Chapter 4. New features and enhancements
This version adds the following major new features and improvements of some existing features. Some packages might be rebased to a newer upstream version, which provides significant improvements.
4.1. Installer and image creation
bootc-image-builder now supports creating image mode disk images with advanced partitioning
With this enhancement, the bootc-image-builder tool gained more options for customizing partitioning. You can use the bootc-image-builder tool to create disk images of image-mode RHEL with custom mountpoints, including custom mount options, LVM-based partitions, and LVM-based swap. For example, you can change the size of the / and /boot directories by using the config.toml file. As a consequence, you can create disk images with an advanced partitioning layout.
Jira:RHELDOCS-18532[1]
RHEL 10 disk images will have predictable network interface names
The net.ifnames=0 argument is removed from the kernel arguments, causing all systems to use predictable network interface names. As a consequence, from RHEL 10 Beta onward, disk images created with RHEL image builder have predictable network interface names. There are no plans for backporting this update to older RHEL versions. As a workaround for older versions, remove the kernel argument after the first boot and reboot the system. See Configuring kernel command-line parameters for more details.
Jira:RHELDOCS-18880[1]
RHEL 10 disk images no longer have a separate /boot partition
RHEL 10 Public Beta disk images, such as AWS images or KVM images, do not have a separate /boot partition. In RHEL images, the /boot partition removal targets confidential computing.
This change prevents the /boot partition from running out of disk space, which was often the case when /boot was on a separate partition. As a result, operational failures are less likely to occur.
Jira:RHELDOCS-18902[1]
New users created in Anaconda are administrators by default
Previously, while creating new users from the installer, the Add administrative privileges to this user account option in graphical installation was deselected. Starting with RHEL 10, this option is selected by default. As a result, the newly created users have administrative privileges in the system by default. You can deselect this option to remove the administrative privileges of the new users, if needed.
Jira:RHELDOCS-18425[1]
NVMe over Fabrics devices are now available in the RHEL installation program
You can now add NVMe over Fabrics devices to your RHEL installation to extend the benefits of NVMe storage beyond local devices, enabling the same high-performance, low-latency access over a network. In the RHEL installation program, you can select these devices under the NVMe Fabrics Devices section while adding disks on the Installation Destination screen.
Jira:RHELDOCS-18819[1]
Remote Desktop Protocol (RDP) replaces VNC for graphical remote access
The protocol for graphical remote access has changed from VNC to the Remote Desktop Protocol (RDP), a more robust and secure option for graphical remote access. It offers a reliable and encrypted connection, overcoming the limitations of VNC, which lacked encryption support and enforced password length restrictions.
You can now securely connect to graphical installation sessions. As part of this change, the inst.vnc, inst.vncpassword, and inst.vncconnect kernel boot options have been removed and the new options inst.rdp, inst.rdp.password, and inst.rdp.username have been introduced.
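Existing PXE, GRUB, or kickstart-related boot entries may still carry the removed options. The following script is an added example, not Red Hat code: it reports every occurrence of inst.vnc, inst.vncpassword, and inst.vncconnect in the files you pass to it and never prints option values, so a VNC password stored in a boot entry does not leak into the report. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Red Hat code): locate the installer boot options that
# RHEL 10 removed (inst.vnc, inst.vncpassword, inst.vncconnect) in boot
# configuration files such as PXE or GRUB entries.

find_removed_vnc_opts() {
    # Usage: find_removed_vnc_opts FILE...
    # Output: one "file:line:option" record per occurrence.
    # Only the option name is printed; "=value" is dropped on purpose so that
    # passwords in boot entries are not copied into logs or tickets.
    awk '
    {
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            name = tok[i]
            sub(/=.*$/, "", name)
            if (name == "inst.vnc" ||
                name == "inst.vncpassword" ||
                name == "inst.vncconnect")
                printf "%s:%d:%s\n", FILENAME, FNR, name
        }
    }' "$@"
}

check_boot_configs() {
    # Prints the findings and returns 1 when any file still uses a removed
    # option; returns 0 when all files are clean.
    findings=$(find_removed_vnc_opts "$@")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When called with file arguments, act as a command-line check.
if [ "$#" -gt 0 ]; then
    check_boot_configs "$@"
fi
```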
4.2. Security
keylime-agent-rust provided in version 0.2.5
The keylime-agent-rust package, which contains the Keylime agent, is provided in version 0.2.5 in RHEL 10. This version offers important enhancements and bug fixes, most importantly the following:
- Added support for Initial Device Identity (IDevID) and Initial Attestation Key (IAK) for device identity. The following configuration options have been added:
  - enable_iak_idevid (default: false): Enables the use of IDevID and IAK certificates to identify the device.
  - iak_idevid_template (default: detect): Specifies the template that sets the algorithms to be used for IDevID and IAK (defined in TPM 2.0 Keys for Identity and Attestation, section 7.3.4). The detect keyword sets the template according to the algorithms used in the configured certificates.
  - iak_idevid_name_alg (default: sha256): Specifies the digest algorithm used in IDevID and IAK. Used only if the iak_idevid_template option is not set as detect.
  - iak_idevid_asymmetric_alg (default: rsa): Specifies the signing algorithm used in IDevID and IAK. Used only if the iak_idevid_template option is not set as detect.
  - iak_cert (default: default): Specifies the path to the file that contains the X509 IAK certificate. The default path is /var/lib/keylime/iak-cert.crt.
  - idevid_cert (default: default): Specifies the path to the file that contains the X509 IDevID certificate. The default path is /var/lib/keylime/idevid-cert.crt.
- Configurable IMA and measured boot event log locations are supported by using the new ima_ml_path and measuredboot_ml_path configuration options.
- Local DNS name, local IP, and configured contact IP are included as part of the Subject Alternative Name of the generated self-signed X509 certificate.
- IPv6 addresses with or without brackets are supported in the registrar_ip configuration option.
- Hexadecimal encoded values are supported in the tpm_ownerpassword configuration option.
- TLS 1.3 is enabled in connections to the agent.
libreswan provided in version 4.15
The libreswan packages are provided in version 4.15 in RHEL 10. This version offers substantial improvements over the previous version 4.12 that was provided in previous releases:
- Removed a dependency on libxz through libsystemd.
- In IKEv1, default proposals have been set to aes-sha1 for Encapsulating Security Payload (ESP) and sha1 for Authentication Header (AH).
- IKEv1 rejects ESP proposals that combine Authenticated Encryption with Associated Data (AEAD) and non-empty INTEG.
- IKEv1 rejects exchange when a connection has no proposals.
- IKEv1 has a more limited default cryptosuite:
    IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
    ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
    AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
- Failures of the libcap-ng library are no longer fatal.
- TFC padding is set for AEAD algorithms in the pluto utility.
Jira:RHEL-52935[1]
New package: rust-sequoia-sq
The Sequoia PGP suite provides a memory-safe implementation of the OpenPGP standard for ensuring confidentiality, key management, authentication, and digital signatures. The sq command-line tool is a frontend for managing OpenPGP encryption and signatures.
Jira:RHELPLAN-170379[1]
New package: rust-sequoia-sqv
The sqv program verifies OpenPGP signatures.
Jira:RHELPLAN-170378[1]
OpenSSH provided in version 9.8
RHEL 10 provides OpenSSH in version 9.8, which introduces many fixes and improvements over OpenSSH 8.7, which was provided in RHEL 9. For the complete list of changes, see the openssh-9.8p1/ChangeLog file. The most important changes are as follows:
- A system for restricting forwarding and use of keys that were added to the ssh-agent program has been added to ssh, sshd, ssh-add, and ssh-agent programs.
- Improvements to the use of the FIDO standard:
  - The verify-required certificate option has been added to ssh-keygen.
  - Fixes to FIDO key handling reduce unnecessary PIN prompts for keys that support intrinsic user verification.
  - A check for existing matching credentials in the ssh-keygen program prompts the user before overwriting the credential.
-
The
- New EnableEscapeCommandline option in the ssh_config configuration file enables the command line option in the EscapeChar menu for interactive sessions.
- New ChannelTimeout keyword specifies whether and how quickly the sshd daemon should close inactive channels.
- The ssh-keygen utility generates Ed25519 keys by default except in FIPS mode, where the default is RSA.
- The ssh client performs keystroke timing obfuscation by sending interactive traffic at fixed intervals, every 20 ms by default, when only a small amount of data is being sent. It also sends fake keystrokes for a random interval after the last real keystroke, defined by the ObscureKeystrokeTiming keyword.
- DSA keys have been deprecated, and might be removed in a future major release.
- With the new ChannelTimeout type, ssh and sshd close all open channels if all channels lack traffic for a specified interval. This is in addition to the existing per-channel timeouts.
- The sshd server blocks client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication, or that crash the server.
- The sshd server penalizes client addresses that do not successfully complete authentication. The penalties are controlled by the new PerSourcePenalties keyword in sshd_config.
- The sshd server is split into a listener binary sshd and a per-session binary sshd-session. This reduces the size of the listener binary, which does not need to support the SSH protocol. This also removes support for disabling privilege separation and disabling re-execution of sshd.
- In portable OpenSSH, sshd no longer uses argv[0] as the PAM service name. You can select the service name at runtime with the new PAMServiceName directive in the sshd_config file. This defaults to "sshd".
- The HostkeyAlgorithms keyword allows ssh to disable implicit fallback from certificate host key to plain host keys.
- The components have been hardened in general and work better with the PKCS #11 standard.
Added custom configuration for pkcs11-provider
The pkcs11-provider allows direct access to hardware tokens by using pkcs11 URIs from OpenSSL programs. Upon installation, the pkcs11-provider is automatically enabled and loads tokens detected by the pcscd daemon by using the p11-kit driver by default. As a result, after installing the package, you can use tokens available to the system by providing a key URI in the pkcs11 URI format to an application that supports that format, without further changes to the OpenSSL configuration. Uninstalling the package also removes the OpenSSL configuration snippet, which prevents errors when OpenSSL parses the configuration files.
File context equivalency set to /var/run = /run in the SELinux policy
The previous /run = /var/run file context equivalency is now inverted to /var/run = /run and the SELinux policy sources have been updated accordingly. The equivalency has been inverted to match the actual filesystem state and to prevent some userspace tools from reporting an error. This change should not be visible from the user or admin perspective. If you have any custom modules that contain file specification for files in /var/run, change them to /run.
Jira:RHEL-36094[1]
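For custom modules, the change amounts to rewriting the path part of each file specification in the module's .fc source. The following script is an added example, not part of the SELinux policy sources: it lists and rewrites specifications whose path is /var/run or lies below it, while leaving look-alike paths such as /var/runtime and comments untouched. The function names and the sample module are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the SELinux policy sources): find and rewrite
# /var/run file specifications in the .fc source of a custom policy module.

# Matches a specification whose path is /var/run itself or lies below it.
# /var/runtime or /var/run-foo are different paths and do not match.
# Specifications that reach /var/run through a regex alternation, such as
# /var/(run|lock)/..., are not detected and need manual review.
VAR_RUN_SPEC='^([[:space:]]*)/var/run(/|\(|[[:space:]]|$)'

list_var_run_specs() {
    # Usage: list_var_run_specs FILE.fc
    # Prints "line-number:specification" for every match.
    grep -nE "$VAR_RUN_SPEC" "$1" || true
}

count_var_run_specs() {
    # Prints the number of specifications that still point at /var/run.
    grep -cE "$VAR_RUN_SPEC" "$1" || true
}

rewrite_var_run_specs() {
    # Prints the rewritten .fc content to stdout; the input file is not
    # modified, so the result can be reviewed with diff before it is used.
    sed -E "s#${VAR_RUN_SPEC}#\1/run\2#" "$1"
}

# When called with a file argument, show what would change.
if [ "$#" -gt 0 ]; then
    list_var_run_specs "$1"
fi
```

Review the output of rewrite_var_run_specs with diff against the original before rebuilding and reinstalling the module.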
OpenSSL uses pkcs11-provider for hardware tokens
Because OpenSSL 3.0 deprecated engines and replaced them with providers, RHEL 10 replaces the openssl-pkcs11 engine with the pkcs11-provider. This allows OpenSSL to use hardware tokens in applications such as apache HTTPD, libssh, bind, and other applications that are linked with OpenSSL and use asymmetric private keys stored in an HSM, smartcard or other tokens with a PKCS #11 driver available.
New capability.conf(5) man page
The capability.conf(5) man page has been added. It provides descriptions for the capability.conf configuration file and the pam_cap.so module arguments.
libkcapi provided in version 1.5.0
In RHEL 10.0, the libkcapi packages are provided in upstream version 1.5.0. This version provides various bug fixes, optimizations and enhancements, most notably:
- The sha* applications have been removed and replaced with a single application called kcapi-hasher. Symlinks to kcapi-hasher with equivalent names as the original sha* applications have been added into the bin and libexec directories. This change does not cause any known regressions.
- The sha3sum command, which prints checksums of files that use sha3, has been added.
- The kcapi_md_sha3_* wrapper APIs have been added.
Jira:RHEL-50457[1]
Stricter SSH host key permissions have been restored
The necessary host key permissions have been changed from the previous less strict value of 0640 to 0600, which is also the value used upstream. The ssh_keys group, which previously owned all SSH keys, has also been removed. Therefore, the ssh-keysign utility uses the SUID bit instead of the SGID bit.
Jira:RHEL-59102[1]
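Host keys that are restored from a backup or deployed by configuration management can still carry the old 0640 mode or the ssh_keys group. The following script is an added example, not OpenSSH or Red Hat code: it audits the private host keys in a directory against the 0600 requirement and flags keys whose group is ssh_keys. The function names are hypothetical, and GNU stat from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not OpenSSH or Red Hat code): audit private SSH host keys
# against the 0600 requirement. Assumes GNU stat (coreutils).

audit_hostkeys() {
    # Usage: audit_hostkeys [DIR]   (DIR defaults to /etc/ssh)
    # Prints one finding per line and returns 1 if any private host key is
    # accessible to group or other, or is still owned by the ssh_keys group.
    dir=${1:-/etc/ssh}
    bad=0
    # The pattern ends in "_key", so the public *.pub files are not matched.
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # unmatched glob or not a regular file
        mode=$(stat -c '%a' "$key")
        group=$(stat -c '%G' "$key")
        # Any group/other permission bit is too permissive (0640 fails, 0600
        # and 0400 pass). The leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf 'MODE %s %s\n' "$mode" "$key"
            bad=1
        fi
        if [ "$group" = "ssh_keys" ]; then
            printf 'GROUP %s %s\n' "$group" "$key"
            bad=1
        fi
    done
    return "$bad"
}

tighten_hostkeys() {
    # Usage: tighten_hostkeys [DIR]
    # Sets mode 0600 on every private host key. Group ownership is left
    # alone here because changing it requires root and a site decision.
    dir=${1:-/etc/ssh}
    for key in "$dir"/ssh_host_*_key; do
        if [ -f "$key" ]; then
            chmod 0600 "$key"
        fi
    done
    return 0
}

# When called with a directory argument, run the audit on it.
if [ "$#" -gt 0 ]; then
    audit_hostkeys "$1"
fi
```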
The selinux-policy git repository for CentOS Stream 10 is now publicly accessible
CentOS Stream contributors can now participate in the development of the SELinux policy by contributing to the c10s branch of the fedora-selinux/selinux-policy git repository. These contributions can then be used to improve the SELinux policy of RHEL 10.
p11-kit provided in version 0.25.5
The p11-kit packages are provided in version 0.25.5 in RHEL 10. This version provides enhancements and fixes over the previous version, most importantly, the following:
- Support for recursive attributes has been added to the p11-kit RPC protocol.
- A function to check run-time version of the library has been added.
- Version information is no longer accessible through macros.
- With the new --id option, you can assign an ID to key pairs generated with the generate-keypair command or imported with the import-object command.
- With the new --provider option, you can specify a PKCS #11 module when using p11-kit commands.
- Fixed a bug in p11-kit where the EdDSA mechanism was not recognized in generate-keypair.
- p11-kit falls back to the C_GetFunctionList function when the C_GetInterface function is not supported.
Jira:RHEL-46898[1]
pkeyutil now supports encapsulation and decapsulation
The pkeyutil OpenSSL subcommand supports performing encapsulation and decapsulation cryptographic operations. The new post-quantum cryptographic (PQC) algorithm ML-KEM (FIPS 203) permits only encapsulation and decapsulation operations, and you can now use algorithms such as RSASVE and ML-KEM through pkeyutil.
GnuTLS can use certificate compression
GnuTLS compresses client and server certificates with the zlib, brotli or zstd compression method according to RFC 8879 if both client and server support and enable it. This method reduces data usage, and should otherwise be unnoticeable to users.
Jira:RHEL-42514[1]
New no-atexit option in OpenSSL
OpenSSL is now built with the no-atexit option, so that the OPENSSL_cleanup function is no longer registered as an atexit handler. Using this option might cause the valgrind debugging tool to report one-time memory leaks of the resources allocated on OpenSSL startup.
setools provided in version 4.5.0
The setools packages are provided in version 4.5.0 in RHEL 10. This version provides bug fixes and enhancements, most notably the following:
- Graphical results for information flow analysis and domain transition analysis have been added to the apol, sedta, and seinfoflow tools.
- Tooltips and detail popups in apol have been added to help with cross-referencing query and analysis results, along with context-sensitive help.
RHEL 10 provides NSS in version 3.101
The NSS cryptographic toolkit packages are provided in version 3.101 in RHEL 10, which provides many bug fixes and enhancements. The most notable changes are the following:
- DTLS 1.3 protocol is now supported (RFC 9147).
- PBMAC1 support has been added to PKCS #12 (RFC 9579).
- Experimental support for X25519Kyber768Draft00 hybrid post-quantum key agreement has been added (draft-tls-westerbaan-xyber768d00). It will be removed in a future release.
- lib::pkix is the default validator in RHEL 10.
- RSA certificates with keys shorter than 2048 bits stop working in SSL servers, in accordance with the system-wide cryptographic policy.
OpenSSL can create FIPS-compliant PKCS #12 files
The OpenSSL secure communication suite has been updated and can now create PKCS #12 files in accordance with the RFC 9579 document.
gnutls provided in version 3.8.7
In RHEL 10.0, the gnutls library package is provided in upstream version 3.8.7. This version provides various bug fixes, optimizations and enhancements, most notably:
- Certificate compression in TLS is supported (RFC 8879).
- Optimal Asymmetric Encryption Padding scheme (RSA-OAEP) is supported (RFC 8017).
- API for incremental calculation of SHAKE hashes of arbitrary length across multiple calls has been added.
- RSA encryption and decryption with PKCS #1 v1.5 padding is deprecated and disallowed by default.
- In FIPS mode, gnutls now defaults to exporting PKCS #12 files with Password-Based Message Authentication Code 1 (PBMAC1) as defined in RFC 9579. If you need interoperability with systems running in FIPS mode, use PBMAC1 explicitly.
Jira:RHEL-50011[1]
The DEFAULT cryptographic policy uses additional scopes
The crypto-policies package now offers additional scopes @pkcs12, @pkcs12-legacy, @smime, and @smime-legacy, and uses them in the DEFAULT system-wide cryptographic policy. The selection of cryptographic algorithms used for PKCS #12 and S/MIME when network security services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges:
    cipher@pkcs12 = AES-256-CBC AES-128-CBC
    cipher@pkcs12-import = 3DES-CBC+ RC2-CBC+
    cipher@smime = AES-256-CBC AES-128-CBC 3DES-CBC
    cipher@smime-import = RC2-CBC+
    hash@{pkcs12,smime} = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 \
        SHA2-224 SHA3-224
    hash@{pkcs12-import,smime} = SHA1+
    key_exchange@smime = RSA DH ECDH
The LEGACY cryptographic policy uses a less strict selection of ciphers, hashes, and key exchanges than the DEFAULT policy, whereas the FUTURE policy is stricter. As a result, you can customize the algorithms used in NSS for importing and exporting PKCS #12 files and S/MIME encryption and decryption. NSS is currently the only cryptographic library linked to the newly offered scopes.
OpenSSH in FIPS mode generates RSA keys by default
In previous versions, the ssh-keygen utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, ssh-keygen generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.
NSS creates FIPS-compliant PKCS #12 in FIPS mode
PKCS #12 uses an ad-hoc mechanism for integrity checks. Since the publication of PKCS #12 version 1.1, more rigorous methods of integrity checks have been created in PKCS #5 Version 2.0: the password-based message authentication code 1 (PBMAC1). This update adds PBMAC1 support in PKCS #12 files to Network Security Services (NSS) in accordance with the RFC 9579 document. As a result, NSS can now read any .p12 file that uses RFC 9579 and can generate RFC-9579-compliant message authentication codes (MAC) when requested by the user. For compatibility, NSS generates old MACs by default when not in FIPS mode. For more information on generating new MACs, see the pk12util(1) man page on your system.
clevis provided in version 20
The clevis packages are provided in version 20 in RHEL 10. The most notable enhancements and fixes include the following:
- Increased security by fixing potential problems reported by static analyzer tools in the clevis luks command, udisks2 integration, and the Shamir’s Secret Sharing (SSS) thresholding scheme.
- Password generation now uses the jose utility instead of pwmake. This ensures enough entropy for passwords generated during the Clevis binding step.
jose provided in version 14
The jose package is provided in version 14 in RHEL 10. jose is a C-language implementation of the JavaScript Object Signing and Encryption (JOSE) standards. The most important enhancements and fixes include the following:
- Improved bound checks for the len function for the oct JWK Type in OpenSSL, as a fix to an error reported by the SAST (Static Application Security Testing) process.
- The protected JSON Web Encryption (JWE) headers no longer contain zip.
- jose avoids potential denial of service (DoS) attacks by using high decompression chunks.
SELinux userspace provided in version 3.7
RHEL 10 contains the SELinux user-space components in version 3.7. This version introduces enhancements and fixes over the previous version, most importantly, the following:
- New audit2allow -C option for the CIL output mode.
- The sepolgen utility has been adjusted to parse refpolicy modules.
- The semanage utility now allows modifying records on add.
- The semanage utility no longer sorts local fcontext definitions.
- The checkpolicy program supports the CIDR notation for nodecon statements.
- The SELinux sandbox utility now supports the Wayland display protocol.
Rules for additional libvirt services added to the SELinux policy
The following SELinux types related to the libvirt services have been added to the SELinux policy:
- virt_dbus_t
- virt_hook_unconfined_t
- virt_qmf_t
- virtinterfaced_t
- virtnetworkd_t
- virtnodedevd_t
- virtnwfilterd_t
- virtproxyd_t
- virtqemud_t
- virtsecretd_t
- virtstoraged_t
- virtvboxd_t
- virtvzd_t
- virtxend_t
4.3. Software management
The repository metadata is now not downloaded by default
Previously, when you downloaded a repository’s metadata, the filelists metadata was downloaded by default. The filelists metadata is large and is typically not needed. With this update, this metadata is not downloaded by default, which improves responsiveness and saves disk space. The filelists metadata is also no longer downloaded or updated from repositories and is not loaded into the DNF transaction when you run a dnf command. If the dnf command requires the filelists metadata or includes a file-related argument, the metadata is loaded automatically.
When a package has a filepath dependency that requires filelists metadata to be resolved, the transaction fails with a dependency resolution error and the following hint:
(try to add '--skip-broken' to skip uninstallable packages or '--setopt=optional_metadata_types=filelists' to load additional filelists metadata)
If you want to re-enable the default filelists metadata downloading, you can add the filelists value to the optional_metadata_types option in the /etc/dnf/dnf.conf configuration file.
Jira:RHEL-12355[1]
DNF now uses librpmio for processing PGP keys
To verify RPM package signatures, RPM uses the rpm-sequoia library instead of the previously-used custom PGP parser. With this update, the librepo library, which can verify PGP signatures on DNF repositories, now also uses rpm-sequoia through the librpmio library. As a result, to provide consistent user experience, the dnf, librpm, and rpm components now use the same PGP implementation.
dnf-plugins-core rebased to version 4.7.0
The dnf-plugins-core package has been rebased to version 4.7.0 that provides a new python3-dnf-plugin-pre-transaction-actions package. This package includes a new pre-transaction-actions DNF plugin that allows you to execute a command upon starting an RPM transaction. For more information, see the dnf-pre-transaction-actions(8) manual page on your system.
createrepo_c provided in version 1.0.0
RHEL 10 provides the createrepo_c package in version 1.0.0. Notable changes over the previous version include:
- Default compression switched from gz to zstd, which provides smaller metadata that is faster to decompress. Note that the gz compression is still supported.
- To save time and disk space, metadata in the SQLite database format is no longer generated by default. Note that you can still create this metadata by using the --database switch or the sqliterepo_c tool.
- Managing the group.xml metadata has been standardized. Previously, this metadata was present twice, as compressed and uncompressed. With this update, the group metadata is present only once as compressed and has the group metadata type.
  Note: The group.xml metadata is not compatible with YUM in RHEL 7. If required, you can still create repositories with the old layout by using the modifyrepo_c command.
Jira:RHELDOCS-18997[1]
4.4. Shells and command-line tools
openCryptoki rebased to version 3.23.0
The openCryptoki packages are updated to version 3.23.0, which provides multiple bug fixes and enhancements. Notable changes include:
- EP11: Added support for FIPS-session mode
- Various updates are available for protection against RSA timing attacks
Jira:RHEL-24038[1]
polkit rebased to 125
The polkit package is rebased to version 125. Notable enhancements include the following:
- polkit uses the tmpfiles.d file to store configuration in the /etc/polkit-1 directory.
- polkit now supports syslog-style log levels and LogControl protocol for dynamic loglevel changing.
The rebase allows the removal of /etc/polkit-1/<subdirs> directories and their automatic recreation with appropriate access rules on the next boot. It aligns polkit with the approach of resetting the OS to factory settings by deleting /etc. Now, the user does not have to reinstall polkit if the /etc/polkit-1 directory was deleted.
Additionally, the polkit.service unit file now contains a new parameter specified in the call of the polkitd daemon, that is, --log-level=<level>. By default in RHEL 10, this parameter is set to --log-level=err, logging only error messages. If the --log-level parameter is omitted, only critical messages are logged.
This change allows users to control how verbose polkit should be in logs and especially in the journal. The enhancement addresses the requirement to log every loaded .rules file for debug purposes, preventing the journal from being flooded with unnecessary information.
ksh is rebased to 93u+m/1.0.10
The KornShell (ksh) shell is rebased to the 93u+m/1.0.10 version. The notable changes are:
- The alarm command, a shell built-in part of ksh, is no longer supported and will be removed. The replacement is the cron daemon, a utility for tasks that must run at fixed intervals.
- The ksh shell is now capable of handling more than 32767 simultaneous background jobs, subject to system limitations.
- Fixes a bug that caused an incorrect default exit status for exit within a trap action and a race condition occurring on some systems when running an external command with a redirection from a command substitution.
- Various other bug fixes
4.5. Infrastructure services
CUPS broadcast and mDNS are no longer the default configuration for cups-browsed daemon
With this enhancement, the mDNS and CUPS broadcast service browsing is no longer the default configuration for the cups-browsed daemon. As a result, to configure cups-browsed, you must add the BrowsePoll directive in the /etc/cups/cups-browsed.conf file. This file then specifies the server that the cups-browsed daemon polls for printers.
Note: To search on mDNS and CUPS broadcast, set BrowseRemoteProtocols dnssd cups in the /etc/cups/cups-browsed.conf file.
Jira:RHELDOCS-17893[1]
tuned-ppd, Valkey, libcpuid and dnsconfd packages are now available
The following packages are included in Red Hat Enterprise Linux:
- tuned-ppd: The tuned-ppd is a drop-in replacement for power-profiles-daemon which uses TuneD as a backend.
- Valkey: Replaces redis and provides the same features.
- libcpuid: Enables accurate CPU model identification in TuneD.
- dnsconfd: A local DNS cache configuration daemon that simplifies setting up DNS caching, split DNS, DNS over TLS, and other DNS features.
Jira:RHELDOCS-18925[1]
GECOS field for user is now changed to Super User
Previously, an application output for the GECOS/description appeared as root. Now, the GECOS/description for user root in the /etc/passwd file has been changed from root to Super User.
Jira:RHELDOCS-18776[1]
dnsconfd daemon can now be installed
With this enhancement, you can now install dnsconfd, a local DNS cache configuration daemon. The newly configured daemon provides an easy way to set up DNS caching, split DNS, DNS over TLS, and other DNS features.
Jira:RHEL-34791[1]
The Kea DHCP server replaces ISC DHCP
Kea is a new Dynamic Host Configuration Protocol (DHCP) server solution in RHEL. Kea DHCP is an implementation from Internet Systems Consortium (ISC) that includes fully functional DHCPv4, DHCPv6, and Dynamic DNS servers. The Kea DHCP server has the following advantages:
- It is an extensible server solution with module hooks.
- It allows re-configuration through the REST API.
- It has a design that allows separation of data (leases) and execution environment.
Jira:RHEL-9306[1]
4.6. Networking
Enable Duplicate Address Detection for IPv4 in NetworkManager
Generally, assigning the same IP address to multiple systems can cause non-working setups and make it more difficult to debug problems. The Duplicate Address Detection (DAD) mechanism identifies and prevents this issue by ensuring that each IP address within a network is unique. In RHEL 10, the ipv4.dad-timeout parameter in NetworkManager has been set to 200ms by default. This enables the DAD functionality for IPv4 addresses on RHEL systems.
Jira:RHEL-1531[1]
4.7. Kernel
Kernel version in RHEL 10.0 Beta
Red Hat Enterprise Linux 10.0 Beta is distributed with the kernel version 6.11.0.
rh_waived kernel command-line boot parameter is now supported
With this release, the rh_waived kernel command-line boot parameter is supported. rh_waived is used for enabling waived features in RHEL. The waived features are kernel features considered unmaintained, insecure, rudimentary, or deprecated. These features are disabled by default in RHEL 10. To use waived features, you must enable them manually.
Jira:RHEL-26170[1]
4.8. File systems and storage
python-blivet rebased to version 3.10
The python-blivet package has been rebased to version 3.10, providing various bug fixes and enhancements. The most notable changes are:
- Removed support for Python 2.
- Support for adding disks to the existing Stratis pool.
- Support for Stratis encryption with Clevis or Tang.
- Support for semi-automatic resizing of the lvmpv format to fill underlying block devices.
cryptsetup rebased to version 2.7
The cryptsetup package has been rebased to version 2.7. This version provides various bug fixes and enhancements, most notably:
- Improvements for the libcryptsetup package to support LUKS encrypted devices in kdump-enabled systems.
- Critical fixes for LUKS2 SED OPAL feature.
- Avoids known or already fixed issues with LUKS2 SED OPAL feature.
Jira:RHEL-33395[1]
4.9. High availability and clusters
pcs now validates resource parameters when creating or updating a resource
When you create or update a cluster resource, the pcs command-line interface now automatically asks the resource agent to validate the parameters you entered. If you specify --agent-validation, an invalid parameter yields an error. To maintain backward compatibility, if you do not specify --agent-validation, an invalid parameter prints a warning but does not prevent misconfiguration.
New --yes flag to confirm potentially destructive actions
To confirm potentially destructive actions such as destroying a cluster, unblocking quorum, or confirming a node being fenced, the pcs command-line interface now supports the --yes flag. Previously, you could confirm these actions by using the --force flag, which is also used for overriding validation errors. With these two functions combined in a single flag, a user could inadvertently confirm a potentially destructive action when the intention is only to override a validation error. You should now use the --force flag to override validation errors, and you should use the --yes flag to confirm potentially destructive actions.
New pcs status wait command
The pcs command-line interface now provides a pcs status wait command. This command ensures that Pacemaker has completed any actions required by changes to the Cluster Information Base (CIB) and does not need to take any further actions in order to make the actual cluster state match the requested cluster state.
Jira:RHEL-38491[1]
pcs support for new commands to query the status of a resource in a cluster
The pcs command-line interface now provides pcs status query resource commands to query various attributes of a single resource in a cluster. These commands query:
- the existence of the resource
- the type of the resource
- the state of the resource
- various information about the members of a collective resource
- on which nodes the resource is running
You can use these commands for pcs-based scripting since there is no need to parse plain text outputs.
Jira:RHEL-38489[1]
New pcs resource defaults and pcs resource op defaults option for displaying configuration in text, JSON, and command formats
The pcs resource defaults and pcs resource op defaults commands and their aliases pcs stonith defaults and pcs stonith op defaults now provide the --output-format option.
- Specifying --output-format=text displays the configured resource defaults or operation defaults in plain text format, which is the default value for this option.
- Specifying --output-format=cmd displays the pcs resource defaults or pcs resource op defaults commands created from the current cluster defaults configuration. You can use these commands to re-create configured resource defaults or resource operation defaults on a different system.
- Specifying --output-format=json displays the configured resource defaults or resource operation defaults in JSON format, which is suitable for machine parsing.
Jira:RHEL-38487[1]
pcsd Web UI now available as a RHEL web console add-on
The pcsd Web UI is now available as the HA Cluster Management RHEL web console add-on when the cockpit-ha-cluster package is installed. It is no longer operated as a standalone interface.
RHEL 10 provides Pacemaker version 2.1.8
Pacemaker has been upgraded to version 2.1.8, which provides multiple bug fixes and enhancements. Notable changes include:
- You can now set the PCMK_panic_action variable in the /etc/sysconfig/pacemaker configuration file to off or sync-off. When you set this variable to off or sync-off, a node remains shut down after a panic condition instead of rebooting automatically.
- The CIB manager no longer increases in size indefinitely with each request from an asynchronous client. Previously, when the CIB manager received a request from an asynchronous client, it leaked a small amount of memory. This caused the CIB manager process gradually to grow in size. With this upgrade, the relevant memory is freed for asynchronous clients and the CIB manager process no longer grows in size indefinitely.
Support for new HA Cluster Management features
For RHEL 10, the pcsd Web UI is now available as a RHEL web console add-on as the HA Cluster Management application. It is no longer operated as a standalone interface. The HA Cluster Management application now supports the following features:
- When you set the placement-strategy cluster property to default, the HA Cluster Management application displays a warning near the utilization attributes for nodes and resources. This warning notes that the utilization has no effect due to placement-strategy configuration.
- The HA Cluster Management application supports dark mode, which you can set through the user menu in the masthead.
Jira:RHEL-38493[1], Jira:RHEL-38496
4.10. Dynamic programming languages, web and database servers
Python 3.12 in RHEL 10
Python 3.12 is the default Python implementation in RHEL 10. Python 3.12 is distributed as a non-modular python3 RPM package in the BaseOS repository and is usually installed by default. Python 3.12 will be supported for the whole life cycle of RHEL 10.
Additional versions of Python 3 will be distributed as RPM packages with a shorter life cycle through the AppStream repository and will be installable in parallel. The python command (/usr/bin/python), as well as other Python-related commands, such as pip, are available in the unversioned form and point to the default Python 3.12 version.
Notable enhancements compared to the previously released Python 3.11 include:
- Python introduces a new type statement and new type parameter syntax for generic classes and functions.
- Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
- To improve security, the built-in hashlib implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The builtin implementations remain available as fallback if OpenSSL does not provide them.
- Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases the speed of a comprehension execution.
- CPython now supports the Linux perf profiler.
- CPython now provides stack overflow protection on supported platforms.
- Python 3.12 is compiled with GCC’s -O3 optimization flag, which has been used by default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter.
To install packages from the Python 3.12 stack, you can use, for example, the following commands:
# dnf install python3
# dnf install python3-pip
To run the interpreter, you can use, for example, the following commands:
$ python
$ python3
$ python3 -m pip --help
Jira:RHELDOCS-18402[1], Jira:RHEL-45315
RHEL 10 introduces Perl 5.40
RHEL 10 includes Perl 5.40, which provides various enhancements over the previously available version 5.32.
Core enhancements:
- Perl now supports Unicode 15.0.
- You can now use a new -g command-line option, which is an alias for the umask option -0777.
- The -M command-line option now accepts a space.
- A new builtin module now provides documentation for new always-present functions.
- A new try/catch feature has been added.
- Deprecation warnings now have specific subcategories to provide finer-grained control. Note that you can still disable all deprecation warnings in a single statement.
- The @INC hooks have been enhanced, including the $INC variable and the new INCDIR method.
- Forbidden control flow out of the defer and finally modules is now detected at compile-time.
- The use of (?{ … }) and (??{ … }) in a pattern now disables various optimisations globally in that pattern.
- The limit for the REG_INF regex engine quantifier has been increased from 65,536 to 2,147,483,647.
- A new regexp variable ${^LAST_SUCCESSFUL_PATTERN} allows access to the last successful pattern that matched in the current scope.
- A new __CLASS__ keyword has been introduced.
- Perl now supports a new ^^ logical XOR operator.
Incompatible changes:
- A physically empty sort function now triggers a compile-time error.
- The readline() function no longer clears the stream error and EOF flags.
- INIT blocks no longer run after an exit() function inside a BEGIN block.
- Calling the import method on an unknown package now produces a warning.
- The return function no longer allows an indirect object.
- Changes in errors and warnings can now cause failures in tests.
Deprecations:
- The use of the ' character as a package name separator is deprecated.
- The switch feature and the smartmatch operator ~~ are deprecated.
- Using the goto function to jump from an outer scope into an inner scope is deprecated.
Internal changes:
- Multiple deprecated C functions have been removed.
- Internal C API functions are now hidden with the __attribute__((hidden)) attribute on the platforms that support it. This means they are no longer callable from XS modules on those platforms.
Modules:
- The Term::Table and Test2::Suite modules have been added to Perl Core.
- Most modules have been updated.
For more information, see the perl5340delta, perl5360delta, perl5380delta, and perldelta man pages.
Jira:RHELDOCS-18869[1]
RHEL 10 provides Node.js 22
RHEL 10 is distributed with Node.js 22. This version provides numerous new features, bug fixes, security fixes, and performance improvements over previously available Node.js 20.
Notable changes include:
- The V8 JavaScript engine has been upgraded to version 12.4.
- The V8 Maglev compiler is now enabled by default on architectures where it is available (AMD and Intel 64-bit architectures and the 64-bit ARM architecture).
- Maglev improves performance for short-lived CLI programs.
- The npm package manager has been upgraded to version 10.8.1.
- The node --watch mode is now considered stable. In watch mode, changes in watched files cause the Node.js process to restart.
- The browser-compatible implementation of WebSocket is now considered stable and enabled by default. As a result, a WebSocket client to Node.js is available without external dependencies.
- Node.js now includes an experimental feature for execution of scripts from package.json. To use this feature, execute the node --run <script-in-package.json> command.
RHEL 10 introduces MySQL 8.4
RHEL 10 is distributed with MySQL 8.4. Notable changes over the previously available version 8.0 include:
- The deprecated mysql_native_password authentication plug-in is no longer enabled by default.
- When upgrading to MySQL 8.4, user accounts or roles that have the BINLOG_ADMIN privilege are automatically granted the TRANSACTION_GTID_TAG privilege.
- When you install MySQL 8.4, the mysql_upgrade_history file is created or updated in the server’s data directory. The file is in JSON format and includes information about the version installed, date and time of installation, and whether the release was part of a Long-Term Support (LTS series) or an Innovation series.
- The use of the % and _ characters as wildcards in database grants has been deprecated, and the wildcard functionality will be removed in a future MySQL release. These characters will be treated as literals. They are already treated as literals when the partial_revokes server system variable is set to ON.
- The treatment of the % character by the server as a synonym for localhost when checking privileges has been deprecated.
- The deprecated --ssl and --admin-ssl server options and have_ssl and have_openssl server system variables have been removed. Use the --tls-version and --admin-tls-version server system variables instead.
- The deprecated default_authentication_plugin system variable has been removed. Use the authentication_policy server system variable instead.
- The deprecated SET_USER_ID privilege has been removed. Instead, you can use the SET_ANY_DEFINER privilege for definer object creation and the ALLOW_NONEXISTENT_DEFINER privileges for orphan object protection.
- The deprecated mysql_upgrade utility has been removed.
For more information, see the upstream MySQL documentation.
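A pre-upgrade audit for the account and privilege changes listed above, as an added example that is not part of the original release notes. It assumes you run it on the existing MySQL 8.0 server with SELECT access to the mysql system schema; the account 'app'@'%' and the password in the commented-out statement are placeholders.

```sql
-- Added example: run on the MySQL 8.0 server before upgrading to 8.4.

-- 1. Accounts that authenticate with mysql_native_password, which is no
--    longer enabled by default in 8.4. These accounts need to move to
--    another plug-in before the upgrade.
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin = 'mysql_native_password'
 ORDER BY user, host;

-- Moving one account to caching_sha2_password. 'app'@'%' and the password
-- are placeholders; confirm that the client library supports the plug-in.
-- ALTER USER 'app'@'%' IDENTIFIED WITH caching_sha2_password BY '<new-password>';

-- 2. Database-level grants whose database name contains % or _. Today these
--    characters act as wildcards unless partial_revokes is ON; once they are
--    treated as literals, such a grant covers only the database with exactly
--    that name. A character preceded by a backslash in the stored name was
--    already escaped when the grant was written.
SHOW GLOBAL VARIABLES LIKE 'partial_revokes';

SELECT user, host, db
  FROM mysql.db
 WHERE INSTR(db, '%') > 0
    OR INSTR(db, '_') > 0
 ORDER BY user, host, db;

-- 3. Holders of the removed SET_USER_ID privilege. Decide for each one
--    whether it needs SET_ANY_DEFINER, ALLOW_NONEXISTENT_DEFINER, or neither.
SELECT user, host, with_grant_option
  FROM mysql.global_grants
 WHERE priv = 'SET_USER_ID'
 ORDER BY user, host;

-- 4. Accounts and roles that will be granted TRANSACTION_GTID_TAG
--    automatically because they hold BINLOG_ADMIN. Review the list so the
--    new privilege does not land on an account nobody maintains.
SELECT user, host
  FROM mysql.global_grants
 WHERE priv = 'BINLOG_ADMIN'
 ORDER BY user, host;

-- 5. System variables removed in 8.4. Any that appear here may also be set
--    in the server configuration file, together with the removed --ssl and
--    --admin-ssl options, and must be taken out before the new server starts.
SHOW GLOBAL VARIABLES
 WHERE Variable_name IN ('default_authentication_plugin',
                         'have_ssl',
                         'have_openssl');
```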
RHEL 10 provides PostgreSQL 16 with the pgvector extension
RHEL 10 is distributed with PostgreSQL 16. In addition to the pgaudit, pg_repack, and decoderbufs extensions, the PostgreSQL stack now provides the pgvector extension. With the pgvector extension, you can store and query high-dimensional vector embeddings directly within PostgreSQL databases and perform a vector similarity search. Vector embeddings are numerical representations of data that are often used in machine learning and AI applications to capture the semantic meaning of text, images, or other data types.
Jira:RHEL-35993[1]
4.11. Compilers and development tools
RHEL 10 introduces GCC 14.2
RHEL 10 is distributed with the GNU Compiler Collection (GCC) version 14.2.
Notable changes since GCC 13 include:
- Optimization and diagnostic improvements
- A new -fhardened umbrella option, which enables a set of hardening flags
- A new -fharden-control-flow-redundancy option to detect attacks that transfer control into the middle of functions
- A new strub type attribute to control stack scrubbing properties of functions and variables
- A new -finline-stringops option to force inline expansion of certain mem* functions
- Support for new OpenMP 5.1, 5.2, and 6.0 features
- Several new C23 features
- Multiple new C++23 and C++26 features
- Several resolved C++ defect reports
- New and improved experimental support for C++20, C++23, and C++26 in the C++ library
- Support for new CPUs in the 64-bit ARM architecture
- Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
- New warnings in the GCC’s static analyzer
- Certain warnings changed to errors; for details, see Porting to GCC 14
- Various bug fixes
For more information about changes in GCC 14, see the upstream GCC release notes.
GCC 14 defaults to x86-64-v3
GCC 14 in RHEL 10 defaults to the x86-64-v3 microarchitecture level. This level enables certain capabilities by default, such as the AVX and AVX2 instruction sets and the fused multiply-add (FMA) instruction set. See the related article for more details.
GCC defaults to using the IEEE128 floating point format on IBM Power Systems
In RHEL 10, GCC uses the IEEE128 floating point format by default for all long double floating point numbers on IBM Power Systems instead of the earlier software-only IBM-DOUBLE-DOUBLE code. As a result, you can notice performance improvements in C or C++ code that performs computations by using long double floating point numbers.
Note that this 128-bit long double floating point ABI is incompatible with the floating point ABI used in RHEL 8 and earlier versions. Support for hardware instructions to perform IEEE128 operations is available since IBM POWER9.
Jira:RHEL-24760[1]
RHEL 10 includes annobin version 12.55
RHEL 10 is distributed with annobin version 12.55. Notable changes over the previously available version 12.32 include:
- Updated tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers
- Recording and testing for the use of the GCC command-line options -Wimplicit-int and -Wimplicit-function-declaration
- Improved support for LLVM
- New tests
- A new check to identify if the deprecated OpenSSL Engine code is used
- Various bug fixes
Jira:RHEL-526[1]
RHEL 10 includes binutils version 2.41
RHEL 10 is distributed with binutils version 2.41. Notable changes over the previously available version 2.40 include:
- binutils tools support architecture extensions in the 64-bit Intel and ARM architectures.
- The linker now accepts the --remap-inputs <PATTERN>=<FILE> command-line option to replace any input file that matches <PATTERN> with <FILE>. In addition, you can use the --remap-inputs-file=<FILE> option to specify a file containing any number of these remapping directives.
- For ELF targets, you can use the linker command-line option --print-map-locals to include local symbols in a linker map.
- For most ELF-based targets, you can use the --enable-linker-version option to insert the version of the linker as a string into the .comment section.
- The linker script syntax has a new command for output sections, ASCIZ "<string>", which inserts a zero-terminated string at the current location.
- You can use the new -z nosectionheader linker command-line option to omit ELF section header.
Jira:RHELDOCS-18761[1]
The ld linker of binutils supports the --section-ordering-file option
You can now use the new --section-ordering-file command-line option with ld.bfd, the default system linker, to group sections of code or data that can benefit from being in proximity to each other.
This feature improves performance of programs by reducing cache misses. You can use profiling tools to analyze use of your program’s code over time, and then improve code grouping in the executable image. As a result, you have more control over the layout of your programs in memory.
The --section-ordering-file option also enhances compatibility with the gold and lld linkers, which already provide this feature.
For details, see the blog post A practical guide to linker section ordering.
glibc now supports dynamic linking of Intel APX-enabled functions
An incompatible dynamic linker trampoline was identified as a potential source of incompatibilities for Intel Advanced Performance Extensions (APX) applications. As a workaround, it was possible to use the BIND_NOW executable or use only the standard calling convention. With this update, the dynamic linker of glibc preserves APX-related registers.
Because of this change, additional space is needed beyond the top of the stack. Users who strictly limit this space might need to adjust or evaluate the stack limits.
RHEL 10 provides glibc version 2.39
RHEL 10 introduces GNU C Library (glibc) version 2.39.
Optimization of AMD Zen 3 and Zen 4 performance in glibc
Previously, AMD Zen 3 and Zen 4 processors sometimes used the Enhanced Repeat Move String (ERMS) version of the memcpy and memmove library routines regardless of the most optimal choice. With this update to glibc, AMD Zen 3 and Zen 4 processors use the most optimal versions of memcpy and memmove.
RHEL 10 provides GDB version 14.2
GDB has been updated to version 14.2. The following paragraphs list notable changes since GDB 12.1.
General:
- The info breakpoints command now displays enabled breakpoint locations of disabled breakpoints as in the y- state.
- Added support for debug sections compressed with Zstandard (ELFCOMPRESS_ZSTD) for ELF.
- The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command set style tui-current-position.
- A new $_inferior_thread_count convenience variable contains the number of live threads in the current inferior.
- For breakpoints with multiple code locations, GDB now prints the code location using the <breakpoint_number>.<location_number> syntax.
- When a breakpoint is hit, GDB now sets the $_hit_bpnum and $_hit_locno convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using the disable $_hit_bpnum command, or disable only the specific breakpoint code location by using the disable $_hit_bpnum.$_hit_locno command.
- Added support for the NO_COLOR environment variable.
- Added support for integer types larger than 64 bits.
- You can use new commands for multi-target feature configuration to configure remote target feature sets (see the set remote <name>-packet and show remote <name>-packet in Commands).
- Added support for the Debugger Adapter Protocol.
- You can now use the new inferior keyword to make breakpoints inferior-specific (see break or watch in Commands).
- You can now use the new $_shell() convenience function to execute a shell command during expression evaluation.
Changes to existing commands:
- break, watch
  - Using the thread or task keywords multiple times with the break and watch commands now results in an error instead of using the thread or task ID of the last instance of the keyword.
  - Using more than one of the thread, task, and inferior keywords in the same break or watch command is now invalid.
- printf, dprintf
  - The printf and dprintf commands now accept the %V output format, which formats an expression the same way as the print command. You can also modify the output format by using additional print options in brackets […] following the command, for example: printf "%V[-array-indexes on]", <array>.
- list
  - You can now use the . argument to print the location around the point of execution in the current frame, or around the beginning of the main() function if the inferior has not started yet.
  - Attempting to list more source lines in a file than are available now issues a warning, referring the user to the . argument.
- document user-defined
  - It is now possible to document user-defined aliases.
New commands:
- set print nibbles [on|off] (default: off), show print nibbles - controls whether the print/t command displays binary values in groups of four bits (nibbles).
- set debug infcall [on|off] (default: off), show debug infcall - prints additional debug messages about inferior function calls.
- set debug solib [on|off] (default: off), show debug solib - prints additional debug messages about shared library handling.
- set print characters <LIMIT>, show print characters, print -characters <LIMIT> - controls how many characters of a string are printed.
- set debug breakpoint [on|off] (default: off), show debug breakpoint - prints additional debug messages about breakpoint insertion and removal.
- maintenance print record-instruction [ N ] - prints the recorded information for a given instruction.
- maintenance info frame-unwinders - lists the frame unwinders currently in effect in the order of priority (highest first).
- maintenance wait-for-index-cache - waits until all pending writes to the index cache are completed.
- info main - prints information on the main symbol to identify an entry point into the program.
- set tui mouse-events [on|off] (default: on), show tui mouse-events - controls whether mouse click events are sent to the TUI and Python extensions (when on), or the terminal (when off).
Machine Interface (MI) changes:
- MI version 1 has been removed.
- MI now reports no-history when reverse execution history is exhausted.
- The thread and task breakpoint fields are no longer reported twice in the output of the -break-insert command.
- Thread-specific breakpoints can no longer be created on non-existent thread IDs.
- The --simple-values argument to the -stack-list-arguments, -stack-list-locals, -stack-list-variables, and -var-list-children commands now considers reference types as simple if the target is simple.
- The -break-insert command now accepts a new -g thread-group-id option to create inferior-specific breakpoints.
- Breakpoint-created notifications and the output of the -break-insert command can now include an optional inferior field for the main breakpoint and each breakpoint location.
- The async record stating the breakpoint-hit stopped reason now contains an optional field locno giving the code location number in case of a multi-location breakpoint.
Changes in the GDB Python API:
- Events
  - A new gdb.ThreadExitedEvent event.
  - A new gdb.executable_changed event registry, which emits the ExecutableChangedEvent objects that have progspace and reload attributes.
  - New gdb.events.new_progspace and gdb.events.free_progspace event registries, which emit the NewProgspaceEvent and FreeProgspaceEvent event types. Both of these event types have a single attribute progspace to specify the gdb.Progspace program space that is being added to or removed from GDB.
- The gdb.unwinder.Unwinder class
  - The name attribute is now read-only.
  - The name argument of the __init__ function must be of the str type, otherwise a TypeError is raised.
  - The enabled attribute now accepts only the bool type.
- The gdb.PendingFrame class
  - New methods: name, is_valid, pc, language, find_sal, block, and function, which mirror similar methods of the gdb.Frame class.
  - The frame-id argument of the create_unwind_info function can now be either an integer or a gdb.Value object for the pc, sp, and special attributes.
- A new gdb.unwinder.FrameId class, which can be passed to the gdb.PendingFrame.create_unwind_info function.
- The gdb.disassembler.DisassemblerResult class can no longer be sub-classed.
- The gdb.disassembler module now includes styling support.
- A new gdb.execute_mi(COMMAND, [ARG]…) function, which invokes a GDB/MI command and returns result as a Python dictionary.
- A new gdb.block_signals() function, which returns a context manager that blocks any signals that GDB needs to handle.
- A new gdb.Thread subclass of the threading.Thread class, which calls the gdb.block_signals function in its start method.
- The gdb.parse_and_eval function has a new global_context parameter to restrict parsing on global symbols.
- The gdb.Inferior class
  - A new arguments attribute, which holds the command-line arguments to the inferior, if known.
  - A new main_name attribute, which holds the name of the inferior’s main function, if known.
  - New clear_env, set_env, and unset_env methods, which can modify the inferior’s environment before it is started.
- The gdb.Value class
  - A new assign method to assign a value of an object.
  - A new to_array method to convert an array-like value to an array.
- The gdb.Progspace class
  - A new objfile_for_address method, which returns the gdb.Objfile object that covers a given address (if exists).
  - A new symbol_file attribute holding the gdb.Objfile object that corresponds to the Progspace.filename variable (or None if the filename is None).
  - A new executable_filename attribute, which holds the string with a filename that is set by the exec-file or file commands, or None if no executable file is set.
- The gdb.Breakpoint class
  - A new inferior attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, or None if no such breakpoints are set.
- The gdb.Type class
  - New is_array_like and is_string_like methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
- A new gdb.ValuePrinter class, which can be used as the base class for the result of applying a pretty-printer.
- A newly implemented gdb.LazyString.__str__ method.
- The gdb.Frame class
  - A new static_link method, which returns the outer frame of a nested function frame.
  - A new gdb.Frame.language method that returns the name of the frame’s language.
- The gdb.Command class
  - GDB now reformats the doc string for the gdb.Command class and the gdb.Parameter sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
- The gdb.Objfile class
  - A new is_file attribute.
- A new gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE) function, which uses the same format as when printing address, symbol, and offset information from the disassembler.
- A new gdb.current_language function, which returns the name of the current language.
- A new Python API for wrapping GDB’s disassembler, including gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH), gdb.disassembler.Disassembler, gdb.disassembler.DisassembleInfo, gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE), and gdb.disassembler.DisassemblerResult.
- A new gdb.print_options function, which returns a dictionary of the prevailing print options, in the form accepted by the gdb.Value.format_string function.
- The gdb.Value.format_string function
  - gdb.Value.format_string now uses the format provided by the print command if it is called during a print or other similar operation.
  - gdb.Value.format_string now accepts the summary keyword.
- A new gdb.BreakpointLocation Python type.
- The gdb.register_window_type method now restricts the set of acceptable window names.
Architecture-specific changes:
- AMD and Intel 64-bit architectures
  - Added support for disassembler styling using the libopcodes library, which is now used by default. You can modify how the disassembler output is styled by using the set style disassembler * commands. To use the Python Pygments styling instead, use the new maintenance set libopcodes-styling off command.
- The 64-bit ARM architecture
  - Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
  - Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
  - Added support for Thread Local Storage (TLS) variables.
  - Added support for hardware watchpoints.
- The 64-bit IBM Z architecture
  - Record and replay support for the new arch14 instructions on IBM Z targets, except for the specialized-function-assist instruction NNPA.
- IBM Power Systems, Little Endian
  - Added base enablement support for POWER11.
For changes since the RHEL 9 system version of GDB 10.2, see the release notes for the GCC Toolset 12 version of GDB 11.2 and the GCC Toolset 13 version of GDB 12.1.
Jira:RHEL-33256, Jira:RHEL-24764, Jira:RHEL-39324
RHEL 10 provides elfutils version 0.191
The elfutils package has been updated to version 0.191. Notable improvements include:
- Changes in the libdw library:
  - The dwarf_addrdie function now supports binaries lacking a debug_aranges section.
  - Support for DWARF package files has been improved.
  - A new dwarf_cu_dwp_section_info function has been added.
- Caching eviction logic in the debuginfod server has been enhanced to improve retention of small, frequent, or slow files, such as vdso.debug.
- The eu-srcfiles utility can now fetch the source files of a DWARF/ELF file and place them into a zip archive.
RHEL 10 provides SystemTap version 5.1
RHEL 10 includes the SystemTap tracing and probing tool version 5.1. Notable changes since version 5.0 include:
- An experimental --build-as=USER flag to reduce privileges during script compilation.
- Improved support for probing processes running in containers, identified by host PID.
- New probes for userspace hardware breakpoints and watchpoints.
- Support for the --remote operation of --runtime=bpf mode.
- Improved robustness of kernel-user transport.
RHEL 10 provides Valgrind version 3.23.0
The Valgrind suite has been updated to version 3.23.0. Notable enhancements include:
- The --track-fds=yes option now warns against double closing of file descriptors, generates suppressible errors, and supports XML output.
- The --show-error-list=no|yes option now accepts a new value, all, to also print the suppressed errors.
- On the 64-bit IBM Z architecture, Valgrind now supports neural network processing assist (NNPA) facility vector instructions: VCNF, VCLFNH, VCFN, VCLFNL, VCRNF, and NNPA (z16/arch14).
- On the 64-bit ARM architecture, Valgrind now supports dotprod instructions (sdot/udot).
- On the AMD and Intel 64-bit architectures, Valgrind now provides more accurate instruction support for the x86_64-v3 microarchitecture.
- Valgrind now provides wrappers for the wcpncpy, memccpy, strlcat, and strlcpy functions that can detect memory overlap.
- Valgrind now supports the following Linux syscalls: mlock2, fchmodat2, and pidfd_getfd.
RHEL 10 introduces Dyninst version 12.3.0
RHEL 10 is distributed with the Dyninst library version 12.3.0.
Jira:RHEL-49597[1]
RHEL 10 provides libabigail version 2.5
The libabigail library has been updated to version 2.5. Notable changes include:
- Improved suppression specification for strict conversions of flexible array data members.
- Added support for pointer-to-member types in C++ binaries.
- Improved weak mode of the abicompat tool.
- A new abidb tool to manage the ABI of operating systems.
- Numerous bug fixes.
RHEL 10 Beta introduces LLVM Toolset 18.1.8
RHEL 10 Beta is distributed with the LLVM Toolset version 18.1.8.
Notable LLVM updates:
- The constant expression variants of the following instructions have been removed: and, or, lshr, ashr, zext, sext, fptrunc, fpext, fptoui, fptosi, uitofp, sitofp.
- The llvm.exp10 intrinsic has been added.
- The code_model attribute for global variables has been added.
- The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
- LLVM tools have been improved.
Notable Clang enhancements:
C++20 feature support:
- Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the -Xclang -fno-skip-odr-check-in-gmf option.
C++23 feature support:
- A new diagnostic flag -Wc++23-lambda-attributes has been added to warn about the use of attributes on lambdas.
C++2c feature support:
- Clang now allows using the _ character as a placeholder variable name multiple times in the same scope.
- Attributes now expect unevaluated strings in attribute parameters that are string literals.
- The deprecated arithmetic conversion on enumerations from C++26 has been removed.
- The specification of template parameter initialization has been improved.
- For a complete list of changes, see the upstream release notes for Clang.
ABI changes in Clang:
- Following the SystemV ABI for x86_64, the __int128 arguments are no longer split between a register and a stack slot.
- For more information, see the list of ABI changes in Clang.
Notable backwards incompatible changes:
- A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
- The GCC_INSTALL_PREFIX CMake variable (which sets the default --gcc-toolchain=) is deprecated and will be removed. Specify the --gcc-install-dir= or --gcc-triple= option in a configuration file instead.
- The default extension name for precompiled headers (PCH) generation (-c -xc-header and -c -xc++-header) is now .pch instead of .gch.
- When -include a.h probes the a.h.gch file, the include now ignores a.h.gch if it is not a Clang PCH file or a directory containing any Clang PCH file.
- A bug that caused __has_cpp_attribute and __has_c_attribute to return incorrect values for certain C++11-style attributes has been fixed.
- A bug in finding a matching operator!= while adding a reversed operator== has been fixed.
- The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
- The -Wenum-constexpr-conversion warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release.
- A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
- It is no longer possible to import modules by using import <module>; Clang uses explicitly-built modules.
- For more details, see the list of potentially breaking changes.
For more information, see the LLVM release notes and Clang release notes.
LLVM Toolset is a rolling Application Stream, and only the latest version is supported.
RHEL 10 Beta includes Rust Toolset version 1.79.0
RHEL 10 Beta is distributed with the Rust Toolset version 1.79.0. Notable enhancements since the previously available version 1.75.0 include:
- A new offset_of! macro
- Support for C-string literals
- Support for inline const expressions
- Support for bounds in associated type position
- Improved automatic temporary lifetime extension
- Debug assertions for unsafe preconditions
Rust Toolset is a rolling Application Stream, and only the latest version is supported.
RHEL 10 Beta provides Go Toolset version 1.22
RHEL 10 Beta introduces the Go Toolset version 1.22. Notable enhancements since the previously available version 1.21 include:
- Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
- Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
- The go get command no longer supports the legacy GOPATH mode. This change does not affect the go build and go test commands.
- The vet tool has been updated to match the new behavior of the for loops.
- CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
- Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
- A new math/rand/v2 package is available.
- Go now provides enhanced HTTP routing patterns with support for methods and wildcards.
For more information, see the Go upstream release notes.
Go Toolset is a rolling Application Stream, and only the latest version is supported.
RHEL 10 includes PCP version 6.3.0
RHEL 10 is distributed with Performance Co-Pilot (PCP) version 6.3.0. Notable changes over the previously available version 6.2.0 include:
New tools and agents
- pcp2openmetrics: a new tool to push PCP metrics in Open Metrics format to remote end points
- pcp-geolocate: a new tool to report latitude and longitude metric labels
- pmcheck: a new tool to interrogate and control PCP components
- pmdauwsgi: a new PCP agent that exports instrumentation from uWSGI servers
Enhanced tools
- pmdalinux: added new kernel metrics (hugepages, filesystems, TCP, softnet, virtual machine balloon)
- pmdalibvirt: added support for metric labels, added new balloon, vCPU, and domain info metrics
- pmdabpf: improved eBPF networking metrics for use with the pcp-atop utility
Jira:RHELDOCS-18787[1]
RHEL 10 provides Grafana version 10.2.6
The Grafana platform has been updated to version 10.2.6.
Notable enhancements include:
- Support for zooming in on the y axis of time series and candlestick visualizations by holding shift while clicking and dragging.
- Streamlined data source selection when creating a dashboard.
- Updated User Interface, including updates to navigation and the command palette.
- Various improvements to transformations, including the new unary operation mode for the Add field from calculation transformation.
- Various improvements to dashboards and data visualizations, including a redesigned empty dashboard and dashboard panel.
- New geomap and canvas panels.
Other changes:
- Various improvements to users, access, authentication, authorization, and security.
- Alerting improvements along with new alerting features.
- Public dashboards now available.
For a complete list of changes since the previously available Grafana version 9.2, see the upstream documentation.
Grafana, PCP, and grafana-pcp now use Valkey to store data
In RHEL 10, the Valkey key-value store replaces Redis. As a result, Grafana, PCP, and the grafana-pcp plug-in now use Valkey to store data instead of Redis. The PCP Redis data source in the grafana-pcp plug-in is now named PCP Valkey.
zlib-ng-compat replaces zlib in RHEL 10
The new zlib-ng-compat package provides a general-purpose lossless data compression library that is used by many different programs. This implementation provides various benefits over zlib distributed in RHEL 9. For example, zlib-ng-compat supports hardware acceleration when available and enhances compression efficiency and performance. zlib-ng-compat is built in API and ABI compatible mode to ensure a smooth transition from zlib.
Jira:RHEL-24058[1]
SWIG 4.2.1 available in the CRB repository
The Simplified Wrapper and Interface Generator (SWIG) version 4.2.1 is now available in the CodeReady Linux Builder (CRB) repository. Notable changes include:
- Python Standard Template Library (STL) container wrappers now use the Python Iterator Protocol.
SWIG now supports:
- Python stable Application Binary Interface (ABI)
- Python 3.12 and Python 3.13
- Ruby 3.2 and Ruby 3.3
- Tcl 9.0
- PHP 8; support for PHP 7 has been removed.
- Support for the C++14 auto variable without trailing return type for the C++11 auto variable has been added.
- Constructors, destructors, and assignment operators have been fixed, including implicit, default, and deleted, and related non-assignable variable wrappers.
- A new Javascript generator targeting Node.js binary stable ABI Node-API is now available.
- Multiple deprecated features have been removed.
Note that packages included in the CodeReady Linux Builder repository are unsupported.
Jira:RHELDOCS-19059[1]
Red Hat build of OpenJDK 21 is the default Java implementation in RHEL 10
The default RHEL 10 Java implementation is OpenJDK 21. Use the java-21-openjdk packages, which provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. For more information, see the OpenJDK documentation.
4.12. Identity Management
python-jwcrypto rebased to version 1.5.6
The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix for an issue where an attacker could cause a denial of service by passing in a malicious JWE Token with a high compression ratio.
Jira:RHELDOCS-18197[1]
The ldap_id_use_start_tls option is now enabled by default
To improve security, the default value for ldap_id_use_start_tls has changed from false to true. Using ldap:// without TLS for identity lookups exposes an attack vector, particularly a man-in-the-middle (MITM) attack, which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.
As unencrypted communication is not secure, the default ldap_id_use_start_tls option is now set to true.
Jira:RHELDOCS-19185[1]
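To see which SSSD domains are affected by this default change, you can resolve the effective ldap_id_use_start_tls value per domain. The following is an added example, not Red Hat or SSSD code; the function names and the sample configuration are constructed for illustration, and the script assumes the option is written as a literal true or false.

```python
import configparser

# Constructed sample sssd.conf, not taken from a real host.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp, legacy, secure

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com

[domain/legacy]
id_provider = ldap
ldap_uri = ldap://old.example.com
ldap_id_use_start_tls = False

[domain/secure]
id_provider = ldap
ldap_uri = ldaps://ldap3.example.com
ldap_id_use_start_tls = false
"""


def _parse_bool(raw):
    """Return True/False for a literal true/false value, None for anything else."""
    value = raw.strip().lower()
    if value in ("true", "false"):
        return value == "true"
    return None


def audit_start_tls(conf_text, default_start_tls=True):
    """Map each domain that uses ldap:// URIs to its effective StartTLS setting.

    default_start_tls models the built-in default: True for the new behavior
    described above, False for the previous default.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        uris = [
            uri.strip()
            for key in ("ldap_uri", "ldap_backup_uri")
            for uri in opts.get(key, "").split(",")
            if uri.strip()
        ]
        cleartext = [u for u in uris if u.lower().startswith("ldap://")]
        if not cleartext:
            continue  # only ldaps:// (or no LDAP URIs): StartTLS is not relevant
        raw = opts.get("ldap_id_use_start_tls")
        explicit = _parse_bool(raw) if raw is not None else None
        findings[section[len("domain/"):]] = {
            "uris": cleartext,
            "explicit": explicit,  # None means the domain relies on the default
            "start_tls": default_start_tls if explicit is None else explicit,
        }
    return findings


def unprotected_domains(conf_text, default_start_tls=True):
    """Domains whose identity lookups go over ldap:// without StartTLS."""
    findings = audit_start_tls(conf_text, default_start_tls)
    return sorted(name for name, f in findings.items() if not f["start_tls"])


if __name__ == "__main__":
    print("new default:", unprotected_domains(SAMPLE_SSSD_CONF, True))
    print("old default:", unprotected_domains(SAMPLE_SSSD_CONF, False))
```

Domains reported only under the old default are the ones whose behavior changes on upgrade; domains reported under both carry an explicit false that keeps lookups unencrypted.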
certmonger rebased to version 0.79.20
The certmonger package has been rebased to version 0.79.20. The update includes various bug fixes and enhancements, most notably:
- Enhanced handling of new certificates in the internal token and improved the removal process on renewal.
- Removed restrictions on tokens for CKM_RSA_X_509 cryptographic mechanism.
- Fixed the documentation for the getcert add-scep-ca, --ca-cert, and --ra-cert options.
- Renamed the D-Bus service and configuration files to match canonical name.
- Added missing .TP tags in the getcert-resubmit man page.
- Migrated to the SPDX license format.
- Included owner and permissions information in the getcert list output.
- Removed the requirement for an NSS database in the cm_certread_n_parse function.
- Added translations using Weblate for Simplified Chinese, Georgian, and Russian.
Jira:RHEL-40922[1]
RHEL 10 provides python-jwcrypto in version 1.5.6
The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix for an issue where an attacker could cause a denial of service by passing in a malicious JWE Token with a high compression ratio.
Jira:RHELDOCS-19191[1]
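The failure mode behind this fix, a small compressed payload that inflates to many times its wire size, is countered by capping the decompressed output before it is buffered. The following is an added example, not jwcrypto code: the function names, the 256 KiB cap, and the sample payloads are assumptions chosen for illustration.

```python
import zlib

# Assumed cap for this example; size it to the largest legitimate token you expect.
MAX_PLAINTEXT = 256 * 1024


class DecompressionLimitExceeded(ValueError):
    """The compressed input would inflate past the configured cap."""


def bounded_inflate(data: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate raw DEFLATE data (the JWE "zip": "DEF" encoding) with a hard output cap."""
    # Negative wbits selects a raw DEFLATE stream without a zlib header.
    inflater = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    try:
        # Request at most limit + 1 bytes. zlib stops producing output there,
        # so memory use stays bounded however far the stream would expand.
        out = inflater.decompress(data, limit + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt DEFLATE stream: {exc}") from exc
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"output exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    if inflater.unused_data:
        raise ValueError("trailing bytes after DEFLATE stream")
    return out


def classify(data: bytes, limit: int = MAX_PLAINTEXT):
    """Return (verdict, size) so a caller can log why a payload was refused."""
    try:
        return ("accepted", len(bounded_inflate(data, limit)))
    except DecompressionLimitExceeded:
        return ("rejected-too-large", len(data))
    except ValueError:
        return ("rejected-malformed", len(data))


def raw_deflate(data: bytes) -> bytes:
    """Helper used only to build the constructed samples below."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return deflater.compress(data) + deflater.flush()


def constructed_samples():
    """Constructed inputs: an ordinary claims payload and a highly compressible one."""
    normal = raw_deflate(b'{"sub":"alice","scope":"read"}')
    oversized = raw_deflate(b"\x00" * (32 * 1024 * 1024))  # 32 MiB of zeros
    return normal, oversized


if __name__ == "__main__":
    normal, oversized = constructed_samples()
    for name, blob in (("normal", normal), ("oversized", oversized)):
        print(name, len(blob), "bytes on the wire ->", classify(blob))
```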
RHEL 10 provides 389-ds-base package version 3.0.4
The 389-ds-base package is now based on upstream version 3.0.4. Notable bug fixes and enhancements over previous versions are described in the upstream release notes:
389-ds-base now fully supports LMDB
Introduced in RHEL 9.5 as a Technology Preview, Lightning Memory-Mapped Database (LMDB) is now fully supported by the 389-ds-base package in RHEL 10. Directory Server now creates instances with Lightning Memory-Mapped Database (LMDB) by default.
LMDB introduces the following configuration parameters that are stored under the new cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config configuration entry:
- nsslapd-mdb-max-size. Sets the database maximum size in bytes.
  Important: Make sure that nsslapd-mdb-max-size is high enough to store all intended data. However, the parameter must not be so high that it impacts performance, because the database file is memory-mapped.
- nsslapd-mdb-max-readers. Sets the maximum number of read operations that can be opened at the same time. Directory Server autotunes this setting.
- nsslapd-mdb-max-dbs. Sets the maximum number of named database instances that can be included within the memory-mapped database file.
Along with the new LMDB settings, you can still use the nsslapd-db-home-directory database configuration parameter.
The BDB instances are no longer supported. Therefore, migrate all instances to LMDB.
Jira:RHELDOCS-18966[1]
ansible-freeipa rebased to 1.13.2
The ansible-freeipa package has been rebased from version 1.12.1 to 1.13.2. Notable enhancements include:
- The ansible-freeipa package requires the ansible-core package version 2.15 minimum. Both ansible-core 2.15 and the latest version of ansible-freeipa are available in the Appstream repository. For this reason, no manual update of ansible-core is required.
- You can now create an inventory of Identity Management (IdM) servers for ansible-freeipa playbooks dynamically. The freeipa plugin gathers data about the IdM servers in the domain, and selects only those that have a specified IdM server role assigned. For example, if you want to search the logs of all IdM DNS servers in the domain to detect possible issues, the plugin ensures that all IdM replicas with the DNS server role are detected and automatically added to the managed nodes.
- You can now more efficiently run ansible-freeipa playbooks that use a single Ansible task to add, modify, and delete multiple Identity Management (IdM) users, user groups, hosts, and services. Previously, each entry in a list of users had its dedicated API call. With this enhancement, several API calls are combined into one API call within a task. The same applies to lists of user groups, hosts and services. As a result, the speed of adding, modifying, and deleting these IdM objects by using the ipauser, ipagroup, ipahost and ipaservice modules is increased. The biggest benefit can be seen when the client context is used.
- The ansible-freeipa rpm now installs the freeipa.ansible_freeipa collection only. To use the new collection, add the freeipa.ansible_freeipa prefix to the names of roles and modules. Use the fully-qualified names to follow Ansible recommendations. For example, to refer to the ipahbacrule module, use freeipa.ansible_freeipa.ipahbacrule. You can simplify the use of the modules that are part of the freeipa.ansible_freeipa collection by applying module_defaults.
4.13. SSSD
authselect is mandatory to configure authentication and identity sources
With this enhancement, authselect is now required by PAM and manages nsswitch.conf and selected PAM configuration, including system-auth, password-auth, smartcard-auth, fingerprint-auth, and postlogin in /etc/pam.d/.
For system upgrades from previous RHEL versions:
- If an authselect configuration already exists, authselect apply-changes automatically updates the configuration to the latest version. If there was no previous authselect configuration on your system, no changes are made.
- On systems managed by authselect, any non-authselect configurations are now forcefully overwritten without a prompt during the next authselect call. The --force option is no longer required.
If you require a special configuration, create a custom authselect profile. Note that you must manually update custom profiles to keep them up to date with your system.
You can opt-out from using authselect:
# authselect opt-out
Jira:RHELDOCS-19197[1]
Local profile is the new default authselect profile
Due to the removal of the SSSD files provider, a new authselect local profile has been introduced to handle local user management without relying on SSSD. The local profile replaces the previous minimal profile and becomes the default authselect profile for new installations instead of the sssd profile.
During upgrades, the authselect utility automatically migrates existing configurations from minimal to local profile.
Additionally, the sssd authselect profile has been updated to remove the with-files-domain and with-files-access-provider options and it no longer handles local user accounts directly via these options. If you relied on these options, you must update your SSSD configuration to use proxy provider instead of files provider.
The sssd profile now supports the --with-tlog option, which enables session recording for users managed by SSSD.
Jira:RHELDOCS-19263[1]
Running SSSD with reduced privileges
To support general system hardening (running software with least privileges possible), the System Security Services Daemon (SSSD) service is now configured to run under sssd or root using the systemd service configuration files (service user). This service user now defaults to sssd. Irrespective of which service user is configured, root or sssd, all root capabilities are dropped, with the exception of a few privileged helper processes.
Note that you must ensure the correct ownership of configuration files. The sssd.conf file must be owned by the same user that is used to run the SSSD service. By default, in RHEL 10, this is the sssd user. If you create your sssd.conf file either manually or via an Ansible script, ensure the ownership is correct. For example, if you create a sssd.conf file under the root user, you must change the ownership to sssd:sssd using the chown command.
Jira:RHELDOCS-18882[1]
Support for KnownHostsCommand has been added to SSSD
With this update, support for KnownHostsCommand has been added to SSSD. You can use the tool sss_ssh_knownhosts with the SSH KnownHostsCommand configuration option to retrieve the host's public keys from a remote server, such as FreeIPA, LDAP, and others. The sss_ssh_knownhosts tool replaces the less reliable sss_ssh_knownhostsproxy tool. sss_ssh_knownhostsproxy is no longer available and a message is displayed indicating the tool is obsolete.
Jira:RHELDOCS-19162[1]
4.14. Desktop
Firefox and Thunderbird are provided only as Flatpaks in RHEL 10
In RHEL 10.0 Beta, the Firefox Flatpak is not preinstalled. For RHEL 10.0, Firefox Flatpak will be automatically installed after the system is registered and is connected to the Internet.
To learn more about Flatpaks, see the Introducing the Red Hat Flatpak runtime for desktop containers Red Hat Blog article.
Install Firefox or Thunderbird on a RHEL 10-beta system by using the following steps:
Add the Flatpak registry to your system:
# flatpak remote-add rhel-10-beta \
  https://flatpaks.redhat.io/rhel-10-beta.flatpakrepo
Log into the Red Hat Container Catalog:
# podman login registry.redhat.io
Username: <username>
Password: <password>
Provide the credentials to your Red Hat Customer Portal account or your registry service account tokens.
By default, Podman saves the credentials only until you log out.
Optional: Save your credentials permanently. Use one of the following options:
Save the credentials for the current user:
# cp $XDG_RUNTIME_DIR/containers/auth.json \
  $HOME/.config/flatpak/oci-auth.json
Save the credentials system-wide:
# cp $XDG_RUNTIME_DIR/containers/auth.json \
  /etc/flatpak/oci-auth.json
When installing credentials system-wide, log into the Red Hat Container Catalog by using registry account tokens.
Install Firefox RHEL 10 Beta Flatpak:
# flatpak install rhel-10-beta org.mozilla.Firefox
Run Firefox from the GNOME overview or from the command line:
# flatpak run org.mozilla.Firefox
Jira:RHEL-24332[1]
Window overview added to GNOME classic
In previous versions, the overview of open windows was not available while using the GNOME classic session. With this update, you can use the overview in both the standard GNOME and classic mode sessions. This makes the overview’s features, including system search, available to classic mode users. Users can now also use classic mode extensions with the default GNOME session.
Jira:RHELDOCS-19060[1]
GNOME Online Accounts can restrict which features providers can use
You can use the new goa.conf file in the system configuration directory, usually named /etc/goa.conf, to limit what features each provider can use.
In the goa.conf file, the group name defines the provider type, and the keys define boolean switches to disable the respective features. If you do not set any key or section for a feature, the feature is enabled.
For example, to disable the mail feature for Google accounts, use the following setting:
[google]
mail=false
You can use the all special section name to cover every provider. The value in the specific provider has precedence, if it exists and contains a valid boolean value. Note that some combinations of disabled features can lead to incomplete or invalid accounts being read by the GOA users, such as the Evolution application. Always test the changes first. Restart the GNOME Online Accounts for the changed configuration to take effect.
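To review what a goa.conf policy actually disables before deploying it, you can resolve the precedence rule described above offline. The following is an added example, not GNOME Online Accounts code: the function names and the sample file are constructed, the feature keys other than mail are sample values, and the script assumes that only the literal values true and false count as valid booleans.

```python
import configparser

# Constructed sample policy; the [google] mail=false setting is the one shown above.
SAMPLE_GOA_CONF = """\
[all]
files=false
calendar=false

[google]
mail=false
files=true
calendar=maybe

[owncloud]
contacts=false
"""


def _as_bool(raw):
    """Return True/False for a literal true/false value, None otherwise.

    Assumption of this example: any other spelling is treated as invalid.
    """
    if raw is None:
        return None
    value = raw.strip()
    if value in ("true", "false"):
        return value == "true"
    return None


def load_policy(conf_text):
    """Parse goa.conf text into {section: {key: raw_value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    return {section: dict(parser[section]) for section in parser.sections()}


def feature_enabled(policy, provider, feature):
    """Resolve one feature for one provider type.

    Order: a valid boolean in the provider section wins, then a valid boolean
    in [all]; with neither present, the feature is enabled.
    """
    for section in (provider, "all"):
        value = _as_bool(policy.get(section, {}).get(feature))
        if value is not None:
            return value
    return True


def disabled_features(policy, provider, features):
    """List the features from `features` that the policy disables for a provider."""
    return sorted(f for f in features if not feature_enabled(policy, provider, f))


if __name__ == "__main__":
    policy = load_policy(SAMPLE_GOA_CONF)
    features = ["mail", "calendar", "contacts", "files"]
    for provider in ("google", "owncloud"):
        print(provider, "disabled:", disabled_features(policy, provider, features))
```

In the sample, the invalid calendar=maybe value in [google] does not take precedence, so the [all] value applies and calendar stays disabled for Google accounts.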
4.15. The web console
New package: cockpit-files
The cockpit-files package provides the File manager page in the RHEL web console. With the File manager, you can perform the following actions:
- Browse files and directories on file systems you can access
- Sort files and directories by various criteria
- Filter displayed files by a sub-string
- Copy, move, delete, and rename files and directories
- Create directories
- Upload files
- Bookmark file paths
- Use keyboard shortcuts for the actions
Jira:RHELDOCS-16362[1]
4.16. Red Hat Enterprise Linux System Roles
Support for new ha_cluster system role features
The ha_cluster system role now supports the following features:
- Configuring utilization attributes for node and primitive resources.
- Configuring node addresses and SBD options by using the ha_cluster_node_options variable. If both ha_cluster_node_options and ha_cluster variables are defined, their values are merged, with values from ha_cluster_node_options having precedence.
- Configuring access control lists (ACLs).
- Configuring Pacemaker alerts to take an external action when a cluster event such as node failure or resource starting or stopping occurs.
- Easy installation of agents for cloud environments by setting the ha_cluster_install_cloud_agents variable to true.
Jira:RHEL-34893[1], Jira:RHEL-34898, Jira:RHEL-34894, Jira:RHEL-34885
New sudo RHEL system role
sudo is a critical part of RHEL system configuration. With the new sudo RHEL system role, you can consistently manage sudo configuration at scale across your RHEL systems.
The storage RHEL system role can now manage Stratis pools
With this enhancement, you can use the storage RHEL system role to complete the following tasks:
- Create a new encrypted and unencrypted Stratis pool
- Add new volumes to the existing Stratis pool
- Add new disks to the Stratis pool
For details on how to manage Stratis pools and other related information, see the resources in the /usr/share/doc/rhel-system-roles/storage/ directory.
Jira:RHEL-40798[1]
New variables in the podman RHEL system role: podman_registry_certificates and podman_validate_certs
The following two variables have been added to the podman RHEL system role:
- podman_registry_certificates (list of dictionary elements): Enables you to manage TLS certificates and keys used to connect to the specified container image registry.
- podman_validate_certs (boolean, defaults to null): Controls whether pulling images from container image registries will validate TLS certificates or not. The default null value means that the role uses whatever default the containers.podman.podman_image module is configured with. You can override the podman_validate_certs variable on a per-specification basis with the validate_certs variable.
As a result, you can use the podman RHEL system role to configure TLS settings for connecting to container image registries.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory. Alternatively, you can review the containers-certs(5) manual page.
Jira:RHEL-34884[1]
New variables in the podman RHEL system role: podman_registry_username and podman_registry_password
The podman RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:
- podman_registry_username (string, defaults to unset): Configures the username for authentication with the container image registry. You must also set the podman_registry_password variable. You can override podman_registry_username on a per-specification basis with the registry_username variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification.
- podman_registry_password (string, defaults to unset): Configures the password for authentication with the container image registry. You must also set the podman_registry_username variable. You can override podman_registry_password on a per-specification basis with the registry_password variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification. For security, encrypt the password using the Ansible Vault feature.
As a result, you can use the podman RHEL system role to manage containers with images whose registries require authentication for access.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory.
Jira:RHEL-34890[1]
New variable in the podman RHEL system role: podman_credential_files
Some operations need to pull container images from registries in an automated or unattended way and cannot use the podman_registry_username and podman_registry_password variables.
Therefore, the podman RHEL system role now accepts the containers-auth.json file to authenticate against container image registries. For that purpose, you can use the following role variable:
- podman_credential_files (list of dictionary elements): Each dictionary element in the list defines a file with user credentials for authentication to private container image registries. For security, encrypt these credentials using the Ansible Vault feature. You can specify file name, mode, owner, group of the file, and can specify the contents in different ways. See the role documentation for more details.
As a result, you can input container image registry credentials for automated and unattended operations.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory. Alternatively, you can review the containers-auth.json(5) and containers-registries.conf(5) manual pages.
Jira:RHEL-34891[1]
New variables in the journald RHEL system role: journald_rate_limit_interval_sec and journald_rate_limit_burst
The following two variables have been added to the journald RHEL system role:
- journald_rate_limit_interval_sec (integer, defaults to 30): Configures a time interval in seconds, within which only the journald_rate_limit_burst log messages are handled. The journald_rate_limit_interval_sec variable corresponds to the RateLimitIntervalSec setting in the journald.conf file.
- journald_rate_limit_burst (integer, defaults to 10 000): Configures the upper limit of log messages, which are handled within the time defined by journald_rate_limit_interval_sec. The journald_rate_limit_burst variable corresponds to the RateLimitBurst setting in the journald.conf file.
As a result, you can use these settings to tune the performance of the journald service to handle applications that log many messages in a short period of time.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/journald/ directory.
Jira:RHEL-34892[1]
The ssh RHEL system role now recognizes the ObscureKeystrokeTiming and ChannelTimeout configuration options
The ssh RHEL system role has been updated to reflect addition of the following configuration options in the OpenSSH utility suite:
- ObscureKeystrokeTiming (yes|no|interval specifier, defaults to 20): Configures whether the ssh utility should obscure the inter-keystroke timings from passive observers of network traffic.
- ChannelTimeout: Configures whether and how quickly the ssh utility should close inactive channels.
When using the ssh RHEL system role, you can use the new options like in this example play:
- name: Non-exclusive sshd configuration
  hosts: managed-node-01.example.com
  tasks:
    - name: Configure ssh to obscure keystroke timing and set 5m session timeout
      ansible.builtin.include_role:
        name: rhel-system-roles.ssh
      vars:
        ssh_ObscureKeystrokeTiming: "interval:80"
        ssh_ChannelTimeout: "session=5m"
The storage RHEL system role can now resize LVM physical volumes
If the size of a block device has changed and you use this device in an LVM, you can adjust the LVM physical volume as well. With this enhancement, you can use the storage RHEL system role to resize LVM physical volumes to match the size of the underlying block devices after you resize them. To enable automatic resizing, set grow_to_fill: true on the pool in your playbook.
Jira:RHEL-40797[1]
The nbde_client RHEL system role now enables you to skip running certain configurations
With the nbde_client RHEL system role you can now disable the following mechanisms:
- Initial ramdisk
- NetworkManager flush module
- Dracut flush module
The clevis-luks-askpass utility unlocks some storage volumes late in the boot process after the NetworkManager service puts the OS on the network. Therefore, no configuration changes to the mentioned mechanisms are necessary.
As a result, you can prevent the mentioned configurations from running to support advanced networking setups, or to let volume decryption occur late in the boot process.
Jira:RHEL-45718[1]
New variable in the postfix RHEL system role: postfix_files
The postfix RHEL system role now enables you to configure extra files for the Postfix mail transfer agent. For that purpose, you can use the following role variable:
- postfix_files: Defines a list of files to be placed in the /etc/postfix/ directory that can be converted into Postfix Lookup Tables if needed. This variable enables you to configure Simple Authentication and Security Layer (SASL) credentials, and similar. For security, encrypt files that contain credentials and other secrets using the Ansible Vault feature.
As a result, you can use the postfix RHEL system role to create these extra files and integrate them in your Postfix configuration.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/postfix/ directory.
Jira:RHEL-46855[1]
The snapshot RHEL system role now supports managing snapshots of LVM thin pools
With thin provisioning, you can use the snapshot RHEL system role to manage snapshots of LVM thin pools. These thin snapshots are space-efficient and only grow as data is written or modified after the snapshot is taken. The role automatically detects if the specified volume is scheduled for a thin pool. The added feature could be useful in environments where you need to take frequent snapshots without consuming a lot of physical storage.
Jira:RHEL-48230[1]
New option in the logging RHEL system role: reopen_on_truncate
The files input type of the logging_inputs variable now supports the following option:
- reopen_on_truncate (boolean, defaults to false): Configures the rsyslog service to re-open the input log file if it was truncated, such as during log rotation. The reopen_on_truncate role option corresponds to the reopenOnTruncate parameter for rsyslog.
As a result, you can configure rsyslog in an automated fashion through the logging RHEL system role to re-open an input log file if it was truncated.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory.
Jira:RHEL-48609[1]
New variable in the logging RHEL system role: logging_custom_config_files
You can provide custom logging configuration files by using the following variable for the logging RHEL system role:
- logging_custom_config_files (list): Configures a list of configuration files to copy to the default logging configuration directory. For example, for the rsyslog service it is the /etc/rsyslog.d/ directory. This assumes the default logging configuration loads and processes the configuration files in that directory. The default rsyslog configuration has a directive such as $IncludeConfig /etc/rsyslog.d/*.conf.
As a result, you can use customized configurations not provided by the logging RHEL system role.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory.
Jira:RHEL-50288[1]
The logging RHEL system role can set ownership and permissions for rsyslog files and directories
The files output type of the logging_outputs variable now supports the following options:
- mode (raw, defaults to null): Configures the FileCreateMode parameter associated with the omfile module in the rsyslog service.
- owner (string, defaults to null): Configures the fileOwner or fileOwnerNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets fileOwnerNum. Otherwise, it sets fileOwner.
- group (string, defaults to null): Configures the fileGroup or fileGroupNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets fileGroupNum. Otherwise, it sets fileGroup.
- dir_mode (defaults to null): Configures the DirCreateMode parameter associated with the omfile module in rsyslog.
- dir_owner (defaults to null): Configures the dirOwner or dirOwnerNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets dirOwnerNum. Otherwise, it sets dirOwner.
- dir_group (defaults to null): Configures the dirGroup or dirGroupNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets dirGroupNum. Otherwise, it sets dirGroup.
As a result, you can set ownership and permissions for files and directories created by rsyslog.
Note that the file or directory properties are the same as the corresponding variables in the Ansible file module.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory. Alternatively, review the output of the ansible-doc file command.
Jira:RHEL-50289[1]
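The following playbook is an added example, not taken from these release notes or from the role's own documentation. It combines the reopen_on_truncate input option with the file ownership and permission options described above. The host group, the input, output and flow names, both paths, and the adm group are assumptions; input_log_path, path, and logging_flows are existing role parameters that this page does not describe.

```yaml
# Added example; host group, names, and paths are assumptions.
- name: Tail an application log and store it with restricted permissions
  hosts: managed_nodes                  # assumed inventory group
  roles:
    - rhel-system-roles.logging
  vars:
    logging_inputs:
      - name: app_input                 # hypothetical name
        type: files
        input_log_path: /var/log/myapp/*.log   # assumed source log
        # Re-open the input file if it is truncated, for example by log
        # rotation (sets the rsyslog reopenOnTruncate parameter).
        reopen_on_truncate: true
    logging_outputs:
      - name: app_output                # hypothetical name
        type: files
        path: /var/log/collected/myapp.log     # assumed destination
        # Quote modes so that YAML keeps them as octal strings
        # instead of converting them to decimal integers.
        mode: "0640"                    # FileCreateMode
        owner: root                     # string, so fileOwner is set
        group: adm                      # string, so fileGroup is set
        dir_mode: "0750"                # DirCreateMode
        dir_owner: 0                    # integer, so dirOwnerNum is set
        dir_group: adm                  # string, so dirGroup is set
    logging_flows:
      - name: app_flow                  # hypothetical name
        inputs: [app_input]
        outputs: [app_output]
```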
Using the storage RHEL system role creates fingerprints on managed nodes
If not already present, storage creates a unique identifier (fingerprint) every time you run this role. The fingerprint has the form of the # system_role:storage string written to the /etc/fstab file on your managed nodes. As a result, you can track which nodes are managed by storage.
Jira:RHEL-50291[1]
New src parameter is added to the network RHEL system role
The src parameter has been added to the route sub-option of the ip option for the network_connections variable. This parameter specifies the source IP address for a route. It is typically useful for multi-WAN connections, where a machine has multiple public IP addresses and you want to ensure that outbound traffic uses a specific IP address tied to a particular network interface. As a result, support for the src parameter provides better control over traffic routing and ensures a more robust and flexible network configuration capability in the described scenarios.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/network/ directory.
Jira:RHEL-53901[1]
Support for configuring GFS2 file systems on RHEL 9 clusters by using RHEL system roles
Red Hat Enterprise Linux 10 supports the configuration and management of the Red Hat Global File System 2 (GFS2) by using the gfs2 RHEL system role on a RHEL 10 control node to manage RHEL 9 systems. The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On, which includes the GFS2 file system, is itself not supported on RHEL 10 systems. The role creates GFS2 file systems in a Pacemaker cluster managed with the pcs command-line interface.
Previously, setting up GFS2 file systems in a supported configuration required you to follow a long series of steps to configure the storage and cluster resources. The gfs2 role simplifies the process. Using the role, you can specify only the minimum information needed to configure GFS2 file systems in a RHEL high availability cluster.
The gfs2 role performs the following tasks:
- Installing the packages necessary for configuring a GFS2 file system in a Red Hat high availability cluster
- Setting up the dlm and lvmlockd cluster resources
- Creating the LVM volume groups and logical volumes required by the GFS2 file system
- Creating the GFS2 file system and cluster resources with the necessary resource constraints
Jira:RHEL-34828[1]
4.17. Virtualization
nbdkit rebased to version 1.38
The nbdkit package has been rebased to upstream version 1.38, which provides various bug fixes and enhancements. The most notable changes are the following:
- Block size advertising has been enhanced and a new read-only filter has been added.
- The Python and OCaml bindings support more features of the server API.
- Internal struct integrity checks have been added to make the server more robust.
For a complete list of changes, see the upstream release notes.
4.18. RHEL in cloud environments
cloud-init now uses NetworkManager as the default network renderer
With this update, the cloud-init utility uses NetworkManager (NM) as the back end for network configuration when initializing a cloud instance. As a result, using NM keyfiles in cloud-init setup no longer requires reconfiguring /etc/cloud/cloud.cfg.
Jira:RHEL-29720[1]
4.19. Supportability
The plugin option names now use only hyphens instead of underscores
To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores. For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.
Jira:RHELDOCS-18655[1]
The --api-url option is now available
With the --api-url option, you can call another API as required, for instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=<API_URL> --alloptions.
The new --skip-cleaning-files option is now available
The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.
Jira:RHEL-30893[1]
4.20. Containers
Image mode for RHEL now supports FIPS mode
With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, which, in addition to enabling FIPS mode in the Containerfile, also requires adding the fips=1 kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.
The following is a Containerfile with instructions to enable the fips=1 kernel argument:
FROM registry.redhat.io/rhel9/rhel-bootc:latest
# Enable fips=1 kernel argument: https://containers.github.io/bootc/building/kernel-arguments.html
COPY 01-fips.toml /usr/lib/bootc/kargs.d/
# Install and enable the FIPS crypto policy
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS
Jira:RHELDOCS-18585[1]
Support for creating and deploying VMDK with bootc-image-builder
With this enhancement, you can now create a Virtual Machine Disk (VMDK) from a bootc image by using the bootc-image-builder tool, and deploy VMDK images to VMware vSphere.
Jira:RHELDOCS-18398[1]
Podman and Buildah support adding OCI artifacts to image indexes
With this update, you can create artifact manifests and add them to image indexes.
The buildah manifest add command now supports the following options:
- the --artifact option to create artifact manifests
- the --artifact-type, --artifact-config-type, --artifact-layer-type, --artifact-exclude-titles, and --subject options to fine-tune the contents of the artifact manifests it creates.
The buildah manifest annotate command now supports the following options:
- the --index option to set annotations on the index itself instead of on one of the entries in the image index
- the --subject option for setting the subject field of an image index.
The buildah manifest create command now supports the --annotation option to add annotations to the new image index.
Option is available to disable Podman healthcheck event
This enhancement adds a new healthcheck_events option in the containers.conf configuration file under the [engine] section to disable the generation of health_status events. Set healthcheck_events=false to disable logging healthcheck events.
Runtime resource changes in Podman are persistent
The updates of container configuration by using the podman update command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.
Building multi-architecture images is fully supported
The podman farm build command that creates multi-architecture container images is now fully supported.
A farm is a group of machines that have a UNIX Podman socket running in them. The nodes in the farm can be machines of various architectures. The podman farm build command is faster than the podman build --arch --platform command.
You can use podman farm build to perform the following actions:
- Build an image on all nodes in a farm.
- Bundle an image on all nodes in a farm up into a manifest list.
- Execute the podman build command on all the farm nodes.
- Push the images to the registry specified by using the --tag option.
- Locally create a manifest list.
- Push the manifest list to the registry.
The manifest list contains one image per native architecture type present in the farm.
Quadlets for pods in Podman are available
Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.
The Podman v2.0 RESTful API has been updated
New fields have been added to the libpod/images/json endpoint:
- The isManifest boolean field to determine if the target is a manifest or not. The libpod endpoint returns both images and manifest lists.
- The os and arch fields for image listing.
Kubernetes YAML now supports a data volume container as an init container
A list of images to automatically mount as volumes can now be specified in Kubernetes YAML by using the "io.podman.annotations.kube.image.automount/$ctrname" annotation. Image-based mounts using podman run --mount type=image,source=<image>,dst=<path>,subpath=<path> now support a new option, subpath, to mount only part of the image into the container.
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:
- The podman manifest add command now supports a new --artifact option to add OCI artifacts to a manifest list.
- The podman create, podman run, and podman push commands now support the --retry and --retry-delay options to configure retries for pushing and pulling images.
- The podman run and podman exec commands now support the --preserve-fd option to pass a list of file descriptors into the container. It is an alternative to --preserve-fds, which passes a specific number of file descriptors.
- Quadlet now supports templated units.
- The podman kube play command can now create image-based volumes by using the volume.podman.io/image annotation.
- Containers created with the podman kube play command can now include volumes from other containers by using a new annotation, io.podman.annotations.volumes-from.
- Pods created with the podman kube play command can now set user namespace options by using the io.podman.annotations.userns annotation in the pod definition.
- The --gpus option to podman create and podman run is now compatible with Nvidia GPUs.
- The --mount option to podman create and podman run supports a new mount option, no-dereference, to mount a symlink instead of its dereferenced target into a container.
- Podman now supports the new --config global option to point to a Docker configuration where registry login credentials can be sourced.
- The podman ps --format command now supports the new .Label format specifier.
- The uidmapping and gidmapping options to the podman run --userns=auto option can now map to host IDs by prefixing host IDs with the @ symbol.
- Quadlet now supports systemd-style drop-in directories.
- Quadlet now supports creating pods by using the new .pod unit files.
- Quadlet now supports two new keys, Entrypoint and StopTimeout, in .container files.
- Quadlet now supports specifying the Ulimit key multiple times in .container files to set more than one ulimit on a container.
- Quadlet now supports setting the Notify key to healthy in .container files, to only notify that a container has started when its health check begins passing.
- The output of the podman inspect command for containers has changed. The Entrypoint field changes from a string to an array of strings and StopSignal from an integer to a string.
- The podman inspect command for containers now returns nil for health checks when inspecting containers without health checks.
- It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
- Support for CNI networking is gated by a build tag and is not enabled by default.
- Podman now prints warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. You can set the PODMAN_IGNORE_CGROUPSV1_WARNING environment variable to suppress warnings.
- Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
- The default tool for rootless networking has been changed from slirp4netns to pasta for improved performance. As a result, networks named pasta are no longer supported.
- Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
- The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:
  - The --annotation option to podman manifest annotate and podman manifest add
  - The --configmap, --log-opt, and --annotation options to podman kube play
  - The --pubkeysfile option to podman image trust set
  - The --encryption-key and --decryption-key options to podman create, podman run, podman push and podman pull
  - The --env-file option to podman exec, the --blkio-weight-device, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --device, --label-file, --chrootdirs, --log-opt, --env-file options to podman create and podman run
  - The --hooks-dir and --module global options
- The podman system reset command no longer waits for running containers to stop, and instead immediately sends the SIGKILL signal.
- The podman network inspect command now includes running containers that use the network in its output.
- The podman compose command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A).
- The --no-trunc option to the podman kube play and podman kube generate commands has been deprecated. Podman now complies with the Kubernetes specification for annotation size, which removes the need for this option.
- Connections from the podman system connection command and farms from the podman farm command are now written to a new configuration file called podman-connections.conf. As a result, Podman no longer writes to the containers.conf file. Podman still respects existing connections from containers.conf.
- Most podman farm subcommands no longer need to connect to the machines in the farm to run.
- The podman create and podman run commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific.
- A new API endpoint, /libpod/images/$name/resolve, has been added to resolve a potential short name to a list of fully-qualified image references, which you can use to pull the image.
For more information about notable changes, see upstream release notes.
The containers.conf file is now read-only
The system connections and farm information stored in the containers.conf file is now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed; however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.
You can still manually edit the containers.conf file if needed. System connections that were added by Podman v4.0 remain unchanged after the upgrade to Podman v5.0.
Default settings changes for Podman v5.0
In RHEL 10.0 Beta, the following default settings have changed for Podman v5.0:
- cgroups v2 is used by default instead of cgroups v1
- pasta is the default network used by rootless containers instead of slirp4netns
A new rhel10-beta/rteval container image
The real-time registry.redhat.io/rhel10-beta/rteval container image is now available in the Red Hat Container Registry to run latency analysis on either a standalone RHEL installation. With the rhel10-beta/rteval container image, you can perform latency testing within a containerized setup to determine if such a solution is viable for your real-time workloads or to compare results against a bare-metal run of rteval. To use this feature, subscribe to RHEL with real-time support. No tuning guidelines are provided.
Jira:RHELDOCS-18522[1]
The --compat-volumes option is available for Podman and Buildah
You can use the new --compat-volumes option with the buildah build, podman build, and podman farm build commands. This option triggers special handling for the contents of directories marked using the VOLUME instruction such that their contents can subsequently only be modified by ADD and COPY instructions. Any changes made in those locations by RUN instructions will be discarded. Previously, this behavior was the default, but it is now disabled by default.
macvlan and ipvlan network interface names are configurable in containers.conf
To specify macvlan and ipvlan networks, you can adjust the name of the network interface created inside containers by using the new interface_name field in the containers.conf configuration file.
Jira:RHELDOCS-18769[1]
The composefs filesystem is now available
The composefs read-only filesystem is now fully supported. At the current time, it is generally intended to be used only by the bootc/ostree and podman projects. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images at runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.
Jira:RHEL-18157[1]
Support for building GCP images by using bootc-image-builder
By using the bootc-image-builder tool, you can now generate .gce disk images and provision the instances on the Google Compute Engine (GCE) platform.
Jira:RHELDOCS-18472[1]
The podman pod inspect command now provides a JSON array regardless of the number of pods
Previously, the podman pod inspect command omitted the JSON array when inspecting a single pod. With this update, the podman pod inspect command now produces a JSON array in the output regardless of the number of pods inspected.
Jira:RHELDOCS-18770[1]