now disable looking up IPv4 addresses while resolving by using the
ipv4=off
parameter of theresolver
directive. -
nginx now supports the
$proxy_protocol_tlv_*
variables, which store the values of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol. -
The
ngx_http_gzip_static_module
module now supports byte ranges.
Other changes:
- Header lines are now represented as linked lists in the internal API.
-
nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the
$r->header_in()
method of thengx_http_perl_module
, and during lookups of the$http_...
,$sent_http_...
,$sent_trailer_...
,$upstream_http_...
, and$upstream_trailer_...
variables. - nginx now displays a warning if protocol parameters of a listening socket are redefined.
- nginx now closes connections with lingering if pipelining was used by the client.
-
The logging level of various SSL errors has been lowered, for example, from
Critical
toInformational
.
To install the nginx:1.24
stream, use:
# dnf module install nginx:1.24
To upgrade from the nginx 1.22
stream, switch to a later stream.
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14713[1]
A new module stream: mariadb:10.11
MariaDB 10.11 is now available as a new module stream, mariadb:10.11
. Notable enhancements over the previously available version 10.5 include:
-
A new
sys_schema
feature. - Atomic Data Definition Language (DDL) statements.
-
A new
GRANT ... TO PUBLIC
privilege. -
Separate
SUPER
andREAD ONLY ADMIN
privileges. -
A new
UUID
database data type. - Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
-
Support for the natural sort order through the
natural_sort_key()
function. -
A new
SFORMAT
function for arbitrary text formatting. - Changes to the UTF-8 charset and the UCA-14 collation.
-
systemd
socket activation files available in the/usr/share/
directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream. -
Error messages containing the
MariaDB
string instead ofMySQL
. - Error messages available in the Chinese language.
- Changes to the default logrotate file.
-
For MariaDB and MySQL clients, the connection property specified on the command line (for example,
--port=3306
), now forces the protocol type of communication between the client and the server, such astcp
,socket
,pipe
, ormemory
.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.
For more information about MariaDB, see Using MariaDB.
To install the mariadb:10.11
stream, use:
# dnf module install mariadb:10.11
If you want to upgrade from MariaDB 10.5, see Upgrading from MariaDB 10.5 to MariaDB 10.11.
For information about the length of support for the mariadb
module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new module stream: postgresql:16
RHEL 9.4 introduces PostgreSQL 16 as the postgresql:16
module stream. PostgreSQL 16 provides several new features and enhancements over version 15.
Notable enhancements include:
- Enhanced bulk loading improves performance.
-
The
libpq
library now supports connection-level load balancing. You can use the newload_balance_hosts
option for more efficient load balancing. -
You can now create custom configuration files and include them in the
pg_hba.conf
andpg_ident.conf
files. -
PostgreSQL now supports regular expression matching on database and role entries in the
pg_hba.conf
file.
Other changes include:
-
PostgreSQL is no longer distributed with the
postmaster
binary. Users who start thepostgresql
server by using the providedsystemd
unit file (thesystemctl start postgres
command) are not affected by this change. If you previously started thepostgresql
server directly through thepostmaster
binary, you must now use thepostgres
binary instead. - PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.
See also Using PostgreSQL.
To install the postgresql:16
stream, use the following command:
# dnf module install postgresql:16
If you want to upgrade from an earlier postgresql
stream within RHEL 9, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 9 version of PostgreSQL.
For information about the length of support for the postgresql
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Git rebased to version 2.43.0
The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.
Notable enhancements include:
-
You can now use the new
--source
option with thegit check-attr
command to read the.gitattributes
file from the provided tree-ish object instead of the current working directory. -
Git can now pass information from the
WWW-Authenticate
response-type header to credential helpers. -
In case of an empty commit, the
git format-patch
command now writes an output file containing a header of the commit instead of creating an empty file. -
You can now use the
git blame --contents=<file> <revision> -- <path>
command to find the origins of lines starting at<file>
contents through the history that leads to<revision>
. -
The
git log --format
command now accepts the%(decorate)
placeholder for further customization to extend the capabilities provided by the--decorate
option.
Jira:RHEL-17100[1]
Git LFS rebased to version 3.4.1
The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.
Notable changes include:
-
The
git lfs push
command can now read references and object IDs from standard input. - Git LFS now handles alternative remotes without relying on Git.
-
Git LFS now supports the
WWW-Authenticate
response-type header as a credential helper.
Jira:RHEL-17101[1]
4.12. Compilers and development tools
LLVM Toolset rebased to version 17.0.6
LLVM Toolset has been updated to version 17.0.6.
Notable enhancements include:
- The opaque pointers migration is now completed.
- Removed support for the legacy pass manager in middle-end optimization.
Clang changes:
- C++20 coroutines are no longer considered experimental.
-
Improved code generation for the
std::move
function and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Rust Toolset rebased to version 1.75.0
Rust Toolset has been updated to version 1.75.0.
Notable enhancements include:
- Constant evaluation time is now unlimited
- Cleaner panic messages
- Cargo registry authentication
-
async fn
and opaque return types in traits
Go Toolset rebased to version 1.21.0
Go Toolset has been updated to version 1.21.0.
Notable enhancements include:
-
min
,max
, andclear
built-ins have been added. - Official support for profile guided optimization has been added.
- Package initialization order is now more precisely defined.
- Type inferencing is improved.
- Backwards compatibility support is improved.
For more information, see the Go upstream release notes.
Jira:RHEL-11871[1]
Clang resource directory moved
The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17
to /usr/lib/clang/17
.
elfutils
rebased to version 0.190
The elfutils
package has been updated to version 0.190. Notable improvements include:
-
The
libelf
library now supports relative relocation (RELR). -
The
libdw
library now recognizes.debug_[ct]u_index
sections. -
The
eu-readelf
utility now supports a new-Ds
,--use-dynamic --symbol
option to show symbols through the dynamic segment without using ELF sections. -
The
eu-readelf
utility can now show.gdb_index
version 9. -
A new
eu-scrlines
utility compiles a list of source files associated with a specified DWARF or ELF file. -
A
debuginfod
server schema has changed for a 60% compression in file name representation (this requires reindexing).
systemtap
rebased to version 5.0
The systemtap
package has been updated to version 5.0. Notable enhancements include:
- Faster and more reliable kernel-user transport.
- Extended DWARF5 debuginfo format support.
Updated GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced in RHEL 9.4 include:
- The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
-
binutils
now support AMD CPUs based on theznver5
core through the-march=znver5
compiler switch. -
annobin
has been updated to version 12.32. -
The
annobin
plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
Tool | Version |
---|---|
GCC | 13.2.1 |
GDB | 12.1 |
binutils | 2.40 |
dwz | 0.14 |
annobin | 12.32 |
To install GCC Toolset 13, run the following command as root:
# dnf install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Jira:RHEL-23798[1]
Compiling with GCC and the -fstack-protector
flag no longer fails to guard dynamic stack allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the system GCC compiler with the -fstack-protector
flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()
-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with the system GCC are more secure.
Jira:RHEL-17638[1]
GCC Toolset 13: Compiling with GCC and the -fstack-protector
flag no longer fails to guard dynamic stack allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the GCC compiler with the -fstack-protector
flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()
-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with GCC are more secure.
pcp
updated to version 6.2.0
The pcp
package has been updated to version 6.2.0. Notable improvements include:
-
pcp-htop
now supports user-defined tabs. -
pcp-atop
now supports a new bar graph visualization mode. - OpenMetrics PMDA metric labels and logging are improved.
- Additional Linux kernel virtual memory metrics have been added.
New tools:
-
pmlogredact
-
pcp-buddyinfo
-
pcp-meminfo
-
pcp-netstat
-
pcp-slabinfo
-
pcp-zoneinfo
-
Jira:RHEL-2317[1]
A new grafana-selinux
package
Previously, the default installation of grafana-server
ran as an unconfined_service_t
SELinux type. This update adds the new grafana-selinux
package, which contains an SELinux policy for grafana-server
and which is installed by default with grafana-server
. As a result, grafana-server
now runs as grafana_t
SELinux type.
papi
supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi
events presets on the following processor microarchitectures:
- AMD Zen 4
- 4th Generation Intel® Xeon® Scalable Processors
Jira:RHEL-9333[1], Jira:RHEL-9335, Jira:RHEL-9334
New package: maven-openjdk21
The maven:3.8
module stream now includes the maven-openjdk21
subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.
Jira:RHEL-13046[1]
New package: libzip-tools
RHEL 9.4 introduces the libzip-tools
package, which provides utilities such as zipcmp
, zipmerge
, and ziptool
.
cmake
rebased to version 3.26
The cmake
package has been updated to version 3.26. Notable improvements include:
- Added support for the C17 and C18 language standards.
-
cmake
can now query the/etc/os-release
file for operating system identification information. -
Added support for the CUDA 20 and
nvtx3
libraries. - Added support for the Python stable application binary interface.
- Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
valgrind
updated to 3.22
The valgrind
package has been updated to version 3.22. Notable improvements include:
-
valgrind
memcheck
now checks that the values given to the C functionsmemalign
,posix_memalign
, andaligned_alloc
, and the C++17 alignednew
operator are valid alignment values. -
valgrind
memcheck
now supports mismatch detection for C++14 sized and C++17 alignednew
anddelete
operators. -
Added support for lazy reading of DWARF debugging information, resulting in faster startup when
debuginfo
packages are installed.
libabigail
rebased to version 2.4
The libabigail
package has been updated to version 2.4.
Notable enhancements include:
-
The
abidiff
tool now supports comparing two sets of binaries. - Added support for suppressing harmless change reports related to flexible array data members.
-
Improved support for suppressing harmless change reports about
enum
types. - Improved representation of changes to anonymous enum, union, and struct types.
4.13. Identity Management
A new passwordless authentication method is available in SSSD
With this update, you can enable and configure passwordless authentication in SSSD to use a biometric device that is compatible with the FIDO2 specification, for example a YubiKey. You must register the FIDO2 token in advance and store this registration information in the user account in RHEL IdM, Active Directory, or an LDAP store. RHEL implements FIDO2 compatibility with the libfido2
library, which currently only supports USB-based tokens.
Jira:RHELDOCS-17841[1]
The ansible-freeipa
ipauser
and ipagroup
modules now support a new renamed
state
With this update, you can use the renamed
state in ansible-freeipa
ipauser
module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa
ipagroup
module to change the group name of an existing IdM group.
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 9.1 or later.
Jira:RHELPLAN-169666[1]
ipa
rebased to version 4.11
The ipa
package has been updated from version 4.10 to 4.11. Notable changes include:
- Support for FIDO2-based passkeys.
- Initial implementation of resource-based constrained delegation (RBCD) for Kerberos services.
-
Context manager for
ipalib.api
to automatically configure, connect, and disconnect. - The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
-
The
ansible-freeipa
package has been rebased from version 1.11 to 1.12.1. -
The
ipa-healthcheck
package has been rebased from version 0.12 to 0.16.
For more information, see the upstream release notes.
Deleting expired KCM Kerberos tickets
Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches
configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy
command.
IdM now supports the idoverrideuser
, idoverridegroup
and idview
Ansible modules
With this update, the ansible-freeipa
package now contains the following modules:
idoverrideuser
- Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
idoverridegroup
- Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
idview
- Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.
The idp
Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp
ansible-freeipa
module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
getcert add-ca
returns a new return code if a certificate is already present or tracked
With this update, the getcert
command returns a specific return code, 2
, if you try to add or track a certificate that is already present or tracked. Previously, the command returned return code 1
on any error condition.
The delegation of DNS zone management is now enabled in ansible-freeipa
You can now use the dnszone
ansible-freeipa
module to delegate DNS zone management. Use the permission
or managedby
variable of the dnszone
module to configure a per-zone access delegation permission.
Enforcing OTP usage for all LDAP clients
With the release of the RHBA-2024:2558 advisory, in RHEL IdM, you can now set the default behavior for LDAP server authentication of user accounts with two-factor (OTP) authentication configured. If OTP is enforced, LDAP clients cannot authenticate against an LDAP server using single factor authentication (a password) for users that have associated OTP tokens. This method is already enforced through the Kerberos backend by using a special LDAP control with OID 2.16.840.1.113730.3.8.10.7 without any data.
To enforce OTP usage for all LDAP clients, administrators can use the following command:
$ ipa config-mod --addattr ipaconfigstring=EnforceLDAPOTP
To change back to the previous OTP behavior for all LDAP clients, use the following command:
$ ipa config-mod --delattr ipaconfigstring=EnforceLDAPOTP
Jira:RHEL-23377[1]
The runasuser_group
parameter is now available in ansible-freeipa
ipasudorule
With this update, you can set Groups of RunAs Users for a sudo
rule by using the ansible-freeipa ipasudorule
module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.
389-ds-base
rebased to version 2.4.5
The 389-ds-base
package has been updated to version 2.4.5. Notable bug fixes and enhancements over version 2.3.4 include:
- https://www.port389.org/docs/389ds/releases/release-2-3-5.html
- https://www.port389.org/docs/389ds/releases/release-2-3-6.html
- https://www.port389.org/docs/389ds/releases/release-2-3-7.html
- https://www.port389.org/docs/389ds/releases/release-2-4-0.html
- https://www.port389.org/docs/389ds/releases/release-2-4-1.html
- https://www.port389.org/docs/389ds/releases/release-2-4-2.html
- https://www.port389.org/docs/389ds/releases/release-2-4-3.html
- https://www.port389.org/docs/389ds/releases/release-2-4-4.html
- https://www.port389.org/docs/389ds/releases/release-2-4-5.html
Transparent Huge Pages are now disabled by default for the ns-slapd
process
When large database caches are used, Transparent Huge Pages (THP) can have a negative effect on Directory Server performance under heavy load, for example, high memory footprint, high CPU usage and latency spikes. With this enhancement, a new THP_DISABLE=1
configuration option was added to the /usr/lib/systemd/system/dirsrv@.service.d/custom.conf
drop-in configuration file for the dirsrv
systemd
unit to disable THP for the ns-slapd
process.
In addition, the Directory Server health check tool now detects the THP settings. If you enabled THP system-wide and for the Directory Server instance, the health check tool informs you about the enabled THP and prints recommendations on how to disable them.
The new lastLoginHistSize
configuration attribute is now available for the Account Policy plug-in
Previously, when a user did a successful bind, only the time of the last login was available. With this update, you can use the new lastLoginHistSize
configuration attribute to manage a history of successful logins. By default, the last five successful logins are saved.
Note that for the lastLoginHistSize
attribute to collect statistics of successful logins, you must enable the alwaysRecordLogin
attribute for the Account Policy plug-in.
For more details, see lastLoginHistSize.
Jira:RHEL-5133[1]
The new notes=M
message in the access log to identify MFA binds
With this update, when you configure the two-factor authentication for user accounts by using a pre-bind authentication plug-in, such as MFA plug-in, the Directory Server log files record the following messages during BIND
operations:
The access log records the new
notes=M
note message:[time_stamp] conn=1 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3 [time_stamp] conn=1 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000111632 optime=0.006612223 etime=0.006722325 notes=M details="Multi-factor Authentication" dn="uid=jdoe,ou=people,dc=example,dc=com"
The security log records the new
SIMPLE/MFA
bind method:{ "date": "[time_stamp] ", "utc_time": "1709327649.232748932", "event": "BIND_SUCCESS", "dn": "uid=djoe,ou=people,dc=example,dc=com", "bind_method": "SIMPLE\/MFA", "root_dn": false, "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "op_id": 0, "msg": "" }
Note that for the access and security logs to record such messages, the pre-bind authentication plug-in must set the flag by using the SLAPI API if a bind was part of this plug-in.
Jira:RHELDOCS-17838[1]
The new inchainMatch
matching rule is now available
With this update, a client application can use the new inchainMatch
matching rule to search for the ancestry of an LDAP entry. The member
, manager
, parentOrganization
, and memberof
attributes can be used with the inchainMatch
matching rule and the following searches can be performed:
- Find all direct or indirect groups in which a user is a member.
- Find all direct or indirect users whose manager is a certain user.
- Find all direct or indirect organizations an entry belongs to.
- Finds all direct or indirect members of a certain group.
Note that for performance reasons, you must index the member
, manager
, parentOrganization
, and memberof
attributes if the client application performs searches against these attributes by using the inchainMatch
matching rule.
Directory Server uses the In Chain plug-in that is enabled by default to implement the inchainMatch
matching rule. However, because inchainMatch
is expensive to compute, an access control instruction (ACI) limits the matching rule usage.
For more details, refer to Using inchainMatch
matching rule to find the ancestry of an LDAP entry.
Jira:RHELDOCS-17256[1]
The HAProxy protocol is now supported for the 389-ds-base
package
Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip
multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip
is configured under the cn=config
entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
For more details, see nsslapd-haproxy-trusted-ip.
samba
rebased to version 4.19.4
The samba
packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:
-
Command-line options in the
smbget
utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See thesmbget --help
command andsmbget(1)
man page for further details about the new options. If the
winbind debug traceid
option is enabled, thewinbind
service now logs, additionally, the following fields:-
traceid
: Tracks the records belonging to the same request. -
depth
: Tracks the request nesting level.
-
- Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
-
The
directory name cache size
option was removed.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
Identity Management API is now fully supported
The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2. Since RHEL 9.3, it has been fully supported.
Users can use existing tools and scripts even if the IdM API is enhanced to enable multiple versions of API commands. These enhancements do not change the behavior of a command in an incompatible way. This has the following benefits:
- Administrators can use previous or later versions of IdM on the server than on the managing client.
- Developers can use a specific version of an IdM call, even if the IdM version changes on the server.
The communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.
- NOTE
- While IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat recommends accessing the API with Python instead. Using Python automates important parts such as the metadata retrieval from the server, which allows listing all available commands.
4.14. The web console
RHEL web console can now generate Ansible and shell scripts
In the web console, you can now easily access and copy automation scripts on the kdump
configuration page. You can then use the generated script to implement a specific kdump
configuration on multiple systems.
Jira:RHELDOCS-17060[1]
Simplified managing storage and resizing partitions on Storage
The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
4.15. Red Hat Enterprise Linux system roles
The ad_integration
RHEL system role now supports configuring dynamic DNS update options
With this update, the ad_integration
RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:
- When the identity provider comes online (always).
- At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.
You can change these and other settings using the new variables in ad_integration
. For example, you can set ad_dyndns_refresh_interval
to 172800
to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/
directory.
Jira:RHELDOCS-17372[1]
The Storage RHEL system roles now support shared LVM device management
The RHEL system roles now support the creation and management of shared logical volumes and volume groups.
Microsoft SQL Server 2022 available on RHEL 9
The mssql-server
system role is now available on RHEL 9. The role adds two variables:
-
mssql_run_selinux_confined
to control whether to run SQL Server as a confined application or not. If set totrue
, the role installs themssql-server-selinux
package. If set tofalse
, the role removes themssql-server-selinux
package. Default setting istrue
for RHEL 9 managed nodes andfalse
for other managed nodes. -
mssql_manage_selinux
to control whether to configure SELinux. When set totrue
, the variable configures the enforcing or permissive mode based on the value of themssql_run_selinux_confined
variable.
The rhc
system role now supports RHEL 7 systems
You can now manage RHEL 7 systems by using the rhc
system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc
system role.
Using the rhc_insights.remediation
parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.
New RHEL system role for configuring fapolicyd
With the new fapolicyd
RHEL system role, you can use Ansible playbooks to manage and configure the fapolicyd
framework. The fapolicyd
software framework controls the execution of applications based on a user-defined policy.
The RHEL system roles now support LVM snapshot management
With this enhancement, you can use the new snapshot
RHEL system role to create, configure, and manage LVM snapshots.
The Nmstate API and the network
RHEL system role now support new route types
With this enhancement, you can use the following route types with the Nmstate API and the network
RHEL system role:
-
blackhole
-
prohibit
-
unreachable
Jira:RHEL-19579[1]
The ad_integration
RHEL system role now supports custom SSSD domain configuration settings
Previously, when using the ad_integration
RHEL system role, it was not possible to add custom settings to the domain configuration section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can use custom SSSD settings.
The ad_integration
RHEL system role now supports custom SSSD settings
Previously, when using the ad_integration
RHEL system role, it was not possible to add custom settings to the [sssd]
section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can use custom SSSD settings.
New rhc_insights.display_name
option in the rhc
role to set display names
You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name
parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.
New RHEL system role for configuring fapolicyd
With the new fapolicyd
RHEL system role, you can use Ansible playbooks to manage and configure the fapolicyd
framework. The fapolicyd
software framework controls the execution of applications based on a user-defined policy.
New logging_preserve_fqdn
variable for the logging
RHEL system role
Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging
system role. This update adds the optional logging_preserve_fqdn
variable, which you can use to set the preserveFQDN
configuration option in rsyslog
to use the full FQDN instead of a short name in syslog entries.
The logging
role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters with the logging
role. With this update, the logging
RHEL system role supports configuration of general queue parameters and general action parameters in output modules.
The postgresql
RHEL system role now supports PostgreSQL 16
The postgresql
RHEL system role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.
For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.
Support for creation of volumes without creating a file system
With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted
option.
Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.
Support for new ha_cluster
system role features
The ha_cluster
system role now supports the following features:
-
Enablement of the repositories containing resilient storage packages, such as
dlm
orgfs2
. A Resilient Storage subscription is needed to access the repository. - Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
- Configuration of node attributes.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL system role.
Jira:RHEL-15876[1], Jira:RHEL-22106, Jira:RHEL-15910
ForwardToSyslog
flag is now supported in the journald
system role
In the journald
RHEL system role, the journald_forward_to_syslog
variable controls whether the received messages should be forwarded to the traditional syslog
daemon or not. The default value of this variable is false
. With this enhancement, you can now configure the ForwardToSyslog
flag by setting journald_forward_to_syslog
to true
in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log
files.
New rhc_insights.ansible_host
option in the rhc
role to set Ansible hostnames
You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host
parameter. When set, the parameter changes the ansible_host
configuration in the /etc/insights-client/insights-client.conf
file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.
New mssql_ha_prep_for_pacemaker
variable
Previously, the microsoft.sql.server
RHEL system role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker
. Set the variable to false
if you do not want to configure your system for Pacemaker and you want to use another HA solution.
The sshd
role now configures certificate-based SSH authentications
With the sshd
RHEL system role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.
Use the logging_max_message_size
parameter instead of rsyslog_max_message_size
in the logging
system role
Previously, even though the rsyslog_max_message_size
parameter was not supported, the logging
RHEL system role was using rsyslog_max_message_size
instead of using the logging_max_message_size
parameter. This enhancement ensures that logging_max_message_size
is used and not rsyslog_max_message_size
to set the maximum size for the log messages.
ratelimit_burst
variable is only used if ratelimit_interval
is set in logging
system role
Previously, in the logging
RHEL system role, when the ratelimit_interval
variable was not set, the role would use the ratelimit_burst
variable to set the rsyslog ratelimit.burst
setting. But it had no effect because it is also required to set ratelimit_interval
.
With this enhancement, if ratelimit_interval
is not set, the role does not set ratelimit.burst
. If you want to set ratelimit.burst
, you must set both ratelimit_interval
and ratelimit_burst
variables.
selinux
role now prints a message when specifying a non-existent module
With this release, the selinux
RHEL system role prints an error message when you specify a non-existent module in the selinux_modules.path
variable.
selinux
role now supports configuring SELinux in disabled mode
With this update, the selinux
RHEL system role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
The metrics
RHEL system role now supports configuring PMIE webhooks
With this update, you can automatically configure the`global webhook_endpoint` PMIE variable using the metrics_webhook_endpoint
variable for the metrics
RHEL system role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.
The bootloader
RHEL system role
This update introduces the bootloader
RHEL system role. You can use this feature for stable and consistent configuration of bootloaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/
directory.
4.16. Virtualization
Virtualization is now supported on ARM 64
This update introduces support for creating KVM virtual machines on systems that use ARM 64 (also known as AArch64) CPUs. Note, however, that certain virtualization features and functionalities that are available on AMD64 and Intel 64 systems might work differently or be unsupported on ARM 64.
For details, see How virtualization on ARM 64 differs from AMD 64 and Intel 64.
External snapshots for virtual machines
This update introduces the external snapshot mechanism for virtual machines (VMs), which replaces the previously deprecated internal snapshot mechanism. As a result, you can create, delete, and revert to VM snapshots that are fully supported. External snapshots work more reliably both in the command-line interface and in the RHEL web console. This also applies to snapshots of running VMs, known as live snapshots.
Note, however, that some commands and utilities might still create internal snapshots. To verify that your snapshot is fully supported, ensure that it is configured as external
. For example:
# virsh snapshot-dumpxml VM-name snapshot-name | grep external <disk name='vda' snapshot='external' type='file'>
RHEL now supports Multi-FD migration of virtual machines
With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
VM migration now supports post-copy preemption
Post-copy live migrations of virtual machines (VM) now use the postcopy-preempt
feature, which improves the performance and stability of these migrations.
Jira:RHEL-13004[1], Jira:RHEL-7100
Secure Execution VMs on IBM Z now support cryptographic coprocessors
With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597[1]
4th Generation AMD EPYC processors supported on KVM guests
Support for 4th Generation AMD EPYC processors (also known as AMD Genoa) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use 4th Generation AMD EPYC processors.
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
-
Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the
~/.ssh/authorized_keys
file of the designated non-root user on the newly created VM, which provides you with an immediate SSH access to the specified user account. -
Select a
pre-formatted block device
type when creating a new storage pool. This is a more robust alternative to aphysical disk device
type, as it prevents unintentional reformatting of a raw disk device.
This update also changes some default behavior in the Virtual Machines page:
-
In the
Add disk
dialog, theAlways attach
option is now set by default. -
The
Create snapshot
action now uses an external snapshot insted of an internal snapshot, which is deprecated in RHEL 9. External snapshots are more reliable and also work forraw
images, not just forqcow2
images. You can also select a memory snapshot file location if you want to retain the memory state of the running VM.
Jira:RHELDOCS-17000[1]
virtio-mem
is now supported on AMD64 and Intel 64 systems
With this update, RHEL 9 introduces support for the virtio-mem
feature on AMD64 and Intel 64 systems. With virtio-mem
, you can dynamically add or remove host memory in virtual machines (VMs).
For more information on virtio-mem
, see: Adding and removing virtual machine memory by using virtio-mem
Jira:RHELDOCS-17053[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol has been removed in RHEL 9, VMs that use the SPICE protocol fail to start on a RHEL 9 host. For example, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration to RHEL 9.
Improved I/O performance for virtio-blk
disk devices
With this update, you can configure a separate IOThread for each virtqueue in a virtio-blk
disk device. This configuration improves performance for virtual machines with multiple CPUs during intensive I/O workloads.
VNC viewer correctly initializes a VM display after live migration of ramfb
This update enhances the ramfb
framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb
was unable to migrate, which resulted in VMs that use ramfb
showing a blank screen after live migration. Now, ramfb
is compatible with live migration. As a result, you see the VM desktop display when the migration completes.
4.17. RHEL in cloud environments
RHEL instances on EC2 now support IPv6 IMDS connections
With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init
on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init
in IPv6-only subnet.
New cloud-init clean option for deleting generated configuration files
The cloud-init clean --configs
option has been added for the cloud-init
utility. You can use this option to delete unnecessary configuration files generated by cloud-init
on your instance. For example, to delete cloud-init
configuration files that define network setup, use the following command:
cloud-init clean --configs network
Jira:RHEL-7311[1]
4.18. Containers
Podman now supports containers.conf modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf
files in the TOML format.
These modules are located in the following directories, or their subdirectories:
-
For rootless users:
$HOME/.config/containers/containers.conf.modules
-
For root users:
/etc/containers/containers.conf.modules
, or/usr/share/containers/containers.conf.modules
You can load the modules on-demand with the podman --module <your_module_name>
command to override the system and user configuration files. Working with modules involve the following facts:
-
You can specify modules multiple times by using the
--module
option. -
If
<your_module_name>
is the absolute path, the configuration file will be loaded directly. - The relative paths are resolved relative to the three module directories mentioned previously.
-
Modules in
$HOME
override those in the/etc/
and/usr/share/
directories.
For more information, see the upstream documentation.
Jira:RHELPLAN-167829[1]
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:
Notable changes in Podman v4.9:
-
You can now use Podman to load the modules on-demand by using the
podman --module <your_module_name>
command and to override the system and user configuration files. -
A new
podman farm
command with a set of thecreate
,set
,remove
, andupdate
subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures. -
A new
podman-compose
command has been added, which runs Compose workloads by using an external compose provider such as Docker compose. -
The
podman build
command now supports the--layer-label
and--cw
options. -
The
podman generate systemd
command is deprecated. Use Quadlet to run containers and pods undersystemd
. -
The
podman build
command now supportsContainerfiles
with the HereDoc syntax. -
The
podman kube play
command now supports a new--publish-all
option. Use this option to expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167796[1]
The Podman v4.9 RESTful API now displays data of progress
With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.
Jira:RHELPLAN-167823[1]
Toolbx is now available
With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi9.4/toolbox:latest
image.
Jira:RHELDOCS-16241[1]
SQLite is now fully supported as a default database backend for Podman
With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 9.4. If you upgrade from a previous RHEL version, the default backend is BoltDB.
If you have explicitly configured the database backend by using the database_backend
option in the containers.conf
file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168180[1]
Administrators can set up isolation for firewall rules by using nftables
You can use Netavark, a Podman container networking stack, on systems without iptables
installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables
installed. With this enhancement, the Netavark network stack works on systems with only nftables
installed and improves isolation of automatically generated firewall rules.
Jira:RHELDOCS-16955[1]
Containerfile
now supports multi-line instructions
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile
file to simplify this file and reduce the number of image layers caused by performing multiple RUN
directives.
For example, the original Containerfile
can contain the following RUN
directives:
RUN dnf update RUN dnf -y install golang RUN dnf -y install java
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF dnf update dnf -y install golang dnf -y install java EOF
Jira:RHELPLAN-168185[1]
The gvisor-tap-vsock
package is now available
The gvisor-tap-vsock
package is an alternative to the libslirp
user-mode networking library and VPNKit tools and services. It is written in Go and based on the network stack of gVisor. Compared to libslirp
, the gvisor-tap-vsock
librarysupports a configurable DNS server and dynamic port forwarding. You can use the gvisor-tap-vsock
networking library for podman-machine virtual machines. The podman machine
command for managing virtual machines is currently unsupported on Red Hat Enterprise Linux.
Jira:RHELPLAN-167396[1]