Suchen

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 7. Technology previews

download PDF

This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

7.1. Installer and image creation

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Jira:RHEL-10216[1]

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

  • graphical, text, or cmdline
  • ostreecontainer
  • clearpart, zerombr
  • autopart
  • part
  • logvol, volgroup
  • reboot and shutdown
  • lang
  • rootpw
  • sshkey
  • bootloader - Available only with the --append optional parameter.
  • user

When you specify a group within the user command, the user account can be assigned only to a group that already exists in the container image. Kickstart commands not listed here are allowed to be used with ostreecontainer command, however, they are not guaranteed to work as expected with package-based installations.

However, the following Kickstart commands are unsupported together with ostreecontainer:

  • %packages (any necessary packages must be already available in the container image)
  • url (if there is a need to fetch a stage2 image for installation, for example, PXE installations, use inst.stage2= on the kernel instead of providing a url for stage2 inside the Kickstart file)
  • liveimg
  • vnc
  • authconfig and authselect (provide relevant configuration in the container image instead)
  • module
  • repo
  • zipl
  • zfcp

Installation of bootable OSTree native containers is not supported in interactive installations that use partial Kickstart files.

Note: When customizing a mount point, you must define the mount point in the /mnt directory and ensure that the mount point directory exists inside /var/mnt in the container image.

Jira:RHEL-2250[1]

Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

Jira:RHEL-17205[1]

The bootc image builder tool is available as a Technology Preview

The bootc image builder tool, now available as a Technology Preview, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.

Jira:RHELDOCS-17468[1]

A new rhel9/bootc-image-builder container image is available as a Technology Preview

The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.

Jira:RHELDOCS-17733[1]

7.2. Security

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

[global]
ktls = true

Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.

Bugzilla:2108532[1]

OpenSSL clients can use the QUIC protocol as a Technology Preview

OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.

Jira:RHELDOCS-18935[1]

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

0
All processes can create io_uring instances as usual.
1
io_uring creation is disabled for unprivileged processes. The io_uring_setup fails with the -EPERM error unless the calling process is privileged by the CAP_SYS_ADMIN capability. Existing io_uring instances can still be used.
2
io_uring creation is disabled for all processes. The io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. This is the default setting.

An updated version of the SELinux policy to enable the mmap system call on anonymous inodes is also required to use this feature.

By using the io_uring command pass-through, an application can issue commands directly to the underlying hardware, such as nvme.

Jira:RHEL-11792[1]

7.3. RHEL for Edge

FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview

With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.

Jira:RHELDOCS-17752[1]

7.4. Shells and command-line tools

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

In RHEL 9, you can install gimp easily as an RPM package.

Bugzilla:2047161[1]

7.5. Infrastructure services

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

Bugzilla:2113900

7.6. Networking

UDP encapsulation in packet offload mode is now available as a Technology Preview

With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of ipsec tunnels when in packet offload mode.

Jira:RHEL-30141[1]

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

For further details, see Setting up a WireGuard VPN.

Bugzilla:1613522[1]

kTLS available as a Technology Preview

RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

Bugzilla:1570255[1]

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Note that systemd-resolved is an unsupported Technology Preview.

Bugzilla:2020529

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

  • Parallel Redundancy Protocol (PRP)
  • High-availability Seamless Redundancy (HSR)

The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss redundancy in Ethernet networks.

Bugzilla:2177256[1]

NetworkManager and the Nmstate API support MACsec hardware offload

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.

Note that this feature is an unsupported Technology Preview.

Jira:RHEL-24337

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Jira:RHEL-5852

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to monitor and filter such packets.

Bugzilla:2178699[1]

Network drivers for modems in RHEL are available as Technology Preview

Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:

  • Qualcomm MHI WWAM MBIM - Telit FN990Axx
  • Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced
  • Mediatek t7xx (WWAN) - Fibocom FM350GL
  • Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem

Jira:RHELDOCS-16760[1], Bugzilla:2110561, Jira:RHEL-6564, Bugzilla:2222914, Bugzilla:2123542

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

Bugzilla:2186375[1]

kTLS rebased to version 6.3

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.3, kTLS was rebased to the 6.3 upstream version, and notable changes include:

  • Added the support for 256-bit keys with TX device offload
  • Delivered various bug fixes

Bugzilla:2183538[1]

7.7. Kernel

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

Bugzilla:2023416[1]

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

  • Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
  • Dynamic addition of regular enclave pages to an initialized enclave.
  • Expanding an initialized enclave to accommodate more threads.
  • Removing regular and TCS pages from an initialized enclave.

Bugzilla:1660337[1]

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

rvu_nicpf
Marvell OcteonTX2 NIC Physical Function driver
rvu_nicvf
Marvell OcteonTX2 NIC Virtual Function driver
rvu_nicvf
Marvell OcteonTX2 RVU Admin Function driver

Bugzilla:2040643[1]

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

Jira:RHEL-6973[1]

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

The iaa_crypto driver, which offloads compression and decompression operations from the CPU, has been introduced in RHEL 9.4 as a Technology Preview. It supports compression and decompression compatible with the DEFLATE compression standard described in RFC 1951. The iaa_crypto driver is designed to work as a layer underneath higher-level compression devices such as zswap.

For details about the IAA crypto driver, see:

Jira:RHEL-20145[1]

7.8. File systems and storage

NVMe-oF Discovery Service features are now fully supported

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014 was introduced in Red Hat Enterprise Linux 9.0 as a Technology Preview, is now fully supported. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

Bugzilla:2021672[1]

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).

Bugzilla:1893841[1]

7.9. Dynamic programming languages, web and database servers

A new nodejs:22 module stream available as a Technology Preview

A new module stream, nodejs:22, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22, which will be fully supported.

Node.js 22 included in RHEL 9.5 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 20 available since RHEL 9.3.

Notable changes include:

  • The V8 JavaScript engine has been upgraded to version 12.4.
  • The V8 Maglev compiler is now enabled by default on architectures where it is available (AMD and Intel 64-bit architectures and the 64-bit ARM architecture).
  • Maglev improves performance for short-lived CLI programs.
  • The npm package manager has been upgraded to version 10.8.1.
  • The node --watch mode is now considered stable. In watch mode, changes in watched files cause the Node.js process to restart.
  • The browser-compatible implementation of WebSocket is now considered stable and enabled by default. As a result, a WebSocket client to Node.js is available without external dependencies.
  • Node.js now includes an experimental feature for execution of scripts from package.json. To use this feature, execute the node --run <script-in-package.json> command.

To install the nodejs:22 module stream, enter:

# dnf module install nodejs:22

If you want to upgrade from the nodejs20 stream, see Switching to a later stream.

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-35990

7.10. Compilers and development tools

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

jmc-core is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).

The owasp-java-encoder package provides a collection of high-performance low-overhead contextual encoders for Java.

Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content within CodeReady Linux Builder for more information.

Bugzilla:1980981

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

[suppress_type]
       type_kind = struct
       has_size_change = true
       has_strict_flexible_array_data_member_conversion = true

Jira:RHEL-16629[1]

7.11. Identity Management

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.

Bugzilla:2084180

HSM support is available as a Technology Preview

Hardware Security Module (HSM) support is now available in Identity Management (IdM) as a Technology Preview. You can store your key pairs and certificates for your IdM CA and KRA on an HSM. This adds physical security to the private key material.

IdM relies on the networking features of the HSM to share the keys between machines to create replicas. The HSM provides additional security without visibly affecting most IPA operations. When using low-level tooling the certificates and keys are handled differently but this is seamless for most users.

Note

Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.

You need the following:

  • A supported HSM
  • The HSM PKCS #11 library
  • An available slot, token, and the token password

To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:

ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers -–token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra

Jira:RHELDOCS-17465[1]

LMDB database type is available in Directory Server as a Technology Preview

The Lightning Memory-Mapped Database (LMDB) is available in Directory Server as an unsupported Technology Preview.

Currently, you can use only the command line to migrate or install instances with LMDB.

To migrate existing instances from Berkeley Database (BDB) to LMDB, use the dsctl instance_name dblib bdb2mdb command that sets the nsslapd-backend-implement parameter value to mdb. Note that this command does not clean up the old data. You can revert the database type by changing nsslapd-backend-implement back to bdb.

Important
Before migrating existing instances from BDB to LMDB, backup your databases. For more details, see Backing up Directory Server.

To create a new instance with the LMDB, you can use either of the following methods:

Directory Server stores LMDB settings under the cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry that includes with the following new configuration parameters:

  • nsslapd-mdb-max-size sets the database maximum size in bytes.

    Important: Make sure that nsslapd-mdb-max-size is high enough to store all intended data. However, the parameter size must not be too high to impact the performance because the database file is memory-mapped.

  • nsslapd-mdb-max-readers sets the maximum number of read operations that can be opened at the same time. Directory Server autotunes this setting.
  • nsslapd-mdb-max-dbs sets the maximum number of named database instances that can be included within the memory-mapped database file.

Along with the new LMDB settings, you can still use the nsslapd-db-home-directory database configuration parameter.

In case of mixed implementations, you can have BDB and LMDB replicas in your replication topology.

Jira:RHELDOCS-19061[1]

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire IdM deployment.

Important

It is recommended to enable ACME only in an IdM deployment where all servers are running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause problems in mixed-version deployments. For example, a CA server without ACME can cause client connections to fail, because it uses a different DNS Subject Alternative Name (SAN).

Warning

Currently, RHCS does not remove expired certificates. Because ACME certificates expire after 90 days, the expired certificates can accumulate and this can affect performance.

  • To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command:

    # ipa-acme-manage enable
    The ipa-acme-manage command was successful
  • To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command:

    # ipa-acme-manage disable
    The ipa-acme-manage command was successful
  • To check whether the ACME service is installed and if it is enabled or disabled, use the ipa-acme-manage status command:

    # ipa-acme-manage status
    ACME is enabled
    The ipa-acme-manage command was successful

Bugzilla:2084181[1]

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

Jira:RHELDOCS-18408[1]

7.12. Desktop

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can manage the server using graphical applications.

A limited set of graphical applications is available on 64-bit ARM. For example:

  • The Firefox web browser
  • Red Hat Subscription Manager (subscription-manager-cockpit)
  • Firewall Configuration (firewall-config)
  • Disk Usage Analyzer (baobab)

Using Firefox, you can connect to the Cockpit service on the server.

Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.

Jira:RHELPLAN-27394[1]

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage the server using graphical applications.

A limited set of graphical applications is available on IBM Z. For example:

  • The Firefox web browser
  • Red Hat Subscription Manager (subscription-manager-cockpit)
  • Firewall Configuration (firewall-config)
  • Disk Usage Analyzer (baobab)

Using Firefox, you can connect to the Cockpit service on the server.

Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.

Jira:RHELPLAN-27737[1]

7.13. The web console

The RHEL web console can now manage WireGuard connections

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.

Jira:RHELDOCS-17520[1]

7.14. Virtualization

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

Jira:RHELDOCS-17040[1]

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.

RHEL 9.5 and later also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving its memory integrity protection, which helps prevent hypervisor-based attacks, such as data replay or memory re-mapping.

Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Similarly, SEV-SNP works only on 4rd generation AMD EPYC CPUs (codenamed Genoa) or later. Also note that RHEL 9 includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.

Jira:RHELPLAN-65217[1]

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

Bugzilla:1955275[1]

A unified kernel image of RHEL is now available as a Technology Preview

As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.

UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

Currently, the RHEL UKI can only be used in a UEFI boot configuration.

Bugzilla:2142102[1]

CPU clusters on 64-bit ARM

As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.

Jira:RHEL-7043[1]

Live migrating a VM with a Mellanox virtual function is now available as a Technology Preview

As a Technology Preview, you can now live migrate a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.

This feature is currently available only on a Mellanox CX-7 networking device. The VF on the Mellanox CX-7 networking device uses a new mlx5_vfio_pci driver, which adds functionality that is necessary for the live migration, and libvirt binds the new driver to the VF automatically.

Jira:RHEL-13007[1]

7.15. RHEL in cloud environments

RHEL is now available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

Currently, the RHEL UKI can only be used in a UEFI boot configuration.

Jira:RHELPLAN-139800[1]

7.16. Containers

composefs filesystem is available as a Technology Preview

composefs is the default backend for container storage. The key technologies composefs uses are:

  • OverlayFS as the kernel interface
  • Enhanced Read-Only File System (EROFS) for a mountable metadata tree
  • The fs-verity feature (optional) from the lower filesystem

Key advantages of composefs:

  • Separation between metadata and data. composefs does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such as ext4, xfs, btrfs, and so on.
  • Mounting multiple composefs with a shared storage.
  • Data files are shared in the page cache to enable multiple container images to share their memory.
  • Support fs-verity validation of the content files.

Jira:RHEL-52237

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Jira:RHELDOCS-16861[1]

A new rhel9/rhel-bootc container image is available as a Technology Preview

The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.

Jira:RHELDOCS-17803[1]

Pushing and pulling images compressed with zstd:chunked is available as a Technology Preview

The zstd:chunked compression is now available as a Technology Preview.

Jira:RHEL-32267

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.