10.2 Release Notes

[X86] Control the behavior of the microcode loader.

Options:

[NVME] Provide a list of quirk entries to augment the built-in NVMe quirk list.

Format: nvme.quirks=<VendorID>:<ProductID>:<quirk_names>-…​

The vendor ID and product ID are 4-digit hexadecimal numbers. The quirk_names field is a comma-separated list of quirk names. You can prefix a quirk name with ^ to disable that quirk explicitly.

Example: nvme.quirks=7710:2267:bogus_nid,^identify_cns-9900:7711:broken_msi

[KNL] Set the nominal wait interval for normal conditional grace periods, in microseconds. The kernel randomly selects the actual wait interval up to this value with nanosecond granularity.

This parameter controls the wait interval for conditional grace periods that you specify through the rcutorture.gp_cond and rcutorture.gp_cond_full module parameters.

Defaults to 16 jiffies; for example, 16,000 microseconds on a system with HZ=1000.

[KNL] Set the nominal wait interval for expedited conditional grace periods, in microseconds. The kernel randomly selects the actual wait interval up to this value with nanosecond granularity.

This parameter controls the wait interval for expedited conditional grace periods that you specify through the rcutorture.gp_cond_exp and rcutorture.gp_cond_exp_full module parameters.

Defaults to 128 microseconds.

[KNL] Set the nominal wait interval for normal conditional grace periods when using polled update-side primitives, in microseconds. The kernel randomly selects the actual wait interval up to this value with nanosecond granularity.

This parameter controls the wait interval for conditional grace periods that you specify through the rcutorture.gp_poll and rcutorture.gp_poll_full module parameters.

Defaults to 16 jiffies; for example, 16,000 microseconds on a system with HZ=1000.

[KNL] Set the nominal wait interval for expedited conditional grace periods when using polled update-side primitives, in microseconds. The kernel randomly selects the actual wait interval up to this value with nanosecond granularity.

This parameter controls the wait interval for expedited conditional grace periods that you specify through the rcutorture.gp_poll_exp and rcutorture.gp_poll_exp_full module parameters.

Defaults to 128 microseconds.

[KNL] Enable grace-period wrap lag testing in rcutorture. Set this parameter to false to prevent the gpwrap lag test from running.

The default value is true.

[KNL] Set the number of grace periods to tolerate between the per-CPU RCU data structure (rdp) and the RCU node (rnp) gp_seq values before setting the overflow flag during active wrap-lag testing.

The default value is 8.

[KNL] Set the total cycle duration for gpwrap lag testing, in minutes. The cycle includes both active and inactive testing periods.

The default value is 30 minutes.

[KNL] Set the duration, in minutes, during which gpwrap lag is active in each testing cycle. During the active period, the grace-period wrap lag is controlled by the value of rcutorture.gpwrap_lag_gps.

The default value is 5 minutes.

[KNL] Set the duration, in milliseconds, of preemptions by a high-priority FIFO real-time task.

Set this parameter to 0 (the default) to disable the preemption test. The kernel selects CPUs to preempt randomly from the set of CPUs that are online at that moment. Races with CPUs going offline are ignored; in such cases, that preemption attempt is skipped.

[KNL] Set the interval, in milliseconds, between preemptions by a high-priority FIFO real-time task. The interval defaults to 1 second.

This delay is driven by an hrtimer and is fuzzed to avoid unintended synchronizations between preemptions.

[KNL] Set a bit mask that indicates which RCU readers to use in rcutorture.

If more than one bit is set, rcutorture enters readers in order from the lowest-order bit to the highest-order bit and exits readers in the reverse order. For SRCU, the bits have the following meanings:

[KNL] Set the holdoff time, in seconds, from the start of a rcutorture test to the start of RCU priority-boost testing.

The default value is 0, which disables any holdoff period.

[X86] Control mitigation for transient scheduler attacks on AMD CPUs.

For additional technical background, search for the document titled "Technical guidance for mitigating transient scheduler attacks".

Values:

[X86] Control mitigation for VMscape attacks.

VMscape attacks can leak information from a userspace hypervisor to a guest through speculative side-channel techniques.

Values:

[X86, PPC, S390, ARM64, EARLY] Control optional mitigations for CPU vulnerabilities through curated, architecture-independent options.

The off option now also disables the vmscape mitigation on x86:

The off setting is equivalent to the following per-architecture options, if supported:

On x86, after you specify one of the main mitigation modes (such as off, auto, or auto,nosmt), you can additionally use attack-vector based controls as described in Documentation/admin-guide/hw-vuln/attack_vector_controls.rst.

[KNL] Reduce the latency of synchronize_rcu() calls by maintaining an independent list of callers. This mechanism does not interact with regular RCU callbacks because it does not rely on the call_rcu() or call_rcu_hurry() paths and applies to normal grace periods only.

You can enable the behavior by writing 1 to /sys/module/rcutree/parameters/rcu_normal_wake_from_gp or by passing rcutree.rcu_normal_wake_from_gp=1 on the kernel command line.

By default, this behavior is now enabled when num_possible_cpus() ⇐ 16, unless you explicitly disable it by passing rcutree.rcu_normal_wake_from_gp=0 on the kernel command line.

[KNL] Use conditional or asynchronous update-side normal-grace-period primitives, if available.

Previously, this option was documented as using conditional or asynchronous update-side primitives without explicitly clarifying that they apply to normal grace periods.

Enable waived items in RHEL.

Some specific features or security mitigations can be waived, that is, toggled on or off on demand, in RHEL. However, you should use waivers cautiously, because waiving a mitigation or feature can render a system insecure or even out of scope for support.

Format: <item-1>,<item-2>,…​,<item-n>

Use the rh_waived parameter to enable all waived items that are listed in Documentation/admin-guide/rh-waived-features.rst.

[X86] This dedicated parameter for controlling microcode minimal revision enforcement has been removed.

You can now use the microcode= parameter with the force_minrev option to enable or disable minimal revision enforcement for the runtime microcode loader.

The core dump facility now supports sorting virtual memory areas (VMAs) by size in the generated core file.

By default, the kernel writes VMAs in address order. When you set core_sort_vma to 1, the kernel writes VMAs from the smallest size to the largest size. This behavior is known to break at least elfutils, but it can be useful when you work with very large or truncated core dumps where the most useful debugging information resides in smaller VMAs.

Control how AF_VSOCK sockets in a network namespace participate in CID allocation and cross-namespace communication.

This setting is read-only. It reports the current namespace’s mode, which is determined when the namespace is created and cannot be changed afterwards.

Values:

The init_net namespace always operates in the global mode.

Control the default ns_mode value for newly created child network namespaces that use AF_VSOCK.

At namespace creation, the kernel initializes ns_mode in the child namespace from the parent namespace’s child_ns_mode. Initially, a namespace’s child_ns_mode matches its own ns_mode.

Values:

The first write to child_ns_mode locks its value. Later writes that set the same value succeed, but writes that attempt to change the value return -EBUSY.

Changing child_ns_mode affects only namespaces that the kernel creates after the change. Existing namespaces and their children are not modified.

If a namespace runs with ns_mode=local, it cannot change child_ns_mode to global. Attempts to do so fail with -EPERM.

The core_pattern parameter now supports the %F specifier to record the pidfd number in core file names.

The following additional format specifier is available:

With this update, Anaconda can automatically install the Flatpak applications during RHEL system installation from Red Hat Satellite. When systems are deployed through Satellite, Anaconda uses the preinstall.d mechanism to install Flatpak packages based on the selected environment. For example, the "Server with GUI" environment includes Flatpak-based Mozilla Firefox, ensuring GUI-based systems have necessary applications available immediately after installation. This enables Satellite-managed environments to deliver containerized applications through Flatpak while maintaining existing deployment workflows.

This enhancement ensures Satellite deployments can support RHEL 10 systems with Flatpak-based applications by using familiar installation processes. It also eliminates manual post-installation configuration steps.

Jira:RHEL-95061^[1]

With this update, Anaconda can automatically install Flatpak applications during the RHEL system installation based on the selected environment. This capability works with all installation sources, such as Content Delivery Network (CDN), offline DVD.iso media, and custom LAN servers.

Anaconda installs Flatpak packages by using the preinstall.d mechanism during the installation process when users select environments that require Flatpak applications. For example, the "Server with GUI" environment includes Flatpak-based Mozilla Firefox, ensuring GUI-based systems have necessary applications available immediately after installation.

This enhancement enables delivering containerized applications through Flatpak while maintaining a consistent installation experience across all RHEL installation methods. It also eliminates the need for manual Flatpak installation steps after system deployment. You can change the delivery method in Anaconda from Flatpaks back to RPM packages by following the process outlined in the Package selection in Kickstart section of RHEL documentation. For example, use the following configuration to preinstall the Firefox RPM package instead of the Flatpak:

%packages
@^graphical-server-environment
-redhat-flatpak-preinstall-firefox
firefox
%end

Jira:RHEL-95062^[1]

A new rdp Kickstart command was added to enable Remote Desktop Protocol (RDP)-based graphical installations directly from a Kickstart configuration file. The command has the following syntax:

# rdp [--username <USERNAME>] [--password <PASSWORD>]

With this enhancement, you can configure and start a fully automated, headless RDP installation by using Kickstart commands. For complete information about the rdp command and its options, see the Kickstart commands reference in the Automatically installing RHEL guide.

Jira:RHEL-96216

Before this release, 1 GiB for the /boot was often insufficient for systems that require large firmware blobs in initramfs. With this update, the default size for the /boot partition has been increased from 1 GiB to 2 GiB. This change ensures that there is enough disk space for future kernel updates and associated initramfs images. You can manually reduce the partition size or reuse existing smaller partitions when necessary.

Jira:RHEL-151547

You can create bootable containers and disk images by using the RHEL image builder app in the web console and by using image-builder-cli. On first boot, the images automatically subscribe to Red Hat services.

Jira:RHELDOCS-19587^[1]

With this update, you can use the image-builder-cli utility to create stateless PXE images. As a result, you can quickly boot ephemeral nodes that run entirely in RAM over a network by using either an HTTP server or a combined image.

Jira:RHELDOCS-22010

With this update, you can use RHEL image builder to create Anaconda network installer .iso images. By including activation keys directly into the installer, you can automate system registration during the installation process. As a result, instead of standard download pages, you can generate customized, pre-configured images for nightly builds or specific deployment environments.

Jira:RHELDOCS-21852^[1]

With this update, you can download bootc system updates without automatically applying them on reboot. You can use the bootc upgrade --download-only command to stage updates. To apply the downloaded updates at a later time, use the bootc upgrade command. Alternatively, use the bootc upgrade --from-downloaded command to apply the staged update without checking the registry for newer versions. The notable enhancements with this update are:

Jira:RHELDOCS-21394^[1]

With this update, you can run and convert boot container images into virtual machines. Use the bcvk utility to launch ephemeral virtual machines for rapid development and testing, or to generate persistent disk images for production deployments. As a result, your virtual machines run the exact same containerized bootable images used across your environment, maintaining consistency from development to production.

Jira:RHELDOCS-21383^[1]

You can create stateless PXE images from your container builds in image mode for high-performance computing (HPC) and diskless systems. The build process generates the necessary artifacts, such as kernel, initrd, and squashfs.

Jira:RHELDOCS-20631^[1]

This update of the fapolicyd-selinux package introduces an SELinux module to protect the fapolicyd service. The new SELinux module prevents users from sending the SIGSTOP signal to fapolicyd or tracing fapolicyd by using the ptrace() function, which might cause the system to crash. As a result, the system no longer hangs or requires manual reboots in the described scenarios.

Jira:RHEL-1368

With this update, you can set the GSSAPIDelegatedCredentials option in the sshd_config configuration file to no. Although the default value yes ensures backward compatibility, you can use no for enhanced security control. As a result, an OpenSSH server with GSSAPIDelegatedCredentials set to no refuses to forward credentials.

Jira:RHEL-5281

Before this update, the libreswan package was a monolithic package with a dependency on systemd. This dependency increased the image size of containerized applications.

With this update, the package is modularized by introducing a new libreswan-minimal sub-package without dependencies on systemd and other optional external tools. As a result, you can create smaller container images for applications that do not use systemd. These provide faster startup times and reduced resource usage.

Jira:RHEL-5299

New rules in the SELinux policy provide specific confinement for the redfish-finder systemd service. This update helps comply with the CIS Server Level 2 benchmark for the restriction of unconfined daemons.

As a result, redfish-finder no longer uses the unconfined_service_t label and runs correctly in SELinux enforcing mode.

Jira:RHEL-50299^[1]

With this update, the OpenSSH suite adds support for the mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 key exchange algorithms. As a result, you can protect SSH connections by using the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) key exchange combined with elliptic curves standardized by the National Institute of Standards and Technology (NIST).

Jira:RHEL-70824

With this update, the libssh library introduces support for post-quantum traditional (PQ/T) hybrid key exchange methods based on the quantum-resistant Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) standard and traditional Elliptic-curve Diffie-Hellman (ECDH) key exchange schemes. You can use the following methods defined by the Internet Engineering Task Force (IETF) draft-ietf-sshm-mlkem-hybrid-kex document in the SSH protocol:

Note that mlkem768x25519-sha256 is the preferred key exchange method for SSH connections unless you change the configuration.

Jira:RHEL-70825

The p11-kit-client.so module moves from the p11-kit-server subpackage to the new p11-kit-client subpackage. With the separated subpackages, you can install only the required parts and avoid redundant content on host systems or in containers.

Jira:RHEL-89706

With this update, the OpenSSH suite permits GSSAPI key exchange methods with the following Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) groups in FIPS mode:

Also, OpenSSH in FIPS mode allows a non-cryptographic use of the MD5 algorithm. As a result, you can use OpenSSH in FIPS mode to establish SSH connections by using GSSAPI key exchange.

Jira:RHEL-91181

With this update, you can use the restorecon command with the -c option. The restorecon -c command performs relabeling, prints the number of relabeled files in its output, and sets the exit code to 0 only if at least one file is relabeled. This makes restorecon -c useful for verifying that remediations of labeling problems are successful.

Jira:RHEL-94827

This update of the openssh packages introduces the CanonicalMatchUser directive for the sshd_config configuration file. With the new directive, you can configure Match User blocks so that sshd first attempts to obtain the username from a password database instead of using an alias. As a result, Active Directory (AD) users can no longer bypass chroot restrictions when using capital letters in their usernames, which might lead to privilege escalation.

Jira:RHEL-101440^[1]

New rules in the SELinux policy provide specific confinement for the systemd-oomd service. This update helps comply with the CIS Server Level 2 benchmark for the restriction of unconfined daemons.

As a result, systemd-oomd no longer uses the unconfined_service_t label and runs correctly in SELinux enforcing mode.

Jira:RHEL-106998^[1]

With this update, the following SELinux domains move from permissive to enforcing mode:

These domains temporarily operated in permissive mode. This allowed the system to log additional access denials and gather data to complete the security policy without a service failure. The temporary observation phase is complete.

As a result, the system proactively prevents unauthorized access for these services.

Jira:RHEL-107038^[1]

With this update, the SELinux policy defines specific security contexts and transitions for the new OpenSSH binary structure, including the /usr/libexec/openssh/sshd-session and /usr/libexec/openssh/sshd-auth binaries.

The change aligns with splitting the monolithic sshd daemon into specialized binaries to reduce the attack surface. By splitting the listener sshd, the per-session logic sshd-session, and the authentication phase sshd-auth into separate processes, the pre-authentication code is isolated in a disjoint address space. This architectural change requires explicit SELinux types to ensure each component maintains the necessary privileges while adhering to the principle of least privilege.

As a result, the OpenSSH server benefits from improved security through process isolation and reduced memory usage after the authentication phase completes. SELinux correctly confines these new binaries, ensuring that host keys and authentication sockets remain protected while allowing standard operations such as PAM authentication to function seamlessly in the new multi-binary environment.

Jira:RHEL-107732

With this update, the setfiles utility includes a new -A option. Tracking conflicts between inodes with multiple hard links can consume significant memory, especially on large file systems. Use the -A option to disable tracking of these conflicts. This reduces memory consumption, allowing to run setfiles on memory-constrained systems without encountering high memory overhead.

Jira:RHEL-111505

RHEL 10.2 introduces the capnproto package, a high-performance data interchange and remote procedure call (RPC) system. This package serves as a shared dependency for rust-sequoia-sq and rust-sequoia-podman, both of which bundled this library internally before this update.

The rust-sequoia packages use the capnproto zero-copy serialization and RPC system to communicate with the Sequoia Keystore. This architecture isolates private keys in a separate process to enhance security and ensures the high-speed performance required for large-scale cryptographic tasks, such as container image signing.

The capnproto package is available for installation from the CodeReady Builder (CRB) repository. As a result, security updates and bug fixes for the library can be applied independently of the applications that depend on it.

Jira:RHEL-114452^[1]

The setools packages, which provide SELinux user-space analysis tools, are rebased to upstream version 4.6.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-115363

The fapolicyd packages are rebased to upstream version 1.4.3 and provide many enhancements and bug fixes over the previous version. Most notably:

Jira:RHEL-118362

This update of the system-wide cryptographic policies crypto-policies adds support for the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) key exchange in the libssh library. The mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 algorithms are enabled by default in all predefined policies. This aligns with support for ML-KEM in OpenSSH, providing a quantum-resistant key exchange method for your SSH sessions.

Jira:RHEL-125889

This release of the openssh packages introduces support for the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) key exchange combined with elliptic curves standardized by the National Institute of Standards and Technology (NIST) in FIPS mode. You can establish SSH connections with a hybrid security provided by the combination of classical cryptography and a quantum-resistant key exchange mechanism.

Jira:RHEL-125929

The podman-sequoia library provides the ML-DSA-65+Ed25519 and ML-DSA-87+Ed448 algorithms to meet the Commercial National Security Algorithm Suite (CNSA) 2.0 guidelines for software signatures.

As a result, after you install podman and podman-sequoia, you can create and verify container image signatures with these post-quantum schemes.

Jira:RHEL-126677^[1]

The capnproto package is rebased to version 1.3. This update provides security enhancements and bug fixes, and ensures compatibility with newer Sequoia versions.

Jira:RHEL-127899

With this update of the selinux-policy packages, the following devices have more specific SELinux labels:

This aligns with the addition of new character device interfaces to the kernel, providing user-space application binary interface (ABI) access to the Power Architecture Platform Reference (PAPR) system parameters, in addition to the existing kernel-internal API.

As a result, the SELinux policy assigns distinct labels to these devices so that different permissions can apply to various services accessing them.

Jira:RHEL-129839

The libssh packages have been upgraded to version 0.12.0. The new version provides many enhancements and bug fixes, notably:

Jira:RHEL-133421

With this update, the system-wide cryptographic policies enable the mlkem768x25519-sha256 key exchange algorithm for the libssh library in all predefined policies. This aligns with recently added support for this ML-KEM curve hybrid in libssh. As a result, mlkem768x25519-sha256 is enabled by default and negotiated with the highest priority, protecting SSH connections with a combination of traditional and post-quantum cryptography (PQC).

Jira:RHEL-133522

The p11-kit packages have been upgraded to upstream version 0.26.1. The new version provides many enhancements and bug fixes, most notably:

Jira:RHEL-139074^[1]

The clevis-pin-trustee package provides a new Clevis pin trustee that enables automated encryption and decryption of LUKS-encrypted volumes by using remote attestation through the Trustee Key Broker Service (KBS). The trustee pin integrates with the standard Clevis framework through the clevis-encrypt-trustee and clevis-decrypt-trustee commands, and it includes a Dracut module 60clevis-pin-trustee for automated root volume unlocking during early boot.

In scenarios such as confidential clusters for OpenShift and confidential virtual machines with OpenShift Virtualization, the Trustee server acts as the policy enforcement point, releasing the disk encryption key only when the requesting platform’s attestation evidence validates against a set of reference values.

As a result, you can bind LUKS-encrypted volumes to one or more Trustee servers by using a clevis luks bind -d <device> trustee '<config>' command. You can also combine the trustee pin with other Clevis pins, such as tang and tpm2, for multi-factor or multi-policy unlock configurations.

Jira:RHEL-139808^[1]

The Keylime packages are rebased to upstream version 7.14.1. The most notable bug fixes and enhancements include the following:

Jira:RHEL-140896

The keylime-agent package is rebased to upstream version 0.2.9, which includes the following enhancements:

Jira:RHEL-140897

With this update, the system-wide cryptographic policies enable the mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 key exchange algorithms for OpenSSH in FIPS mode. This aligns with recently added support for these ML-KEM NIST curve hybrids in OpenSSH. As a result, RHEL 10.2 hosts running in FIPS mode and with the FIPS system-wide cryptographic policy active perform SSH key exchanges by using mlkem768nistp256-sha256 or mlkem1024nistp384-sha384 as long as the other peer also supports and prefers them.

Jira:RHEL-148560

The OpenSCAP packages have been rebased to upstream version 1.4.3. This version provides bug fixes and various enhancements. For additional information, see the OpenSCAP release notes.

Jira:RHEL-133978

For additional information, see the SCAP Security Guide release notes.

Jira:RHEL-152059

RHEL 10.2 introduces a new implementation of the FIDO Device Onboarding (FDO) client and servers. These components, which were not available in previous releases, are fully supported and available as the following RPMs:

Jira:RHELDOCS-18977^[1]

The greenboot health check framework was enhanced as greenboot-rs, a reimplementation designed for improved maintainability and supportability. The new version is fully compatible with existing greenboot functionality and custom health checks. As a result, this version ensures more robust system roll backs during system upgrades.

Jira:RHELDOCS-21813^[1]

The libsolv packages are rebased to upstream version 0.7.33. This version provides the following important fixes and enhancements:

Jira:RHEL-86940

The librepo packages are rebased to upstream version 1.19.0. This version provides the following important fixes and enhancements:

Jira:RHEL-126292^[1]

The openwsman package has been updated to version 2.8.1 with the following improvements:

Jira:RHEL-99191^[1]

The opencryptoki packages are rebased to upstream version 3.26.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-100058^[1]

With this update, you can override the systemd-logind session class for sessions that cron scripts start. To start a session without triggering the systemd --user manager, set the XDG_SESSION_CLASS=background-light environment variable in the crontab. This configuration reduces the number of log messages that cron executions generate.

Jira:RHEL-109832^[1]

Environment modules is rebased to upstream version 5.6.1. This release introduces key new features, enhancements, documentation and community updates, and few bug fixes. Here is the list for reference:

Jira:RHEL-132336

This update adds support for dropping root privileges in the ptp4l process. To facilitate this, the linuxptp package creates the linuxptp system user and the /run/ptp directory for Unix domain sockets used by the ptp4l, phc2sys, ts2phc, tz2alt, and pmc programs. The linuxptp user is included in the clock system group to reopen /dev/ptp* devices after start.

After updating the udev rules included in the systemd-udev package, perform these steps to drop root privileges:

As a result, the ptp4l process can run with reduced privileges.

Jira:RHEL-12183^[1]

With this update, the default chrony configuration on the s390x architecture uses the s390-specific Server Time Protocol (STP) reference clock instead of public servers from pool.ntp.org. As a result, chrony synchronizes time with the STP reference clock by default on s390x systems.

Jira:RHEL-62844^[1]

The foomatic-rip filter rejects PostScript Printer Description (PPD) values not in an approved list of hashes. Before this update, certain PPD options were vulnerable to security exploits. This update implements an allowlist mechanism to ensure secure printing.

For new installations, use the foomatic-hash tool to scan the PPD file and move approved hashes to the /etc/foomatic/hashes.d/ directory. For existing installations, review auto-allowed values in the /var/tmp/foomatic.* file.

Jira:RHEL-93944^[1]

The chrony packages are rebased to upstream version 4.8, which includes the following notable enhancements and bug fixes:

Jira:RHEL-112593

The upgrade to the upstream version 3.26.0 provides the following notable enhancements:

Jira:RHEL-120966

SystemTap is rebased to version 5.4. The notable changes in this update include:

Jira:RHEL-121663

The upgrade to the upstream version 0.194 provides the following notable enhancements:

Jira:RHEL-121665

The sscg packages are rebased to upstream version 4.0.3. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-123675

With this update, Apache’s ErrorLogFormat supports millisecond timestamps. Millisecond-level timestamps in error logs improve log filtering, troubleshooting efficiency, and cross-system traceability. You can configure this, for example, by using the %{m}t format specifier. As a result, you can correlate and filter logs across systems with millisecond precision.

Jira:RHEL-145713^[1]

By default, the NMstate API uses NetworkManager to send configurations to Libreswan service. In this case, NetworkManager defines default values, which are different from Libreswan’s defaults. With this enhancement, you can set nm-auto-defaults: false in the YAML file and Nmstate does not inject any extra settings. In this case, Libreswan uses this configuration and also its own default values.

For backward compatibility, the default value of nm-auto-defaults is true.

Jira:RHEL-26350

This update enhances the NetworkManager Libreswan client plugin and Nmstate to configure multiple subnets in IPsec policies. This corresponds to the use of multiple subnets in the leftsubnets and rightsubnets parameters in the Libreswan configuration. As a result, users can connect to multiple subnets by using a single IPsec tunnel.

Jira:RHEL-33712

With this enhancement, you can use the NetworkManager-libreswan plugin to start Libreswan IPsec connections in listening mode. Previously, NetworkManager failed to activate a connection if the remote endpoint was unreachable. By setting the new nm-connect-mode property to ondemand in the connection profile, the tunnel remains active in a listening state after an initial failure. This ensures the system can still accept incoming connection requests even if it could not initiate the primary tunnel.

Jira:RHEL-67307

This enhancement adds IRQ suspension support to the epoll kernel API. This improves network processing efficiency within the kernel stack. This mechanism bridges the gap between throughput and latency by providing a way to dynamically optimize the networking stack for high-load efficiency and low-load responsiveness simultaneously. Applications that use epoll with this new mechanism can reduce CPU cycle consumption during high traffic loads and decrease tail latency during low traffic periods.

Note that you must modify your application to support this IRQ suspending.

Jira:RHEL-77189^[1]

With this enhancement, you can use the Nmstate API to set alternative names on network interfaces to simplify configuration management and support processes. For example, to assign LAN as an alternative name to enp1s0 and remove the name internal-LAN, use:

interfaces:
  - name: enp1s0
    alt-names:
      - name: LAN
      - name: internal-LAN
        state: absent

Jira:RHEL-90096

The iproute package has been updated to upstream version 6.17.0.

Notable enhancements:

Jira:RHEL-98263

With this update, RHEL users can configure an interlink interface for High-availability Seamless Redundancy (HSR) connections. Users can now use the hsr.interlink property to specify the interlink interface name. As a result, you can configure RHEL as a Redundancy Box (RedBox).

Jira:RHEL-100768

The hsr kernel module provides the following protocols:

Jira:RHEL-100942^[1]

With this update, users can now set the DHCP client ID as a kernel argument. Certain DHCP servers require this ID to identify a client correctly. By setting the rd.net.dhcp.client-id kernel argument, the client ID is already available during early boot operations.

Jira:RHEL-108454

This enhancement introduces name-based netdev hooks with wildcard support to the nftables kernel component. This ensures defined rule sets remain stable regardless of interface presence. Previously, nftables would bind to each specified interface immediately upon adding a flowtable or netdev-family chain. Consequently, the transaction failed due to a non-existing interface, and removing an interface deleted the matching interface specifications or entire bound chains.

With this update, hooks for non-existing interfaces are accepted in an inactive state and bind to matching interfaces at the time they appear in the system. This dynamic registration also provides the possibility to accept simple interface (suffix) wildcards to bind a flowtable or netdev-family chain to any matching interface. You can inspect currently active hooks by using the nft list hooks command.

Jira:RHEL-108861

RHEL 9.8 added support for WiFi7 hardware. You can use use it to connect your host to wireless networks that use this standard.

Jira:RHEL-111098^[1]

With this enhancement, you can set a lower maximum TCP retransmission timeout value than the default 120000 ms to reduce network latency. Note that changing this setting can require tuning other kernel settings as well.

You can configure this limit either through the tcp_rto_max_ms kernel sysctl setting or the TCP_RTO_MAX_MS socket option. If you set both, the socket option has a higher priority.

Jira:RHEL-115393^[1]

The FRR is now rebased to version 10.4.1. This version fixes several issues affecting stability, correctness, and reliability. Notable changes include:

Jira:RHEL-118620

The nftables package has been updated to upstream version 1.1.5.

Notable enhancements:

Notable bug fixes:

Jira:RHEL-121194

With this enhancement, you can create VLAN interfaces on top of High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) interfaces to enable network traffic segmentation. When configured, the kernel adds a VLAN tag to all packets transmitted through the VLAN interface. This provides greater control over traffic isolation. Note that supervision frames remain unaffected by this configuration and are always transmitted without a VLAN tag.

Jira:RHEL-130475^[1]

With this enhancement, you can enable threaded NAPI busy polling on RHEL to significantly reduce the network latency. This feature uses dedicated kernel threads to continuously check for incoming packets, rather than waiting for hardware interrupts.

By design, threaded NAPI busy polling consumes more CPU cycles to achieve higher performance and lower latency, as the CPU remains active to process data immediately. Threaded NAPI busy polling is beneficial for high-performance, low latency applications, for example applications that use the AF_XDP socket. Use this enhancement for workloads where predictable, sub-microsecond response times are critical.

Jira:RHEL-130765^[1]

With this update, the iproute package includes the dpll utility which you can use to manage and monitor digital phase-locked loop (DPLL) devices. The utility uses libmnl to communicate with the kernel through the netlink interface, providing a configuration tool for DPLL devices and pins.

Jira:RHEL-131660

The K1 state reduces power consumption on ICH-family network interface controllers (NIC) during idle periods. However, on Intel Meteor Lake and later platforms, enabling K1 state on NICs that use the e1000e driver can cause packet loss due to firmware misconfiguration, interoperability with certain link partners, and other conditions.

Default:

Jira:RHEL-134991^[1]

Due to missing upstream support for passing Qualcomm wireless cards to VMs by using the PCI pass through feature, these cards do not work correctly in VMs. With this update, the ath11k and ath12k drivers use certain kernel parameters to work around the problem. As a result, Qualcomm wireless cards that use these drivers work if you pass the devices to VMs. Note that the solution is only an unsupported workaround.

Jira:RHEL-141347^[1]

This update adds the fou and fou6 modules to the kernel-modules-extra package. With these modules, you can configure connections that use the following protocols:

Jira:RHEL-142435^[1]

This enhancements adds support for policy sets to the firewalld service. Policy sets are collections of pre-defined policies that you can use as a starting point for certain configurations. For example, the gateway policy set is a set of configurations that enable masquerading, connection tracking helpers, and forwarding between zones.

For further details, see Using firewalld policy sets to configure a router.

Jira:RHEL-70357^[1]

With this update, the perf command supports Monaka CPU to enable performance monitoring in the system. As a result, you can use this feature to analyze performance and power for high-performance computing (HPC) and datacenter applications. This feature is integrated into the Linux kernel version 6.12.0 and later.

Jira:RHEL-23107^[1]

With this update, you can pass the LUKS volume key to the kdump kernel, to save vmcore data to a LUKS-encrypted disk volume. This enhancement secures vmcore data on RHEL systems, as sensitive data remains protected in the event of system crashes. To activate this optional feature, you must use the 'kdumpctl setup-crypttab' command. This update is available for the x86_64 architecture in RHEL 10.2.

Jira:RHEL-29037

With this update, PerfMon support is added for Clearwater Forest, a hardware or software platform, on the CentOS Stream kernel. This enhancement enables performance monitoring for the Clearwater Forest platform, improving overall system efficiency and stability.

Jira:RHEL-45066^[1]

The EDAC driver is updated to add platform support for Intel Clearwater Forest (CWF) servers, enhancing RAS capabilities for this hardware. This change improves error detection and correction functionality specific to the Intel platform.

Jira:RHEL-45084^[1]

The perf tool and its kernel backend are rebased to align with upstream version 6.17. This update introduces several enhancements and bug fixes. Most notably, the following:

Jira:RHEL-78200^[1]

Jira:RHEL-78204^[1]

The perf tool and its kernel backend are rebased to align with upstream version v6.18. This update introduces several enhancements and bug fixes. Most notably, the following:

Jira:RHEL-78292^[1]

With this update, the cpupower Python bindings are integrated in RHEL 10. This enhancement places the bindings in the kernel-tools-libs-devel package for easier access.

Jira:RHEL-83442^[1]

With this update, the rtla tool now supports triggering userspace actions either when a latency threshold is reached or tracing concludes. With rtla, you can execute diagnostic commands or extract trace data before the instance is removed, regardless of whether a threshold violation occurred.

Jira:RHEL-89807^[1]

The Intel QAT crypto device driver is updated to support QAT GEN6 devices through the new qat_6xxx driver. GEN6 devices enable concurrent use of symmetric encryption, asymmetric encryption, and data compression. This was not available in earlier generations.

Jira:RHEL-94928^[1]

The tpm2-tools package is updated to ensure compatibility with modern TPM 2.0 hardware and improve security tooling support. This update enables enhanced TPM-based operations and aligns with upstream security and feature developments.

Jira:RHEL-94930^[1]

With this update, the IAA is now moved from a Technology Preview to the supported state and the device IDs are added for In-memory Analytics Accelerator (IAA). As a result, devices on the Wildcat Lake platform are now supported.

Jira:RHEL-95628^[1]

With this update, you can trace and debug kernel issues more effectively on Red Hat Enterprise Linux (RHEL). This feature displays return values of functions within the function graph by using the function_graph tracer in ftrace. As a result, debugging experience improves for developers and system administrators.

Jira:RHEL-105766^[1]

kpatch reports which kernel CVEs are patched by live patches for the currently running base kernel. This enhancement helps administrators verify that specific CVEs are already remediated through live patching even when the on-disk kernel version appears vulnerable.

By listing CVEs that are patched only by kpatch, this enhancement improves security reporting and enables integration with compliance workflows and external scanners that must account for live-patched vulnerabilities.

Jira:RHEL-106283^[1]

This update adds support for the AMD Venice CCP crypto device with PCI device ID 0x17D8 (PCIID 1002:17D8) in the kernel CCP driver. This enables systems with the Venice CCP hardware to use the updated cryptographic offload capabilities provided by the device.

Jira:RHEL-106909^[1]

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, is rebased to upstream version 9.0.1. This version provides a number of fixes and enhancements, most notably the following:

Jira:RHEL-114659

With this update, you can select the measurement module for the rteval utility. This overrides the default setting in the rteval.conf file. This new feature, 'measurement-module', provides greater flexibility and control over performance testing, which enhances the precision and customization.

Jira:RHEL-114927^[1]

With this update, you can manage CPU idle states more effectively in Tuna 10.2. The libcpupower functionality has been re-enabled, which allows disabling, enabling, or checking the status of idle states on selected CPUs. By using the tuna cpu_power command, you can optimize your CPU usage.

Jira:RHEL-116084

With this release, PowerVM LPAR guest operating systems on IBM Power Systems support dynamic key management for secure boot verification. This enhancement allows you to enroll and manage your own keys in the Platform Key Store, transitioning from a static key model.

During boot, the partition firmware authenticates grub2 using the enrolled verification key. Then grub2 verifies the kernel image integrity before loading. This improves flexibility and control over boot integrity and strengthens the security posture for IBM Power Systems environments.

Jira:RHEL-24510^[1]

You can create Boot Loader Specification (BLS) snippets for kernel unified kernel images (UKIs) and use the efi keyword to specify the path to the UKI, similar to how the linux keyword specifies the path to the kernel. For example:

title Red Hat Enterprise Linux 10.2 (6.12.0-197.el10)
version 6.12.0-197.el10.x86_64
efi /EFI/Linux/kernel-6.12.0-197.el10-UKI.efi

In this configuration, BLS snippets reside in /boot/efi/loader/entries, and the UKIs reside in /boot/efi/EFI/Linux.

Jira:RHEL-119685

The shim bootloader package is signed with both the Microsoft Windows UEFI Driver Publisher (MS 2011) certificate and the Microsoft UEFI CA 2023 certificate for Red Hat Enterprise Linux 10.2. This update helps maintain compatibility with systems that rely on either of these Microsoft UEFI trust anchors while preserving the existing Red Hat UEFI Publisher 2024 signature.

With this change, both shimx64.efi and shimaa64.efi binaries are correctly signed, enabling secure boot environments to validate the updated bootloader components on supported hardware platforms.

Jira:RHEL-144033

With this update, an optional watchdog for fanotify permission events has been introduced. If a system hang occurs due to fanotify permission events, the watchdog logs the process ID and name of the task responsible for the hang to the system log. This enhancement simplifies and accelerates the diagnosis of fanotify related hangs without requiring kernel crash dump analysis.

Note that the watchdog is disabled by default. To enable it, write a timeout value to /proc/sys/fs/fanotify/watchdog_timeout. When enabled, the watchdog incurs negligible performance overhead.

Jira:RHEL-44601^[1]

With this update, the Logical Volume Manager (LVM) has been enhanced to manage persistent reservations on a volume group (VG). With this feature, LVM controls access and ownership of shared storage resources used by Volume Groups. This can be useful in clustered environments that use shared block storage. For more information, see the lvmpersist(8) man page on your system.

Jira:RHEL-60931

The io_uring interface supports asynchronous I/O operations. With this update, applications use this interface to submit multiple I/O requests without blocking the calling process. io_uring uses shared ring buffers between user space and kernel space to reduce system call overhead and avoid buffer copying. This interface is more efficient and supports more asynchronous system calls than Linux AIO.

Jira:RHEL-120700^[1]

With the release of stratisd 3.8.6 and stratis-cli 3.8.3, the Stratis storage management system can now automatically maintain the volume keys of encrypted pools.

Previously, if stratisd needed to extend an encrypted pool automatically, the operation could fail if the encryption information was not available. With this update, stratisd maintains the volume key in its own process keyring. The key is automatically loaded when the pool is unlocked or when the service starts with an existing encrypted pool. To ensure security, the key is removed from the keyring when the stratisd process exits or when the pool is stopped or destroyed. If the pool is a V2 encrypted pool and the volume key is not present in the stratisd process keyring, stratis-cli displays an alert in its pool listing.

Jira:RHEL-125937^[1]

The snapm package has been rebased to upstream version 0.7.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-137376^[1]

Before this update, multipath devices remained in the system if you did not remove SCSI devices before disconnecting a LUN. This sometimes resulted in queued I/O or incorrect writes if the LUN was repurposed.

With this update, the purge_disconnected option is available in the defaults, devices, and multipaths sections of the multipath.conf file. When you set this option to yes, the multipathd daemon automatically removes disconnected SCSI devices from the system.

Jira:RHEL-141287

Previously, there was no built-in method in pcs to add supplemental text descriptions directly to resources and other cluster elements. This limited the ability of administrators to document, provide context, or aid in troubleshooting elements within the Pacemaker cluster.

With this enhancement, a new command, pcs cib element description, is available.

As a result, you can add brief text descriptions to a wide range of CIB elements that support the description attribute, including primitive resources, groups, clones, bundles, ACL permissions, ACL roles, alerts, alert recipients, and nodes. For a more intuitive experience, two new aliases are also available: pcs resource description and pcs stonith description.

Jira:RHEL-7670^[1]

Previously, when configuring resource or stonith devices, a user could set meta attributes that were not recognized by the cluster. This led to silent configuration errors where the invalid attributes were accepted without warning but had no effect on cluster resource handling.

With this enhancement, meta attribute names for primitive and stonith resources are validated against the provided cluster meta attributes definition.

As a result, a warning is printed when invalid meta attributes are used with the following commands:

Jira:RHEL-7673

Before this update, users could disable the cluster’s fencing mechanism by setting the cluster property stonith-enabled to false without receiving any warning. This could inadvertently leave the cluster in an unsupported and unsafe state.

With this enhancement, the cluster management utility includes a safety check.

As a result, when you attempt to disable fencing using stonith-enabled=false the utility displays a warning message informing you that the cluster fencing mechanism will be lost.

Jira:RHEL-84120

Previously, the portblock resource agent relied on iptables for managing port access. Since iptables is now primarily a wrapper for nftables and is slated for removal in future releases, a transition to native nftables support was necessary.

With this enhancement, the portblock resource agent now supports nftables natively.

As a result, nftables is used by default for port blocking operations. For environments that still require the legacy behavior, you can manually switch back to iptables by setting the firewall resource parameter to iptables.

Jira:RHEL-116152

MariaDB 11.8 packages are available in RHEL 10.2.

Notable changes over the previously available version 10.11 include:

Notable breaking differences:

For more information about MariaDB, see Using MariaDB.

To install the new packages, enter:

# dnf install mariadb11.8-server

If you want to upgrade from MariaDB 10.11, see Upgrading from a RHEL 10 version of MariaDB 10.11 to MariaDB 11.8.

For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-115468^[1]

PostgreSQL 18 packages are available.

Notable changes:

Jira:RHEL-116546^[1]

Before this update, a missing or incomplete user postgres entry caused PostgreSQL initialization to fail in a podman-bootc environment using a Containerfile. With this update, the initialization issue is resolved. As a result, PostgreSQL initializes and operates correctly in Image Mode.

Jira:RHEL-126140

The ruby4.0 runtime provides a Ruby 4.0 stack with database connector support. As a result, you can select the ruby4.0 runtime alongside the existing Ruby stack to develop and run Ruby applications with supported database connectivity.

Jira:RHEL-133550^[1]

The python3.14 stack with essential packages is available in RHEL 10.2. This new alternative stack provides Python 3.14 to develop and run applications while staying on the RHEL 10 minor release.

Jira:RHEL-120788^[1]

RHEL 10.2 provides PHP in version 8.4. This version provides many enhancements and bug fixes over version 8.3, most notably:

Jira:RHEL-105827^[1]

The glibc memstream documentation explains how open_memstream handles seeking and the current position when using SEEK_END. The updated text clarifies how writing at the end of the buffer behaves, in line with the implementation-defined behavior introduced in POSIX Issue 8.

Jira:RHEL-65838

A new Performance Metrics Domain Agent, pmdaopentelemetry, is available to ingest OpenTelemetry metrics into Performance Co-Pilot (PCP). This enhancement bridges the OpenTelemetry ecosystem with PCP by dynamically creating PCP metrics from configured endpoints that export data in OTLP JSON format. The PMDA replaces the legacy pmdajson for OpenTelemetry use cases.

Features include:

Jira:RHEL-83866

The pmproxy service supports exporting Performance Co-Pilot (PCP) metrics in OpenTelemetry JSON format through the existing /metrics REST API endpoint. When a client includes the Accept: application/json header in the HTTP request, pmproxy returns metrics in the OpenTelemetry resourceMetrics JSON structure instead of the default OpenMetrics text format.

This enhancement enables direct integration of PCP metrics with OpenTelemetry-based monitoring solutions without requiring additional format conversion. The existing OpenMetrics text format remains the default when the Accept: application/json header is not specified. Features include:

Jira:RHEL-85456

With this update, a new tool, pcp2opentelemetry, is introduced for exporting both real-time and archived Performance Co-Pilot (PCP) data in the OpenTelemetry format. This tool extends OpenTelemetry support within PCP, similar to pcp2openmetrics, and is part of the ongoing support for OpenTelemetry in PCP v7. By using this tool, you can export PCP data in the OpenTelemetry format. It boosts compatibility with other tools within the OpenTelemetry ecosystem and offers a more adaptable and integrated method for managing performance data.

Jira:RHEL-85457

With the Performance Co-Pilot (PCP), a new Performance Metrics Domain Agent (PMDA) is available for monitoring SAP HANA databases. You can now use PCP to collect and analyze metrics from SAP HANA, enabling improved visibility into database performance and behavior. This enhancement helps administrators monitor the SAP HANA workloads by using standard PCP tools and workflows.

Jira:RHEL-85725

The llvm toolset has been rebased to version 21 in RHEL 10.2. This rebase provides updated compiler and tooling features for building and optimizing applications that depend on llvm.

As part of this change, dependent packages in RHEL 10 have been rebuilt against llvm 21 to ensure compatibility with the updated toolset.

The notable changes are:

Jira:RHEL-100887

PCP supports a push model for pmlogger that enables remote archival of performance metrics data by using an HTTP REST API. Previously, centralized logging required administrators to reconfigure the central system to pull data from each newly added host. With the push model, each host streams archived data directly to a centralized pmproxy server in real time. This approach simplifies scaling and removes the need to store archives locally on remote systems. Additional key features include the following:

Jira:RHEL-104669^[1]

Before this update, gcov function summaries only reported the number of lines executed and did not include details about branch or call coverage within the function.

With this enhancement, requesting function summaries using the -f option now includes data on branches taken and function calls made within the profiled function. This provides a more comprehensive view of function-level test coverage.

Jira:RHEL-105464^[1]

Previously, the glibc APIs inet_ntop and inet_pton did not include Source Fortification support, so the compiler was unable to detect some buffer errors before running the program.

With this update, attribute access annotations is added to inet_ntop and inet_pton, enabling the compiler to warn about potential buffer misuse at compile time. As a result, these APIs are now covered by Source Fortification, which improves their security and reliability.

Jira:RHEL-111115^[1]

RHEL 10.2 rebases the rust-toolset Application Stream to version 1.92.0, providing an updated Rust compiler and associated tooling for developing and running Rust applications. This rebase continues the rolling Application Stream model, where only the latest rust-toolset version is supported.

Notable enhancements include:

Jira:RHEL-111845

The freopen function behaves more reliably and correctly under various usage scenarios. The function no longer leaks memory on failure, preserves and applies file descriptor flags such as O_CLOEXEC correctly, and sets the stream orientation properly when a character set is specified.

Jira:RHEL-115823^[1]

The glibc vectorized math library (libmvec) was upgraded to the upstream 2.40 version. The upstream glibc 2.40 release adds 55 additional vectorized math routines that were previously not available in the RHEL glibc based on version 2.39.

As a result, vectorized code compiled with the -ffast-math build option on AArch64 now benefits from these functions and might use symbols with the glibc version 2.40.

Jira:RHEL-118273^[1]

The boost-url shared library is available as part of the main boost package in the CodeReady Builder (CRB) repository. This change resolves the missing boost-url subpackage that blocked some dependent builds in earlier releases.

Because boost-url is a dependency of the boost metapackage, it is shipped with boost instead of as a separate repository entry. In RHEL 10.2, the boost-1.83.0-7.el10 build ensures that boost-url is included in the product listing, and installing boost-devel also provides the headers and libraries needed to build applications that rely on Boost.URL.

Jira:RHEL-124169

pcp-7.0.3-1.el10 in RHEL 10.2 introduces enhancements to monitoring capabilities, including new metric sources and improved sample resolution.

The update adds new Performance Metrics Domain Agents (PMDAs), expands dstat plugin coverage, and improves timestamp granularity for collected samples. The following enhancements are included in this update:

Jira:RHEL-124897

With this update, the Red Hat Build of OpenJDK 25 for RHEL integrates with the RHEL crypto-policies package. This enhancement ensures secure system property handling and improves the security of Java applications running on RHEL by loading additional configuration files based on Red Hat system properties. This change also adds FIPS support using NSS.

Jira:RHEL-128409^[1]

The glibc package uses the euro currency symbol for the bg_BG locale to reflect Bulgaria’s adoption of the euro as of 1 January 2026.

As a result, applications that use the bg_BG locale display currency values with the updated euro symbol.

Jira:RHEL-137184

The glibc package now uses the euro currency symbol for the hr_HR locale in RHEL. This change aligns Croatian locale data with the country’s current official currency.

As a result, applications that rely on glibc locale information for the hr_HR locale now display the up-to-date euro currency symbol instead of the former Croatian kuna.

Jira:RHEL-140103

With this enhancement, the glibc package optimizes the trylock implementation for workloads with high thread counts on multi-core systems, improving trylock throughput under heavy contention.

Jira:RHEL-139419

The RTLD_DI_ORIGIN_PATH dlinfo request type in glibc accepts the size of the destination buffer when retrieving the shared object origin path. This request type helps avoid buffer overflows when obtaining the shared object origin path.

The behavior of the existing RTLD_DI_ORIGIN request type remains unchanged.

Jira:RHEL-146428^[1]

With this update, the auto-sizing feature for entry and DN caches adapts its tuning when a Directory Server instance uses multiple databases of different sizes. The cache size matches the database size, allocating more physical resources to larger databases.

Jira:RHEL-18041

With this update, Directory Server introduces a new configuration attribute, nsslapd-cache-pinned-entries, in backend configuration entries to pin the largest groups in the entry cache. You can set the number of entries that you want to pin by using the nsslapd-cache-pinned-entries attribute. These group entries are only evicted when modifying the group or when bringing the backend down. The default value is 0 meaning no group entries are pinned.

Jira:RHEL-58682

Before this update, the ipa-client-automount utility relied on the host’s current DNS domain for service discovery. This caused issues in cross-domain environments where the client host resided in a different DNS domain than the Identity Management (IdM) server, often requiring administrators to manually configure numerous server settings in multiple locations.

With this update, ipa-client-automount introduces the --domain option. This allows users to explicitly define the IdM domain to be used for DNS discovery during the automount configuration.

As a result, installation efficiency and reliability are improved for complex network topologies.

Jira:RHEL-86030^[1]

With this update, you can update server certificates on a running instance and trigger a certificate refresh without stopping the dirsrv service. After deploying new certificates, you can use the dsconf <instance_name> config refresh-certs command to activate them for new incoming TLS connections, enabling smoother, more automated certificate renewal processes with less downtime. Existing LDAP connections are not explicitly closed. However, if the CA certificate has changed, some existing LDAPS connections might be terminated by clients with SERVER_DOWN errors. This occurs when the clients expect the previous certificate while the server renegotiates encryption with the new one.

Jira:RHEL-86320

With this update, you can define group membership based on LDAP search filters, similar to OpenLDAP, instead of managing static member lists. Using search filters to define group membership provides more flexible and scalable access control. Membership is automatically calculated from LDAP search URLs when you configure a dedicated object class, URL attribute, and list attribute. As a result, Directory Server introduces the following configuration attributes under cn=config,cn=ldbm database,cn=plugins,cn=config:

Jira:RHEL-86534

With this update, you can use the dsconf <instance_name> repl-conflict delete-all "<suffix_name>" command to delete all replication conflicts in bulk. Before this update, each conflict had to be deleted individually by using dsconf <instance_name> repl-conflict delete. Now, you can delete all replication conflicts in a single operation by using dsconf.

Alternatively, you can try to resolve conflicts instead of deleting them. For details, see Solving common replication problems.

Jira:RHEL-99331^[1]

Before this update, importing the wrong LDIF file would erase the backend first and only report errors after processing the entire file, potentially causing data loss.

With this update, the server performs early validation when importing LDIF files to detect mismatched or incorrect files before erasing the existing backend database. If the LDIF does not contain the expected suffix entry, the import terminates immediately with a clear error message, leaving the existing backend data intact.

Jira:RHEL-106849

The dsctl dbverify command, used to verify the integrity of a Directory Server database, provides explicit feedback depending on the database backend type. For Lightning Memory-Mapped Database (LMDB) backends, the command displays a warning that the verification is always reported as successful because LMDB has built-in integrity protection. As a result, administrators can distinguish between a missing backend and a genuinely successful verification when running dsctl dbverify.

Jira:RHEL-107003

With this update, you can configure the MemberOf plugin to monitor only selected groups for membership evaluation. Previously, MemberOf plugin processing was controlled at the suffix level, which included all groups under a configured suffix. By defining a group scope, you can target list of groups or create exceptions for specific groups. This improves performance by avoiding unnecessary plugin operations on irrelevant entries.

MemberOf plugin introduces the following multi-valued configuration attributes under cn=MemberOf Plugin,cn=plugins,cn=config:

Jira:RHEL-109113^[1]

With this update, Directory Server supports TLS certificates that use ML-DSA-44, ML-DSA-65, and ML-DSA-87 keys. This enables adoption of post-quantum cryptography standards to help protect your directory against potential quantum computing attacks.

Jira:RHEL-110192

When integrating Identity Management (IdM) with a third-party application that does not support Kerberos authentication, you can define a dedicated system account for the application to securely reset user passwords. Notably, these resets do not trigger the "password change required" flag, ensuring a seamless login experience for the end user. The system account authenticates by using LDAP.

As a result, organizations can integrate their own secure password management solutions directly with IdM.

Jira:RHEL-110204

With this update, the ipa-certupdate tool includes a new --force-server <server_fqdn> option. Before this update, an Identity Management (IdM) client only connected to its default IdM server, specified in the /etc/ipa/default.conf file, when updating the local CA trust store. If this default server was down or unreachable, the ipa-certupdate command failed. As a result, administrators can ensure successful trust store updates and maintain service continuity, even if the primary server is unavailable.

Jira:RHEL-113778

The samba packages, which provide file and print services using the SMB protocol, have been rebased to upstream version 4.23.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-114545

Identity Management (IdM) password policies support four new options (--dcredit, --ucredit, --lcredit, and --ocredit) based on the libpwquality credit system. A negative value sets the minimum number of characters of that type required in a password; a positive value provides a credit toward the minimum password length. These options are mutually exclusive with --minclasses and offer a more granular way to enforce per-class character requirements. As a result, administrators can configure specific character type minimums in IdM password policies, for example, to satisfy DISA STIG compliance requirements.

For more information, see Additional password policy options in IdM.

Jira:RHEL-119481^[1]

The ipa packages have been rebased to upstream version 4.13.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-120956^[1]

With this update, you can use Classless Inter-Domain Routing (CIDR) notation to define ranges of trusted IP addresses instead of manually listing each address. You can now specify multiple CIDR ranges, as well as a mix of individual IPs and ranges. Example multi-valued configuration:

nsslapd-haproxy-trusted-ip: 2001:db8::/32
nsslapd-haproxy-trusted-ip: 192.168.1.0/24
nsslapd-haproxy-trusted-ip: 192.168.2.50

RHEL-121208

Jira:RHEL-121208

The cepces package, which provides a certificate enrollment client for Microsoft Active Directory Certificate Services (AD CS), has been rebased to upstream version 0.3.12. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-121729

For installations using a hardware security module (HSM), Lightweight CA (LWCA) certificates and private keys are now generated on the HSM. This provides the same hardware-level security for the private keys as the root CA private key. The LWCA private key is generated on the HSM with the HSM token name as the prefix, for example mytoken:lwca.

Jira:RHEL-126761

This update ensures that automated services like crond and systemd-user are prevented from unlocking accounts locked by faillock. Previously, these services would automatically clear the "failed login" counter when they ran, which could allow a malicious actor to keep guessing passwords without being permanently locked out. With this release, once an account is locked by a security policy, it remains locked until the timeout expires or an administrator intervenes, regardless of any background system activity.

Jira:RHEL-130871^[1]

The ansible-freeipa packages, which provide Ansible modules and roles for Identity Management (IdM), have been rebased to upstream version 1.16.0. This version provides important fixes and enhancements, most notably the following:

The sysaccount module (ipasysaccount) creates and manages system accounts in IdM. The role module (iparole) supports system accounts as role members, so you can assign privileges such as user password management to those accounts in playbooks. You can, for example, use system accounts to integrate IdM with an external password reset management solution. For more information, refer to the sysaccount and role module READMEs.

The ipapasskeyconfig module is available in the ansible-freeipa collection. You can use this module to configure whether passkey authentication in IdM requires user verification, such as a PIN, when users authenticate with a passkey device. Additionally, the ipauser module supports passkey as a user authentication type, and the ipaservice and ipahost modules support passkey as an authentication indicator.

Jira:RHEL-139147

With this update, the ipaconfig, ipahost, ipaservice, and ipauser modules support the passkey authentication type for IdM resources. This enables you to manage Passkey device authentication directly through your Ansible playbooks by setting the authentication type to passkey.

Jira:RHEL-139258

The 389-ds-base package, which provides an enterprise-class LDAP server, has been rebased to upstream version 3.2.0.

Jira:RHEL-139826

You can now install a Certificate System (CS) that uses Module-Lattice-based Digital Signature Algorithm (ML-DSA) for both key types and signatures. Because ML-DSA is standardized by NIST to withstand future quantum computing threats, the CS can now generate and manage quantum-resistant certificates. This release supports ML-DSA at three NIST-defined security levels: ML-DSA-44, 65, and 87.

Jira:RHEL-143038

The pki packages have been rebased to upstream version 11.9. This version provides important fixes and enhancements, most notably the following:

Jira:RHELDOCS-21885^[1]

The adcli delete-computer command supports the --recursive option to delete computer objects from Active Directory, including their child objects. Previously, attempting to delete a computer object that contained child objects, such as metadata for BitLocker drive recovery, failed with a CANT_ON_NON_LEAF error in AD. With this update, users can cleanly delete computer objects that contain child objects using adcli.

Jira:RHEL-16141

The sudo packages have been rebased to upstream version 1.9.17p2, which includes the following notable bug fixes and enhancements:

Jira:RHEL-112100

With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2025.

Jira:RHELDOCS-21527^[1]

Before this update, some short error messages on the login screen disappeared too quickly to be read. As a consequence, users missed important login feedback. With this update, the display time for short error messages is extended. As a result, these messages remain visible for a longer period of time.

Jira:RHEL-11918

The papers document viewer is rebased to version 48.4. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-86193

The fwupd package, which updates firmware on your system, has been rebased to upstream version 2.0.19. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-110760^[1]

The libinput package is rebased to upstream version 1.30. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-136390

With this update, the default delivery method for Mozilla Firefox and Thunderbird is changed from RPM packages to Flatpaks. Anaconda, the RHEL installer, preinstalls these Flatpaks by default.

If your system is subscribed to Red Hat, you do not need to provide your Red Hat credentials when accessing the Red Hat Flatpak Registry. If you use the Red Hat Flatpak Registry on an unsubscribed system, follow the official guidelines.

Because there might be use cases where Flatpaks do not fit well, Red Hat will continue to provide and support firefox and thunderbird RPM packages in the AppStream repository for the lifetime of RHEL 10. If you identify any of these use cases, contact Red Hat Support. Alternatively, you can provide your feedback in the RHEL-160615 Jira ticket.

You can change the delivery method in Anaconda from Flatpaks back to RPM packages by following the process outlined in the documentation. For example, use the following configuration to preinstall the firefox RPM package instead of the Flatpak:

%packages
@^graphical-server-environment
-redhat-flatpak-preinstall-firefox
firefox
%end

Jira:RHEL-139533

The cockpit packages have been rebased to version 356, which provides many improvements and fixes compared to version 344 in RHEL 10.1, most notably:

Jira:RHEL-112867

Previously, the ha_cluster RHEL System Role did not include detailed constraint information in its exported data.

With this enhancement, the ha_cluster role now includes variables for location, colocation, order, and ticket constraints.

As a result, the following variables are now available in the module output, facilitating better configuration management and role-based automation:

Jira:RHEL-46226

Previously, the ha_cluster RHEL System Role provided limited visibility into the current cluster configuration.

With this update, the ha_cluster role has been expanded to include cluster properties and resource defaults.

As a result, the following variables are now exported, allowing for easier auditing and configuration mirroring:

Jira:RHEL-46227

With this update, you can manage disk partitions by using the storage role, streamlining storage management. With this unified approach you can add, remove, resize, and format partitions, ensuring consistent and repeatable results.

Jira:RHEL-66738^[1]

With this update, you can create bootable snapshot sets on platforms that support snapm, such as RHEL 9.6 and Fedora 41 or later. You can now set a bootable flag when requesting snapshots and boot the system directly from a snapshot.

Jira:RHEL-104931

With this enhancement, you can now use IPv6 addresses within the ipset_entries variable when utilizing hash:ip or hash:net types in playbooks that use the firewall RHEL system role. You can also specify additional <key>:<value> pairs of options for ipset by using the ipset_options variable. pairs

Due to a limitation of the underlying firewalld implementation, you cannot mix IPv4, IPv6, and MAC addresses in the same ipset_entries list.

Jira:RHEL-114467^[1]

To provide more granular control over conditional configurations, the sshd system role supports the sshd_CanonicalMatchUser variable. You can specify whether to evaluate OpenSSH Match blocks against a user’s initial login name or their final canonical username after the server rewrites it.

As a result, you can consistently apply security policies in environments where external identity providers or local configuration rules modify usernames. This ensures that Match blocks accurately reflect the user’s identity once the server determines the final canonical username.

Jira:RHEL-127971

Before this update, the high-availability stack primarily supported the stonith-watchdog-timeout property for managing watchdog-based fencing. However, future Pacemaker versions replace this property with fencing-watchdog-timeout.

With this update, the role handles both the legacy and new property names consistently.

As a result, the role supports future Pacemaker versions and ensures that watchdog-related cluster properties remain functional regardless of which property name you use. The role preserves both stonith-watchdog-timeout and fencing-watchdog-timeout when creating or pushing CIB configurations.

Jira:RHEL-136597

With this enhancement, you can use the metrics RHEL system role to configure TLS-encrypted connections to Grafana. To use this feature, specify the following variables in your playbook:

Jira:RHEL-136607^[1]

With this update, you can configure the VersionAddendum option in SSH settings for match blocks, host blocks, and global client configurations. This enhancement ensures compatibility with the latest OpenSSH versions and provides granular control over your SSH connections.

Jira:RHEL-138277

The new GSSAPIDelegateCredentials parameter provides Generic Security Services Application Programming Interface (GSSAPI) credential delegation in Kerberos environments and enables a seamless single sign-on experience.

As a result, you can automate the configuration of GSSAPI credential delegation to simplify network authentication.

Jira:RHEL-144495

The postgresql RHEL system role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 18.

For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.

Jira:RHEL-144914^[1]

With this update, you can manage SELinux port types for Datagram Congestion Control Protocol (DCCP) and Stream Control Transmission Protocol (SCTP). By configuring SELinux port labels for these protocols, you can apply granular access controls and improve system security.

Jira:RHEL-145214

You can use RHEL system roles to build and manage immutable operating systems. This provides a consistent management interface across different backend technologies, including ostree.

As a result, you can deploy and configure immutable systems using the same roles used for traditional systems, ensuring environment consistency. Note: This feature is currently not compatible with the nbde_client role.

Jira:RHELDOCS-21216

With this release, you can use the analysis, remediate, and upgrade Ansible roles to automate the pre-upgrade and upgrade phases of the in-place upgrade. By using these Ansible roles, you can quickly and efficiently upgrade large numbers of systems, saving you time.

For more information, see Upgrading large deployments by using Ansible roles.

Jira:RHEL-141757

With this update, virtual machines (VMs) on RHEL 10 hosts that use IBM Z hardware can have multiple kernel entries for the virtio-net device. As a result, you can use multiple VM kernel boot entries available over PXE if the primary boot device is not bootable.

Jira:RHEL-71834

After using the virsh nodedev-update command to update a cryptograpic coprocessor (vfio-ap) device on an IBM Z host, the new configuration now takes effect significantly faster.

Jira:RHEL-73000^[1]

Virtual machines (VMs) on RHEL 10 hosts that use IBM Z hardware can now use the Control Program Identification (CPI) feature. By using CPI, you can obtain system information about VMs without accessing them. For more information about CPI, see IBM documentation.

Note that on VMs that use IBM Secure Execution, CPI is disabled by default to ensure confidentiality, and must be enabled manually. For instructions, see Setting up IBM Secure Execution on IBM Z.

Jira:RHEL-73008^[1]

The libvirt virtualization API supports setting hostname and Fully Qualified Domain Name (FQDN) options for virtual machines on network interfaces that use the passt backend. This feature integrates passt DHCP and DHCPv6 capabilities to simplify network identity assignment. As a result, you can configure hostname and FQDN directly in the domain XML. For example:

<backend type='passt' hostname='vm1' fqdn='vm1.kubevirt.org.'/>

Both attributes are optional.

Jira:RHEL-79806

Backup jobs initiated through tools such as virsh backup-begin now keep the virtual machine (VM) process active even if the guest operating system (OS) shuts down during the operation. Previously, a guest OS shutdown caused libvirt to terminate the VM process, which failed the backup and required a manual restart. This enhancement ensures that backup jobs complete successfully regardless of the guest OS state, providing greater reliability and eliminating manual intervention.

Jira:RHEL-80679

Virtual Socket (vsock) is a communication interface for direct socket-based communication between a host and virtual machines (VMs) running on the host. With this update, the virtio-win package includes the viosock driver, which implements vsock support in Windows VMs running on a KVM host. The driver enables use cases such as running commands in a Windows VM directly from the host.

The virtio-win package also includes the VsockTcpBridge service, which provides a vsock-to-TCP bridge. This bridge allows existing TCP-based applications in the Windows VM to communicate over the vsock interface without modification.

The viosock driver is available in the virtio-win ISO and installer. When you install the driver, the VsockTcpBridge service and the vsock provider are configured automatically.

Jira:RHEL-91040

The updated qemu-kvm package provides a new s390-ccw-virtio-rhel10.2.0 machine type for IBM Z virtual machines (VMs). This machine type enables Control Program Identification (CPI) and performance-enhanced PCI translation for passthrough PCI devices by default. As a result, IBM Z VMs that use the s390-ccw-virtio-rhel10.2.0 machine type benefit from improved performance with passthrough PCI devices and CPI without additional configuration.

Jira:RHEL-104009^[1]

The virsh domstats --block command displays block device I/O limits for virtual machine (VM) block nodes. The limits include:

Jira:RHEL-118671

This update introduces the Provisioning Caching Certification Service (PCCS) for Intel Trust Domain Extensions (TDX). This provides the local caching required to use Intel hosted Provisioning Certification Services (PCS) at scale, and also makes it possible to perform TDX attestation on host systems that are isolated from the public internet.

Jira:RHEL-121612

The libvirt package provides a new host-model mode for Hyper-V Enlightenments, which automatically enables all Hyper-V enlightenments supported on the host. This mode eliminates the need for separate configuration templates for Intel and AMD hosts. As a result, you can configure <hyperv mode='host-model'/> in the XML definition of a virtual machine to automatically apply all host-supported Hyper-V Enlightenments without maintaining separate configurations for each vendor.

Jira:RHEL-122932^[1]

This update introduces the virt-secrets-init-encryption service, which encrypts libvirt secrets, such as keys for the virtual Trusted Platform Module (vTPM). By default, this encryption uses systemd credentials sealing. However, you can use the new /etc/libvirt/secret.conf file to specify a custom key for encrypting secrets, as well as to disable automatic encryption of secrets. As a result, critical vTPM metadata is protected from unauthorized access on the host file system. This also hardens the overall security of the virtualization environment.

Jira:RHEL-7125^[1]

With this update, the QEMU emulator no longer needs to emulate the Forced Unit Access (FUA) I/O method, and instead can use FUA natively. This can improve the overall performance of virtual storage, particularly in database workloads.

Jira:RHEL-66064^[1]

In the latest version of the sos tool, system administrators can effortlessly retrieve a list of active mon sessions from a Ceph cluster. This was accomplished by connecting to the admin socket and executing the ceph tell mon sessions command. This feature was implemented to enhance the efficiency of troubleshooting Ceph related problems.

As a result, users can now investigate issues related to Ceph sessions with the data included in a SOS archive.

Jira:RHEL-103783

With this update, sos includes a plugin that collects metadata information from AWS instances. This update introduces the following notable enhancements:

Jira:RHEL-114887

Before this update, the sos report was collected on AAP. With this update, the notable enhancements to the following AAP plugins are:

Jira:RHEL-121524

With this update, you can manage SSL/TLS certificates that contain sensitive data during the SOS clean process. The new --treat-certificates option provides the option to remove, obfuscate, or maintain the original binary format of these certificates ensuring that no sensitive data persists.

As a result, you can enhance data security and privacy by selecting the treatment for SSL/TLS certificates during the SOS clean process.

Jira:RHEL-142619

With this update, the sos utility automatically detects the user running containers for Ansible Application Platform (AAP) deployments. This eliminates the need for manual specification, ensuring the collection of all necessary AAP data.

Jira:RHEL-140738

With this update, Podman supports a Sequoia-PGP-based back end for OpenPGP image signatures. Previously, Podman used GnuPG (through gpgme/pgpme bindings) for OpenPGP operations. This update includes the following enhancements:

Jira:RHEL-56365^[1]

The container-selinux package, which provides necessary SELinux policies, types, and rules to confine and secure container runtimes, has been rebased to version 2.244.0-1. This version provides important bug fixes and enhancements, most notably:

Jira:RHEL-111947

The gvisor-tap-vsock package, which provides a user space networking stack for virtual machines, particularly those used with Podman, is rebased to upstream version 0.8.7-1. This version provides important fixes and enhancements, most notably, users can integrate a private image registry within a private Microsoft Azure cluster, enhancing security and efficiency of image management.

As a result, the ability to create customizable, secure storage endpoints within the deployment, streamlining storage resource management and reducing potential security risks.

Jira:RHEL-111948

The buildah package, which provides a daemonless command-line tool for building Open Container Initiative (OCI-compliant), is rebased to upstream version 1.41.8-1. This version provides important fixes and enhancements, most notably, you can integrate a private image registry within a private Microsoft Azure cluster, enhancing the management and deployment of container images in a secure and scalable environment.

As a result, a more secure storage solution is available because you can now secure the storage endpoints privately on Azure, protecting their data from unauthorized access. Simplified management of storage endpoints also makes it easier for you to maintain their storage infrastructure.

Jira:RHEL-114411

The crun package provides a fast, lightweight, and low memory Open Container Initiative (OCI) runtime acting as the default, high-performance alternative to runc for executing containers. The crun is rebased to upstream version 1.25.1-1. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-114419

The python-podman package is rebased to upstream version 5.7.0-1. With python-podman, you can manage Podman containers, images, volumes, and pods. The new version provides important fixes and enhancements, most notably, you can integrate a private image registry within a secure Azure cluster. The private registry installation ensures a more secure deployment of applications, as it offers enhanced protection for sensitive images.

Jira:RHEL-114423

With this update, rootless Podman introduces a unified system-wide configuration file that enables centralized policy management, a consistent security baseline, and operational standardization across all users.

As a result, you can inherit sensible defaults without manual configuration while maintaining the flexibility to override system defaults through personal configuration files. Additionally, this update ensures backward compatibility, so existing workflows and configurations remain unchanged.

Jira:RHEL-126644

The updated Container Tools RPM meta-package, which includes the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version 1.43.1, and Skopeo has been updated to version 1.22.2. Podman release 5.8.2 contains the following notable bug fixes and enhancements over the previous version:

Jira:RHEL-127903

The fuse-overlayfs package, a user space implementation of the OverlayFS file system provides rootless containers, which Podman or Buildah run, is rebased to upstream version 1.16-1. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-128521

This update introduces air-gapped and disconnected updates for RHEL deployments, enabling edge deployments to perform updates without internet connectivity. As a result, you can benefit from greater flexibility and reliability for offline updates, improving deployment management in remote or secure environments.

Jira:RHELDOCS-20708^[1]

With this update, Podman supports a Sequoia-PGP-based backend for OpenPGP image signatures. Previously, Podman used GnuPG ( gpgme/pgpme bindings) for OpenPGP operations. This update includes the following enhancements:

Jira:RHELDOCS-21869^[1]

The rhel10/ruby-40, rhel10/postgresql-18, rhel10/python-314-minimal, rhel10/mariadb-118 and rhel10/php-84 container images are now available in the Red Hat Container Registry. The notable enhancements for each image are:

Jira:RHELDOCS-21963

With this update, the command-line assistant supports color output by default, aligning its appearance with other RHEL command-line tools. This update improves output readability through increased visual contrast.

You can disable color output by using the --plain option or by setting the NO_COLOR=1 environment variable.

Jira:RHELDOCS-21814^[1]

With this enhancement, RHEL Lightspeed includes the Red Hat Enterprise Linux for SAP Solutions documentation set in its knowledge base. You can now ask RHEL Lightspeed technical questions specific to SAP deployments on RHEL. This update provides more accurate and context-aware responses for SAP-related administrative and configuration tasks.

Jira:RHELDOCS-21815^[1]

The installer includes support for the new bootc Kickstart command as a Technology Preview. It enables the deployment of bootable containers. Although comparable to the existing ostreecontainer Kickstart command, this implementation relies on the bootc utility to manage both operating system content provisioning and boot loader setup. You can use the command in the following way:

# bootc --source-imgref=<transport>:<registry>/<namespace>/<name>:<tag> --target-imgref=<registry>/<namespace>/<name>:<tag>

For more information, see Installing RHEL from a bootable container image by using the bootc Kickstart command.

Jira:RHEL-58215^[1]

With this Technology Preview, you can cryptographically seal your boot container images by using your organization’s Secure Boot keys, ensuring complete operating system integrity from build through runtime. This is based on Unified Kernel Images that embed a digest of the target container root filesystem, alongside a bootloader (such as systemd-boot) also signed with your key.

As a result, you can achieve higher security than current solutions and meet compliance requirements for tamper-proof systems, ensuring the integrity of the executed code from hardware to the operating system. The container image includes a Unified Kernel Image and covers the integrity of the boot process, path, and host operating system. For more information, see Building sealed images.

Jira:RHELDOCS-20426^[1]

NVMe/TLS, available as a Technology Preview, complies with standard TLS key derivation specifications. This update introduces a breaking change to TLS Pre-Shared Key (PSK) import functionality. This change affects the gen-tls-key and check-tls-key commands for nvme-cli versions earlier than 2.16 and libnvme versions earlier than 1.16.

If NVMe/TLS connections to a storage target fail after an upgrade, perform one of the following actions:

Jira:RHEL-135994

Identity Management (IdM) administrators can configure the GNOME Display Manager (GDM) login screen to display multiple authentication mechanisms. In addition to existing smart card authentication, administrators can enable new passwordless methods, such as external identity providers (EIdP) and FIDO2-compatible passkeys. Enable the with-switchable-auth feature in authselect and configure the System Security Services Daemon (SSSD) to allow users to choose their preferred credential directly at login.

Passwordless authentication aligns with zero trust architecture by replacing static passwords with cryptographic proof that verifies both user identity and device integrity for each access request. For detailed configuration instructions and a list of current limitations, see Enabling authentication mechanism selection in GDM using SSSD.

Jira:RHEL-11913^[1]

With this update, Identity Management (IdM) provides the Modern Web UI as a Technology Preview. This new interface features updated design and is available at the /ipa/modern-ui endpoint. You can access the new interface through a link on the IdM Web UI login screen.

As a Technology Preview, the Modern Web UI is under active development and intended for experimentation in non-production environments. Provide feedback at the FreeIPA Web UI community project to help improve the interface.

Jira:RHEL-90121

SSSD provides a generic identity provider (IdP), initially supporting Keycloak and Entra ID. You can configure SSSD to read users and groups directly from these IdPs and authenticate users by using the OAuth 2.0 Device Authorization Grant (RFC 8628). This allows you to use modern IdPs for centralized authentication and access management. This capability is a Technology Preview feature.

For more information, see the sssd-idp(5) man page.

Jira:RHEL-4990

The GNOME Display Manager (GDM) provides an interface for users to select a preferred authentication method. Previously, the graphical login environment restricted users to a single authentication method. With this update, users can switch between methods such as external identity providers (EIdP), FIDO2-compatible passkey devices, or smart cards directly from the login screen. The feature is available as a Technology preview.

For more information to enable this functionality and a list of current limitations, see Enabling authentication mechanism selection in GDM using SSSD.

Jira:RHEL-14524^[1]

The mutter 49 rebase introduces a High Dynamic Range (HDR) switch in the display settings. The HDR switch enables users to change between HDR and Standard Dynamic Range (SDR) modes, which improves media and graphics visuals on compatible devices. This feature is available as a Technology Preview.

Jira:RHEL-144935

As a Technology Preview, you can now configure the Secure Boot feature for virtual machines (VMs) on RHEL 10 hosts that use ARM64 hardware (also known as AArch64). Secure Boot ensures that the VM is running a cryptographically signed operating system (OS). This can be useful if the guest OS of a VM has been altered by malware. In such a scenario, Secure Boot prevents the VM from booting, which stops the potential spread of the malware to your host machine.

Jira:RHEL-82645

As a Technology Preview, you can now live migrate a virtual machine (VM) with enabled SCSI3-Persistent Reservation (S3-PR), with the reservation state being preserved after the migration. To do this, you must use the following XML configuration for the VM:

<reservations managed="no" migration="yes">

Note, however, that migrating a VM with S3-PR and this configuration to a host that uses a previous version of QEMU fails.

Jira:RHEL-135115

As a Technology Preview, you can enable Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) on RHEL hosts. SEV-SNP is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

SEV-SNP is available only with AMD CPUs, and you must use the snphost package to configure the feature on the host.

Jira:RHELDOCS-19757^[1]

Red Hat Enterprise Linux offers the krun runtime as a Technology Preview for running container workloads. You can launch containers inside lightweight microVMs, which provides an additional isolation boundary for your workloads by using the crun configured to support krun. This feature improves container workload performance, security, and addresses an issue where running containers by using krun fails because RHEL did not previously include a version of the krun runtime.

Jira:RHEL-161090

With this Developer Preview feature, you can configure bootc to pull the host image into bootc-owned container storage, enhancing container image management efficiency. This feature reduces the need for repeated image pulls on the same host, allowing the host image to be reused by container runtimes, such as podman for running and building layered images. It improves overall network performance by using zstd chunking when available and streamlines development and testing processes.

As a result, by configuring the unified storage feature on your system, you can store, manage, and utilize container images more efficiently, providing a seamless bootc container management experience.

Jira:RHELDOCS-21395^[1]

This update introduces goose as an alternative to the command-line interface (CLI) client for the existing RHEL command-line assistant (CLA) back-end service. These changes do not affect the command-line assistant back end, and functionalities remain the same. The goose package is available on the RHEL Extensions repository. You can use the goose text chat interface interactively during the chat session.

When you use goose, before you execute the MCP server or a local Linux command, it prompts you to confirm that the LLM does not break your system or workflow.

For more information, see the Red Hat Knowledgebase article link:https://access.redhat.com/articles/7142302Optimize the RHEL command-line assistant tasks by using goose-redhat].

Jira:RSPEED-2846^[1]

With this Developer Preview, Red Hat Enterprise Linux introduces two new agent skills designed to enhance AI-driven administration and troubleshooting for Red Hat Enterprise Linux (RHEL). The Agent skills for RHEL are built on the Agent Skills (SKILL.md) open standard. These integrations equip AI agents, such as Cursor and Claude Code, with workflows and domain expertise directly from Red Hat.

By using these skills, you can help ensure that the AI-generated guidance aligns with RHEL standards, moving away from generic Linux advice toward recommended Red Hat methodologies.

Jira:RHELDOCS-22164^[1]

The FUTURE system-wide cryptographic policy no longer allows traditional, non-post-quantum, key exchange (KEX) methods. With this update, you can use only hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) key exchange algorithms.

This aligns with the target use of the FUTURE policy in controlled, isolated deployments and impacts interoperability with the public internet. For example, when you switch RHEL 10 to the FUTURE policy, you cannot connect to the cdn.redhat.com network. Also, Java clients cannot connect to TLS servers running in FUTURE.

Note that upcoming RHEL releases might further restrict signature algorithms in certificates and signatures to allow only post-quantum cryptography (PQC) in the FUTURE policy.

Jira:RHEL-93769

The vi command no longer launches the Vim editor when both vim-minimal and vim-enhanced are installed. Instead, the vi command starts the minimal editor from vim-minimal. To use Vim, run the vim command.

Jira:RHEL-145868^[1]

The ipa_enable_dns_sites option in SSSD is removed and is no longer available in RHEL 10.2. Because the corresponding server-side functionality was never implemented, the option was non-functional. It has been removed to simplify configuration and avoid confusion.

Jira:RHEL-127792

With Windows Server 2012 R2 reaching its end-of-life, Red Hat aligns supported platform versions with Microsoft support lifecycles and has removed support for this version for Active Directory trusts.

Jira:RHELDOCS-22174^[1]

Previously, the knet transport protocol in Corosync allowed the selection of Stream Control Transmission Protocol (SCTP), although this specific transport was not officially supported in RHEL.

With this update, using SCTP for knet transport is officially deprecated. The option to use SCTP might be removed in a future release.

As a result, users are advised to transition to supported transport protocols. The pcs cluster setup, pcs cluster link add, and pcs cluster link update commands now display a warning if SCTP is specified for knet transport.

Jira:RHEL-126839

The MySQL80 and Python 3.11 container images are now deprecated and will no longer receive feature updates. To maintain support and receive new features, you must migrate to the MySQL84 and Python 3.12 container images.

Jira:RHELDOCS-22088^[1]

The bootc-image-builder tool, to convert bootc images into disk images for different platforms and formats, is deprecated and might be removed in a future major release. It remains supported for the lifetime of Red Hat Enterprise Linux (RHEL) 10. You can create bootable containers and disk images by using the RHEL image builder instead.

Jira:RHELDOCS-22154^[1]