10.0 Beta Release Notes

bootc-image-builder now supports creating image mode disk images with advanced partitioning

With this enhancement, the bootc-image-builder tool gained more options for customizing partitioning. You can use the bootc-image-builder tool to create disk images of image-mode RHEL with custom mountpoints, including custom mount options, LVM-based partitions and LVM-based SWAP to, for example, change the size of the / and the /boot directories by using the config.toml. As a consequence, you can create disk images with advanced partitioning layout.

RHEL 10 disk images will have predictable network interface names

The net.ifnames=0 will be removed from kernel arguments, causing all systems to use predictable network interface names. As a consequence, from RHEL 10-beta ongoing, disk images created wih RHEL image builder will now have predictable network interface names. There are no plans for backporting this update to older RHEL versions. As a workaround for older versions, remove the kernel argument after the first boot and reboot the system. See Configuring kernel command-line parameters for more details.

RHEL 10 disk images not longer have a separate /boot partition

RHEL 10 Public Beta disk images, such as AWS images, or KVM images, for example, do not have a separate /boot partition. Removing the /boot partition from prebuilt disk images aligns with the default partitioning created by Anaconda when LVM is not used. In RHEL images, the /boot/ partition removal targets confidential computing.

New users created in Anaconda are administrators by default

Previously, while creating new users from the installer, the Add administrative privileges to this user account option in graphical installation was deselected. Starting RHEL 10, this option is selected by default. As a result, the newly created users will have administrative privileges in the system by default. You can deselect this option to remove the administrative privileges of the new users, if needed.

NVMe over Fabrics devices are now available in the RHEL installation program

You can now add NVMe over Fabrics devices to your RHEL installation to extend the benefits of NVMe storage beyond local devices, enabling the same high-performance, low-latency access over a network. In the RHEL installation program, you can select these devices under the NVMe Fabrics Devices section while adding disks on the Installation Destination screen.

Remote Desktop Protocol (RDP) replaces VNC for graphical remote access

The protocol for graphical remote access has been replaced from VNC to remote desktop protocol (RDP), a more robust, and secure graphical remote access. It offers a reliable and encrypted connection, overcoming the limitations of VNC, which lacked encryption support and enforced password length restrictions.

keylime-agent-rust provided in version 0.2.5

The keylime-agent-rust package, which contains the Keylime agent, is provided in version 0.2.5 in RHEL 10. This version offers important enhancements and bug fixes, most importantly the following:

libreswan provided in version 4.15

The libreswan packages are provided in version 4.15 in RHEL 10. This version offers substantial improvements over the previous version 4.12 that was provided in previous releases:

New package: rust-sequoia-sq

The Sequoia PGP suite provides a memory-free implementation of the OpenPGP standard for ensuring confidentiality, key management, authentication, and digital signatures. The sq command-line tool is a frontend for managing OpenPGP encryption and signatures.

New package: rust-sequoia-sqv

The sqv program verifies OpenPGP signatures.

OpenSSH provided in version 9.8

RHEL 10 provides OpenSSH in version 9.8, which introduces many fixes and improvements over OpenSSH 8.7 which was provided in RHEL 9. For the complete list of changes, see the openssh-9.8p1/ChangeLog file. The most important changes are as follows:

Added custom configuration for pkcs11-provider

The pkcs11-provider allows direct access to hardware tokens by using pkcs11 URIs from OpenSSL programs. Upon installation, the pkcs11-provider is automatically enabled and loads tokens detected by the pcscd daemon by using the p11-kit driver by default. As a result, you can use tokens available to the system if you provide a key URI by using the pkcs11 URI specification to an application that supports that format by installing the package without the need to further change OpenSSL configuration. Uninstalling the package also removes the OpenSSL configuration snippet, which prevents errors when OpenSSL parses the configuration files.

File context equivalency set to /var/run = /run in the SELinux policy

The previous /run = /var/run file context equivalency is now inverted to /var/run = /run and the SELinux policy sources have been updated accordingly. The equivalency has been inverted to match the actual filesystem state and to prevent some userspace tools from reporting an error. This change should not be visible from the user or admin perspective. If you have any custom modules that contain file specification for files in /var/run, change them to /run.

OpenSSL uses pkcs11-provider for hardware tokens

Because OpenSSL 3.0 deprecated engines and replaced them with providers, RHEL 10 replaces the openssl-pkcs11 engine with the pkcs11-provider. This allows OpenSSL to use hardware tokens in applications such as apache HTTPD, libssh, bind, and other applications that are linked with OpenSSL and use asymmetric private keys stored in an HSM, smartcard or other tokens with a PKCS #11 driver available.

New capability.conf(5) man page

The capability.conf(5) man page has been added. It provides descriptions for the capability.conf configuration file and the pam_cap.so module arguments.

libkcapi provided in version 1.5.0

In RHEL 10.0, the libkcapi packages are provided in upstream version 1.5.0. This version provides various bug fixes, optimizations and enhancements, most notably:

Stricter SSH host key permissions have been restored

The necessary host key permissions have been changed from the previous less strict value of 0640 to 0600, which is also the value used upstream. The ssh_keys group, which previously owned all SSH keys, has also been removed. Therefore, the ssh-keysign utility uses the SUID bit instead of the SGID bit.

The selinux-policy git repository for Centos Stream 10 is now publicly accessible

CentOS Stream contributors now can participate in the development of the SELinux policy by contributing to the c10s branch of the fedora-selinux/selinux-policy git repository. These contributions can then be used to improve the SELinux policy of RHEL 10.

p11-kit provided in version 0.25.5

The p11-kit packages are provided in version 0.25.5 in RHEL 10. This version provides enhancements and fixes over the previous version, most importantly, the following:

pkeyutil now supports encapsulation and decapsulation

The pkeyutil OpenSSL subcommand supports performing encapsulation and decapsulation cryptographic operations. The new post-quantum cryptographic (PQC) algorithm ML-KEM (FIPS 203) permits only encapsulation and decapsulation operations, and you can now use algorithms such as RSASVE and ML-KEM through pkeyutil.

GnuTLS can use certificate compression

GnuTLS compresses client and server certificates with the zlib, brotli or zstd compression method according to RFC 8879 if both client and server support and enable it. This method reduces data usage, and should otherwise be unnoticeable to users.

New no-atexit option in OpenSSL

OpenSSL is now built with the no-atexit option, so that the OPENSSL_cleanup function is no longer registered as an atexit handler. Using this option might cause the valgrind debugging tool to report one-time memory leaks of the resources allocated on OpenSSL startup.

setools provided in version 4.5.0

The setools packages are provided in version 4.5.0 in RHEL 10. This version provides bug fixes and enhancements, most notably the following:

RHEL 10 provides NSS in version 3.101

The NSS cryptographic toolkit packages are provided in version 3.101 in RHEL 10, which provides many bug fixes and enhancements. The most notable changes are the following:

OpenSSL can create FIPS-compliant PKCS #12 files

The OpenSSL secure communication suite has been updated and can now create PKCS #12 files in accordance with the RFC 9579 document.

gnutls provided in version 3.8.7

In RHEL 10.0, the gnutls library package is provided in upstream version 3.8.7. This version provides various bug fixes, optimizations and enhancements, most notably:

The DEFAULT cryptographic policy uses additional scopes

The crypto-policies package now offers additional scopes @pkcs12, @pkcs12-legacy, @smime, and @smime-legacy, and uses them in the DEFAULT system-wide cryptographic policy. The selection of cryptographic algorithms used for PKCS #12 and S/MIME when network security services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges:

OpenSSH in FIPS mode generates RSA keys by default

In previous versions, the ssh-keygen utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, ssh-keygen generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.

NSS creates FIPS-compliant PKCS #12 in FIPS mode

PKCS #12 uses an ad-hoc mechanism for integrity checks. Since the publication of PKCS #12 version 1.1, more rigorous methods of integrity checks have been created in PKCS #5 Version 2.0: the password-based message authentication code 1 (PBMAC1). This update adds PBMAC1 support in PKCS #12 files to Network Security Services (NSS) in accordance with the RFC 9579 document. As a result, NSS can now read any .p12 file that uses RFC 9579 and can generate RFC-9579-compliant message authentication codes (MAC) when requested by the user. For compatibility, NSS generates old MACs by default when not in FIPS mode. For more information on generating new MACs, see the pk12util(1) man page on your system.

clevis provided in version 20

The clevis packages are provided in version 20 in RHEL 10. The most notable enhancements and fixes include the following:

jose provided in version 14

The jose package is provided in version 14 in RHEL 10. jose is a C-language implementation of the Javascript Object Signing and Encryption (JOSE) standards. The most important enhancements and fixes include the following:

SELinux userspace provided in version 3.7

RHEL 10 contains the SELinux user-space components in version 3.7. This version introduces enhancements and fixes over the previous version, most importantly, the following:

Rules for additional libvirt services added to the SELinux policy

The following SELinux types related to the libvirt services have been added to the SELinux policy:

The repository metadata is now not downloaded by default

Previously, when you downloaded a repository’s metadata, the filelists metadata was downloaded by default. The filelists metadata is large and is typically not needed. With this update, this metadata is not downloaded by default, which improves responsiveness and saves disk space. The filelists metadata is also no longer downloaded or updated from repositories and is not loaded into the DNF transaction when you run a dnf command. If the dnf command requires the filelists metadata or includes a file-related argument, the metadata is loaded automatically.

DNF now uses librpmio for processing PGP keys

To verify RPM package signatures, RPM uses the rpm-sequoia library instead of the previously-used custom PGP parser. With this update, the librepo library, which can verify PGP signatures on DNF repositories, now also uses rpm-sequoia through the librpmio library. As a result, to provide consistent user experience, the dnf, librpm, and rpm components now use the same PGP implementation.

dnf-plugins-core rebased to version 4.7.0

The dnf-plugins-core package has been rebased to version 4.7.0 that provides a new python3-dnf-plugin-pre-transaction-actions package. This package includes a new pre-transaction-actions DNF plugin that allows you to execute a command upon starting an RPM transaction. For more information, see the dnf-pre-transaction-actions(8) manual page on your system.

createrepo_c provided in version 1.0.0

RHEL 10 provides the createrepo_c package in version 1.0.0. Notable changes over the previous version include:

openCryptoki rebased to version 3.23.0

The openCryptoki packages are updated to version 3.23.0, which provides multiple bug fixes and enhancements. Notable changes include:

polkit rebased to 125

The polkit package is rebased to version 125. Notable enhancements include the following:

ksh is rebased to 93u+m/1.0.10

The KornShell (ksh) shell is rebased to the 93u+m/1.0.10 version. The notable changes are:

CUPS broadcast and mDNS are no longer the default configuration for cups-browsed daemon

With this enhancement, the mDNS and CUPS broadcast service browsing is no longer the default configuration for the cups-browsed daemon. As a result, to configure cups-browsed, you must add the BrowsePoll directive in the /etc/cups/cups-browsed.conf file. This file the specifies to the server that the cups-browsed daemon polls for printers.

tuned-ppd, Valkey, libcpuid and dnsconfd packages are now available

The following packages are included in Red Hat Enterprise Linux:

GECOS field for user is now changed to Super User

Previously, an application output for the GECOS/description appeared as root . Now, the GECOS/description for user root in the /etc/passwd file has been changed from root to Super User.

dnsconfd daemon can now be installed

With this enhancement, you can now install the dnsconfd, a local DNS cache configuration daemon. The newly configured daemon provides an easy way to set up DNS caching, split DNS, DNS over TLS, and other DNS features.

The Kea DHCP server replaces ISC DHCP

Kea is a new Dynamic Host Configuration Protocol (DHCP) server solution in RHEL. Kea DHCP is an implementation from Internet Systems Consortium (ISC) that includes fully functional DHCPv4, DHCPv6, and Dynamic DNS servers. The Kea DHCP server has the following advantages:

Enable Duplicate Address Detection for IPv4 in NetworkManager

Generally, assigning the same IP address to multiple systems can cause non-working setups and make it more difficult to debug problems. The Duplicate Address Detection (DAD) mechanism identifies and prevents this issue by ensuring that each IP address within a network is unique. In RHEL 10, the ipv4.dad-timeout parameter in NetworkManager has been set to 200ms by default. This enables the DAD functionality for IPv4 addresses on RHEL systems.

Kernel version in RHEL 10.0 Beta

Red Hat Enterprise Linux 10.0 Beta is distributed with the kernel version 6.11.0.

Enhanced kdump Service with Automated elfcorehdr Update

When the kdump service is active, and there is a hot add/remove in the system’s CPU or memory, the crash elfcorehdr needs updating to ensure the vmcore is accurate. The old method relying on udev rules caused performance issues.

kexec-tools package is split into three sub-packages

The kexec-tools package is split into three sub-packages: kdump-utils, makedumpfile, and kexec-tools.

rh_waived kernel command-line boot parameter is now supported

With this release, the rh_waived kernel command-line boot parameter is supported. rh_waived is used for enabling waived features in RHEL. The waived features are kernel features considered unmaintained, insecure, rudimentary, or deprecated. These features are disabled by default in RHEL 10. To use waived features, you must enable them manually.

python-blivet rebased to version 3.10

The python-blivet package has been rebased to version 3.10, providing various bug fixes and enhancements. The most notable changes are:

pcs now validates resource parameters when creating or updating a resource

When you create or update a cluster resource, the pcs command-line interface now automatically asks the resource agent to validate the parameters you entered. If you specify --agent-validation, an invalid parameter yields an error. To maintain backward compatibility, if you do not specify --agent-validation, an invalid parameter prints a warning but does not prevent misconfiguration.

New --yes flag to confirm potentially destructive actions

To confirm potentially destructive actions such as destroying a cluster, unblocking quorum, or confirming a node being fenced, the pcs command-line interface now supports the --yes flag. Previously, you could confirm these actions by using the --force flag, which is also used for overriding validation errors. With these two functions combined in a single flag, a user could inadvertently confirm a potentially destructive action when the intention is only to override a validation error. You should now use the --force flag to override validation errors, and you should use the --yes flag to confirm potentially destructive actions.

New pcs status wait command

The pcs command-line interface now provides a pcs status wait command. This command ensures that Pacemaker has completed any actions required by changes to the Cluster Information Base (CIB) and does not need to take any further actions in order to make the actual cluster state match the requested cluster state.

pcs support for new commands to query the status of a resource in a cluster

The pcs command-line interface now provides pcs status query resource commands to query various attributes of a single resource in a cluster. These commands query:

New pcs resource defaults and pcs resource op defaults option for displaying configuration in text, JSON, and command formats

The pcs resource defaults and pcs resource op defaults commands and their aliases pcs stonith defaults and pcs stonith op defaults now provide the --output-format option.

pcsd Web UI now available as a RHEL web console add-on

The pcsd Web UI is now available as the HA Cluster Management RHEL web console add-on. It is no longer operated as a standalone interface.

RHEL 10 provides Pacemaker version 2.1.8

Pacemaker has been upgraded to version 2.1.8, which provides multiple bug fixes and enhancements. Notable changes include:

Support for new Ha Cluster Management features

For RHEL 10, the pcsd Web UI is now available as a RHEL web console add-on as the HA Cluster Management application. It is no longer operated as a standalone interface. The HA Cluster Management application now supports the following features:

Python 3.12 in RHEL 10

Python 3.12 is the default Python implementation in RHEL 10. Python 3.12 is distributed as a non-modular python3 RPM package in the BaseOS repository and is usually installed by default. Python 3.12 will be supported for the whole life cycle of RHEL 10.

RHEL 10 introduces Perl 5.40

RHEL 10 includes Perl 5.40, which provides various enhancements over the previously available version 5.32.

RHEL 10 provides Node.js 22

RHEL 10 is distributed with Node.js 22. This version provides numerous new features, bug fixes, security fixes, and performance improvements over previously available Node.js 20.

RHEL 10 introduces MySQL 8.4

RHEL 10 is distributed with MySQL 8.4. Notable changes over the previously available version 8.0 include:

RHEL 10 provides PostgreSQL 16 with the pgvector extension

RHEL 10 is distributed with PostgreSQL 16. In addition to the pgaudit, pg_repack, and decoderbufs extensions, the Postgresql stack now provides the pgvector extension. With the pgvector extension, you can store and query high-dimensional vector embeddings directly within PostgreSQL databases and perform a vector similarity search. Vector embeddings are numerical representations of data that are often used in machine learning and AI applications to capture the semantic meaning of text, images, or other data types.

RHEL 10 introduces GCC 14.2

RHEL 10 is distributed with the GNU Compiler Collection (GCC) version 14.2.

GCC 14 defaults to x86-64-v3

GCC 14 in RHEL 10 defaults to the x86-64-v3 microarchitecture level. This level enables certain capabilities by default, such as the AVX and AVX2 instruction sets and the fused multiply-add (FMA) instruction set. See the related article for more details.

GCC defaults to using the IEEE128 floating point format on IBM Power Systems

In RHEL10, GCC uses the IEEE128 floating point format by default for all long double floating point numbers on IBM Power Systems instead of the earlier software-only IBM-DOUBLE-DOUBLE code. As a result, you can notice performance improvements in C or C++ code that performs computations by using long double floating point numbers.

RHEL 10 includes annobin version 12.55

RHEL 10 is distributed with annobin version 12.55. Notable changes over the previously available version 12.32 include:

RHEL 10 includes binutils version 2.41

RHEL 10 is distributed with binutils version 2.41. Notable changes over the previously available version 2.40 include:

The ld linker of binutils supports the --section-ordering-file option

You can now use the new --section-ordering-file command-line option with ld.bfd, the default system linker, to group sections of code or data that can benefit from being in proximity to each other.

glibc now supports dynamic linking of Intel APX-enabled functions

An incompatible dynamic linker trampoline was identified as a potential source of incompatibilities for Intel Advanced Performance Extensions (APX) applications. As a workaround, it was possible to use the BIND_NOW executable or use only the standard calling convention. With this update, the dynamic linker of glibc preserves APX-related registers.

RHEL 10 provides glibc version 2.39

RHEL 10 introduces GNU C Library (glibc) version 2.39.

Optimization of AMD Zen 3 and Zen 4 performance in glibc

Previously, AMD Zen 3 and Zen 4 processors sometimes used the Enhanced Repeat Move String (ERMS) version of the memcpy and memmove library routines regardless of the most optimal choice. With this update to glibc, AMD Zen 3 and Zen 4 processors use the most optimal versions of memcpy and memmove.

RHEL 10 provides GDB version 14.2

GDB has been updated to version 14.2. The following paragraphs list notable changes since GDB 12.1.

RHEL 10 provides elfutils version 0.191

The elfutils package has been updated to version 0.191. Notable improvements include:

RHEL 10 provides SystemTap version 5.1

RHEL 10 includes the SystemTap tracing and probing tool version 5.1. Notable changes since version 5.0 include:

RHEL 10 provides Valgrind version 3.23.0

The Valgrind suite has been updated to version 3.23.0. Notable enhancements include:

RHEL 10 introduces Dyninst version 12.3.0

RHEL 10 is distributed with the Dyninst library version 12.3.0.

RHEL 10 provides libabigail version 2.5

The libabigail library has been updated to version 2.5. Notable changes include:

RHEL 10 Beta introduces LLVM Toolset 18.1.8

RHEL 10 Beta is distributed with the LLVM Toolset version 18.1.8.

RHEL 10 Beta includes Rust Toolset version 1.79.0

RHEL 10 Beta is distributed with the Rust Toolset version 1.79.0. Notable enhancements since the previously available version 1.75.0 include:

RHEL 10 Beta provides Go Toolset version 1.22

RHEL 10 Beta introduces the Go Toolset version 1.22. Notable enhancements since the previously available version 1.21 include:

RHEL 10 includes PCP version 6.3.0

RHEL 10 is distributed with Performance Co-Pilot (PCP) version 6.3.0. Notable changes over the previously available version 6.2.0 include:

RHEL 10 provides Grafana version 10.2.6

The Grafana platform has been updated to version 10.2.6.

Grafana, PCP, and grafana-pcp now use Valkey to store data

In RHEL 10, the Valkey key-value store replaces Redis. As a result, Grafana, PCP, and the grafana-pcp plug-in now use Valkey to store data instead of Redis. The PCP Redis data source in the grafana-pcp plug-in is now named PCP Valkey.

zlib-ng-compat replaces zlib in RHEL 10

The new zlib-ng-compat package provides a general-purpose lossless data compression library that is used by many different programs. This implementation provides various benefits over zlib distributed in RHEL 9. For example, zlib-ng-compat supports hardware acceleration when available and enhances compression efficiency and performance. zlib-ng-compat is built in API and ABI compatible mode to ensure a smooth transition from zlib.

SWIG 4.2.1 available in the CRB repository

The Simplified Wrapper and Interface Generator (SWIG) version 4.2.1 is now available in the CodeReady Linux Builder (CRB) repository. Notable changes include:

Red Hat build of OpenJDK 21 is the default Java implementation in RHEL 10

The default RHEL 10 Java implementation is OpenJDK 21. Use the java-21-openjdk packages, which provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. For more information, see the OpenJDK documentation.

python-jwcrypto rebased to version 1.5.6

The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix to an issue where an attacker could cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio.

The ldap_id_use_start_tls option is now enabled by default

To improve security, the default value for ldap_id_use_start_tls has changed from false to true. When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

certmonger rebased to version 0.79.20

The certmonger package has been rebased to version 0.79.20. The update includes various bug fixes and enhancements, most notably:

RHEL 10 provides python-jwcrypto in version 1.5.6

The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix to an issue where an attacker could cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio.

Running SSSD with reduced privileges

To support general system hardening (running software with least privileges possible), the System Security Services Daemon (SSSD) service is now configured to run under sssd or root using the systemd service configuration files (service user). This service user now defaults to sssd and irrespective of what service user is configured, root or sssd, all root capabilities are dropped with the exception of a few privileged helper processes.

Support for KnownHostsCommand has been added to SSSD

With this update, support for KnownHostsCommand has been added to SSSD. You can use the tool sss_ssh_knownhosts with the SSH KnownHostsCommand configuration option to retrieve the host’s public keys from a remote server, such as FreeIPA, LDAP, and others. The sss_ssh_knownhosts tool replaces the less reliable sss_ssh_knownhostsproxy tool. sss_ssh_knownhostsproxy is no longer available and a message is displaying indicating the tool is obsolete.

RHEL 10 provides 389-ds-base package version 3.0.4

The 389-ds-base package is now based on upstream version 3.0.4. Notable bug fixes and enhancements over previous versions are described in the upstream release notes:

389-ds-base now fully supports LMDB

Introduced in RHEL 9.5 as a Technology Preview, Lightning Memory-Mapped Database (LMDB) is now fully supported by the 389-ds-base package in RHEL 10. Directory Server now creates instances with Lightning Memory-Mapped Database (LMDB) by default.

ansible-freeipa rebased to 1.13.2

The ansible-freeipa package has been rebased from version 1.12.1 to 1.13.2 Notable enhancements include:

Firefox and Thunderbird are provided only as Flatpaks in RHEL 10

In RHEL 10.0 Beta, the Firefox Flatpak is not preinstalled. For RHEL 10.0, Firefox Flatpak will be automatically installed after the system is registered and is connected to the Internet.

Window overview added to GNOME classic

In previous versions, the overview of open windows was not available while using the GNOME classic session. With this update, you can use the overview in both the standard GNOME and classic mode sessions. This makes the overview’s features, including system search, available to classic mode users. Users can now also use classic mode extensions with the default GNOME session.

GNOME Online Accounts can restrict which features providers can use

You can use the new goa.conf file in the system configuration directory, usually named /etc/goa.conf, to limit what features each provider can use.

New package: cockpit-files

The cockpit-files package provides the File manager page in the RHEL web console. With the File manager, you can perform the following actions:

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

New sudo RHEL system role

sudo is a critical part of RHEL system configuration. With the new sudo RHEL system role, you can consistently manage sudo configuration at scale across your RHEL systems.

The storage RHEL system role can now manage Stratis pools

With this enhancement, you can use the storage RHEL system role to complete the following tasks:

New variables in the podman RHEL system role: podman_registry_certificates and podman_validate_certs

The following two variables have been added to the podman RHEL system role:

New variables in the podman RHEL system role: podman_registry_username and podman_registry_password

The podman RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:

New variable in the podman RHEL system role: podman_credential_files

Some operations need to pull container images from registries in an automated or unattended way and cannot use the podman_registry_username and podman_registry_password variables.

New variables in the journald RHEL system role: journald_rate_limit_interval_sec and journald_rate_limit_burst

The following two variables have been added to the journald RHEL system role:

The ssh RHEL system role now recognizes the ObscureKeystrokeTiming and ChannelTimeout configuration options

The ssh RHEL system role has been updated to reflect addition of the following configuration options in the OpenSSH utility suite:

The storage RHEL system role can now resize LVM physical volumes

If the size of a block device has changed and you use this device in an LVM, you can adjust the LVM physical volume as well. With this enhancement, you can use the storage RHEL system role to resize LVM physical volumes to match the size of the underlying block devices after you resized it. To enable automatic resizing, set grow_to_fill: true on the pool in your playbook.

The nbde_client RHEL system role now enables you to skip running certain configurations

With the nbde_client RHEL system role you can now disable the following mechanisms:

New variable in the postfix RHEL system role: postfix_files

The postfix RHEL system role now enables you to configure extra files for the Postfix mail transfer agent. For that purpose, you can use the following role variable:

The snapshot RHEL system role now supports managing snapshots of LVM thin pools

With thin provisioning, you can use the snapshot RHEL system role to manage snapshots of LVM thin pools. These thin snapshots are space-efficient and only grow as data is written or modified after the snapshot is taken. The role automatically detects if the specified volume is scheduled for a thin pool. The added feature could be useful in environments where you need to take frequent snapshots without consuming a lot of physical storage.

New option in the logging RHEL system role: reopen_on_truncate

The files input type of the logging_inputs variable now supports the following option:

New variable in the logging RHEL system role: logging_custom_config_files

You can provide custom logging configuration files by using the following variable for the logging RHEL system role:

The logging RHEL system role can set ownership and permissions for rsyslog files and directories

The files output type of the logging_outputs variable now supports the following options:

Using the storage RHEL system role creates fingerprints on managed nodes

If not already present, storage creates a unique identifier (fingerprint) every time you run this role. The fingerprint has the form of the # system_role:storage string written to the /etc/fstab file on your managed nodes. As a result, you can track which nodes are managed by storage.

New src parameter is added to the network RHEL system role

The src parameter to the route sub-option of the ip option for the network_connections variable has been added. This parameter specifies the source IP address for a route. It is useful typically for the multi-WAN connections. There you get setups where a machine has multiple public IP addresses, and you want to ensure that outbound traffic uses a specific IP address tied to a particular network interface. As a result, support for the src parameter provides better control over traffic routing and ensures a more robust and flexible network configuration capability in the described scenarios

Support for configuring GFS2 file systems on RHEL 9 clusters by using RHEL system roles

Red Hat Enterprise Linux 10 supports the configuration and management of the Red Hat Global File System 2 (GFS2) by using the gfs2 RHEL system role on a RHEL 10 control node to manage RHEL 9 systems. The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On, which includes the GFS2 file system, is itself not supported on RHEL 10 systems. The role creates GFS2 file systems in a Pacemaker cluster managed with the pcs command-line interface.

nbdkit rebased to version 1.38

The nbdkit package has been rebased to upstream version 1.38, which provides various bug fixes and enhancements. The most notable changes are the following:

cloud-init now uses NetworkManager as the default network renderer

With this update, the cloud-init utility uses NetworkManager (NM) as the back end for network configuration when initializing a cloud instance. As a result, using NM keyfiles in cloud-init setup no longer requires reconfiguring /etc/cloud/cloud.cfg.

The plugin option names now use only hyphens instead of underscores

To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.

The --api-url option is now available

With the --api-url option you can call another API as per requirement. For instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions.

The new --skip-cleaning-files option is now available

The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.

Image mode for RHEL now supports FIPS mode

With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, that additionally to enabling FIPS mode in the Containerfile, also requires adding the fips=1 kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.

Image mode for RHEL now supports FIPS mode

With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, that additionally to enabling FIPS mode in the Containerfile, also requires adding the fips=1 kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.

Support to creating and deploying VMDK with bootc-image-builder

With this enhancement, now you can create a Virtual Machine Disk (VMDK) from a bootc image, by using the bootc-image-builder tool, and deploy VMDK images to VMware vSphere.

Podman and Buildah support adding OCI artifacts to image indexes

With this update, you can create artifact manifests and add them to image indexes.

Option is available to disable Podman healthcheck event

This enhancement adds a new healthcheck_events option in the containers.conf configuration file under the [engine] section to disable the generation of health_status events. Set healthcheck_events=false to disable logging healthchek events.

Runtime resource changes in Podman are persistent

The updates of container configuration by using the podman update command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.

Building multi-architecture images is fully supported

The podman farm build command that creates multi-architecture container images is now fully supported.

Quadlets for pods in Podman are available

Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.

The Podman v2.0 RESTful API has been updated

The new fields has been added to the libpod/images/json endpoint:

Kubernetes YAML now supports a data volume container as an init container

A list of images to automatically mount as volumes can now be specified in Kubernetes YAML by using the "io.podman.annotations.kube.image.automount/$ctrname" annotation. Image-based mounts using podman run --mount type=image,source=<image>,dst=<path>,subpath=<path> now support a new option, subpath, to mount only part of the image into the container.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:

The containers.conf file is now read-only

The system connections and farm information stored in the containers.conf file is now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.

Default settings changes for Podman v5.0

In RHEL 10.0 Beta, the following default settings changes for Podman v5.0:

A new rhel10-beta/rteval container image

The real-time registry.redhat.io/rhel10-beta/rteval container image is now available in the Red Hat Container Registry to run latency analysis on either a standalone RHEL installation. With rhel10-beta/rteval container image, you can perform latency testing within a containerized setup to determine if such a solution is viable for your real-time workloads or to compare results against a bare-metal run of rteval. To use this feature, subscribe to RHEL with real-time support. No tuning guidelines are provided.

The --compat-volumes option is available for Podman and Buildah

You can use the new --compat-volumes option with the buildah build, podman build, and podman farm build commands. This option triggers special handling for the contents of directories marked using the VOLUME instruction such that their contents can subsequently only be modified by ADD and COPY instructions. Any changes made in those locations by RUN Instructions will be discarded. Previously, this behavior was the default, but it is now disabled by default.

macvlan and ipvlan network interface names are configurable in containers.conf

To specify macvlan and ipvlan networks, you can adjust the name of the network interface created inside containers by using the new interface_name field in the containers.conf configuration file.

The composefs filesystem is now available

The composefs read-only filesystem is now fully supported. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.

Support to building GCP images by using bootc-image-builder

By using the bootc-image-builder tool you can now generate .gce disk images and provision the instances on the Google Compute Engine (GCE) platform.

The podman pod inspect command now provides a JSON array regardless of the number of pods

Previously, the podman pod inspect command omitted the JSON array when inspecting a single pod. With this update, the podman pod inspect command now produces a JSON array in the output regardless of the number of pods inspected.

IPsec ondemand connections no longer fail to establish

Previously, when an IPsec connection with the ondemand option was configured by using the TCP protocol, the connection failed to establish. With this update, the new Libreswan package makes sure that the initial IKE negotiation completes over TCP. As a result, Libreswan successfully establishes the connection even in TCP mode of IKE negotiation.

NSS now enforce EMS in FIPS mode

The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS keyword to require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections as mandated by the FIPS 140-3 standard. NSS use the new keyword when the system-wide cryptographic policies are set to FIPS.

Binary tests for libcap are waived

The annocheck tool discovered binary packages in the libcap library function that were built without the required flags for RHEL 10 architectures. We examined the flags for potential problems and did not find any. After careful investigation, we have waived the results for libcap. As a result, all tests for libcap passed.

ReaR now interprets square brackets enclosing IPv6 addresses in URLs as expected

Previously, square brackets in OUTPUT_URL and BACKUP_URL were not interpreted correctly. Specifying an IPv6 address instead of a host name requires enclosing the address in square brackets, for example, [::1] for localhost. Since the brackets were not interpreted correctly, using an IPv6 address in a sshfs:// or nfs:// URL was not possible.

pcs validation of SBD options

Previously, when you enabled SBD with the pcs stonith sbd enable command and specified values for SBD options that are not valid, it resulted in SBD misconfiguration. The pcs command-line interface has been updated to validate the values for SBD options. When the values are not valid, pcs reports the error and does not create or update an SBD configuration.

Ability to remove Booth configuration from a Booth arbitrator node

Previously, running the pcs booth destroy command to remove Booth configuration from a Booth arbitrator node yielded an error. This happened because the command did not remove Booth configuration from nodes that are not part of the cluster. It is now possible to remove Booth configuration from Booth arbitrators.

pcsd processes now consistently stop correctly and promptly

Previously, the creation method for pcsd processes sometimes caused a deadlock during process termination. The processes were then terminated only after a systemd timeout. This fix changes the process creation method and there is no longer a deadlock when the processes are stopped. As a result, pcsd consistently stops correctly within a short time.

pcs no longer validates fencing topology with fencing levels greater than 9

The Pacemaker cluster resource manager ignores fencing topology levels greater than 9. Configuring levels greater than 9 may lead to failed fencing. With this update, you can configure fencing levels with values of only 1 to 9 in the pcs command-line interface and fencing topology works correctly.

The syntax for specifying a scorevalue is now consistent across all pcs constraint commands

Previously, some commands for creating constraints required you to specify a score value as score=value, whereas others expected just value without score=. With this update, all constraint commands accept a score value in the form score=value, with the exception of pcs constraint location prefers and pcs constraint location avoids, which expect node=score where score is the score value.

The ipa idrange-add command now warns that Directory Server must be restarted on all IdM servers

Previously, the ipa idrange-add command did not warn the administrator that they must restart the Directory Server (DS) service on all IdM servers after creating a new range. As a consequence, the administrator sometimes created a new user or group with a UID or GID belonging to the new range without restarting the DS service. The addition resulted in the new user or group not having an SID assigned. With this update, a warning that DS needs to be restarted on all IdM servers is added to the command output.

sssd-polkit-rules package content moved to sssd-common

Previously, if you needed to enable smart card support when the system security services daemon (SSSD) did not run as root, you had to install the sssd-polkit-rules package. The package provided polkit integration with SSSD. To resolve this issue, the sssd-common package now includes the content of the sssd-polkit-rules package and installation of a separate package is no longer required.

The ipa-replica-manage command no longer resets the nsslapd-ignore-time-skew setting during forced replication

Previously, the ipa-replica-manage force-sync command reset the nsslapd-ignore-time-skew setting to off, regardless of the configured value. With this update, the nsslapd-ignore-time-skew setting is no longer overwritten during forced replication.

certmonger now correctly renews KDC certificates on hidden replicas

Previously, when the certificate was about to expire, certmonger failed to renew the KDC certificate on hidden replicas. This happened because the renewal process only considered non-hidden replicas as active KDCs. With this update, the hidden replicas are treated as active KDCs, and certmonger renews the KDC certificate successfully on these servers.

The sshd RHEL system role can configure the second sshd service correctly

Running the sshd RHEL system role to configure the second sshd service on your managed nodes caused an error if you did not specify the sshd_config_file role variable. Consequently, your playbook would fail and the sshd service would not be configured correctly. To fix the problem, deriving of the main configuration file has been improved. Also, the documentation resources in the /usr/share/doc/rhel-system-roles/sshd/ directory have been made clearer to avoid this problem. As a result, configuring the second sshd service as described in the above scenario works as expected.

No property conflicts between the NetworkManager service and the NetworkManager plugin

Previously, the network RHEL system role did not request user consent to restart the NetworkManager service when updates were available to networking packages, particularly, due to wireless interface changes. Consequently, this led to potential conflicts between the NetworkManager service and the NetworkManager plugin. Alternatively, the NetworkManager plugin was failing to run correctly. The problem has been fixed by making the network RHEL system role ask user for their consent to restart the NetworkManager service. As a result, there are no property conflicts between the NetworkManager service and the NetworkManager plugin in the described scenario.

Implementation of multiple sets of key-value pairs of node attributes is now consistent with other cluster configuration components

The ha_cluster RHEL system role supports only one set of key-value pairs for each configuration item. Previously, when you configured multiple sets of node attributes, the sets were merged into a single set. With this update, the role uses only the first set you define and ignores the other sets. This behavior is now consistent with how the role implements multiple sets of key-value pairs for other configuration components that use a key-value pair structure.

The bootloader RHEL system role generates the missing /etc/default/grub configuration file if necessary

Previously, the bootloader RHEL system role expected the /etc/default/grub configuration file to be present. In some cases, for example on OSTtree systems, /etc/default/grub can be missing. As a consequence, the role failed unexpectedly. With this update, the role generates the missing file with default parameters if necessary.

The podman RHEL system role can set the ownership of the host directory again

Previously, the podman RHEL system role was using the become keyword with the user when setting the ownership of the host directory. As a consequence, the role could not properly set the ownership. With this update, the podman RHEL system role does not use become with the ordinary user. Instead, it uses the root user. As a result, podman can set the ownership of the host directory.

The linger feature can be canceled for the correct users

When processing the instruction list of configuration items from kube files or Quadlet files, the podman RHEL system role was incorrectly using the user ID associated with the entire list. It did not use the user ID associated with the list item to compile the linger file name. Consequently, the linger file was not created and therefore the podman RHEL system role could not cancel the linger feature for the actual user if necessary. With this update, podman uses the correct username to construct the linger file name. As a result, the linger feature can be canceled for the correct users.

The storage RHEL system role is idempotent again

The storage RHEL system role in some cases incorrectly calculated sizes of existing devices. Consequently, running the same playbook again without changes caused the role to attempt resizing the device that already had the correct size, instead of passing without errors. With this update, the size calculation was fixed. As a result, the role now correctly identifies that the device already has the size specified by the playbook and does not try to resize it.

Running the storage RHEL system role on a system with a pre-existing Stratis pool works as expected

Previously, the storage RHEL system role could not process the existing devices and device formats. This caused the role to fail on systems with a pre-existing Stratis pool, when checking if Stratis format conformed to the configuration specified by the playbook. Consequently, the playbook failed with an error, however the Stratis pool itself was not damaged or changed. This update makes the storage RHEL system role work correctly with Stratis devices and other formats without labelling support. As a result, running a playbook on a system with a pre-existing Stratis pool no longer fails.

You cannot set the name parameter for the imuxsock input type

Previously, the logging RHEL system role incorrectly set a name parameter for the imuxsock input type. As a consequence, this input type did not support the name parameter and the rsyslog utility on the managed node printed this error …​parameter 'name' not known — typo in config file?…​. This update fixes the logging RHEL system role to ensure that the name parameter is not associated with the imuxsock input type.

GRUB2 on RHEL 10 Beta and RHEL 9 UEFI managed nodes correctly prompts for a password

Previously, the bootloader RHEL system role incorrectly placed the password information in the /boot/efi/EFI/redhat/user.cfg file on managed nodes that ran RHEL 10 Beta and RHEL 9 with UEFI Secure Boot feature. The correct location was the /boot/grub2/user.cfg file. Consequently, when you rebooted the managed node to modify any boot loader entry, GRUB2 did not prompt you for a password. This update fixes the problem by setting the path for user.cfg to /boot/grub2/ in the source code. When you reboot the OS on a UEFI Secure Boot managed node to modify any boot loader entry, GRUB2 prompts you to input your password.

Removing Quadlet-defined networks using podman works irrespective of a custom NetworkName directive

When removing networks, the podman RHEL system role was using the "systemd- + name of the Quadlet file" syntax for the network name. Consequently, if the Quadlet file had a different NetworkName directive in it, the removal would fail. With this update, the podman source code has been updated to use "the Quadlet file name + the NetworkName directive from that file" as a name of the network to remove. As a result, removal of networks defined by Quadlet files using the podman RHEL system role works both with and without a custom NetworkName directive in the Quadlet file.

The podman RHEL system role creates new secrets if necessary

The podman RHEL system role incorrectly did not check whether a secret with the same name already existed if you used the skip_existing: true option of the podman_secrets role variable. Consequently, the role did not create any new secret if using that option. This update fixes the podman RHEL system role to check for existing secrets if you use skip_existing: true. As a result, the role properly creates new secrets if they do not exist. Conversely, it does not create a secret of the same name if you use skip_existing: true.

The network units in the Quadlet unit files are now properly cleaned up

The podman RHEL system role was not correctly managing the network units defined under the [Network] section in the Quadlet unit files. Consequently, the network units were not stopped and disabled and subsequent runs would fail due to those units not being cleaned up properly. With this update, podman manages the [Network] units, including stopping and removing. As a result, the [Network] units in the Quadlet unit files are properly cleaned up.

The podman RHEL system role now correctly searches for subgid values

Subordinate group IDs (subgid) is a range of group ID values assigned to non-root users. By using these values, you can run processes with different group IDs inside a container compared to the host system. Previously, the podman RHEL system role was incorrectly searching in the subgid values using the group name instead of using the user name. Consequently, the difference between the user name and the group name made podman fail to look up the subgid values. This update fixes podman to correctly search for subgid values and the problem no longer appears in this scenario.

The cockpit RHEL system role installs all cockpit-related packages that match a wildcard pattern

Previously, the dnf module used through the cockpit RHEL system role did not install all cockpit-related packages. As a consequence, some requested packages were not installed. With this update, the source code of the cockpit RHEL system role was changed to use the dnf module directly with an asterisk wildcard package name and a list of packages to exclude. As a result, the role correctly installs all requested packages that match the wildcard pattern.

The sos clean on an existing archive no longer fails

Previously, an existing archive could not be cleaned by running sos clean due to a regression in the sos code that incorrectly detected the root directory of a tarball and prevented it from cleaning data. As a consequence, sos clean running on an existing sosreport tarball does not clean anything within the tarball. This update adds an implementation of a proper detection of the root directory in the reordered tarball content. As a result, sos clean performs sensitive data obfuscation on an existing sosreport tarball correctly.

The sos stops collecting user’s .ssh configuration

Previously, the sos utility collected the .ssh configuration by default from a user. As a consequence, this action caused a broken system for users that are mounted by using automount utility. With this update, the sos utility no longer collects the .ssh configuration.

Netavark no longer fails resolving DNS TCP queries

Previously, when you ran a container in a Podman network, some domain names would not resolve even though they worked on the host system or in a container not using the Podman network. With this update, Netavark supports TCP DNS queries and the problem is fixed.

HSM support is available as a Technology Preview

Hardware Security Module (HSM) support is now available in Identity Management (IdM) as a Technology Preview. You can store your key pairs and certificates for your IdM CA and KRA on an HSM. This adds physical security to the private key material.

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines

As a Technology Preview, RHEL 10 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

composefs filesystem is available as a Technology Preview

composefs is the default backend for container storage. The key technologies composefs uses are:

Pushing and pulling images compressed with zstd:chunked is available as a Technology Preview

The zstd:chunked compression is now available as a Technology Preview.

auth or authconfig commands are removed

The auth or authconfig Kickstart commands which were deprecated in Red Hat Enterprise Linux 8, are removed now. As a replacement, use the authselect kickstart command.

The inst.xdriver and inst.usefbx options have been removed

The graphical system for the installation image switched from the Xorg server to a Wayland compositor. As a consequence, the inst.xdriver boot option has been removed. Wayland operates without relying on X drivers, making it incompatible with loading any such drivers. As a result, the inst.xdriver option is no longer applicable.

The openstack image type has been deprecated from RHEL image builder

From the RHEL 10-beta onward, RHEL image builder will no longer support the Openstack image type. You can use the .qcow2 image type to build Openstack images.

Capturing screenshots from the Anaconda GUI with a global hot key is removed

Previously, users could capture screenshots of the Anaconda GUI by using a global hot key. Consequently, users could extract the screenshots manually from the installation environment for any further usage. This functionality has been removed.

Removed inst.nompath, dmraid and nodmraid boot options

The inst.nompath, dmraid and nodmraid boot options have been removed now and are no longer available for use.

Removed automatic bug reporting system from Anaconda

The installer no longer supports automatically reporting problems to the Red Hat issue tracking system. You can collect the installation logs and report problems manually, as described in the troubleshooting section.

Removed a few options of the timezone Kickstart command

The following options of the timezone Kickstart command has been removed in Red Hat Enterprise Linux 10:

Removed the --level parameter of the logging Kickstart command

The --level parameter of the logging kickstart command has been removed. It is no longer possible to set the level of logging of the installation process.

The support for %anaconda Kickstart command has been removed

The support for the deprecated %anaconda Kickstart command has been removed. You can use the kernel arguments and command line line options to update the configuration in the Anaconda configuration files.

Removed pwpolicy Kickstart command

The support for the deprecated pwpolicy Kickstart command has been removed in Red Hat Enterprise Linux 10.

Removed support for adding additional repositories from GUI

Previously, when configuring the installation source, you could configure the additional repositories for the package installation. Starting in RHEL 10, this support has been removed. However, you can use the Kickstart installation method or inst.addrepo boot option if you want to specify additional repositories.

Removed support of the LUKS version selection from Anaconda

Previously, you could select the LUKS version from the Manual Installation screen. Starting in RHEL 10, the installer uses the luks2 version by default for all the new devices. No changes are made to the existing devices' LUKS version. You can also use the Kickstart method to select different LUKS versions.

The initial-setup package now has been removed

The initial-setup package has been removed in Red Hat Enterprise Linux 10. As a replacement, use gnome-initial-setup for the graphical user interface.

Redesigned the Time & Date spoke in the Installer GUI

Previously, Anaconda users were able to select the timezone using the time zone map. This screen is now redesigned and the timezone map has been replaced with the options where users can set the required timezone.

Removed teaming options from the network kickstart command

The --teamslaves and --teamconfig options used for configuring team devices in the network kickstart command have been removed. To configure similar network settings, use the --bondslaves and --bondopts options to set up a Bond device.

Removed NVDIMM reconfiguration support during the installation process

The support for reconfiguring NVDIMM devices during the Kickstart and GUI installation has been removed in RHEL-10. However, the NVDIMM devices in the sector mode can still be usable in the installation program.

The --excludeWeakdeps and --instLangs options from %packages have been removed

In RHEL-10, the --excludeWeakdeps and --instLangs options used in the %packages section have been removed. To maintain similar functionality, use the updated options --exclude-weakdeps and --inst-langs instead. These replacements ensure compatibility and provide the same dependency and language control within package management.

scap-workbench is removed

The scap-workbench package is removed in RHEL 10. The scap-workbench graphical utility was designed to perform configuration and vulnerability scans on a single local or remote system. As an alternative, you can scan local systems for configuration compliance by using the oscap command and remote systems by using the oscap-ssh command. For more information, see Configuration compliance scanning.

oscap-anaconda-addon is removed

The oscap-anaconda-addon, which provided means to deploy baseline-compliant RHEL systems by using the graphical installation, is removed in RHEL 10. As an alternative, you can build RHEL images that comply with a specific standard by Creating pre-hardened images with RHEL image builder OpenSCAP integration.

OVAL removed from vulnerability scanning applications

The Open Vulnerability Assessment Language (OVAL) data format, which provides declarative security data processed by the OpenSCAP suite, has been removed. Red Hat continues to provide declarative security data in the Common Security Advisory Framework (CSAF) format, which is the successor of OVAL.

DSA and SEED algorithms have been removed from NSS

The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is removed from the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA and ECDSA.

HeartBeat removed from TLS

The support for the HeartBeat extension in TLS has been removed to reduce the attack surface.

SRP authentication removed from TLS

Authentication that uses Secure Remote Password protocol (SRP) in TLS has been removed from the gnutls package and is no longer supported. SRP authentication is considered insecure because it cannot be used with TLS 1.3 and relies on Cipher block chaining (CBC) and SHA-1 as a key exchange.

Keylime no longer supports HTTP for revocation notifications

The Keylime components no longer support the HTTP protocol for revocation notification webhooks. Use HTTPS instead. As a consequence, the Keylime verifier now requires the revocation notification webhook server CA certificate. You can add it to the trusted_server_ca configuration option or add it to the system trust store.

DEFAULT cryptographic policy rejects TLS ciphers with RSA key exchange

TLS ciphers that use the RSA key exchange are no longer accepted in the DEFAULT system-wide cryptographic policy in RHEL 10. These ciphers do not provide perfect forward secrecy and are not considered as secure as ciphers that use other key exchanges, for example, the Elliptic-curve Diffie-Hellman (ECDH) key exchange.

ca-certificates trust store moved

The /etc/pki/tls/certs trust store is converted to a different format better optimized for OpenSSL. As a consequence, if you use the files in /etc/pki/tls/certs directly, switch to the /etc/pki/ca-trust/extracted directory, where the same data is stored. For example, software that accesses the trust bundle at /etc/pki/tls/certs/ca-bundle.crt should switch to using /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead.

The LEGACY cryptographic policy disallows SHA-1 signatures in TLS

The LEGACY system-wide cryptographic policy in RHEL 10 no longer allows creating or verifying signatures that use SHA-1 in TLS contexts. Therefore, libraries other than OpenSSL might no longer accept or create any signatures that use SHA-1 regardless of use case. OpenSSL continues to accept signatures that use SHA-1 when not used for TLS if the system is in LEGACY or this functionality is re-enabled with a custom subpolicy.

pam_ssh_agent_auth is removed

The pam_ssh_agent_auth package has been removed from RHEL 10.

OpenSSL no longer permits SHA-1 at SECLEVEL=2 in TLS

OpenSSL does not accept the SHA-1 algorithm at SECLEVEL=2 in TLS in RHEL 10. If your scenario requires using TLS 1.0/1.1, you must explicitly set SECLEVEL=0 and switch to the LEGACY system-wide cryptographic policy. In the LEGACY policy, applications that use SHA-1 in signatures outside of TLS will continue to work.

stunnel does not support OpenSSL ENGINE API

The stunnel TLS offloading and load-balancing proxy no longer supports the previously deprecated OpenSSL ENGINE API. The most common use case was accessing hardware security tokens by using PKCS #11 through the openssl-pkcs11 package. As a replacement, you can use the pkcs11-provider, which uses the new OpenSSL provider API.

OpenSSL Engines removed from OpenSSL

OpenSSL Engines have been deprecated and will soon be removed from upstream. Therefore, the openssl-pkcs11 package has been removed from OpenSSL in RHEL 10. Use providers instead, such as the pkcs11-provider, which is supported in this version.

Several subscription-manager modules have been removed

Because of a simplified customer experience in Red Hat subscription services, which have transitioned to the Red Hat Hybrid Cloud Console and to account level subscription management with Simple Content Access, the following previously deprecated modules have been removed:

The support for the libreport library has been removed

The support for the libreport library has been removed from DNF. If you want to attach DNF logs to your bug reports, you need to do it manually or by using a different mechanism.

The DNF debug plug-in has been removed

The DNF debug plug-in, which included the dnf debug-dump and dnf debug-restore commands, has been removed from the dnf-plugins-core package. Depending on your scenario, you can use one of the following commands instead:

Significant changes in the package set for infrastructure services

The following packages are no longer included in Red Hat Enterprise Linux:

The dhcp-client package has been removed

The dhcp-client package has been removed from RHEL 10, because the ISC DHCP client is no longer maintained upstream. As a consequence, the dhclient utility is no longer available and you cannot use it as DHCP client in NetworkManager. As an alternative, use the NetworkManager-internal DHCP client, which was also the default in previous RHEL versions.

The kexec_load system call is removed

The kexec_load system call, which was deprecated in RHEL 9, is removed. In RHEL 10, the kexec_file_load system call replaces kexec_load and is the default system call on all architectures. Also, kexec_file_load is required for a secure boot.

Support for NVMe devices has been removed from the lsscsi package

Support for Non-volatile Memory Express (NVMe) devices has been removed from the lsscsi package. Use native tools such as nvme-cli, lsblk, and blkid instead. Report any missing functionality against the nvme-cli package.

Support for NVMe devices has been removed from the sg3_utils package

Support for Non-volatile Memory Express (NVMe) devices has been removed from the sg3_utils package. Use native tools such as the nvme-cli package instead and report any missing functionality against nvme-cli.

The VDO sysfs parameters have been removed

The Virtual Data Optimizer (VDO) sysfs parameters have been removed. Except for log_level, all module-level sysfs parameters for the kvdo module are removed. For individual dm-vdo targets, all sysfs parameters specific to VDO are also removed. There is no change for the parameters that are common to all DM targets. Configuration values for dm-vdo targets that are currently set by updating the removed module-level parameters, can no longer be changed.

Support for GFS2 file systems has been removed

The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On will no longer be supported starting with Red Hat Enterprise Linux 10. This includes the GFS2 file system, which is also no longer supported. The RHEL Resilient Storage Add-On will continue to be supported with earlier versions of RHEL (7, 8, 9) and throughout their respective maintenance support lifecycles.

pcsd Web UI no longer available as a standalone user interface

The pcsd Web UI has been modified to be usable as a RHEL web console add-on and is no longer operated as a standalone interface.

Removed functionality for the Red Hat High Availability Add-On

The following Red Hat High Availability Add-On features are no longer supported in RHEL 10.

Support for the RHEL Resilient Storage Add-On has been removed

The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On will no longer be supported starting with Red Hat Enterprise Linux 10 and any subsequent releases after RHEL 10. The RHEL Resilient Storage Add-On will continue to be supported with earlier versions of RHEL (7, 8, 9) and throughout their respective maintenance support lifecycles.

The enumeration feature has been removed for AD and IdM

Support for the enumeration feature was deprecated for AD and IdM in Red Hat Enterprise Linux (RHEL) 9. The enumeration feature has been removed for AD and IdM in RHEL 10.

The libsss_simpleifp subpackage has been removed

The libsss_simpleifp subpackage that provided the libsss_simpleifp.so library was deprecated in Red Hat Enterprise Linux (RHEL) 9. The libsss_simpleifp subpackage has been removed in RHEL 10.

The pam_console module has been removed

The pam_console module has been removed from RHEL 10. The pam_console module granted file permissions and authentication capabilities to users logged in at the physical console or terminals, and adjusted these privileges based on console login status and user presence. As an alternative to pam_console, you can use the systemd-logind system service instead. For configuration details, see the logind.conf(5) man page.

The NIS server emulator has been removed

RHEL Identity Management (IdM) does not provide the NIS functionality anymore.

Other removed functionality for RHEL Identity Management

The following packages were part of RHEL 9 but are not distributed with RHEL 10:

BDB is no longer supported in 389-ds-base

The libdb library that implements the Berkeley Database (BDB) version used by 389-ds-base is no longer available in RHEL 10. As a result, Directory Server no longer supports BDB.

TigerVNC has been removed

The TigerVNC remote desktop solution has been removed in RHEL 10.

Totem media player has been removed in RHEL 10

The RHEL 10 installation does not contain any media player by default. You can use any third party media player available, for example, on Flathub.

power-profiles-daemon is removed in RHEL 10

The power-profiles-daemon package that provided power mode configuration in GNOME has been removed in RHEL 10. In RHEL 10, you can manage power profiles with the Tuned daemon.

gedit is removed in RHEL 10

gedit, the default graphical text editor in Red Hat Enterprise Linux, is removed in RHEL 10. As an alternative, you can use GNOME Text Editor.

Tweaks is no longer available as a RHEL package in RHEL 10

Instead of the Tweaks desktop application, you can use the default GNOME Settings app, which has been expanded to include many options previously only found in Tweaks.

Qt5 libraries are removed in RHEL 10

Qt5 libraries are replaced with Qt6 libraries, with new functionality and better support.

WebKitGTK is removed in RHEL 10

The WebKitGTK web browser engine is removed in RHEL 10. As a consequence, you can no longer build applications that depend on WebKitGTK. Desktop applications other than Firefox can no longer display web content. There is no alternative web browser engine provided in RHEL 10.

Evolution is removed in RHEL 10

Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The application and its plugins are removed in RHEL 10. You can find an alternative in a third party source, for example on Flathub.

Festival is not supported in RHEL 10

With support for the Festival speech synthesizer removed in RHEL 10, the Festival binaries, libraries and the plugin for Speech Dispatcher are also removed.

The Eye of GNOME is removed

The Eye of GNOME (eog) image viewer application is removed in RHEL 10.

Cheese is removed

The Cheese camera application is removed in RHEL 10.

Devhelp has been removed

Devhelp, a graphical developer tool for browsing and searching API documentation, has been removed in RHEL 10. You can now find API documentation online in specific upstream projects.

gtkmm based on GTK 3 has been removed

gtkmm is a C++ interface for the GTK graphical toolkit. The gtkmm version that was based on GTK 3 has been removed in RHEL 10 with all its dependencies. To access gtkmm in RHEL 10, migrate to the gtkmm version based on GTK 4.

The PulseAudio daemon is removed in RHEL 10

The PulseAudio daemon, and its packages pulseaudio and alsa-plugins-pulseaudio, have been removed in RHEL 10.

Red Hat Virtualization compatibility has been removed from virt-v2v

Because the maintenance support for Red Hat Virtualization (RHV) has ended, the virt-v2v utility no longer supports exporting virtual machines to RHV. As a consequence, the following options are no longer available in virt-v2v:

Anaconda built-in help has been removed

The built-in documentation from spokes and hubs of all Anaconda user interfaces, which was available during Anaconda installation, has been removed. Instead, refer to the official RHEL documentation.

The squashfs package has been deprecated

The squashfs package has been deprecated, and. As an alternative, dracut has support for mounting erofs.

sgdisk has been deprecated from the boot.iso

gdisk has been deprecated from the boot.iso image type. You still can use gdisk in your kickstarts. For the boot.iso image type, other tools are available for handling GPT disks, for example, the parted utility.

The module kickstart command has been deprecated

Anaconda has deprecated its support for DNF modularity, and as a consequence the module kickstart command has been deprecated. This might impact you if you are using modules in the %packages section of your kickstart files or the module kickstart command. This change is implemented for simplifying the installation process and ensuring a more consistent experience moving forward.

The inst.gpt boot option is now deprecated

The inst.gpt boot option is now deprecated and will be removed in the future releases. To specify a preferred disk label type, use the inst.disklabel boot option. Specify gpt or mbr to create GPT or MBR disk labels, respectively.

ENGINE API in OpenSSL is deprecated

In RHEL 10, ENGINE API is deprecated and is planned to be removed in a future major release. No new applications should be built by using the ENGINE API. To keep application binary interface (ABI) and existing applications working, OpenSSL still exports the ENGINE symbols. To prevent new applications from using ENGINE API, OpenSSL sets the OPENSSL_NO_ENGINE flag system-wide, and the header engine.h that exposes the ENGINE API has been removed.

HMAC-SHA-1 in FIPS mode is deprecated

The HMAC-SHA-1 cryptographic algorithm is deprecated in FIPS mode, and it may be removed in a future release. Outside FIPS mode, support for HMAC-SHA-1 is preserved.

The perl(Mail::Sender) module has been removed

The perl(Mail::Sender) module is removed from RHEL 10 without any replacement. As a consequence, the checkbandwidth script from net-snmp-perl package does not support email alerts when bandwidth high/low levels for a host or interface are reached.

Deprecated High Availability Add-On features

The following features have been deprecated in Red Hat Enterprise Linux 10 and will be removed in the next major release

The utmp and utmpx interfaces in glibc are deprecated

The utmp and utmpx interfaces provided by the glibc library include a counter that counts time since the Unix epoch. This counter will overflow on February 07, 2106. Therefore, utmp and utmpx are deprecated in RHEL 10 and will be removed in RHEL 11.

The host switcher in the RHEL web console is deprecated

The host switcher that provides connections to multiple machines through SSH from a single RHEL web console session is deprecated and disabled by default. Due to the web technology limitations, this feature cannot be secure. You can enable the host switcher after assessing the risks in your scenario. As more secure alternatives, you can use:

The i440fx virtual machine type has been deprecated

In RHEL 10, the i440fx machine types for virtual machines (VMs) have become deprecated, and will be removed in a future major version of RHEL.

The runc container runtime has been removed

The runc container runtime is removed. The default container runtime is crun. If you upgrade from the previous RHEL versions to RHEL 10.0 Beta, you have to run the podman system migrate --new-runtime=crun command to set a new OCI runtime for all containers.

tzdata package is no longer installed by default in the minimal container images

The tzdata package is no longer installed in the registry.access.redhat.com/ubi10-beta-minimal container image. As a consequence, if you migrate your minimal container builds from a previous RHEL release to RHEL 10.0 Beta, and you enter the microdnf reinstall tzdata command to reinstall the tzdata package, you get an error message because the tzdata package is no longer installed by default. In this case, enter the microdnf install tzdata command to install tzdata.

The Podman v5.0 deprecations

In RHEL 10.0 Beta, the following is deprecated in Podman v5.0:

Anaconda installer appears as unresponsive in the rescue mode

When booting into a rescue mode and selecting the Continue or Skip to shell options, you might experience an issue where the Anaconda installer appears to be frozen. Despite the lack of visible response, the installer is still functional and reacting to your inputs; however, the prompt does not display on the screen, leading to confusion.

Unable to register RHEL-10 beta systems with Red Hat Satellite

Currently, Red Hat Satellite does not support RHEL-10 clients. As a result, attempting to register your system to a Satellite instance during the RHEL-10 beta installation fails. As a consequence, your system remains unregistered to Satellite after installation, which might impact further system management through Satellite. At the moment, there is no workaround.

Unable to build ISOs from a signed container

Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

The Red Hat Insights remediations service is not available to execute playbooks in RHEL 10-beta for directly connected systems

Due to a missing RPM package (rhc-worker-playbook), the remediations service cannot execute playbooks in RHEL 10-beta for systems that are directly connected with the remote host configuration (rhc) client.

Nginx does not support PKCS #11 and TPM

The OpenSSL engines API was deprecated in RHEL 9 and removed from Nginx in RHEL 10. The corresponding functionality using the current OpenSSL providers API is not yet available. As a consequence, the Nginx HTTP server does not work with hardware security modules (HSMs) through PKCS #11 and Trusted Platform Module (TPM) devices.

crashkernel boot parameter does not load in rhel-guest-image

Presently, RHEL cloud image built by osbuild misses the crashkernel kernel parameter. As a result, kdump.service fails to start.

The kdump service fails during boot

After the installation of registry.redhat.io/rhel9/rhel-bootc container image to a physical system, the kdump.service fails.

The new version of TBB is incompatible

RHEL 10 includes the Threading Building Blocks (TBB) library version 2021.11.0, which is incompatible with the versions distributed with previous releases of RHEL. You must rebuild applications that use TBB to make them run on RHEL 10.

The IdM server functions only partially or not at all

In this release, changes introduced by OpenSSL have impacted the integrated DNS functionality within Identity Management (IdM). Most notably, the OpenSSL PKCS #11 engine is replaced by a new pkcs11-provider. This shift affects multiple components in IdM, including ipa, bind, bind-dyndb-ldap, softhsm, and python-cryptography.

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.

Migrating an IdM deployment may result in duplicate HBAC rules

Migrating from one Identity Management (IdM) deployment to another by using the ipa-migrate utility may lead to duplicate host-based access control (HBAC) rules on the destination server. Consequently, the allow_all and allow_systemd-user HBAC rules appear twice when running the ipa hbacrule-find command on that server.

Automatic host keytab renewal via adcli run by SSSD is failing

In direct SSSD-AD integration, SSSD checks daily if the machine account password is older than the configured age in days and, if needed, tries to renew it. The configured age is set by the ad_maximum_machine_account_password_age value, with a default of 30 days. A value of 0 disables the renewal attempt.

dsctl healthcheck can report a wrong database type

If you created an instance with the Lightning Memory-Mapped Database Manager (LMDB) database type, running the dsctl healthcheck command can result in on of the following error messages, because Directory Server checks a wrong configuration parameter:

An error message is displayed during migration from BDB to LMDB

When you run the dsctl dblib bdb2mdb command to migrate from Berkeley Database (BDB) to Lightning Memory-Mapped Database Manager (LMDB) and you have not enabled the replication, the following error message is displayed in the output:

VNC console in the RHEL web console does not work correctly on ARM64

Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and then you try to interact with it in the VNC console, the console does not react to your input.

Using SEV-SNP is not possible

Currently, when attempting to start an AMD SEV-SNP enabled virtual machine (VM), QEMU checks the incorrect capability of KVM, and the guest fails to start. As a consequence, running VMs with AMD SEV-SNP configured is not possible with RHEL10 Beta. There is no workaround for the issue.

RDMA devices currently do not work on vSphere

When using a RHEL 10 instance on the VMware vSphere platform, the vmw_pvrdma module currently does not install properly. As a consequence, VMware paravirtual remote direct memory access (PVRDMA) devices do not work on the affected instances.

Podman and bootc do not share the same registry login process

Podman and bootc use different registry login processes when pulling images. As a consequence, if you login to an image by using Podman, logging to a registry for bootc will not work on that image. When you install an image mode for RHEL system, and login to registry.redhat.io by using the following command:

cloud-init growpart skips with composefs is enabled

When composefs is enabled, if you generate an image from the generic base image, then the rootfs will note grow the filesystem, prompting an error similar to: