10.1 Release Notes

New boot menu entry for fips=1 added to ISO installations

With this update, the DVD and Boot ISO image installations provide a new boot menu entry for setting the fips=1 kernel boot option. This simplifies the process, as enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. By using this boot option, you start the installation with the fips=1 kernel parameter and you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.

Soft reboots are now available in RHEL

Systemd now offers soft reboots, a capability for rebooting userspace without requiring full system downtime. Key enhancements include:

The rpm command is now available in the installation environment

Previously, the rpm command was not included in the installation environment. With this update, the rpm command is now included. Users can use this command when installing RHEL, for example, in the %post Kickstart scripts.

The blueprint file customization now supports a URI field for referencing files from external sources

This update adds the URI field support to the blueprint file customization structure. As a result, you can reference and source files from external locations rather than only those included directly in the blueprint, providing more flexible customization of the build system and a more adaptable build experience.

RHEL image builder supports a new image type vagrant-libvirt for vagrant

With this update, RHEL image builder supports the libvirt hypervisor, and you can easily run RHEL virtual machines by using Vagrant. This enhancement provides pre-configured images to ensure a consistent and streamlined setup. It also grants sudo privileges to the vagrant user within the Vagrant box, making it easier to manage and execute administrative tasks. These enhancements deliver a more efficient and seamless experience when working with RHEL virtual machines in Vagrant environments.

RHEL Image Builder now supports WSL2 images

You can now use the RHEL image builder to create Windows Subsystem for Linux (WSL2). The image type is available in the wsl format, and to consume the image, deploy it by double-clicking the generated file.

RHEL Image Builder GUI supports modularized content discovery

Starting from RHEL 9.7, RHEL Image Builder Graphical User Interface (GUI) supports modularized content discovery. This capability introduces the following enhancements:

image-installer provides a new boot menu entry for fips=1

In this update, the image-installer ISO image type provides a new boot menu entry for setting the fips=1 kernel boot option during installation. This simplifies the process, as in RHEL 10, you cannot switch an installed system to FIPS mode, and you must add fips=1 to the kernel command line when starting the installation. By setting fips=1 for the installation, you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.

Logical volume devices in /etc/fstab now use UUID in the fs_spec field

After installation, the system writes logical volume (LV) devices in /etc/fstab by using UUID in the fs_spec field. This change provides the following benefits:

RHEL 10.1 crypto-policies enable PQC algorithms by default

The system-wide cryptographic policies in RHEL 10.1 extend support for post-quantum cryptography (PQC) and enable PQC algorithms by default in all predefined policies. The most notable enhancements and fixes over the version in RHEL 10.0 include:

AD-SUPPORT-LEGACY subpolicy re-added to crypto-policies

The AD-SUPPORT-LEGACY cryptographic subpolicy, which is used to support legacy RC4 encryption for interoperability with outdated Active Directory implementations, is re-added to RHEL.

OpenSSL rebased to 3.5

OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:

NSS rebased to 3.112

The NSS cryptographic toolkit packages have been rebased to upstream version 3.112, which provides many improvements and fixes. Most notably, the following:

libreswan rebased to 5.3

The libreswan packages are rebased to the 5.3 upstream version.

GnuTLS rebased to 3.8.10

The gnutls package is rebased to the 3.8.10 upstream release, which includes the following enhancements:

Sequoia PGP updated to support OpenPGP v6

With this update, the sequoia-sq and sequoia-sqv can handle post-quantum cryptography (PQC) keys. The rpm-sequoia package newly supports verifications of OpenPGP v6 signatures. As a result, you can use quantum-resistant digital signatures conforming to the Commercial National Security Algorithm Suite (CNSA) 2.0 standard.

selinux-policy rebased to 42.1

The selinux-policy packages are rebased to upstream version 42.1. This version contains many fixes and improvements, including packaging improvements. Notably, SELinux types related to the systemd generators have been added to the SELinux policy.

OpenSSL supports sslkeylogfile

OpenSSL supports the sslkeylogfile format for TLS. As a result, you can log all secrets produced by SSL connections by setting the SSLKEYLOGFILE environment variable.

NSS supports ML-DSA keys

With this update, the Network Security Services (NSS) database now supports using Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys. ML-DSA is a new signing algorithm approved by the National Institute of Standards and Technology (NIST) as resistant to attacks from a Cryptographically Relevant Quantum Computer (CRQC).

Hybrid ML-KEM cryptography works in FIPS mode

With this release, Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) post-quantum cryptographic algorithms are supported in FIPS mode of RHEL. OpenSSL is able to fetch the Elliptic Curve Diffie-Hellman (ECDH) part of the new hybrid post-quantum groups from the FIPS provider when the system is running in FIPS mode. As a result, the OpenSSL library uses FIPS-compliant cryptography for the ECDH part of the hybrid post-quantum key exchanges.

OpenSSL 3.5 uses standard format for ML-KEM and ML-DSA

In RHEL 10.0, the oqsprovider library used a pre-standard format for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) private keys. With the rebase to OpenSSL 3.5, you must convert the ML-KEM and ML-DSA keys to the standard format by using the following command:

SCAP Security Guide rebased to 0.1.78

For additional information, see the SCAP Security Guide release notes.

SELinux policy modules related to EPEL packages moved to -extra subpackages in the CRB repository

In RHEL 10.0, SELinux policy modules related only to packages contained in the Extra Packages for Enterprise Linux (EPEL) repository and not to any RHEL package were moved from the selinux-policy package to the selinux-policy-epel package. This reduced the size of selinux-policy, enabling the system to perform operations such as rebuilding and loading the SELinux policy faster.

setroubleshoot-server no longer requires initscripts

Before this update, the %post and %postun scriptlets for the setroubleshoot-server SELinux diagnostic tool called /sbin/service. With this update, the scriptlets now directly call auditctl for reloading the auditd service, and bypass the use of /sbin/service. This enhancement simplifies the dependency structure and streamlines the execution of the scriptlets.

OpenSSH ignores invalid RSA hostkeys in known_hosts

Before this update, if known_hosts contained only a bad hostkey, the SSH connection failed with a bad hostkey: Invalid key length message when OpenSSH received a server hostkey, even if the server had valid hostkeys available. With this update, OpenSSH ignores RSA hostkeys that are invalid due to being too short in the known_hosts file. As a result, instead of a failed SSH connection, OpenSSH receives new keys and can establish a connection.

Three RHEL services removed from SELinux permissive mode

The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

GnuTLS supports ML-DSA keys in TLS connections.

With this update, the GnuTLS library supports using X.509 certificates with Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys in TLS 1.3 connections. For resistance against attacks by quantum computers, the certificate chain and the TLS handshake must be authenticated with a post-quantum algorithm, such as ML-DSA.

OpenSSH server supports Kerberos authentication indicators

When in Match configuration, OpenSSH server supports authentication indicators from Kerberos tickets. If the GSSAPIIndicators option is defined in sshd configuration, a Kerberos ticket that has indicators but does not match the policy is denied. If at least one indicator is configured, whether for access or denial, tickets without authentication indicators are explicitly rejected. For more information, see the sshd_config(5) man page on your system.

DNS over TLS is generally available in RHEL 10.1

Encrypted DNS (eDNS) is generally available to secure all DNS communication using the DNS-over-TLS (DoT) protocol. You can use eDNS to secure new RHEL installations during boot time, which ensures no plaintext DNS traffic is ever sent. You can also convert an existing RHEL system to use eDNS.

New package: fips-provider-next

The fips-provider-next package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the openssl-fips-provider package is the validated OpenSSL FIPS provider. To switch from ‎openssl-fips-provider to ‎fips-provider-next:

Rsyslog imuxsock provides the new ratelimit.discarded counter

With this update, the imuxsock Rsyslog module includes a new counter, ratelimit.discarded, which tracks the number of messages dropped due to rate-limiting on the Unix socket. This enhancement provides administrators with visibility into message loss due to rate-limiting, enabling them to fine-tune their rate-limiting settings and prevent critical logs from being discarded.

The SELinux policy adds rules and type for the qgs daemon

The qgs daemon was added to RHEL with the linux-sgx package, which supports TDX confidential virtualization. The qgs daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new qgs_t type, access rules, and permissions.

audit.cron helps to set up time-based auditd log rotation

With this update, the auditd.cron file has been added to the audit packages. This enhancement provides a clear, documented example of how to configure time-based auditd log rotation using existing tools. As a result, administrators have a simple, official guide to set up auditd log rotation based on time.

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

Rsyslog imfile provides the new deleteStateOnFileMove option

With this update, the new deleteStateOnFileMove parameter has been added to the imfile module, available as both a module-level and a per-action option. This enhancement addresses the issue of orphaned state files accumulating in the spool/ directory when monitored log files are rotated or moved. By enabling this parameter, you can automatically clean up these obsolete files when log files are moved, preventing disk space from being wasted and simplifying management.

RPM supports spec-local file attributes and dependency generators

File attributes and their dependency generators are usually shipped in separate packages that you must install prior to building a package that uses these attributes. However, you might need a file attribute to take effect during the build of the package that ships this attribute. You might also need the file attribute just for building the package, without shipping the attribute at all.

RPM records a checksum of the original package during installation

With this update, RPM records the SHA256 and SHA512 digests of the entire .rpm package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific .rpm file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of .rpm packages, such as the ones available in a DNF repository.

System clock skew is reported during dnf transactions

Significant clock skew between a system and the entitlement server can make content repositories unavailable, even on properly registered systems. This is difficult to troubleshoot, particularly when a negative skew makes entitlements appear to start in the future.

Support added for post-quantum cryptography in tog-pegasus

Previously, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

Support added for post-quantum cryptography in sblim-sfcb

Previously, the package did not use post-quantum key exchange by default if the peer supports it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

Support added for post-quantum cryptography in openwsman

Previously,the package did not use post-quantum key exchange by default if the peer supports it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

openCryptoki provided in version 3.25.0

The openCryptoki packages are provided in version 3.25.0. Support has been added for the following:

RHEL is now equipped with dyninst version 13.0.0

The dyninst framework is rebased to upstream version 13.0.0 This version offers the following list of enhancements:

RHEL is now equipped with SystemTap version 5.3

SystemTap is rebased to version 5.3, and its multithreaded parsing capability now improves startup performance by reducing initialization time by several seconds.

elfutils is now rebased to version 0.193

elfutils 0.193 is now available in RHEL 10.1. The notable changes in this update include:

valgrind has been upgraded to upstream version 3.25.1

The upgrade from version 3.24.0 (RHEL 10.0) to the upstream version 3.25.1 (RHEL 10.1) provides the following notable enhancements:

valgrind package split into subpackages for flexible installation

Before this update, the ‎valgrind package included all core functionality, post-processing scripts, GDB integration, and documentation in a single package which required you to install all components, even if you only needed specific features.

jemalloc 5.3.0 is integrated within Varnish

Before this update, some users reported excessive memory usage in Varnish following upgrades to newer versions of Red Hat Enterprise Linux. Despite setting explicit memory limits (for example, -s malloc,1G), memory consumption continued to grow over time.

The BrowseOptionsUpdate directive is now available in RHEL

The BrowseOptionsUpdate directive determines the source and update frequency of default printing options. It specifies whether the system retrieves options from a local system or a remote printing server, and if it updates them at service startup, at certain intervals, or not at all.

NetworkManager and Nmstate support configuring IPv4 forwarding per interface

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

KTLS now supports rekeying for TLS 1.3

Kernel Transport Layer Security (KTLS), which is an unsupported Technology Preview in RHEL, now supports in-kernel rekeying for TLS 1.3. Previously, long-lived sessions with large data transfers were not possible because only a limited number of bytes could be sent with the initial key. With this enhancement, updates now occur seamlessly during an active session, supporting the transfer of large amounts of data without applications needing to restart connections. Note that, to use this feature, user-space libraries, such as OpenSSL and GnuTLS, must also support KTLS rekeying capability.

Nmstate now supports the mtu and quickack route options

With this enhancement, you can use Nmstate to set the mtu and quickack route options. These settings are important for optimizing the network performance if the maximum transmission unit is different from the default and for tuning the TCP acknowledgment behavior. As a result, you now have more precise control over network traffic behavior.

Nmstate now supports configuring FEC settings for network interfaces

With this enhancement, you can now use Nmstate to apply Forward Error Correction (FEC) modes, such as RS-FEC, Base-R and Disabled to interfaces. These settings are crucial for improving data transmission reliability by detecting and correcting errors without retransmission. As a result, you can now use Nmstate to apply FEC settings instead of manually configuring them or using platform-specific tools.

An NBFT parser was added to nm-initrd-generator

NVMe Boot Firmware Table (NBFT) is a standard method for firmware to pass network and storage configuration from the pre-boot environment directly to the operating system by using an ACPI table. The nm-initrd-generator utility now uses this parser to automatically detect and apply this configuration, and creates the necessary connections without manual setup. This implementation replaces the 95nvmf module in dracut and relies on systemd automation for a more streamlined and robust boot sequence.

NetworkManager now supports fixed subnet IDs for downstream interfaces when using IPv6 prefix delegation

With this enhancement, you can now specify a fixed subnet ID for downstream interfaces in NetworkManager when you use IPv6 prefix delegation. In previous releases, when you rebooted the system, the subnet ID for these interfaces could change. With a fixed subnet ID, IPv6 addresses assigned to devices in the downstream network do not change when you reboot the RHEL host.

Nmstate now supports configuring routes by using a MAC address instead of an interface name

With Nmstate, you can create a network connection by assigning it to the MAC address of an interface. With this enhancement, you can use the profile name instead of the interface name in the next-hop-interface parameter in the routing configuration. With this feature, you can create static routes without knowing the interface name.

Nmstate can assign settings to network interfaces based on PCI addresses

With this enhancement, you can use Nmstate to set up network interfaces based on their PCI address instead of a device name. Use this feature to ensure consistent configuration across nodes in a cluster. For further details, see Configuring an Ethernet connection with a dynamic IP address by using nmstatectl with a device path and Configuring an Ethernet connection with a static IP address by using nmstatectl with a device path.

Nmstate now supports egress and ingress priority mapping for VLAN interfaces

NetworkManager already supports configuring traffic priority mapping for VLAN interfaces. With this enhancement, the Nmstate library can also handle both egress and ingress priority quality of service (QoS) mapping rules. As a result, you can use Nmstate to create VLANs and define bidirectional priority mapping, helping manage traffic more precisely and efficiently.

nmtui now supports configuring the loopback interface

NetworkManager already supports configuring the loopback interface by using the nmcli utility. This enhancement adds the same functionality to the nmtui application. As a result, you can configure IP addresses and routes on the loopback interface.

The NetworkManager-libreswan plugin supports using the Libreswan default values

With this enhancement, you can set the no-nm-default property in Libreswan VPN connection profiles to true to use Libreswan’s instead of NetworkManager’s default values. This ensures the compatibility with configurations defined for native Libreswan. As a result, you can now, for example, configure subnet-to-subnet tunnels.

Bond configurations in Nmstate support optimization settings

With this enhancement, the Nmstate API supports the following bond options:

iproute rebased to version 6.14.0

The iproute package has been updated to upstream version 6.14.0.

New network packet drop reasons and MIB counters

The kernel’s networking stack now provides more detailed reasons when it drops network packets. This enhancement also adds two new Management Information Base (MIB) counters: LINUX_MIB_PAWS_TW_REJECTED and LINUX_MIB_PAWS_OLD_ACK. As a result, debugging and diagnosing network problems, is now easier.

The nft monitor trace command now displays connection tracking information

You can now use the nft monitor trace command to display details about connection tracking. This feature simplifies debugging connections and helps to better understand connection states.

The fwctl subsystem has been added to the kernel

If the kernel lock-down feature is enabled, the kernel does not allow access to resource0 files in the /sys/ directory and PCI config spaces for security reasons. The fwctl kernel subsystem manages communication with the firmware in software-defined devices, such as the mlx5 network interface controller. This subsystem establishes a standardized and secure Remote Procedure Call (RPC) interface, that enables user-space applications to interact with device firmware for diagnostics, configuration, and updates. In addition to the new subsystem, the mstflint utility now also uses the fwctl subsystem, and the utility functions fully in these secure environments.

The ice driver now supports reducing the MSI-X vector usage for a PF to free vectors for associated VF

With this enhancement, you can now reduce the Message Signaled Interrupts eXtended (MSI-X) vectors allocated to a physical function (PF) to ensure that a sufficient number of vectors are available for associated virtual functions (VFs). For details, see Reducing the MSI-X vector usage for a physical function to free vectors for associated virtual functions.

The named and dnssec utilities now support OpenSSL providers for hardware tokens

Before this update, support for using hardware security tokens to store private keys for DNSSEC zone signing was unavailable after the removal of OpenSSL ENGINEs. This functionality was required both for directly using hardware tokens with the named service and for the DNSSEC feature in the ipa-server-dns package.

NetworkManager and Nmstate support configuring IPv4 forwarding per interface

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

Kernel version in RHEL 10.1

Red Hat Enterprise Linux 10.1 is distributed with the kernel version 6.12.0-124.8.1.

Perf core counters supported on Intel Panther Lake CPUs

Previously, users could not monitor hardware events using perf core counters on Intel Panther Lake CPUs. With the addition of Panther Lake support in the ‎perf package, users can access hardware event monitoring on this microarchitecture.

The default measurement module for rteval is now rtla timerlat for better tracing of problem latencies

With this enhancement, you should be able to easily identify the source of problem latencies. The desired cyclictest measurement module can be chosen using the rteval.config file.

kpatch-dnf plugin is updated with improved kernel management

Before this update, the ‎kpatch-dnf plugin did not align kernel upgrades with kpatch support. As a consequence, administrators might install or upgrade to kernels that were not supported by kpatch, thereby increasing the risk of running unsupported kernels and reducing system stability.

perf tool rebased to upstream v6.14

The perf tool and its kernel backend are rebased to align with upstream version v6.14. This update introduces several enhancements and bug fixes. Most notably, the following:

Added support for virtio devices

Before this update, virtio devices inside of KVM guests were all listed as type generic-ccw. With this enhancement, you can easily identify which device type is connected at which device number by using the lszdev command:

Intel Arrow Lake U RAPL energy events support in kernel

The kernel package now supports RAPL (Running Average Power Limit) energy performance counters for the Intel Arrow Lake U microarchitecture. With this enhancement, the perf tool identifies power-consumption events for Arrow Lake U platforms to monitor energy usage for CPU cores, GPUs, packages, and system domains.

Adaptive PEBS enables counter snapshotting support in perf on Intel Panther Lake

Before this update, the Linux kernel’s perf tool relied on software-based sample reads to collect performance event data. This approach introduced minor timing gaps and additional overhead when reading counters after an event overflow. With this update, adaptive PEBS counter snapshotting is available on Intel Panther Lake CPUs. With this feature, the kernel captures programmable counters, fixed-function counters, and performance metrics directly in the PEBS record by using the PEBS format version 6.

Intel Trace Hub supports Intel Panther Lake

Before this update, the kernel package did not support Intel Panther Lake (P, H, U variants) in Intel Trace Hub. With this update, device IDs for Panther Lake platforms are added to Intel Trace Hub in the kernel package.

Perf uncore event support for Intel Clearwater Forest

The perf package adds uncore event monitoring on Clearwater Forest microarchitecture. With this enhancement, the perf package supports the uncore event monitoring on Clearwater Forest systems. As a result, users can perform advanced performance analysis and debugging on supported hardware.

Perf core event support for Intel Clearwater Forest

The perf package adds core event monitoring on Clearwater Forest microarchitecture. As a result, users can monitor and analyze core-level performance events on Intel Clearwater Forest systems using perf.

AMD Milan CPUs support per-core energy tracking with RAPL perf events

Before this update, energy monitoring on AMD systems was limited to package-level measurements. With this update, the kernel package supports per-core energy tracking through Running Average Power Limit (RAPL) performance events on AMD Milan CPUs. As a result, you can measure and analyze energy consumption at the individual core level for more granular performance and power management.

Intel Arrow Lake H microarchitecture support added to ‎⁠intel_th⁠

Before this update, Intel Trace Hub did not recognize Arrow Lake H NPK device IDs, which limited trace and debugging capabilities for systems using this hardware. With this update, the ‎⁠intel_th⁠ package supports the Intel Arrow Lake H microarchitecture in Intel Trace Hub. With the new support, users have enhanced tracing and debugging features on Arrow Lake H platforms.

PerfMon support enabled for Intel Arrow Lake H in kernel

With this update, the kernel package provides PerfMon support for Core, Uncore, Cstate, and MSR features on the Intel Arrow Lake H microarchitecture. As a result, you can monitor and analyze performance metrics specific to Arrow Lake H systems by using the perf tool.

KVM modules are integrated into the Realtime Kernel package

This update removes the generation of KVM module packages for the Realtime Kernel in RHEL, aligning with the decision to make the Realtime Kernel a deployment option for base RHEL. This change streamlines the deployment process, integrating KVM modules directly into the Realtime Kernel package and eliminating the separate kernel-rt-kvm package. As a result, users will experience a more seamless and efficient setup when deploying the Realtime Kernel on RHEL, improving the overall user experience.

Added Processor Trace Trigger Tracing (PTTT) support in the perf tool

With this update, performance analysis is elevated through the introduction of Processor Trace (PT) Trigger tracing. This enables software to select specific events as trigger points for pausing and resuming tracing activity, thereby enhancing the efficiency and accuracy of performance monitoring. This leads to more efficient and targeted tracing, ultimately offering a clearer comprehension of their application’s performance.

python-drgn rebased to version 0.0.31

python-drgn has been rebased to version 0.0.31. This update introduces several enhancements and new features:

eBPF subsystem rebased to version 6.14.

The eBPF subsystem is rebased to the Linux kernel upstream version v6.14. This version includes the following changes and enhancements:

perf tool rebased to upstream v6.15

The perf tool and its kernel backend are rebased to align with upstream version v6.15. This update introduces several enhancements and bug fixes. Most notably, the following:

crash rebased to 9.0.0

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, has been rebased to upstream version 9.0.0. This version provides a number of fixes and enhancements, most notably the following:

Default configuration now disables jitter entropy source in rng-tools

The jitter entropy source is now disabled by default in rng-tools. Modern CPUs provide a hardware entropy source, and most virtual machines offer the /dev/hwrng device as an entropy source from the virtual host. In these environments, the jitter entropy source consumes unnecessary CPU cycles. For older hardware without a hardware entropy source, you can explicitly enable the jitter entropy source in /etc/sysconfig/rngd.

stalld no longer conflicts with the working of the dl-server

With this release, the stalld functionality detects the dl-server in the host kernel and boosts only the tasks that the dl-server fails to run. Currently, dl-server does not boost FIFO tasks. You might prefer to keep using stalld in a system upgrade and disable dl-server. The dl-server is the only entity responsible for running the starving tasks.

Secure boot shim signing for RHEL 10 on x86_64 and aarch64

RHEL 10 requires a signed shim binary to enable secure boot on AMD and Intel 64-bit architectures and on the 64-bit ARM architecture. Without a signed and trusted shim, systems with enforced secure boot did not boot, which affected both enterprise and cloud deployments.

multipathd supports file-based sockets

With this update, the multipathd daemon listens for commands on a file-based socket /run/multipathd.socket in addition to the abstract namespace socket. You can communicate with the host’s multipathd daemon from within a container by using a bind mount for the new socket file.

LVM RAID repairs volumes after multiple simultaneous device failures

With this enhancement, you can use the lvconvert --repair /dev/VG-name/LV-name command to reintegrate missing RAID devices back into a striped RAID (raid4, raid5, and raid6). This repair process works even when the number of temporarily missing devices exceeds the fault tolerance of the RAID level, allowing for recovery once the devices reappear. Note that you must unmount and deactivate the volume and the file system on top before repairing them.

The IPaddr2 resource agent now detects network link failures

Before this update, the IPaddr2 resource agent did not monitor the link state of the network interface. As a consequence, an IPaddr2 resource continued to report success on a node even if the underlying interface was in a DOWN or LOWERLAYERDOWN state, preventing the cluster from recovering the resource on another node.

AWS resource agents reuse IMDS tokens to improve reliability

Before this update, the AWS resource agents requested a new Instance Metadata Service (IMDS) token for every operation. This could lead to a large number of API calls on a single node, which increased the risk of resource failures, especially in environments with many AWS resources.

The awsvip resource agent allows specifying a network interface

Before this update, the awsvip resource agent always assigned the virtual IP address to the primary network interface of an EC2 instance. It was not possible to use a secondary network interface for the resource.

The fence_sbd agent can automatically detect the SBD device

Before this update, when configuring a fence_sbd resource, you were required to explicitly specify the SBD device path by using the devices parameter.

Watchdog device listing provides more detailed information

Before this update, when listing available watchdog devices, the output only displayed the device path, such as /dev/watchdog0. This made it difficult for administrators to distinguish between multiple devices on the same system.

New fence agent for Nutanix AHV virtualization is now available

Previously, Red Hat High Availability Add-On did not provide a dedicated fence agent for Nutanix Acropolis Hypervisor (AHV) environments.

pcs warns users before removing the last fencing device

Before this update, pcs allowed users to disable or remove the last fencing device from a cluster without a warning. This could inadvertently leave the cluster in an unsupported state without any STONITH or SBD fencing configured.

pcs provides more detailed error messages for failed CIB updates

Previously, when a CIB update failed when using the pcs cluster edit or pcs cluster cib-push commands, the error message provided by Pacemaker was generic. It did not explain the specific reason for the failure, which made troubleshooting the invalid configuration difficult.

The pcs alert config command now supports multiple output formats

Previously, the pcs alert config command displayed its output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

The pcs resource meta command is improved to support bundles and prevent guest node misconfiguration

Previously, the pcs resource meta command did not support managing meta attributes for bundle resources. Additionally, the command did not prevent users from incorrectly modifying the connection parameters of a guest node, which could lead to a misconfigured resource.

A new pcs command is available for renaming a cluster

Previously, it was not possible to change the name of an existing cluster using pcs commands. Administrators had to perform a series of manual steps, which were complex and could lead to errors.

The pcs node attribute and pcs node utilization commands now support multiple output formats

Previously, the pcs node attribute and pcs node utilization commands displayed their output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

pcs automatically validates the CIB for potential issues

Previously, the pcs utility did not automatically run advanced validation checks on the Cluster Information Base (CIB). As a consequence, certain cluster misconfigurations could remain undetected during routine operations.

New crypt resource agent for managing encrypted volumes

Previously, Red Hat High Availability Add-On did not provide a resource agent for managing encrypted devices. This made it difficult to configure volumes encrypted with cryptsetup as highly available resources within a Pacemaker cluster.

The PostGIS extension is available for PostgreSQL

This enhancement adds the PostGIS extension to PostgreSQL. With this extension, PostgreSQL supports geographic objects, enabling spatial queries and analysis for Geographic Information System (GIS) applications, such as mapping, geolocation, and distance calculations within a relational database.

glibc now supports ‎sched_setattr and ‎sched_getattr for advanced scheduler options

Previously, ‎glibc provided access to only a limited set of Linux scheduler options through functions defined in ‎<sched.h>. This limitation required applications to use direct system calls or Linux kernel headers to access advanced scheduling features.

Geomap support added for PCP Valkey datasource in ‎grafana-pcp

Previously, users could not visualize PCP metrics on a map in Grafana because the PCP Valkey data source did not provide the longitude and latitude labels required for geomap panels. This limitation made it difficult to compare the performance of monitored systems across different locations.

llvm-toolset rebased to LLVM 20

The ‎llvm-toolset is updated to LLVM 20, delivering improved code generation, performance optimizations, and expanded language front‑end and library support across C, C++, and Rust workflows. This rebase aligns dependent components in RHEL, including rebuilds for ‎rust, ‎annobin, ‎bcc, ‎bpftrace, ‎qt5-qttools, and ‎mesa. The build is validated with ‎llvm-20.1.8-1.el10.

GDB now supports IBM’s z17 CPU architecture

The ‎gdb package is enhanced to support binaries that use new hardware instructions introduced with IBM’s z17 CPU architecture. This update enables developers and system administrators to debug applications compiled for the latest IBM Z hardware on RHEL 10.1.

GCC Toolset 15 is now available

With this update, ‎gcc-toolset-15 is now available in RHEL 10.1. The toolset includes the latest supported versions of GCC and related utilities, enabling developers to build, test, and deploy applications using up-to-date compiler technology.

glibc provides the GLIBC_ABI_GNU2_TLS symbol on x86_64

‎⁠glibc⁠ includes the GLIBC_ABI_GNU2_TLS symbol on x86_64 systems. Programs that use the gnu2 thread-local storage access convention might require this symbol to start. Before this update, if ‎⁠glibc⁠ did not provide this symbol, affected programs would fail to launch. With this update, programs that depend on GLIBC_ABI_GNU2_TLS start and run as expected.

glibc adds GLIBC_ABI_DT_X86_64_PLT symbol support for x86_64

Before this update, programs that required the GLIBC_ABI_DT_X86_64_PLT symbol failed to start when it was not available in ‎⁠glibc⁠. With this enhancement, ‎⁠glibc⁠ includes the GLIBC_ABI_DT_X86_64_PLT symbol for x86_64 systems. With this enhancement, programs requiring this symbol to start now run as expected.

glibc header files updated to align with Linux 6.12 UAPI

The glibc header files in Red Hat Enterprise Linux 10 are updated to incorporate the latest Linux User-space API (UAPI)constants for MAP_*, PIDFD_*, SCHED_*, and SYS_*, from Linux kernel version 6.12. As a result, developers can access new and revised UAPI constants when building applications, ensuring consistency and compatibility with the latest kernel features.

gdb is rebased to version 16.3

This update of gdb to version 16.3 in RHEL 10.1 provides the following notable enhancements:

GCC tuning for IBM z16 is default on s390x

The default tuning for code generated by the‎‎ gcc compiler on the s390x architecture in RHEL 10.1 now aligns with IBM z16.

Initial support for IBM Z z17 added to ‎glibc

The dynamic loader in ‎glibc is enhanced to support detecting IBM z17 CPUs or their specific features. As a result, any IBM z17-optimized libraries installed in the ‎/usr/lib64/glibc-hwcap/z17/ directory are loaded automatically on z17 systems. This update improves hardware compatibility and performance for IBM Z z17 platforms.

Rust Toolset rebased to version 1.88.0

RHEL 10.1 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:

tzdata includes the NEWS file

With this update, the tzdata package includes its NEWS file with each release to provide precise descriptions of timezone data changes. As a result, you can review what changed in detail. Users can review the included NEWS file to understand what changed in the update.

Red Hat build of OpenJDK 25 is available

Red Hat introduces the latest long term support (LTS) release of the Red Hat build of OpenJDK (Open Java Development Kit) 25, a free and open source implementation of the Java Platform, Standard Edition (Java SE). Red Hat build of OpenJDK 25 is available starting from RHEL 10.1. For more information about OpenJDK Life Cycle, Support Policy, and all supported configurations, see the OpenJDK Life Cycle and Support Policy.

ipa-healthcheck now warns about expiring certificates

With this update, the ipa-healthcheck tool now evaluates user-provided HTTP, DS, and PKINIT certificates for expiration and provides warnings 28 days prior to their expiration date. This is to prevent certificate expirations going potentially unnoticed, which can lead to downtime.

ansible-freeipa rebased to 1.15.1

The ansible-freeipa package, which provides modules and roles to manage Red Hat Identity Management (IdM) environments, has been rebased from version 1.13.2 to 1.15.1. The update includes the following enhancement:

Healthcheck warns if krbLastSuccessfulAuth is enabled

Enabling the krbLastSuccessfulAuth setting in the ipaConfigString attribute can lead to performance issues if large numbers of users are authenticating at the same time. Therefore, it is disabled by default. With this update, Healthcheck displays a message if krbLastSuccessfulAuth is enabled, warning about the possible performance problems.

IdM now supports UIDs up to Linux maximum UID limit for legacy systems compatibility

With this update, you can now use User and Group IDs up to 4,294,967,293, or 2^32-1. This aligns IdM’s maximum with the Linux UID limit and can be useful in rare cases where the standard IdM range, up to 2,147,483,647, is insufficient. Specifically, it enables IdM deployment alongside legacy systems that require the full 32-bit POSIX ID space.

samba rebased to version 4.22.4

The samba package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:

Identity Management Upgrade Helper

The Identity Management Upgrade Helper is a new application that simplifies upgrading your IdM environment to a newer RHEL version. It provides an upgrade plan with step-by-step instructions that are specific to your upgrade path. As a result, you can use the app to prepare your deployment, set up a new replica, and decommission an old server with clear instructions.

You can now use dsconf or the web console to exclude subtrees from the attribute uniqueness verification

With this update, you can configure the uniqueness-exclude-subtrees parameter for the Attribute Uniqueness plug-in directly through the dsconf utility and web console. Before this update, uniqueness-exclude-subtrees was set only by using the ldapmodify utility.

389-ds-base rebased to version 3.1.3

The 389-ds-base package has been updated to version 3.1.3. This version provides various bug fixes and enhancements, most notably:

Custom matching rules in the Attribute Uniqueness plug-in to search uniqueness attributes

With this update, in Attribute Uniqueness plug-in configuration, you can specify a matching rule for the attribute you want to enforce uniqueness on. For example, when you want to override the attribute’s syntax from case exact or case ignore.

JSON format is available for the access and error logs in 389-ds-base

With this update, you can use the following commands to configure JSON format for the access and error log files:

The new list --full-dn option is available for the dsidm utility

With this update, you can use the list --full-dn option to get the list of full distinguished names (DN) of the entries of the same type. For example, to see the role DNs, use the following command:

389-ds-base log files now contain a session identifier for bind or modify operations

With this enhancement, the replication plugin works with the session tracking feature, correlating replication agreement activities with consumer operations in 389-ds-base.

ACME server adds support for the ES256 signature algorithm

Previously, the Automatic Certificate Management Environment (ACME) server did not support the ES256 signature algorithm for JSON Web Key (JWK) validation. This lack of support prevented certain clients, such as the Caddy web server, from successfully obtaining certificates.

IdM-to-IdM migration now available

IdM-to-IdM migration, previously available as a Technology Preview, is now fully supported with this release. You can use the ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, from one IdM server to another. This can be useful, for example, when moving IdM from a development or staging environment into a production one.

HSM is now fully supported in IdM

Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store your key pairs and certificates for your IdM Cerificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.

Improved smart card authentication for environments with multiple PKCS#11 tokens

SSSD smart card authentication has been enhanced to handle authentication in environments that have multiple PKCS#11 tokens inserted simultaneously. This improves authentication, especially in STIG compliant environments that require multiple user accounts, each with distinct privileges and often tied to a separate PKI token.

The new SSSD option ldap_read_rootdse to control RootDSE reads

With this update, SSSD provides a new option, ldap_read_rootdse, to control how SSSD reads Root Directory Service Entry (RootDSE) from the LDAP server. By default, SSSD attempts to read the RootDSE anonymously before the user authenticates. However, this default behavior might conflict with strict security policies that typically restrict all anonymous binds to the LDAP server.

OpenGL and Vulkan are supported by default in Toolbx containers based on UBI

Before this update, you had to manually install Mesa-related packages to enable OpenGL and Vulkan support, which was not intuitive or documented.

cockpit rebased to version 344

The cockpit packages have been rebased to version 344, which provides many improvements and fixes compared to version 334 in RHEL 10.0, most notably:

new subpackage: cockpit-ws-selinux

The SELinux policy for the cockpit_ws processes is provided in a separate subpackage cockpit-ws-selinux. This prevents the RHEL web console from failing when run on a system without SELinux installed, because the package manager installs the selinux_policy packages as dependencies. See the cockpit_ws_selinux(8) man page on your system for more information.

Introduced a variable MaxRetention to configure the maximum retention parameter

With this update, users can configure the maximum retention parameter for journald, enabling time-based deletion of journal files. This enhancement provides flexibility in managing log data according to specific data retention policies, allowing both time-based log deletion and size-based deletion. It helps with compliance with data retention requirements and improves overall system performance by preventing excessive log storage.

metrics role supports enabling additional PCP PMDA

With this update, the rhel-system-roles package adds the ‎metrics_optional_domains variable to the ‎metrics system role. A domain is a set of metrics managed by a Performance Metrics Domain Agent (PMDA), such as a database, specialized hardware, or an application. Use this variable to enable additional PMDAs. The role adds these PMDAs to the default set (for example, the kernel) and the PMDAs that the role manages explicitly (for example, SQL Server databases). As a result, users can enable the domains they require for their specific use cases, improving flexibility in data collection and monitoring.

Ability to configure the default kernel in rhel-system-roles

Previously, users could not specify which kernel should be set as the default during system boot. This limitation prevented administrators from managing the default kernel selection through automation.

The ad_integration RHEL system role can control the SSSD domain section naming and consolidate duplicates

With this update, users can control the name of the section used in the SSSD config file for the domain or realm-specific settings, as managed by the ad_dyndns_update and ad_integration_sssd_custom_settings parameters. By default, the ad_integration role uses the lower case of the ad_integration_realm variable. However if users want to use the actual case of ad_integration_realm, users can use a new option ad_integration_sssd_realm_preserve_case = true to preserve the case of the realm. This may leave the SSSD config file with multiple sections for the realm. Use the new ad_integration_sssd_remove_duplicate_sections setting to consolidate all of the settings from the multiple sections into the chosen section. As a result, the ad_integration system role can manage domain and realm sections in the SSSD config file correctly.

The journald RHEL system role can monitor disk space

With this update, you can configure the SystemKeepFree option in the journald.conf journal service to set a maximum size for the system journal. This improves overall system stability and performance. As a result, you can use the journald_system_keep_free variable to configure size limit. The value is specified in megabytes. There is no default value - by default, it will use the journald default value.

Introducing flexibility for package installation in ad_integration role

Previously, the ad_integration role always attempted to install the required packages, for example, realmd, sssd-ad, adcli, and many more that are listed in __ad_integration_packages. In environments where external systems handled package management, for example, via configuration management outside of this role, pre-baked images, or immutable systems, this step was redundant and undesirable.

The firewall RHEL system role now supports including other services

With this enhancement, you can include other services when you use the firewall RHEL system role to create firewalld service definitions. For example, you can create a service webserver that includes the http and https services. If you then enable the webserver service, firewalld open the ports defined in http and https services. For further details, see Creating a custom firewalld service by using the firewall RHEL system role.

The podman role generates all TOML compliant configuration file

Before this update, the current Jinja-based formatter did not support many TOML features, including tables and inline tables, which were required to configure all aspects of podman. With this enhancement, all features of TOML are supported by using a true TOML formatter instead of a simple Jinja template. As a result, the podman role can generate any TOML compliant configuration file that podman can use.

Metrics role now supports Apache Spark metric collection and export

Previously, users could not directly collect or export Apache Spark metrics using the metrics role. With this update, the ‎rhel-system-roles package adds support to gather and update metrics from Apache Spark. Two new boolean parameters are introduced:

Enables IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role

With this update, users can customize the chronyd configuration on RHEL 10.1 when IPv6 is disabled on a node. The enhancement provides two options: add a setting to the timesync role to disable IPv6, or pass a parameter to set the OPTIONS value for chronyd. These options enable IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role. This improves time synchronization accuracy and stability for environments where IPv6 is disabled.

The ha_cluster RHEL System Role can now export resource definitions

Previously, the ha_cluster RHEL System Role’s export functionality did not include variables related to cluster resources, such as primitives, groups, and clones. This made it difficult to use the role to get a complete, reusable definition of an existing cluster’s configuration.

The ha_cluster RHEL System Role can now export OS and pcsd configurations

Previously, when using the ha_cluster RHEL System Role to export the configuration of an existing cluster, the export did not include important OS-level settings such as repository, firewall, or SELinux configurations. This resulted in an incomplete definition, making it difficult to fully recreate a cluster from the exported data.

postfix provided in version 3.8.5

RHEL 10.0 provides the postfix in version 3.8.5. Notable changes include:

virtio-mem is available on IBM Z

With this update, virtio-mem, a paravirtualized memory device, can be used on IBM Z hardware. By using virtio-mem, you can dynamically add or remove host memory in virtual machines.

New command for IBM Z hosts: virsh hypervisor-cpu-models

This update introduces the virsh hypervisor-cpu-models command. You can use this command on the IBM Z architecture to display which CPU models your hypervisor recognizes.

virt-v2v can now convert VMware VMs that use NVMe disks

With this update, the libvirt toolset can correctly detect non-volatile memory express (NVMe) disks when analyzing the configuration of virtual machines (VMs) created on the VMware hypervisor. As a result, it is now possible to use the virt-v2v utility to convert such VMs for the KVM hypervisor.

Fast initialization NetKVM parameter 

This update adds a Fast Initialization (FastInit) parameter for NetKVM drivers. Enabling this parameter ensures that the driver allocates only a part of the required memory blocks to virtual queues, and then indicates readiness to the kernel. The remaining memory blocks are then initialized in the background. 

virtio-mem can be used with Windows virtual machines

With this update, you can use virtio-mem, a paravirtualized memory device, with Windows virtual machines (VMs) running on a RHEL 10 host. With the virtio-mem device, you can dynamically add or remove host memory in VMs.

Performance-enhanced PCI translation for IBM Z guests

With this update, virtual machines (VMs) on IBM Z hosts can use identity-mapped direct memory access (DMA) for PCI devices. This feature significantly improves the performance of PCI device passthrough. Note that to use the feature, your system must be configured as follows:

virtio based keyboard driver improvements

With this update, the new virtio based keyboard driver enables capturing early keyboard input in a virtual machine, especially in firmware setup screens and in GRUB bootloader.

New option for VM live migration: --available-switchover-bandwidth

When live-migrating a virtual machine (VM) by using the virsh migrate --live command, you can now add the --available-switchover-bandwidth option to specify the bandwidth at which the migration switches over to the destination host in the pre-copy process. By default, the hypervisor measures the available bandwidth automatically, but when this might not reliably ensure that the live migration finishes successfully, using --available-switchover-bandwidth can fix the issue.

VMs can now use MSDM ACPI tables

On certain Windows guest operating systems, license activation requires the guest to be configured with a Microsoft Data Management (MSDM) Advanced Configuration and Power Interface (ACPI) table. For this purpose, you can now set up a MSDM ACPI table on virtual machines (VMs) hosted on RHEL. To do so, use the following lines in the XML configuration of the VM:

Support for disabling the firmware configuration screen for UEFI virtual machines

With this update, a new capability to block the firmware configuration screen for UEFI virtual machines (VMs) has been added to QEMU. Blocking the firmware configuration screen can prevent unauthorized access to the firmware configuration application and ensures the VM boots only from authorized devices.

Fine-grained configuration of VM actions on host shutdown

With this update, it is possible to configure the libvirt drivers on how to handle virtual machines (VMs) when the host shuts down. For example, you can configure the VM memory to be saved when the host shuts down, and for VMs to be automatically started from the saved memory when the host starts. For the specific configuration options, see the auto_shutdown parameters in the /etc/libvirt/virtqemud.conf file. 

New QEMU configuration parameter: migrate_tls_priority

With this update, you can configure the migrate_tls_priority parameter in the /etc/libvirt/qemu.conf file. You can use this parameter to work around QEMU issues with TLS when live migrating virtual machines. To obtain the recommended value to set if the default does not work on your deployment, contact Red Hat customer support.

New features for virtual machines on 64-bit ARM hosts

The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture (aarch64):

Direct kernel boot supported for SecureBoot VMs

With this update, you can set up direct kernel boot in virtual machines (VM) that are configured with the SecureBoot feature. To do so, use the <shim> parameter in the XML configuration of the VM, for example as follows:  

Support for multiple I/O threads in virtio-scsi devices

With this update, you can configure multiple I/O threads for a single virtio-scsi device. To do so, use the <iothreads> parameter in the XML configuration of the virtual machine to which the device is attached. This provides additional options for fine-tuning the performance and scalability of your virtual SCSI devices.

Enhanced automatic registration for eligible RHEL images

With this update, RHEL instances based on eligible images from eligible marketplaces automatically receive content and updates from Red Hat content delivery network (CDN) instead of the Red Hat Update Infrastructure (RHUI). The RHUI repositories are turned off by default.

RHEL is available on Azure confidential VMs

You can create and run RHEL confidential virtual machines (CVMs) on Microsoft Azure by using RHEL CVM images. The images support full disk encryption through the Confidential OS disk encryption feature in Azure.

New package: azure-vm-utils

This update adds the azure-vm-utils package, which provides a collection of utilities and udev rules to optimize the experience of using RHEL 10 as a guest operating system on Microsoft Azure.

sos now collects the Satellite metrics file for improved support diagnostics

The foreman-installer plugin of sos now collects the satellite_metrics.yml file located at /var/lib/foreman-maintain/ directory. It provides insight into which features of Satellite are in use and in what scale.

A new rhel10/valkey-8 container image is generally available in RHEL

The newly available rhel10/valkey-8 container image allows atomic operations and supports various data types like strings, hashes, lists, sets, and sorted sets. The image offers high performance because of its in-memory dataset, which can be persisted to disk or by appending commands to a log.

Improved support for reproducible container builds

Reproducible builds ensure that a given set of inputs consistently generates the same output. This enhancement addresses several factors that previously complicated reproducibility in container image builds. While using -source-date-epoch and -rewrite-timestamp improves the reproducibility of builds and better aligns with common practices like setting and looking for $SOURCE_DATE_EPOCH, it cannot guarantee complete reproducibility.

New artifact endpoints for Podman RESTFUL API

Podman RESTFUL API now includes new artifact endpoints, enabling programmatic management of OCI artifacts. This enhancement simplifies integration of OCI artifact operations into existing systems and scripts.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version v1.41.0, and Skopeo has been updated to version 1.20.0.

The ADD and COPY instructions now support the --link option

Buildah and Podman now support the --link flag for ADD and COPY instructions in Containerfiles, which causes the new content to be added as its own layer in the built image.

StrictForwardPorts is now available in firewalld

When the StrictForwardPorts option in the /etc/firewalld/firewalld.conf configuration file is set to yes, port forwarding from Podman is no longer possible, and attempting to start a container or pod with the -p or -P options returns errors. All ports must be forwarded by using firewalld. This ensures that containers cannot allow traffic through the firewall without administrator intervention. See the netavark-firewalld man page for more details.

New rhel10/nodejs-24 and rhel10/nodejs-24-minimal container images available

The real-time registry.redhat.io/rhel10/nodejs-24 and registry.redhat.io/rhel10/nodejs-24-minimal container images are now available in the Red Hat Container Registry.

RHEL image mode supports creating root-level directories and symlinks at runtime

With this release, you can use RHEL image mode to create root-level directories and symbolic links after system deployment, then return the filesystem to read-only mode. As a result, you can use a single base image across multiple deployment environments with different file system requirements.

bootc-image-builder uses the local container storage by default

With this release, the bootc-image-builder tool operates in local mode by default, which means it no longer pulls container images from remote registries. To build disk images, you must pre-load the base bootc container image in the local container registry of the system before building disk images. If you have existing workflows that relied on automatic image pulling, you must update them. This change improves security by reducing external network dependencies during the build process.

The command-line assistant supports image mode for RHEL

With this enhancement, you can customize your Containerfile to include the command-line-assistant package, create a disk image from a container image, and boot a system with that image. As a result, the system image has the command-line assistant preinstalled, and you can use it after you register your system with subscription-manager.

The command-line assistant context limit increased to 32KB input

Before this update, the command-line assistant had a 2KB input context limit, causing it to fail when input exceeded this limit. As a consequence, user experience was limited, preventing thorough log analysis due to the 2KB input context limit. With this release, the command-line assistant input context limit has been increased from 2KB to 32KB. As a result, the command-line assistant now supports larger input contexts, enabling better log analysis and potential issue detection.

The command-line assistant for RHEL Lightspeed has better error handling and exit codes

With this enhancement, the command-line assistant brings better error handling and exit codes, such as:

Command-line assistant -w option displays current output

Before this update, when you tried to use the -w option without the current enable-capture mode, the command-line assistant incorrectly displayed output from an earlier session. With this update, the terminal capture log file is actively verified before outputting from the -w option. As a result, the mentioned problem is fixed, and the displayed output is accurate.

Accelerator drivers available through Red Hat

With RHEL 10.1, third-party accelerator drivers and compute stacks, for example CUDA from NVIDIA and ROCm from AMD, are directly available to install from Red Hat. The kernel drivers are built and signed within the Red Hat infrastructure and work with secure boot. In addition, a new AppStream component, rhel-drivers, eases the installation of these third-party drivers and regular updates are through the existing dnf update process.

Simplified third-party driver installation with rhel-drivers

RHEL 10.1 introduces the rhel-drivers installer, which is available in the AppStream repository. With this tool, you can more easily install third-party hardware drivers for GPUs and AI accelerators by using a single, uniform command-line interface. The rhel-drivers tool manages the installation of complex driver stacks, such as the NVIDIA kernel module and CUDA libraries, by pulling packages directly from the RHEL Extensions and Supplementary channels.

image-builder-cli replaces osbuild-composer and composer-cli (Technology Preview)

With this release, you can install and use the new image-builder-cli package to build an image with one command. The new tool supports containers and enhances your user experience to create a container image that you can use to build other images. This capability is a Technology Preview feature. For more details, see Installing RHEL image builder.

Support for signing packages with Sequoia PGP is available as a Technology Preview

The macros.rpmsign-sequoia macro file that configures RPM to use Sequoia PGP instead of GnuPG for signing packages is now available as a Technology Preview. To enable its usage, perform the following steps:

RHEL 10.1 provides ReaR on aarch64 as a Technology Preview

RHEL 10.1 introduces the Relax and Recover (ReaR) package for the 64-bit ARM architecture (aarch64) as a Technology Preview. ReaR is a disaster recovery tool that produces a bootable image that you can use to restore the system from a backup. You can currently use the following output methods with ReaR on aarch64: ISO, USB, and PXE.

The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview

With this Technology Preview, the Red Hat Enterprise Linux for Real Time is now enabled for ARM64. The ARM64 is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.

ublk_drv driver is available as a Technology Preview

The ublk_drv kernel module is now enabled as a technology preview. It provides the ublk framework with which you can create and build high-performance block devices from userspace. Currently, ublk requires userspace implementations, such as the Userspace Block Driver (ublksrv) or the Rust-based ublk (rublk), to function effectively.

NVMe/TCP using TLS is available as a Technology Preview

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 10.0. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

xfs_scrub utility is available as a Technology Preview

You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.

Limited shrinking of XFS file systems is available as Technology Preview

You can reduce the size of XFS file systems by using the xfs_growfs utility as a Technology Preview. You can remove blocks from the end of the file system by using xfs_growfs, provided that all of the following conditions are true:

Mounting XFS file systems with blocks larger than system page is available as Technology preview

You can now mount XFS file systems created with a block size larger than the system page size as a Technology Preview. For example, a file system with 16-KB blocks can now be mounted on a system with a 4-KB page size, such as x86_64.

io-uring interface is available as a Technology Preview

The io_uring, which is an asynchronous I/O interface, is available as a Technology Preview. By default, this feature is disabled in RHEL 10. You can enable this interface by setting the kernel/io_uring_disabled variable:

Node.js 24 is available as a Technology Preview

A new ‎nodejs24 component is available as a Technology Preview in Red Hat Enterprise Linux 10.1. This update introduces Node.js 24, which includes new features, bug fixes, security updates, and performance improvements compared to Node.js 22 in RHEL 10.0.

eu-stacktrace available as a Technology Preview

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Encrypted DNS with DoT is now available in ansible-freeipa installations of IdM as a Technology Preview

You can now use Ansible to ensure that all DNS queries and responses between DNS clients and Identity Management (IdM) DNS servers are encrypted. Encrypted DNS using DNS over TLS (DoT) has been available as a Technology Preview in IdM deployments since RHEL 10. In RHEL 10.1, the functionality is available as a Technology Preview in the freeipa.ansible_freeipa collection.

TDX is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Trust Domain Extensions (TDX) on RHEL hosts. TDX is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

VDUSE for RHEL networking is available as a Technology Preview

The virtio Data Path Acceleration (vDPA) device in userspace (VDUSE) feature is now available as a Technology Preview for RHEL networking. VDUSE is a Linux kernel mechanism, which allocates user-space for vDPA devices specifically. This mechanism enables a user-space process to register a virtio-class device, such as a NIC or block device, with the kernel in a controlled manner. As a result, you can use it on virtual machines or the host through standard vDPA or virtio interfaces.

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines are available as a Technology Preview

As a Technology Preview, RHEL provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the VM security.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 10. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 10 host can act as a hypervisor, and host its own VMs.

New package: trustee-guest-components

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

Virtual Socket to TCP bridge is available as a Technology Preview

As a Technology Preview, you can use a Virtual Socket (vsock) to TCP bridge. By using this bridge, you can securely expose a virtual machine (VM) service, like SSH, to the host machine without configuring any IP networking.

SEV-SNP is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Secure Encrypted Virtualization‑Secure Nested Paging (SEV‑SNP) on RHEL hosts. SEV-SNP is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

CCA in ARM virtual machines is available as a Technology Preview

As a Technology Preview, you can enable Confidential Compute Architecture (CCA) in RHEL 10.1 virtual machines (VMs). CCA, built on top of Realm Management Extension (RME), helps to maintain data privacy while it is in use within a virtual machine.

Partial pulls for zstd:chunked are available as a Technology Preview

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

The podman artifact command is available as a Technology Preview

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further informal, reference the man page.

The vrf option for the podman network create is available as a Technology Preview

The podman network create command now provides the vrf value for the --opt option, as a Technology Preview. The vrf value assigns a virtual routing and forwarding instance (VRF) to the bridge interface. It accepts the name of the VRF and defaults to none.

Podman compatibility with Docker API is available as a Technology Preview

Podman supports the following Docker API versions as a Technology Preview:

The cockpit-composer package is removed

The cockpit-composer package is removed and is no longer supported. From now on, use cockpit-image-builder.

gdisk is removed from boot.iso in RHEL 10

The gdisk partitioning utility is removed from the boot.iso image type in RHEL 10. You still can use gdisk in your Kickstarts. For the boot.iso image type, other tools are available for handling GPT disks, for example, the parted utility.

Network team driver was removed

The teamd service and the libteam library were removed in Red Hat Enterprise Linux 10. As a replacement, configure a bond instead of a network team.

32-bit ARM and MIPS backends are removed from ‎llvm 

The ‎llvm package in RHEL 10.1 removed the 32-bit ARM and MIPS backends. This change reduces build time and maintenance effort for the toolchain. If you require these backends, you should use alternative build targets or earlier package versions.

The referral mode is removed from 389-ds-base

Before this update, Directory Server supported starting the server in the referral mode. However, because of the stability issues, this feature is no longer supported and was removed.

nsslapd-subtree-rename-switch is removed from 389-ds-base

Before this update, you could configure Directory Server to prevent moving entries between sub-trees in a database. Because of the stability issues, this feature is removed. Consequently, the nsslapd-subtree-rename-switch parameter no longer exists.

The mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula variable has been deprecated

With a future major update of RHEL, the mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula variable will no longer be supported in the mssql system role because the role can now install the odbc driver for mssql_tools version 17 and 18. Therefore, you must use the mssql_accept_microsoft_odbc_driver_for_sql_server_eula variable without the version number instead.

Live VM dumps are no longer supported

With this update, the -- live option for the virsh dump command has become unsupported. If you attempt to create a virtual machine dump by using virsh dump with the --live option, the command will fail.

The squashfs package has been deprecated

The squashfs package has been deprecated, and will be removed in a future major RHEL release. As an alternative, dracut has support for mounting erofs.

The module Kickstart command has been deprecated

Anaconda has deprecated its support for DNF modularity, and as a consequence the module Kickstart command has been deprecated. This might impact you if you are using modules in the %packages section of your Kickstart files or the module Kickstart command. This change is implemented for simplifying the installation process and ensuring a more consistent experience moving forward.

The inst.gpt boot option is now deprecated

The inst.gpt boot option is now deprecated and will be removed in the future releases. To specify a preferred disk label type, use the inst.disklabel boot option. Specify gpt or mbr to create GPT or MBR disk labels.

oqsprovider and liboqs are deprecated

The oqsprovider and liboqs packages, which provided post-quantum cryptography (PQC) for OpenSSL 3.0, are deprecated and might be removed in a future major release. Instead, use the PQC functionality provided by OpenSSL 3.5.

X25519-MLKEM768 deprecated and aliased to MLKEM768-X25519 in crypto-policies

The X25519-MLKEM768 value in system-wide cryptographic policies is deprecated and aliased to the MLKEM768-X25519 value. This unifies the concatenation order, allowing both variants to work.

ENGINE API in OpenSSL is deprecated

In RHEL 10, ENGINE API is deprecated and is planned to be removed in a future major release. No new applications should be built by using the ENGINE API. To keep application binary interface (ABI) and existing applications working, OpenSSL still exports the ENGINE symbols. To prevent new applications from using ENGINE API, OpenSSL sets the OPENSSL_NO_ENGINE flag system-wide, and the header engine.h that exposes the ENGINE API has been removed.

crypto-policies now set allow-rsa-pkcs1-encrypt = false for GnuTLS

In RHEL 10, the GnuTLS library blocks encryption and decryption with the RSA PKCS #1 v1.5 padding by default. Except for the LEGACY policy, the allow-rsa-pkcs1-encrypt = false option is specified in all system-wide cryptographic policies (DEFAULT, FUTURE, and FIPS).

HMAC-SHA-1 in FIPS mode is deprecated

The HMAC-SHA-1 cryptographic algorithm is deprecated in FIPS mode, and it might be removed in a future release. Outside FIPS mode, support for HMAC-SHA-1 is preserved.

Modularity is deprecated

In RHEL 10, the modularity functionality is deprecated and will be removed in a future major release. Therefore, the DNF module command displays a deprecation warning.

FTP clients and Servers software are now deprecated

The following FTP clients and servers software are deprecated and will be removed in the future major version of RHEL:

ipset has been unmaintained

In RHEL 10, the ipset utility is unmaintained and is planned to be removed in a future major release. Red Hat will provide only critical bug fixes during the current release lifecycle. As an alternative to ipset, you can use the nftables sets functionality instead.

The BIND auto-dnssec parameter is deprecated

Starting with RHEL 9.7, the BIND auto-dnssec parameter is deprecated and will be removed in a future release. As a replacement, use the dnssec-policy parameter to specify a complete Key and Signing Policy (KASP) that groups all related configurations into a single, intuitive block.

The squashfs package has been deprecated

SquashFS is deprecated and will be removed in the next major release. It will no longer receive enhancements and is in RHEL 10 for specific use cases that are internal to Red Hat. Consider using EROFS as an alternative solution.

Deprecated High Availability Add-On features

The following features have been deprecated in Red Hat Enterprise Linux 10 and will be removed in the next major release:

GCC Toolset 15 environment script replaces Software Collections (scl-enable)

Previously, the ‎scl enable gcc-toolset-15 <command> command was used to manage the development environment for GCC Toolset 15 on Red Hat Enterprise Linux. In RHEL 10, Software Collections are no longer used for this purpose. As a consequence, the ‎scl enable option does not work with ‎gcc-toolset-15.

The utmp and utmpx interfaces in glibc are deprecated

The utmp and utmpx interfaces provided by the glibc library include a counter that counts time since the UNIX epoch. This counter will overflow on February 07, 2106. Therefore, utmp and utmpx are deprecated in RHEL 10 and will be removed in RHEL 11.

The host switcher in the RHEL web console is deprecated

The host switcher that provides connections to multiple machines through SSH from a single RHEL web console session is deprecated and disabled by default. Due to the web technology limitations, this feature cannot be secure.

The sshd variable deprecated and replaced by sshd_config

To unify coding standards across the RHEL system roles, the sshd variable has been replaced by the sshd_config variable. The sshd variable is now deprecated and might be removed from the sshd Ansible role in a future major version of RHEL.

Specific IBM z16 CPU features have been deprecated.

With this update, the te and cte CPU features have been deprecated for IBM z16 KVM VMs. Note, however, that migrating a virtual machine with CPU model host-model from an IBM z16 host to an IBM z17 host does not require any adjustments to CPU feature settings.

The rtl8139 NIC has been deprecated for VMs

With this update, the rtl8139 network interface controller type has been deprecated, and will become unsupported for use in virtual machines in a future major release of RHEL. If you require using a non-virtio NIC type on your host, use the e1000 or e1000e NIC instead.

libslirp has been deprecated

In RHEL 10, the libslirp networking back end has become deprecated, and will be removed in a future major version release.

The i440fx virtual machine type has been deprecated

In RHEL 10, the i440fx machine types for virtual machines (VMs) have become deprecated, and will be removed in a future major version of RHEL.

Legacy vCPU models are now deprecated

Several virtual CPU models are now deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. Notably, the deprecated models include the following:

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA-2 algorithm, or later.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 10.1.

qcow2-v2 image format is deprecated

With RHEL 10.1, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 10.1 Image Builder cannot create disk images in the qcow2-v2 format.

tzdata package is no longer installed by default in the minimal container images

The tzdata package is no longer installed in the registry.access.redhat.com/ubi10-minimal container image. As a consequence, if you migrate your minimal container builds from a previous RHEL release to RHEL 10.0, and you enter the microdnf reinstall tzdata command to reinstall the tzdata package, you get an error message because the tzdata package is no longer installed by default. In this case, enter the microdnf install tzdata command to install tzdata.

The Podman v5.0 deprecations

In RHEL 10.0, the following is deprecated in Podman v5.0:

The podman-tests package has been deprecated

The podman-tests package has been deprecated in the AppStream repository. The package is now available in the CodeReady Linux Builder (CRB). More information about the CRB repository can be found at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/package_manifest/repositories#CodeReadyLinuxBuilder-repository.

nodejs-18 and nodejs-18-minimal are deprecated

The nodejs-18 and nodejs-18-minimal container images are now deprecated and will no longer receive feature updates. Use nodejs-22 and nodejs-22-minimal instead.

Crash dumps are not performed by default

By default, crash dumps do not occur for default installation methods using RHEL Image Mode, because the crashkernel= kernel argument is not set. To work around this problem, set a crashkernel= kernel argument at build or during installation time.

Podman and bootc do not share the same registry login process

Podman and bootc use different registry login processes when pulling images. As a consequence, if you login to an image by using Podman, logging to a registry for bootc will not work on that image. When you install an image mode for RHEL system, and login to registry.redhat.io by using the following command:

cloud-init growpart skips with composefs is enabled

When composefs is enabled, if you generate an image from the generic base image, then the rootfs will note grow the filesystem, prompting an error similar to:

Unable to build ISOs from a signed container

Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

Hostname resolution fails with encrypted DNS and custom CA in boot options

While using the inst.repo= or inst.stage2= boot options in the kernel command line along with a remote installation URL, an encrypted DNS, and a custom CA certificate in the Kickstart file, the installation program attempts to download the install.img stage2 image before processing the Kickstart file. Consequently, the hostname resolution fails, leading to display of some errors before successfully fetching the stage2 image. Workaround: Define the installation source in the Kickstart file instead of the kernel command line.

The installation program becomes unresponsive during final RPM installation stage

An installation program may become unresponsive during the RPM installation process at the final stage. Before the issue occurs, you might see the repeated Configuring rootfiles.noarch messages. Workaround: Restart the installation process.

Disabled keyboard layout switching by using shortcut during installation

To prevent confusion caused by a broken keyboard shortcut to change keyboard layout, this feature has been disabled in Anaconda. You cannot change keyboard layouts by using shortcuts during installation. Workaround: Use the keyboard layout icon on the top bar to switch layouts.

Bonding device with LACP takes longer to become operational, causing subscription failures

When configuring a bonding device with LACP by using both kernel command-line boot options and a Kickstart file, the connection is created during the initramfs stage but reactivated in Anaconda. As a consequence, it causes a temporary disruption that leads to system subscription failure via the rhsm Kickstart command.

The services Kickstart command fails to disable the firewalld service

A bug in Anaconda prevents the services --disabled=firewalld command from disabling the firewalld service in Kickstart. Workaround: Use the firewall --disabled command instead. As a result, the firewalld service is disabled properly.

Installation program fails if /boot partition is not created when using ostreecontainer

When using the ostreecontainer Kickstart command to install a bootable container, the installation fails if the /boot partition is not created. This issue occurs because the installation program requires a dedicated /boot partition to proceed with the container deployment.

Kickstart installation fails with an unknown disk error when ignoredisk command precedes iscsi command

Installing RHEL by using the kickstart method fails if the ignoredisk command is placed before the iscsi command. This issue occurs because the iscsi command attaches the specified iSCSI device during command parsing, while the ignoredisk command resolves device specifications simultaneously. If the ignoredisk command references an iSCSI device name before it is attached by the iscsi command, the installation fails with an "unknown disk" error.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Driver disk menu fails to display user inputs on the console

When you start RHEL installation by using the inst.dd option on the kernel command line with a driver disk, the console fails to display the user input. Consequently, it seems that the application does not respond to the user input and stops responding, but displays the output which is confusing for users. However, this behavior does not affect the functionality, and user input gets registered after pressing Enter.

Insufficient disk space can cause deployment failure

Deploying a bootc container image on a package mode system without enough free disk space can result in installation errors and prevent the system from booting. Ensure adequate disk space is available for the image to install and adjust the provision logical volume before deployment.

Anaconda may not work correctly on s390x and ppc64le architectures

Image mode for RHEL supports pp64le and s390x architectures besides the already supported x86_64 and ARM architectures. However, Anaconda may not function correctly on s390x and ppc64le architectures.

RHEL images on Azure marked as LVM require default layout resizing

When using system-reinstall-bootc or bootc install on Azure, RHEL images marked as LVM will require resizing the default layout.

sq cannot generate keys in FIPS mode

The sq utility from the Sequoia PGP toolset uses the deprecated OpenSSL API for key generation. Consequently, you cannot generate keys with sq on the system running in FIPS mode.

GnuTLS cannot convert ML-DSA private keys to public ones

GnuTLS lacks an algorithm to convert a private ML-DSA key in the expanded form to a public ML-DSA key. Consequently, operations requiring both keys fail when only the expanded private key is provided.

Updating the NSS database password corrupts the ML-DSA seed

Generating an ML-DSA key begins with a seed, which is sufficient to derive the key. However, the keys can also be expanded to accelerate subsequent operations. If you have ML-DSA keys in an NSS database, either generated or imported, both the expanded format and the seed are likely stored. Due to a bug in how NSS handles database re-encryption, if you change the password of the database, the seed attribute is not updated to accommodate the new password, and its value is permanently lost, even with the knowledge of the previous password.

PQC for rpm-sequoia is always enabled in crypto-policies

In RHEL 10.1, the rpm-sequoia fails to verify dual-signed RPM packages if one of the algorithms used for signing is disabled in system-wide cryptographic policies. This problem is common on systems that have post-quantum (PQ) algorithms disabled and cannot install packages signed with both classic and PQ cryptography.

SELinux policy rules for four libvirt services temporarily changed into permissive mode

Previously, the SELinux policy was changed to reflect the replacement of the legacy monolithic libvirtd daemon with a new set of modular daemons. Because this change requires testing of a lot of scenarios, the following services have been temporarily changed into SELinux permissive mode:

Cryptographic tokens do not work in FIPS mode with pkcs11-provider

When the system runs in FIPS mode, the pkcs11-provider OpenSSL provider does not work correctly and the OpenSSL TLS toolkit falls back to the default provider. Consequently, OpenSSL fails to load PKCS #11 keys, and cryptographic tokens do not work in this scenario.

uname command produces an unknown output

The uname command displays unknown output with flags --hardware-platform and --processor. In the previous RHEL versions, uname -i and uname -p were aliases for uname -m and are not portable even across GNU/Linux distributions.

Hot-plugged memory is not available to VMs running on IBM Z by default

RHEL provides default udev rules that automatically configure memory onlining when you hot plug memory to virtual machines (VMs) with virtio-mem. However, current udev rules do not include VMs running on IBM Z. As a consequence, after hot-plugging memory to VMs running on IBM Z with virtio-mem, the memory is not immediately available in the VM.

Nginx does not support PKCS #11 and TPM

The OpenSSL engines API was deprecated in RHEL 9 and removed from Nginx in RHEL 10. The corresponding functionality using the current OpenSSL providers API is not yet available. As a consequence, the Nginx HTTP server does not work with hardware security modules (HSMs) through PKCS #11 and Trusted Platform Module (TPM) devices.

Using the incorrect Perl database driver for MariaDB and MySQL can lead to unexpected results

The MariaDB database is a fork of MySQL. Over time, these services developed independently and are no longer fully compatible. These differences also affect the Perl database drivers. Consequently, if you use the DBD::mysql driver in a Perl application to connect to a MariaDB database, or the DBD::MariaDB driver to connect to a MySQL database, operations can lead to unexpected results. For example, the driver can return incorrect data from read operations. To avoid such problems, use the Perl driver in your application that matches the database service.

Inconsistent NVMe device names after reboot

A new kernel feature that enables asynchronous NVMe namespace scans is introduced in RHEL 10, to accelerate NVMe disk detection. As a consequence of the asynchronous scans, the /dev/nvmeXnY device files might point to different namespaces after each reboot. This can lead to inconsistent device names. At this time, there is no known workaround for this issue.

iSCSI-backed logical volumes fail to activate after a reboot

During installation, a logical volume spanning a local disk and an iSCSI device can fail to activate the iSCSI device in the installed system. This occurs where a non-root filesystem LVM logical volume is located both on a local disk and on an iSCSI device, which results in the iSCSI device not getting configured with node.startup=onboot by the installation program. As a result, the system cannot access the volume after reboot, because it doesn’t get automatically activated upon boot.

ACL roles should not reference location constraints with two rules

In Red Hat Enterprise Linux 10, more than one top-level rule in a location constraint is not supported. When upgrading from RHEL 9 to RHEL 10, verify that any ACL roles you have configured do not reference a location constraint with two rules and are still valid.

The new version of TBB is incompatible

RHEL 10 includes the Threading Building Blocks (TBB) library version 2021.11.0, which is incompatible with the versions distributed with previous releases of RHEL. You must rebuild applications that use TBB to make them run on RHEL 10.

An error message is displayed during migration from BDB to LMDB

When you run the dsctl dblib bdb2mdb command to migrate from Berkeley Database (BDB) to Lightning Memory-Mapped Database Manager (LMDB) and you have not enabled the replication, the following error message is displayed in the output:

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.

Installing a RHEL 7 IdM client with a RHEL 10 IdM server in FIPS mode fails due to EMS enforcement

The TLS Extended Master Secret (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 10 systems. This is in accordance with FIPS-140-3 requirements. However, the openssl version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 10 fails.

Automatic host keytab renewal via adcli run by SSSD is failing

In direct SSSD-AD integration, SSSD checks daily if the machine account password is older than the configured age in days and, if needed, tries to renew it. The configured age is set by the ad_maximum_machine_account_password_age value, with a default of 30 days. A value of 0 disables the renewal attempt.

ldapmodify does not delete a single specific value from any attribute in cn=config

Currently, when you try to delete a value from any attribute in cn=config, the value remains in the attribute and the server might require a restart to fully remove it.

SSSD retrieves incomplete list of members if the group size exceeds 1500 members

During the integration of SSSD with Active Directory, SSSD retrieves incomplete group member lists when the group size exceeds 1500 members. This issue occurs because Active Directory’s MaxValRange policy, which restricts the number of members retrievable in a single query, is set to 1500 by default.

Plymouth duplicates log entries of the kernel log ringbuffer

Plymouth, an application which provides a graphical boot experience for Red Hat Enterprise Linux, has a "console syndication" feature that outputs log messages to all configured consoles during boot. The kernel can natively output log messages only to the last configured console. In the default configuration, the kernel is muted, but removing the quiet argument from the kernel command line unmutes the kernel, and causes both Plymouth and the kernel to send the boot log messages to the last-configured console. As a result, log messages might be duplicated on the last-configured console (for example ttyS0). Plymouth further duplicates these log entries by replaying the entire contents of the kernel log ringbuffer during boot and shutdown. To work around this problem, disable Plymouth.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

Standard mouse cursor is offset in VMs when using Mutter

When you use a standard mouse within a virtual machine (VM) configuration in the Mutter compositing window manager, you might notice an offset between the physical mouse cursor and the actual pointer within the virtual environment. The actual pointer might not even be visible in the virtual environment.

VNC console in the RHEL web console does not work correctly on ARM64

Currently, when you import a virtual machine (VM) in the RHEL web console on ARM64 architecture and then you try to interact with it in the VNC console, the console does not react to your input.

Ansible rpm_key modules fail to work with the OpenPGP v6 RPM-GPG-KEY-redhat-release key

RHEL 10.1 uses the Red Hat RPM signing key extended with a post-quantum public key and stored in the /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release file in the OpenPGP v6 format. Because the Ansible rpm_key modules use the GnuPG tools, which cannot handle post-quantum keys and OpenPGP v6, the modules fail to work with this key.

PostgreSQL, MariaDB, and MySQL do not work with RHEL in image mode

The PostgreSQL, MariaDB, and MySQL database management systems do not use the sysusers.d directories to populate users and working directories. MariaDB and MySQL also do not use the tmpfiles.d directory. As a consequence, the database user can be missing and the database systems are not able to initialize because their working directory is missing. There is currently no workaround for this issue.

ansible-core does not install sshpass as a dependency

The ansible-core package does not install the sshpass package as a dependency. Consequently, you cannot use Ansible to manage systems over SSH with an SSH password.

Windows VMs might become unresponsive due to storage errors

On virtual machines (VMs) that use Windows guest operating systems, the system in some cases becomes unresponsive when under high I/O load. When this happens, the system logs a viostor Reset to device, \Device\RaidPort3, was issued error. There is currently no workaround for this issue.

Windows 10 VMs with certain PCI devices might become unresponsive on boot

Currently, a virtual machine (VM) that uses a Windows 10 guest operating system might become unresponsive during boot if a virtio-win-scsi PCI device with a local disk back end is attached to the VM.

Using virtiofs with the rsync and du commands can result in too many open files errors

The virtiofsd daemon keeps file descriptors open until the guest invalidates its cache. When tracking a large number of files, this can cause virtiofsd on the host to exceed the maximum open files limit.

Installing the VirtIO-Win bundle cannot be canceled

Currently, if you start the installation of virtio-win drivers from the VirtIO-Win installer bundle in a Windows guest operating system, clicking the Cancel button during the installation does not correctly stop it. The installer wizard interface displays a "Setup Failed" screen, but the drivers are installed and the IP address of the guest is reset.

A virtual machine with a large amount of bootable data disks might fail to start

If you attempt to start a virtual machine (VM) with a large amount of bootable data disks, the VM might fail to boot with this error: Something has gone seriously wrong: import_mok_state() failed: Volume Full

VMs with large memory cannot boot on SEV-SNP host with AMD Genoa CPUs

Currently, virtual machines (VMs) cannot boot on hosts that use a 4th Generation AMD EPYC processor (also known as Genoa) and have the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurs in the VM.

The virtio balloon driver sometimes does not work on Windows 10 and Windows 11 VMs

Under certain circumstances, the virtio-balloon driver does not work correctly on virtual machines (VMs) that use a Windows 10 or Windows 11 guest operating system. As a consequence, such VMs might not use their assigned memory efficiently.

Windows 11 VMs with a memory balloon device set might close unexpectedly during reboot

Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE blue-screen error.

Windows VM with VBS and IOMMU device fails to boot

When you boot a Windows VM with Virtualization Based Security (VBS) enabled and an Input-Output Memory Management Unit (IOMMU) device by using the qemu-kvm utility, the booting sequence only shows the boot screen, resulting in an incomplete booting process.

Windows VM running on Sapphire Rapids CPU with hypervisor launch type set to auto might fail to boot when restarted

If you set the hypervisor launch type to auto in a Windows virtual machine (VM) running on a Sapphire Rapids CPU, the VM might fail to boot when it is restarted. For example, you can set the hypervisor launch type to auto by using the bcdedit /set hypervisorlaunchtype Auto command.

Hot-plugging vCPUs and memory to Windows guests with VBS does not work

Currently, Windows Virtualization-based Security (VBS) is not compatible with hot-plugging CPU and memory resources. As a consequence, attempting to attach memory or vCPUs to a running Windows virtual machine (VM) with VBS enabled only adds the resources to the VM after the guest system is restarted. 

VMs with 5-level page merging and a lot of memory sometimes fail to start

VMs with the following configuration fail to boot if you set the host-phys-bits-limit parameter to 49 or more:

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV causes non-root partitions to disappear

When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a consequence, the following problems occur:

RDMA devices currently do not work on vSphere

When using a RHEL 10 instance on the VMware vSphere platform, the vmw_pvrdma module currently does not install properly. As a consequence, VMware paravirtual remote direct memory access (PVRDMA) devices do not work on the affected instances.

The leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the cloud-init network configuration

If you deploy RHEL 9.6 with the cloud-init default configuration and with sysconfig as the default network configuration directory, the sysconfig configuration files do not support the ifcfg legacy format for RHEL 10.0. Consequently, the leapp upgrade fails when upgrading from RHEL 9.6 to RHEL 10.0 for the legacy network configuration files, such as ifcfg-<enp1s0>.