Chapter 8. Technology previews


This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.1. Identity Management

The IdM Modern Web UI is available (Technology Preview)

With this update, Identity Management (IdM) provides the Modern Web UI as a Technology Preview. This new interface features an updated design and is available at the /ipa/modern-ui endpoint. You can access the new interface through a link on the IdM Web UI login screen.

As a Technology Preview, the Modern Web UI is under active development and intended for experimentation in non-production environments. Provide feedback at the FreeIPA Web UI community project to help improve the interface.

Jira:RHEL-134542[1]

8.2. Virtualization

Live migration for S3-PR (Technology Preview)

As a Technology Preview, you can now live migrate a virtual machine (VM) with enabled SCSI3-Persistent Reservation (S3-PR), with the reservation state being preserved after the migration. To do this, you must use the following XML configuration for the VM:

<reservations managed="no" migration="yes">

Note, however, that migrating a VM with S3-PR and this configuration to a host that uses a previous version of QEMU fails.

Jira:RHEL-140614[1]

8.3. Technology previews identified in RHEL 9.7

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.7.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.3.1. Installer and image creation

Container-based deployments on s390x are now available as a Technology Preview

The RHEL installation program now supports deploying bootable containers in Image Mode on the s390x architecture by using the ostreecontainer Kickstart command as a Technology Preview. This enhancement removes previous limitations and ensures consistent deployment options across supported architectures. Users can now automate installations on s390x systems by using container-based workflows.

Jira:RHEL-63237

8.3.2. Security

New package: fips-provider-next (Technology Preview)

As a Technology Preview, this update adds a new FIPS provider that showcases future code before it obtains FIPS certification.

Jira:RHEL-96056[1]

8.3.3. Shells and command-line tools

RHEL 9.7 provides ReaR on aarch64 (Technology Preview)

RHEL 9.7 introduces the Relax and Recover (ReaR) package for the 64-bit ARM architecture (aarch64) as a Technology Preview. ReaR is a disaster recovery tool that produces a bootable image that you can use to restore the system from a backup. You can currently use the following output methods with ReaR on aarch64: ISO, USB, and PXE.

For more information about ReaR, see the article What is Relax and Recover(ReaR) and how to use it for disaster recovery?.

Jira:RHEL-56045[1]

8.3.4. Kernel

Boot from NVMe/TCP is available as a Technology Preview

On systems that boot from SAN over NVMe-TCP, you can use kdump to write crash dumps to an NVMe namespace. This update fixes failures that occurred when kdump attempted to dump to the NVMe namespace. As a result, panic dumps succeed on these systems, improving recovery and reducing downtime in SAN-based environments.

Jira:RHEL-33413[1]

8.3.5. File systems and storage

xfs_scrub utility is available as a Technology Preview

You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.

Jira:RHELDOCS-21350[1]

8.3.6. Dynamic programming languages, web and database servers

A new nodejs:24 module stream is available as a Technology Preview

A new nodejs:24 module stream is available as a Technology Preview in Red Hat Enterprise Linux 9.7. This update introduces Node.js 24, which provides new features, bug fixes, security updates, and performance improvements compared to Node.js 22 included in RHEL 9.6.

To install the nodejs:24 module, enter:

# dnf module install nodejs:24

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-90821

8.3.7. Identity Management

Encrypted DNS with DoT is now available in ansible-freeipa installations of IdM as a Technology Preview

You can now use Ansible to ensure that all DNS queries and responses between DNS clients and Identity Management (IdM) DNS servers are encrypted. Encrypted DNS using DNS over TLS (DoT) has been available as a Technology Preview in IdM deployments since RHEL 10. In RHEL 10.1, the functionality is available as a Technology Preview in the freeipa.ansible_freeipa collection.

To enable DoT during a deployment of IdM by using ansible-freeipa, use the following options:

  • ipaserver_dns_over_tls with the freeipa.ansible_freeipa.ipaserver role for a new server.
  • ipareplica_dns_over_tls with the freeipa.ansible_freeipa.ipareplica role for a replica.
  • dot_forwarder to specify an upstream DoT-enabled DNS server.
  • dns_over_tls_key and dns_over_tls_cert to configure DoT certificates.

Additionally, you can set the dns_policy variable to enforce DoT-only communication, overriding the default behavior that allows fallback to unencrypted DNS.

Jira:RHELDOCS-20258[1]

8.3.8. Virtualization

TDX is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Trust Domain Extensions (TDX) on RHEL hosts. TDX is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

TDX is available only with Intel CPUs.

Jira:RHEL-111840[1]

SEV-SNP is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) on RHEL hosts. SEV-SNP is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

SEV-SNP is available only with AMD CPUs, and you must use the snphost package to configure the feature on the host.

Jira:RHELDOCS-19756[1]

8.3.9. Containers

Podman compatibility with Docker API is available as a Technology Preview

Podman supports the following Docker API versions as a Technology Preview:

  • Docker API 1.41
  • Docker API 1.43

Jira:RHEL-88121

8.4. Technology previews identified in RHEL 9.6

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.6.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.4.1. Security

Encrypted DNS in RHEL is available (Technology Preview)

You can enable encrypted DNS to secure DNS communication that uses DNS-over-TLS (DoT). Encrypted DNS (eDNS) encrypts all DNS traffic end-to-end, with no fallback to insecure protocols, and aligns with zero trust architecture (ZTA) principles.

To perform a new installation with eDNS, specify the DoT-enabled DNS server by using the kernel command line. This ensures encrypted DNS is active during the installation process, boot time, and on the installed system. If you require a custom CA certificate bundle, you can install it only by using the %certificate section in the Kickstart file. Currently, the custom CA bundle can be installed only through Kickstart installation.

On an existing system, configure NetworkManager to use a new DNS plugin, dnsconfd, which manages the local DNS resolver (unbound) for eDNS. Add kernel arguments to configure eDNS for the early boot process, and optionally install a custom CA bundle.

Additionally, Identity Management (IdM) deployments can also use encrypted DNS, with the integrated DNS server supporting DoT.

See Securing system DNS traffic with encrypted DNS for more details.

Jira:RHELDOCS-20059[1], Jira:RHEL-67913

8.4.2. Networking

kTLS was updated to version 6.12

The kernel Transport Layer Security (kTLS) functionality is a Technology Preview. In RHEL 9.6, kTLS was updated to the 6.12 upstream version.

Jira:RHELPLAN-153754[1]

8.4.3. Kernel

The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview

With this Technology Preview, Red Hat Enterprise Linux for Real Time is now enabled for ARM64. It is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.

Jira:RHELDOCS-19635[1]

The Neural Processing Unit (NPU) kernel for the RHEL Kernel is available as a Technology Preview on Intel Arrow Lake-based systems

In RHEL 9.6, the kernel introduces the Neural Processing Unit (NPU) as a Technology Preview. NPUs are special chips used for artificial intelligence (AI) and machine learning (ML) tasks on the systems. The kernel in RHEL 9.6 includes the initial driver for Intel NPUs and support infrastructure required to use the NPUs for AI/ML tasks.

Jira:RHEL-38583[1]

8.4.4. File systems and storage

NVMe/TCP Boot with NBFT is available as a Technology Preview

NVMe/TCP Boot by using the NVM Express Boot Specification (NBFT) is available on select server platforms as a Technology Preview. Consult your server manufacturer for platform-specific details and compatibility information.

Jira:RHELDOCS-21587[1]

NVMe/TCP using TLS is available (Technology Preview)

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 9.6. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

Jira:RHEL-9301[1]

8.4.5. Compilers and development tools

eu-stacktrace available as a Technology Preview

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

Jira:RHELDOCS-19072[1]

8.4.6. Identity Management

DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

To start using this functionality, install the ipa-server-encrypted-dns package for IdM servers and replicas, and the ipa-client-encrypted-dns package for IdM clients. Administrators can enable DoT during the installation using the --dns-over-tls option.

IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and non-interactive installations of IdM.

To configure DoT, new options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:

  • --dot-forwarder to specify an upstream DoT-enabled DNS server.
  • --dns-over-tls-key and --dns-over-tls-cert to configure DoT certificates.
  • --dns-policy to set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.

By default, IdM uses relaxed DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication using the new --dns-policy option with the enforced setting.

You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service using ipa-dns-install with the new DoT options.

See Securing DNS with DoT in IdM for more details.

Jira:RHEL-67913[1], Jira:RHELDOCS-20059

8.4.7. Virtualization

New package: trustee-guest-components (Technology Preview)

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

Jira:RHEL-68141[1]

8.4.8. Containers

The podman artifact command is available as a Technology Preview

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further information, see the man page.

Jira:RHEL-70217

8.5. Technology previews identified in RHEL 9.5

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.5.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.5.1. Security

OpenSSL clients can use the QUIC protocol (Technology Preview)

OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.

Jira:RHELDOCS-18935[1]

8.5.2. Networking

UDP encapsulation in packet offload mode is now available as a Technology Preview

With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of IPsec tunnels when in packet offload mode.

Jira:RHEL-30141[1]

8.5.3. Dynamic programming languages, web and database servers

A new nodejs:22 module stream is available as a Technology Preview

A new module stream, nodejs:22, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22, which will be fully supported.

Node.js 22 included in RHEL 9.5 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 20 available since RHEL 9.3.

Notable changes include:

  • The V8 JavaScript engine has been upgraded to version 12.4.
  • The V8 Maglev compiler is now enabled by default on architectures where it is available (AMD and Intel 64-bit architectures and the 64-bit ARM architecture).
  • Maglev improves performance for short-lived CLI programs.
  • The npm package manager has been upgraded to version 10.8.1.
  • The node --watch mode is now considered stable. In watch mode, changes in watched files cause the Node.js process to restart.
  • The browser-compatible implementation of WebSocket is now considered stable and enabled by default. As a result, a WebSocket client to Node.js is available without external dependencies.
  • Node.js now includes an experimental feature for execution of scripts from package.json. To use this feature, run the node --run <script-in-package.json> command.

To install the nodejs:22 module stream, enter:

# dnf module install nodejs:22

If you want to upgrade from the nodejs20 stream, see Switching to a later stream.

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-35990

8.5.4. Containers

Partial pulls for zstd:chunked are available as a Technology Preview

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

Jira:RHEL-32267

8.6. Technology previews identified in RHEL 9.4

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.4.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.6.1. Installer and image creation

Boot loader installation and configuration through bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration through the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

Jira:RHEL-17205[1]

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

  • graphical, text, or cmdline
  • ostreecontainer
  • clearpart, zerombr
  • autopart
  • part
  • logvol, volgroup
  • reboot and shutdown
  • lang
  • rootpw
  • sshkey
  • bootloader - Available only with the --append optional parameter.
  • user

When you specify a group within the user command, the user account can be assigned only to a group that already exists in the container image. Kickstart commands not listed here can be used with the ostreecontainer command; however, they are not guaranteed to work as expected with package-based installations.

However, the following Kickstart commands are unsupported together with ostreecontainer:

  • %packages (any necessary packages must be already available in the container image)
  • url (if there is a need to fetch a stage2 image for installation, for example, PXE installations, use inst.stage2= on the kernel instead of providing a url for stage2 inside the Kickstart file)
  • liveimg
  • vnc
  • authconfig and authselect (provide relevant configuration in the container image instead)
  • module
  • repo
  • zipl
  • zfcp

Installation of bootable OSTree native containers is not supported in interactive installations that use partial Kickstart files.

Note: When customizing a mount point, you must define the mount point in the /mnt directory and ensure that the mount point directory exists inside /var/mnt in the container image.

Jira:RHEL-2250[1]

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Jira:RHEL-10216[1]

8.6.2. Security

The io_uring interface is available (Technology Preview)

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

  • 0 - All processes can create io_uring instances as usual.
  • 1 - io_uring creation is disabled for unprivileged processes. The io_uring_setup fails with the -EPERM error unless the calling process is privileged by the CAP_SYS_ADMIN capability. Existing io_uring instances can still be used.
  • 2 - io_uring creation is disabled for all processes. The io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. This is the default setting.

An updated version of the SELinux policy to enable the mmap system call on anonymous inodes is also required to use this feature.

By using the io_uring command pass-through, an application can issue commands directly to the underlying hardware, such as nvme.

Jira:RHEL-11792[1]

8.6.3. RHEL for Edge

FDO now provides storing and querying Ownership Vouchers from an SQL backend (Technology Preview)

With this Technology Preview, FDO Manufacturing, Owner, and Rendezvous servers are available for storing and querying Ownership Vouchers from an SQL backend (SQLite or PostgreSQL). As a result, you can select an SQL datastore in the FDO server’s options, along with credentials and other parameters, to store the Ownership Vouchers.

Jira:RHELDOCS-17752[1]

8.6.4. Infrastructure services

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

[suppress_type]
       type_kind = struct
       has_size_change = true
       has_strict_flexible_array_data_member_conversion = true

Jira:RHEL-16629[1]

8.6.5. Networking

NetworkManager and the Nmstate API support MACsec hardware offload (Technology Preview)

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface controller.

Note that this feature is an unsupported Technology Preview.

Jira:RHEL-24337

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Jira:RHEL-5852

8.6.6. Kernel

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

The iaa_crypto driver, which offloads compression and decompression operations from the CPU, has been introduced in RHEL 9.4 as a Technology Preview. It supports compression and decompression compatible with the DEFLATE compression standard described in RFC 1951. The iaa_crypto driver is designed to work as a layer underneath higher-level compression devices such as zswap.

For details about the IAA crypto driver, see:

Jira:RHEL-20145[1]

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

Jira:RHEL-6973[1]

8.6.7. File systems and storage

NVMe/TCP Boot is available as a Technology Preview

The Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) Boot support is available as a Technology Preview. For more information on how to boot from SAN with NVMe/TCP, consult your Storage manufacturer’s UEFI firmware configuration documentation.

Jira:RHEL-10414[1]

8.6.8. The web console

The RHEL web console can now manage WireGuard connections (Technology Preview)

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that both the WireGuard technology and its web console integration are unsupported Technology Previews.

Jira:RHELDOCS-17520[1]

8.6.9. Virtualization

CPU clusters on 64-bit ARM (Technology Preview)

As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.

Jira:RHEL-7043[1]

8.7. Technology previews identified in RHEL 9.3

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.3.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.7.1. Networking

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

Jira:RHELPLAN-154595[1]

8.8. Technology previews identified in RHEL 9.2

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.2.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.8.1. Networking

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

  • rvu_af - Marvell OcteonTX2 RVU Admin Function driver
  • rvu_nicpf - Marvell OcteonTX2 NIC Physical Function driver
  • rvu_nicvf - Marvell OcteonTX2 NIC Virtual Function driver

Jira:RHELPLAN-108169[1]

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default; you can enable it in the tuned-main.conf file.

Jira:RHELPLAN-129881[1]

8.9. Technology previews identified in RHEL 9.1

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.1.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.9.1. Security

gnutls now uses kTLS (Technology Preview)

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

[global]
ktls = true

Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.

Jira:RHELPLAN-128129[1]

8.9.2. File systems and storage

nvme-stas package is available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), automated NVMe subsystem connection controls, error handling and reporting, and automatic (zeroconf) and manual configuration.

This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).

Jira:RHELPLAN-58357[1]

8.10. Technology previews identified in RHEL 9.0

This part provides a list of all Technology Preview features that were introduced in Red Hat Enterprise Linux 9.0.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.10.1. Networking

Offloading IPsec encapsulation to a NIC (Technology Preview)

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to monitor and filter such packets.

Jira:RHEL-88552[1]

The systemd-resolved service (Technology Preview)

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Note that systemd-resolved is an unsupported Technology Preview.

Jira:RHEL-88550

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software Internet Wide-area RDMA Protocol (iWARP) kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the Internet Protocol (TCP/IP) network stack. This protocol suite is fully implemented in software and does not require specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

Jira:RHELPLAN-102815[1]

8.10.2. File systems and storage

NVMe-oF Discovery Service available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

Jira:RHELPLAN-102321[1]

8.10.3. Dynamic programming languages, web and database servers

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

jmc-core is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).

The owasp-java-encoder package provides a collection of high-performance low-overhead contextual encoders for Java.

Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content within CodeReady Linux Builder for more information.

Jira:RHELPLAN-88788[1]

8.10.4. Identity Management

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and removing manual processes from certificate lifecycle management.

In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire IdM deployment.

Important

It is recommended to enable ACME only in an IdM deployment where all servers are running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause problems in mixed-version deployments. For example, a CA server without ACME can cause client connections to fail, because it uses a different DNS Subject Alternative Name (SAN).

Warning

Currently, RHCS does not remove expired certificates. Because ACME certificates expire after 90 days, the expired certificates can accumulate and this can affect performance.

  • To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command:

    # ipa-acme-manage enable
    The ipa-acme-manage command was successful

  • To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command:

    # ipa-acme-manage disable
    The ipa-acme-manage command was successful

  • To check whether the ACME service is installed and whether it is enabled or disabled, use the ipa-acme-manage status command:

    # ipa-acme-manage status
    ACME is enabled
    The ipa-acme-manage command was successful

Jira:RHELPLAN-121754[1]

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.

Jira:RHELPLAN-121751[1]

8.10.5. Desktop

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

You can now connect to the desktop session on an IBM Z server using RDP. As a result, you can manage the server using graphical applications.

A limited set of graphical applications is available on IBM Z. For example:

  • The Mozilla Firefox web browser
  • Red Hat Subscription Manager (subscription-manager-cockpit)
  • Firewall Configuration (firewall-config)
  • Disk Usage Analyzer (baobab)

Using Mozilla Firefox, you can connect to the Cockpit service on the server.

Jira:RHELPLAN-27737[1]

8.10.6. Virtualization

Creating nested virtual machines (Technology Preview)

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

Jira:RHELDOCS-17040[1]

8.10.7. Containers

The podman-machine command is unsupported

The podman-machine command for managing virtual machines is available only as a Technology Preview. Instead, run Podman directly from the command line.

Jira:RHELDOCS-16861[1]

8.11. Technology previews identified in previous releases

This part provides a list of all Technology Preview features that were introduced in earlier Red Hat Enterprise Linux versions.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

8.11.1. Networking

KTLS (Technology Preview)

In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provide this functionality.

Note that specific use cases of kernel TLS offload might have a higher support status.

Jira:RHEL-88551[1]

8.11.2. Desktop

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

You can now connect to the desktop session on a 64-bit ARM server using RDP. As a result, you can manage the server using graphical applications.

A limited set of graphical applications is available on 64-bit ARM. For example:

  • The Mozilla Firefox web browser
  • Red Hat Subscription Manager (subscription-manager-cockpit)
  • Firewall Configuration (firewall-config)
  • Disk Usage Analyzer (baobab)

Using Mozilla Firefox, you can connect to the Cockpit service on the server.

Jira:RHELPLAN-27394[1]
