Chapter 6. New features and enhancements


This version adds the following major new features and enhancements.

6.1. Installer and image creation

New boot menu entry for fips=1 added to ISO installations

With this update, the DVD and Boot ISO image installations provide a new boot menu entry for setting the fips=1 kernel boot option. This simplifies the process, because enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and that continuous monitoring tests are in place. By using this boot option, you start the installation with the fips=1 kernel parameter and you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.

Jira:RHEL-91929

Soft reboots are now available in RHEL

Systemd now offers soft reboots, a capability for rebooting userspace without requiring full system downtime. Key enhancements include:

  • Reduced downtime: Perform a soft reboot to update system state without the time-consuming process of a full reboot, which benefits scheduled maintenance and troubleshooting.
  • Flexible patching: Apply certain userspace updates, such as openssl, glibc, and dbus-broker, without requiring a full system reboot.
  • Image mode integration: In image mode, soft reboots either restart userspace when no update is staged or seamlessly switch to a staged update if one is present, excluding kernel changes.
  • Improved immutability experience: Soft reboots simplify the adoption of new image versions on immutable systems by reducing the need for frequent full reboots.

Known limitations:

  • Kernel modules: Changes to kernel modules may result in mismatches with the running kernel after a soft reboot.
  • Kernel and firmware updates: Soft reboots do not apply kernel, kpatch, or firmware initialization changes.

Jira:RHELDOCS-20453[1]

The rpm command is now available in the installation environment

Previously, the rpm command was not included in the installation environment. With this update, the rpm command is now included. Users can use this command when installing RHEL, for example, in the %post Kickstart scripts.

Jira:RHEL-101695[1]

The blueprint file customization now supports a URI field for referencing files from external sources

This update adds the URI field support to the blueprint file customization structure. As a result, you can reference and source files from external locations rather than only those included directly in the blueprint, providing more flexible customization of the build system and a more adaptable build experience.

Jira:RHELDOCS-21016[1]

RHEL image builder supports a new image type vagrant-libvirt for vagrant

With this update, RHEL image builder supports the libvirt hypervisor, and you can easily run RHEL virtual machines by using Vagrant. This enhancement provides pre-configured images to ensure a consistent and streamlined setup. It also grants sudo privileges to the vagrant user within the Vagrant box, making it easier to manage and execute administrative tasks. These enhancements deliver a more efficient and seamless experience when working with RHEL virtual machines in Vagrant environments.

Jira:RHELDOCS-21025[1]

RHEL Image Builder now supports WSL2 images

You can now use the RHEL image builder to create Windows Subsystem for Linux (WSL2) images. The image type is available in the wsl format, and to consume the image, deploy it by double-clicking the generated file.

Jira:RHELDOCS-20633[1]

RHEL Image Builder GUI supports modularized content discovery

Starting from RHEL 9.7, RHEL Image Builder Graphical User Interface (GUI) supports modularized content discovery. This capability introduces the following enhancements:

  • When creating RHEL OS images, you can use the RHEL Image Builder GUI to discover and include modularized content from various repositories, including RHEL AppStream and third-party repositories, for example, Extra Packages for Enterprise Linux (EPEL).
  • Enhanced modularity support in RHEL. Application Streams leverage DNF modularity and modulemd metadata to provide flexible package management. You can specify version streams and use case profiles in the modules with support for default streams and profiles.
  • DNF modularity implementation updates. The @ character syntax for specifying RPM groups enables and installs module streams, providing compatibility for kickstart files.

Jira:RHELDOCS-21026[1]

image-installer provides a new boot menu entry for fips=1

In this update, the image-installer ISO image type provides a new boot menu entry for setting the fips=1 kernel boot option during installation. This simplifies the process, as in RHEL 10, you cannot switch an installed system to FIPS mode, and you must add fips=1 to the kernel command line when starting the installation. By setting fips=1 for the installation, you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.

Jira:RHEL-104075

Logical volume devices in /etc/fstab now use UUID in the fs_spec field

After installation, the system writes logical volume (LV) devices in /etc/fstab by using UUID in the fs_spec field. This change provides the following benefits:

  • Ensures consistency across all device entries in /etc/fstab.
  • Supports LV or volume group (VG) renaming without changes in /etc/fstab.
  • Keeps /etc/fstab valid after re-encrypting devices with LUKS.
  • Preserves correct mapping of the root (/) and other mounts across re-provisioning, even if device-mapper paths change.
  • Offers predictable and portable configs as UUIDs are globally unique identifiers stored in the file system superblock.

Jira:RHEL-87651[1]
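
The benefits above only hold for entries that were actually written with UUID=. The following check, an added example that is not part of the release notes or of the installer, scans fstab text and reports logical volume entries that still name the device by path (/dev/mapper/<vg>-<lv> or /dev/<vg>/<lv>), which are the entries that break when an LV or VG is renamed. The fstab contents are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag /etc/fstab entries that reference logical volumes by device path.

Example code, not from the release notes or the installer.  The installer
now writes LV entries with UUID= in fs_spec; this check finds entries
written the old way, which become stale when the LV or VG is renamed.
The fstab text below is constructed for the example.
"""
import re

SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
UUID=3f1d2a7e-0000-4000-8000-000000000001 /      xfs  defaults 0 0
/dev/mapper/rhel-home                      /home  xfs  defaults 0 0
/dev/rhel/var                              /var   xfs  defaults 0 0
UUID=3f1d2a7e-0000-4000-8000-000000000002 none   swap defaults 0 0
LABEL=data                                 /data  xfs  defaults 0 0
/dev/sdb1                                  /mnt/x xfs  defaults 0 0
"""

# /dev/mapper/<vg>-<lv> (any device-mapper name with a dash, which also
# catches LUKS mappings that share the same fragility) or /dev/<vg>/<lv>.
LV_PATH_RE = re.compile(
    r"^/dev/(?:mapper/[^/\s]+-[^/\s]+|(?!mapper/)[^/\s]+/[^/\s]+)$"
)


def parse_fstab(text):
    """Return (fs_spec, fs_file) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def is_lv_device_path(fs_spec):
    """True for /dev/mapper/<vg>-<lv> and /dev/<vg>/<lv> style specs."""
    return bool(LV_PATH_RE.match(fs_spec))


def lv_entries_without_uuid(text):
    """Mount points whose fs_spec names an LV by path instead of UUID=."""
    return [(spec, mnt) for spec, mnt in parse_fstab(text) if is_lv_device_path(spec)]


if __name__ == "__main__":
    for spec, mnt in lv_entries_without_uuid(SAMPLE_FSTAB):
        print(f"{mnt}: {spec} is a device path; use UUID= from blkid instead")
```

Plain partitions such as /dev/sdb1 are deliberately not reported: they are not affected by LV or VG renames, although UUID= is the safer choice for them too. To run the check against a live system, pass the contents of /etc/fstab to lv_entries_without_uuid() instead of the sample text.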

6.2. Security

RHEL 10.1 crypto-policies enable PQC algorithms by default

The system-wide cryptographic policies in RHEL 10.1 extend support for post-quantum cryptography (PQC) and enable PQC algorithms by default in all predefined policies. The most notable enhancements and fixes over the version in RHEL 10.0 include:

  • Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and pure Module-Lattice-Based Digital Signature Standard (ML-DSA) post-quantum cryptographic algorithms are enabled in LEGACY, DEFAULT, and FUTURE cryptographic policies with the highest priorities.
  • The new NO-PQ subpolicy simplifies turning off the PQC algorithms.
  • The TEST-PQ subpolicy no longer enables PQC algorithms as a Technology Preview, but you can use it to enable pure ML-KEM in OpenSSL.
  • The FIPS cryptographic policy enables hybrid ML-KEM and pure ML-DSA post-quantum cryptographic algorithms.
  • The new OpenSSL group selection syntax prioritizes post-quantum groups over classical ones. The behavior of earlier releases can be achieved only by disabling all PQ groups.
  • The PQC algorithms are enabled for the Sequoia PGP tool in all policies.
  • ML-DSA algorithms are enabled for GnuTLS TLS connections by default, and you can control them through the MLDSA44, MLDSA65, and MLDSA87 values.
  • The ML-DSA-44, ML-DSA-65, and ML-DSA-87 PQC algorithms are enabled for NSS TLS connections in all cryptographic policies.
  • The mlkem768x25519, secp256r1mlkem768, and secp384r1mlkem1024 hybrid ML-KEM groups are enabled for NSS TLS negotiations.

Jira:RHEL-113008, Jira:RHEL-106868, Jira:RHEL-86059, Jira:RHEL-103962, Jira:RHEL-92148, Jira:RHEL-101123, Jira:RHEL-97763, Jira:RHEL-98732, Jira:RHEL-85078

AD-SUPPORT-LEGACY subpolicy re-added to crypto-policies

The AD-SUPPORT-LEGACY cryptographic subpolicy, which is used to support legacy RC4 encryption for interoperability with outdated Active Directory implementations, is re-added to RHEL.

Jira:RHEL-93323[1]

OpenSSL rebased to 3.5

OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:

  • Added support for the ML-KEM, ML-DSA, and SLH-DSA post-quantum algorithms.
  • Added the hybrid ML-KEM algorithms to the default TLS group list.
  • Enhanced TLS configuration options.
  • Added support for the QUIC transport protocol according to the IETF RFC 9000 draft.
  • Added support for opaque symmetric key objects in the form of the EVP_SKEY data structure.
  • Disabled the SHA-224 digest.
  • SHAKE-128 and SHAKE-256 implementations no longer have a default digest length. Therefore, these algorithms cannot be used with the EVP_DigestFinal() or EVP_DigestFinal_ex() functions unless the xoflen parameter is set.
  • Added a capability for a client to send multiple key shares in TLS 1.3 connections.

Jira:RHEL-80811

NSS rebased to 3.112

The NSS cryptographic toolkit packages have been rebased to upstream version 3.112, which provides many improvements and fixes. Most notably, the following:

  • Added support for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), which is a post-quantum cryptography (PQC) standard.
  • Added hybrid support for SSL for the MLKEM1024 key encapsulation mechanism.

The following known issues occur in this version:

  • Updating the NSS database password corrupts the ML-DSA seed. For more information, see RHEL-114443.

Jira:RHEL-103352

libreswan rebased to 5.3

The libreswan packages are rebased to the 5.3 upstream version.

Jira:RHEL-102733[1]

GnuTLS rebased to 3.8.10

The gnutls package is rebased to the 3.8.10 upstream release, which includes the following enhancements:

  • You can set TLS certificate compression methods with the cert-compression-alg configuration option in the gnutls priority file.
  • You can use all variants of ML-DSA private key formats defined in the draft-ietf-lamps-dilithium-certificates-12 document.
  • You can use the ML-DSA-44, ML-DSA-65, and ML-DSA-87 signature algorithms in TLS.
  • You can use PKCS#11 modules to override the default cryptographic backend as a Technology Preview. You can test this feature by specifying the [provider] section in the system-wide configuration to set the path and pin to the module.

Jira:RHEL-102557[1]

Sequoia PGP updated to support OpenPGP v6

With this update, the sequoia-sq and sequoia-sqv tools can handle post-quantum cryptography (PQC) keys. The rpm-sequoia package now supports verification of OpenPGP v6 signatures. As a result, you can use quantum-resistant digital signatures conforming to the Commercial National Security Algorithm Suite (CNSA) 2.0 standard.

Jira:RHEL-101952, Jira:RHEL-101906, Jira:RHEL-92148, Jira:RHEL-101905

selinux-policy rebased to 42.1

The selinux-policy packages are rebased to upstream version 42.1. This version contains many fixes and improvements, including packaging improvements. Notably, SELinux types related to the systemd generators have been added to the SELinux policy.

Jira:RHEL-54303

OpenSSL supports sslkeylogfile

OpenSSL supports the sslkeylogfile format for TLS. As a result, you can log all secrets produced by SSL connections by setting the SSLKEYLOGFILE environment variable.

Important

Enabling the SSLKEYLOGFILE variable poses an explicit security risk. Recording the exchanged keys during an SSL session allows anyone with read access to the file to decrypt application traffic sent over that session. Use this feature only in test and debug environments.

Jira:RHEL-90853

NSS supports ML-DSA keys

With this update, the Network Security Services (NSS) database now supports using Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys. ML-DSA is a new signing algorithm approved by the National Institute of Standards and Technology (NIST) as resistant to attacks from a Cryptographically Relevant Quantum Computer (CRQC).

Jira:RHEL-64738

Hybrid ML-KEM cryptography works in FIPS mode

With this release, Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) post-quantum cryptographic algorithms are supported in FIPS mode of RHEL. OpenSSL is able to fetch the Elliptic Curve Diffie-Hellman (ECDH) part of the new hybrid post-quantum groups from the FIPS provider when the system is running in FIPS mode. As a result, the OpenSSL library uses FIPS-compliant cryptography for the ECDH part of the hybrid post-quantum key exchanges.

Jira:RHEL-94614

OpenSSL 3.5 uses standard format for ML-KEM and ML-DSA

In RHEL 10.0, the oqsprovider library used a pre-standard format for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) private keys. With the rebase to OpenSSL 3.5, you must convert the ML-KEM and ML-DSA keys to the standard format by using the following command:

# openssl pkcs8 -in <old_private_key> -nocrypt -topk8 -out <standard_private_key>

Replace <old_private_key> with the path to the non-standard private key, and <standard_private_key> with the path where the standard key will be saved.

Jira:RHEL-82676

SCAP Security Guide rebased to 0.1.78

For additional information, see the SCAP Security Guide release notes.

Jira:RHEL-111008

SELinux policy modules related to EPEL packages moved to -extra subpackages in the CRB repository

In RHEL 10.0, SELinux policy modules related only to packages contained in the Extra Packages for Enterprise Linux (EPEL) repository and not to any RHEL package were moved from the selinux-policy package to the selinux-policy-epel package. This reduced the size of selinux-policy, enabling the system to perform operations such as rebuilding and loading the SELinux policy faster.

In RHEL 10.1, the modules from selinux-policy-epel are moved to the following -extra subpackages in the RHEL CodeReady Linux Builder (CRB) repository:

  • selinux-policy-targeted-extra
  • selinux-policy-mls-extra

This change enables the automatic installation of -extra SELinux policy modules when users enable the EPEL repository.

Jira:RHEL-89587

setroubleshoot-server no longer requires initscripts

Before this update, the %post and %postun scriptlets for the setroubleshoot-server SELinux diagnostic tool called /sbin/service. With this update, the scriptlets now directly call auditctl for reloading the auditd service, and bypass the use of /sbin/service. This enhancement simplifies the dependency structure and streamlines the execution of the scriptlets.

Jira:RHEL-90842

OpenSSH ignores invalid RSA hostkeys in known_hosts

Before this update, if known_hosts contained only a bad hostkey, the SSH connection failed with a bad hostkey: Invalid key length message when OpenSSH received a server hostkey, even if the server had valid hostkeys available. With this update, OpenSSH ignores RSA hostkeys that are invalid due to being too short in the known_hosts file. As a result, instead of a failed SSH connection, OpenSSH receives new keys and can establish a connection.

Jira:RHEL-83644[1]

Three RHEL services removed from SELinux permissive mode

The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

  • gnome_remote_desktop_t
  • pcmsensor_t
  • samba_bgqd_t

Previously, these services from packages recently added to RHEL 10 were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.

Jira:RHEL-82672[1]

GnuTLS supports ML-DSA keys in TLS connections

With this update, the GnuTLS library supports using X.509 certificates with Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys in TLS 1.3 connections. For resistance against attacks by quantum computers, the certificate chain and the TLS handshake must be authenticated with a post-quantum algorithm, such as ML-DSA.

Jira:RHEL-64740

OpenSSH server supports Kerberos authentication indicators

When used in a Match block, the OpenSSH server supports authentication indicators from Kerberos tickets. If the GSSAPIIndicators option is defined in the sshd configuration, a Kerberos ticket that has indicators but does not match the policy is denied. If at least one indicator is configured, whether for access or denial, tickets without authentication indicators are explicitly rejected. For more information, see the sshd_config(5) man page on your system.

Jira:RHEL-40790

DNS over TLS is generally available in RHEL 10.1

Encrypted DNS (eDNS) is generally available to secure all DNS communication using the DNS-over-TLS (DoT) protocol. You can use eDNS to secure new RHEL installations during boot time, which ensures no plaintext DNS traffic is ever sent. You can also convert an existing RHEL system to use eDNS.

To perform a new installation with eDNS, specify the DoT-enabled DNS server by using the kernel command line. If you require a custom CA certificate bundle, you can install it only by using the %certificate section in the Kickstart file. Currently, the custom CA bundle can be installed only through Kickstart installation.

On an existing system, configure NetworkManager to use a new DNS plugin, dnsconfd, which manages the local DNS resolver (unbound) for eDNS. Add kernel arguments to configure eDNS for the early boot process, and optionally install a custom CA bundle.

As a result, you can encrypt all RHEL DNS traffic end-to-end using the DoT protocol and configure policies to prevent any fallback to insecure protocols. See Securing system DNS traffic with encrypted DNS for more details.

Jira:RHELDOCS-21104[1]

New package: fips-provider-next

The fips-provider-next package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the openssl-fips-provider package is the validated OpenSSL FIPS provider. To switch from openssl-fips-provider to fips-provider-next:

# dnf swap openssl-fips-provider fips-provider-next

Jira:RHEL-105014[1]

Rsyslog imuxsock provides the new ratelimit.discarded counter

With this update, the imuxsock Rsyslog module includes a new counter, ratelimit.discarded, which tracks the number of messages dropped due to rate-limiting on the Unix socket. This enhancement provides administrators with visibility into message loss due to rate-limiting, enabling them to fine-tune their rate-limiting settings and prevent critical logs from being discarded.

Jira:RHEL-96589[1]
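
A counter is only useful if something watches it. The following script is an added example, not part of Rsyslog or of the release notes: it parses impstats output for the imuxsock module and reports the intervals in which ratelimit.discarded grew, so that an administrator can see when and how many messages were dropped. It assumes impstats is loaded with its legacy key=value line format (name: origin=module key=value ...); the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Track growth of imuxsock's ratelimit.discarded counter across impstats samples.

Example code, not part of Rsyslog.  It assumes the impstats module emits
its legacy (key=value) format, in which each line looks like
    <name>: origin=<module> key=value key=value ...
The sample lines below are constructed for this example.
"""
import re

KV_RE = re.compile(r"(\S+)=(\S+)")

# Constructed impstats lines in emission order; counters are cumulative.
SAMPLE_STATS = [
    "imuxsock: origin=imuxsock submitted=1200 ratelimit.discarded=0 ratelimit.numratelimiters=3",
    "imuxsock: origin=imuxsock submitted=4100 ratelimit.discarded=0 ratelimit.numratelimiters=3",
    "imuxsock: origin=imuxsock submitted=9800 ratelimit.discarded=57 ratelimit.numratelimiters=4",
    "imuxsock: origin=imuxsock submitted=10050 ratelimit.discarded=57 ratelimit.numratelimiters=4",
]


def parse_impstats_line(line):
    """Return (name, {counter: value}) for a legacy-format impstats line, or None."""
    name, sep, rest = line.partition(": ")
    if not sep:
        return None
    counters = {}
    for key, value in KV_RE.findall(rest):
        try:
            counters[key] = int(value)
        except ValueError:
            counters[key] = value  # non-numeric fields such as origin=imuxsock
    return name.strip(), counters


def discarded_deltas(lines, name="imuxsock", counter="ratelimit.discarded"):
    """Return [(sample_index, delta)] for samples whose counter grew since the previous one.

    Cumulative counters mean a positive delta is the number of messages
    dropped in that interval; samples for other modules are ignored.
    """
    previous = None
    deltas = []
    for idx, line in enumerate(lines):
        parsed = parse_impstats_line(line)
        if parsed is None or parsed[0] != name or counter not in parsed[1]:
            continue
        current = parsed[1][counter]
        if previous is not None and current > previous:
            deltas.append((idx, current - previous))
        previous = current
    return deltas


def total_discarded(lines, **kw):
    """Sum of all observed increases of the counter over the sample window."""
    return sum(delta for _, delta in discarded_deltas(lines, **kw))


if __name__ == "__main__":
    for idx, delta in discarded_deltas(SAMPLE_STATS):
        print(f"sample {idx}: {delta} messages dropped by imuxsock rate limiting")
    print(f"total dropped in window: {total_discarded(SAMPLE_STATS)}")
```

If impstats is configured with resetCounters="on", every sample is already a per-interval delta rather than a cumulative value, and the comparison with the previous sample should be dropped. A non-zero delta is the signal to revisit the imuxsock rate-limit settings for the socket in question.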

The SELinux policy adds rules and type for the qgs daemon

The qgs daemon was added to RHEL with the linux-sgx package, which supports TDX confidential virtualization. The qgs daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new qgs_t type, access rules, and permissions.

Jira:RHEL-87742

audit.cron helps to set up time-based auditd log rotation

With this update, the auditd.cron file has been added to the audit packages. This enhancement provides a clear, documented example of how to configure time-based auditd log rotation using existing tools. As a result, administrators have a simple, official guide to set up auditd log rotation based on time.

Jira:RHEL-77141[1]

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

  • switcheroo-control
  • tuned-ppd

As a result, these services no longer run with the unconfined_service_t SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule, and run successfully in SELinux enforcing mode.

Jira:RHEL-69450, Jira:RHEL-83267

Rsyslog imfile provides the new deleteStateOnFileMove option

With this update, the new deleteStateOnFileMove parameter has been added to the imfile module, available as both a module-level and a per-action option. This enhancement addresses the issue of orphaned state files accumulating in the spool/ directory when monitored log files are rotated or moved. By enabling this parameter, you can automatically clean up these obsolete files when log files are moved, preventing disk space from being wasted and simplifying management.

Jira:RHEL-92757[1]

6.3. Software management

RPM supports spec-local file attributes and dependency generators

File attributes and their dependency generators are usually shipped in separate packages that you must install prior to building a package that uses these attributes. However, you might need a file attribute to take effect during the build of the package that ships this attribute. You might also need the file attribute just for building the package, without shipping the attribute at all.

With this update, you can register spec-local file attributes and generators by performing the following actions:

  1. Define the %_local_file_attrs macro. %_local_file_attrs accepts a colon-separated list of new attribute names to register directly in your spec file.
  2. Define one or more dependency generator macros for each attribute, such as %__NAME_provides or %__NAME_path, where NAME is the name of the local file attribute.

RPM then uses the file attributes for dependency generation when the spec file is built. As a result, you can create build-time file attributes that are not necessarily meant for installation.

For example, the following spec file snippet generates the provides for each packaged file by using the foobar.sh script bundled with your package’s sources:

Source1: foobar.sh
[...]
%define _local_file_attrs foobar
%define __foobar_provides %{SOURCE1}
%define __foobar_path .*

Jira:RHEL-84057
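
To show what the script registered as %__foobar_provides actually has to do, here is an added example that is not part of the release notes or of RPM. RPM runs the generator with the paths of the files matched by %__foobar_path on standard input, one per line, and records each line the generator writes to standard output as a Provides entry. The attribute name foobar, the "# foobar-version:" header convention, and the sample files are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Hypothetical 'foobar' provides generator for a spec-local RPM file attribute.

RPM invokes the program registered as %__NAME_provides with the matched
file paths on stdin (one per line) and reads one dependency string per
line from stdout.  This generator emits
    foobar(<basename>) = <version>
for files carrying a '# foobar-version: X.Y' header near the top, and a
bare 'foobar(<basename>)' for files without one.  The header convention
is an assumption made for this example; it is not an RPM feature.
"""
import os
import re
import sys
import tempfile

VERSION_RE = re.compile(rb"^#\s*foobar-version:\s*([0-9][0-9A-Za-z.]*)\s*$")


def provides_for_file(path):
    """Return the Provides string for one packaged file, or None if unreadable."""
    name = os.path.basename(path)
    try:
        with open(path, "rb") as fh:
            # Only the first few lines are inspected; files are read as bytes
            # because the path regex '.*' also matches binaries.
            for _ in range(5):
                line = fh.readline()
                if not line:
                    break
                m = VERSION_RE.match(line.rstrip(b"\r\n"))
                if m:
                    return f"foobar({name}) = {m.group(1).decode()}"
    except OSError:
        return None  # e.g. a dangling symlink: emit nothing for it
    return f"foobar({name})"


def generate(paths):
    """Map a list of file paths to Provides lines, skipping blank input lines."""
    out = []
    for p in paths:
        p = p.strip()
        if not p:
            continue
        prov = provides_for_file(p)
        if prov:
            out.append(prov)
    return out


def make_sample_files():
    """Create two constructed sample files in a temp dir; returns (dir, [paths])."""
    d = tempfile.mkdtemp()
    alpha = os.path.join(d, "alpha.sh")
    beta = os.path.join(d, "beta.sh")
    with open(alpha, "w") as fh:
        fh.write("#!/bin/sh\n# foobar-version: 1.2\necho alpha\n")
    with open(beta, "w") as fh:
        fh.write("#!/bin/sh\necho beta\n")
    return d, [alpha, beta]


def main():
    # Under rpmbuild the file list arrives on stdin; on a terminal, run the demo.
    if sys.stdin.isatty():
        _, paths = make_sample_files()
    else:
        paths = sys.stdin.read().splitlines()
    for line in generate(paths):
        print(line)


if __name__ == "__main__":
    main()
```

Because the snippet sets %__foobar_path to .*, every file in the package is piped through the generator, so the script must cope with binaries and unreadable paths rather than assume text input. The same structure applies to a %__NAME_requires generator; only the strings it prints differ.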

RPM records a checksum of the original package during installation

With this update, RPM records the SHA256 and SHA512 digests of the entire .rpm package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific .rpm file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of .rpm packages, such as the ones available in a DNF repository.

To print the package digests of an installed package, use the following command:

$ rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" <package_name>

You can also customize which digest types are recorded in the database by configuring the new %_pkgverify_digests macro, for example:

%_pkgverify_digests 8:10

Jira:RHEL-84062
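
The recorded digests only improve integrity when something compares them with the original packages. The following Python code is an added example, not part of the release notes or of RPM: it parses the "ALGO HEX" lines printed by the rpm -q --qf query above (output constructed here rather than taken from a real system) and checks a local .rpm file against every digest recorded for that package, reporting any mismatch or any algorithm it cannot compute. The 8:10 default shown for %_pkgverify_digests are the OpenPGP hash-algorithm identifiers for SHA256 and SHA512, which is why those two names are the ones the script expects.

```python
#!/usr/bin/env python3
"""Check a local .rpm file against the package digests recorded in the RPM database.

Input is the text printed by
    rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" <package>
which yields one 'ALGO HEX' line per recorded digest.  Example code, not
part of RPM; the sample query output and sample file are constructed.
"""
import hashlib
import os
import tempfile

# RPM prints OpenPGP hash algorithm names; map them to hashlib constructors.
HASHALGO_TO_HASHLIB = {
    "SHA256": "sha256",
    "SHA512": "sha512",
    "SHA384": "sha384",
    "SHA224": "sha224",
}


def parse_digest_records(query_output):
    """Parse 'ALGO HEX' lines into {ALGO: hex}; malformed or blank lines are ignored."""
    records = {}
    for line in query_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        records[parts[0].upper()] = parts[1].lower()
    return records


def file_digest(path, hashlib_name, chunk=1 << 20):
    """Stream the whole .rpm file (lead, headers and payload) through the hash."""
    h = hashlib.new(hashlib_name)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_package_file(path, records):
    """Compare a .rpm file with every recorded digest.

    Returns (ok, details).  ok is True only if at least one digest could be
    computed and every computable digest matched.  details maps each
    algorithm name to 'match', 'MISMATCH' or 'unsupported'.
    """
    details = {}
    comparable = 0
    for algo, expected in records.items():
        name = HASHALGO_TO_HASHLIB.get(algo)
        if name is None:
            details[algo] = "unsupported"
            continue
        comparable += 1
        details[algo] = "match" if file_digest(path, name) == expected else "MISMATCH"
    ok = comparable > 0 and all(v == "match" for v in details.values() if v != "unsupported")
    return ok, details


def make_sample_rpm(content=b"hello\n"):
    """Write a constructed stand-in for a .rpm file and return its path."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "example-1.0-1.noarch.rpm")  # constructed name, not a real package
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def demo():
    """Constructed scenario: matching records, then a record with a tampered SHA256."""
    path = make_sample_rpm()
    # Constructed query output; the SHA256 value is the digest of b'hello\n'.
    good = ("SHA256 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n"
            "SHA512 " + hashlib.sha512(b"hello\n").hexdigest() + "\n")
    records = parse_digest_records(good)
    tampered = dict(records, SHA256="0" * 64)
    return verify_package_file(path, records), verify_package_file(path, tampered)


if __name__ == "__main__":
    for ok, details in demo():
        print("OK" if ok else "FAILED", details)
```

On a real system, feed the output of the rpm -q query for each installed package and the corresponding .rpm downloaded from the repository; a MISMATCH means the installed package did not come from that file, bit for bit, and an unsupported entry means %_pkgverify_digests recorded an algorithm this checker does not map.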

System clock skew is reported during dnf transactions

Significant clock skew between a system and the entitlement server can make content repositories unavailable, even on properly registered systems. This is difficult to troubleshoot, particularly when a negative skew makes entitlements appear to start in the future.

With this enhancement, when subscription-manager detects a clock skew greater than 2 seconds, the following message is printed to stdout during a dnf transaction:

The system clock is skewed. There is a time difference of X.Y seconds with the entitlement server. Please check your clock settings to ensure access to all entitled content.

Additional DEBUG logging is written to the /var/log/rhsm/rhsm.log file when the skew exceeds 2 seconds, changing to a WARNING if it exceeds 15 minutes.

For instructions on how to keep your RHEL 10 system clock synchronized with an NTP server, see Configuring time synchronization.

Jira:RHEL-13374[1]

6.4. Shells and command-line tools

Support added for post-quantum cryptography in tog-pegasus

Previously, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

With this update, two new files, /etc/pki/Pegasus/server-fallback.pem and /etc/pki/Pegasus/file-fallback.pem, are provided for the tog-pegasus server. These files enable loading of a classic certificate and key when an ML-DSA certificate and a classic certificate chain must be used at the same time. For more information, see /usr/share/doc/tog-pegasus/README.RedHat.SSL.

Jira:RHEL-93093[1]

Support added for post-quantum cryptography in sblim-sfcb

Previously, the package did not use post-quantum key exchange by default even if the peer supported it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

With this update, two new configuration options, sslKeyFallbackFilePath and sslCertificateFallbackFilePath, are introduced in the sblim-sfcb server configuration file. These options are disabled by default, but you can use them to enable loading of a classic certificate and key when an ML-DSA certificate and a classic certificate chain must be used at the same time.

The ECDH ephemeral key generation, which prevented post-quantum key exchange by default, is disabled in the sblim-sfcb server.

Jira:RHEL-93092[1]

Support added for post-quantum cryptography in openwsman

Previously, the package did not use post-quantum key exchange by default even if the peer supported it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

With this update, two new configuration options, ssl_cert_fallback_file and ssl_key_fallback_file, are introduced in the openwsman server configuration file. These options are disabled by default, but you can use them to enable loading of a classic certificate and key when an ML-DSA certificate and a classic certificate chain must be used at the same time.

The outdated SSL initialization, which prevented post-quantum key exchange by default, is removed from the openwsman server.

Jira:RHEL-93091[1]

openCryptoki provided in version 3.25.0

The openCryptoki packages are provided in version 3.25.0. Support has been added for the following:

  • In EP11:
    • PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
    • PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
    • PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
    • Opaque secure key blob import via C_CreateObject
  • In ICA/Soft:
    • PKCS#11 v3.0 SHAKE key derivation
    • The CKM_AES_KEY_WRAP[_*] mechanisms
    • The CKM_ECDH_AES_KEY_WRAP mechanism
    • Key wrapping with AES-GCM
  • In CCA:
    • CCA AES CIPHER secure key types
    • The CKM_ECDH1_DERIVE mechanism
    • Newer CCA versions on s390x and non-s390x platforms
    • CKM_AES_GCM for single-part operations only
  • CCA/Soft/ICA: The CKM_RSA_AES_KEY_WRAP mechanism.
  • P11KMIP: Added a tool for importing and exporting PKCS#11 keys to a KMIP server.
  • ICA: Report mechanisms depending on whether libica is in FIPS mode.

Jira:RHEL-73343[1]

6.5. Infrastructure services

RHEL is now equipped with dyninst version 13.0.0

The dyninst framework is rebased to upstream version 13.0.0. This version offers the following enhancements:

  • Improved support for AMD GPU binaries.
  • Improved parsing of x86 instructions and C++ DWARF constructs.

For more information, see the upstream documentation.

Jira:RHEL-87001

RHEL is now equipped with SystemTap version 5.3

SystemTap is rebased to version 5.3, and its multithreaded parsing capability now improves startup performance by reducing initialization time by several seconds.

Jira:RHEL-86999

elfutils is now rebased to version 0.193

elfutils 0.193 is now available in RHEL 10.1. The notable changes in this update include:

  • debuginfod now supports CORS (webapp access) in the web API and provides a --cors option. The new --listen-address option enables binding the HTTP listen socket to a specific IPv4 or IPv6 address. The debuginfod client now caches x-debuginfod-* HTTP headers alongside downloaded files.
  • The libdw library adds the dwarf_language and dwarf_language_lower_bound functions, with improved support for DWARF6 language metadata and new language constants for Nim, Dylan, Algol68, V, and Mojo. The dwarf_srclang function is forward-compatible with DWARF6 language constants.
  • The experimental libdwfl_stacktrace interface can unwind stack samples into call chains and cache ELF data for multiple processes. This interface initially supports perf_events stack sample data and is provided as a Technology Preview.
  • The libelf library has a more robust implementation of elf_scnshndx for ELF files with more than 64K sections.
  • The readelf tool improves handling of corrupt ELF data. The output of the --section-headers option now includes a key to explain section flag meanings.

Jira:RHEL-86966

valgrind has been upgraded to upstream version 3.25.1

The upgrade from version 3.24.0 (RHEL 10.0) to the upstream version 3.25.1 (RHEL 10.1) provides the following notable enhancements:

  • Added support for zstd-compressed debug sections.
  • Extended support to the Linux syscalls landlock*, io_pgetevents, open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, and userfaultfd.
  • Enhanced file-descriptor tracking: --track-fds=yes and --track-fds=all apply the same behavior to inherited file descriptors as to standard input, standard output, and standard error.
  • New option --modify-fds=high (use with --track-fds=yes) allocates higher-numbered descriptors first to help detect descriptor reuse issues.
  • Helgrind configuration: warnings for pthread_cond_signal and pthread_cond_broadcast with an unlocked mutex are now controlled by --check-cond-signal-mutex=yes|no (default: no).

Architecture-specific enhancements:

  • New IBM Z (s390x) NNPA hardware support.

Jira:RHEL-86988

valgrind package split into subpackages for flexible installation

Before this update, the valgrind package included all core functionality, post-processing scripts, GDB integration, and documentation in a single package, which required you to install all components, even if you only needed specific features.

With this update, the valgrind package has been split into multiple subpackages. You can install only the components you require, such as the core valgrind functionality, post-processing scripts, GDB integration, or documentation.

Jira:RHEL-75470[1]

jemalloc 5.3.0 is integrated within Varnish

Before this update, some users reported excessive memory usage in Varnish following upgrades to newer versions of Red Hat Enterprise Linux. Despite setting explicit memory limits (for example, -s malloc,1G), memory consumption continued to grow over time.

With this enhancement, the jemalloc memory allocator library (version 5.3.0) is integrated within the Varnish package, replacing default glibc malloc. The integration of jemalloc 5.3.0 results in lower memory consumption, better performance, and greater memory stability for Varnish deployments, especially in high-load or long-running environments.

Jira:RHEL-45756[1]

The BrowseOptionsUpdate directive is now available in RHEL

The BrowseOptionsUpdate directive determines the source and update frequency of default printing options. It specifies whether the system retrieves options from a local system or a remote printing server, and if it updates them at service startup, at certain intervals, or not at all.

You can now add the BrowseOptionsUpdate directive and its value to the /etc/cups/cups-browsed.conf file to achieve the required behavior. The directive offers these values:

  • None (default): A local file, created from previous sessions, loads default options.
  • Static: The cups-browsed service retrieves default options from the remote server when it starts.
  • Dynamic: The system updates default options according to the BrowseInterval value, also defined in the /etc/cups/cups-browsed.conf file.

Note: You need to restart the service after changing the BrowseOptionsUpdate directive value.

Jira:RHEL-87180[1]

6.6. Networking

NetworkManager and Nmstate support configuring IPv4 forwarding per interface

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

This feature is also available in Nmstate.

Jira:RHEL-89582

KTLS now supports rekeying for TLS 1.3

Kernel Transport Layer Security (KTLS), which is an unsupported Technology Preview in RHEL, now supports in-kernel rekeying for TLS 1.3. Previously, long-lived sessions with large data transfers were not possible because only a limited number of bytes could be sent with the initial key. With this enhancement, key updates now occur seamlessly during an active session, supporting the transfer of large amounts of data without applications needing to restart connections. Note that, to use this feature, user-space libraries such as OpenSSL and GnuTLS must also support the KTLS rekeying capability.

This enhancement supports rekeying only for TLS 1.3 and not renegotiation in TLS 1.2.

Jira:RHEL-86020[1]

Nmstate now supports the mtu and quickack route options

With this enhancement, you can use Nmstate to set the mtu and quickack route options. These settings are important for optimizing the network performance if the maximum transmission unit is different from the default and for tuning the TCP acknowledgment behavior. As a result, you now have more precise control over network traffic behavior.

Jira:RHEL-84768

Nmstate now supports configuring FEC settings for network interfaces

With this enhancement, you can now use Nmstate to apply Forward Error Correction (FEC) modes, such as RS-FEC, Base-R, and Disabled, to interfaces. These settings are crucial for improving data transmission reliability by detecting and correcting errors without retransmission. As a result, you can now use Nmstate to apply FEC settings instead of manually configuring them or using platform-specific tools.

Jira:RHEL-84766

An NBFT parser was added to nm-initrd-generator

NVMe Boot Firmware Table (NBFT) is a standard method for firmware to pass network and storage configuration from the pre-boot environment directly to the operating system by using an ACPI table. The nm-initrd-generator utility now includes an NBFT parser, which it uses to automatically detect and apply this configuration and to create the necessary connections without manual setup. This implementation replaces the 95nvmf module in dracut and relies on systemd automation for a more streamlined and robust boot sequence.

Jira:RHEL-83058

NetworkManager now supports fixed subnet IDs for downstream interfaces when using IPv6 prefix delegation

With this enhancement, you can now specify a fixed subnet ID for downstream interfaces in NetworkManager when you use IPv6 prefix delegation. In previous releases, when you rebooted the system, the subnet ID for these interfaces could change. With a fixed subnet ID, IPv6 addresses assigned to devices in the downstream network do not change when you reboot the RHEL host.

Jira:RHEL-81948

Nmstate now supports configuring routes by using a MAC address instead of an interface name

With Nmstate, you can create a network connection by assigning it to the MAC address of an interface. With this enhancement, you can use the profile name instead of the interface name in the next-hop-interface parameter in the routing configuration. With this feature, you can create static routes without knowing the interface name.

Jira:RHEL-80547[1]

Nmstate can assign settings to network interfaces based on PCI addresses

With this enhancement, you can use Nmstate to set up network interfaces based on their PCI address instead of a device name. Use this feature to ensure consistent configuration across nodes in a cluster. For further details, see Configuring an Ethernet connection with a dynamic IP address by using nmstatectl with a device path and Configuring an Ethernet connection with a static IP address by using nmstatectl with a device path.

Jira:RHEL-80116

Nmstate now supports egress and ingress priority mapping for VLAN interfaces

NetworkManager already supports configuring traffic priority mapping for VLAN interfaces. With this enhancement, the Nmstate library can also handle both egress and ingress priority quality of service (QoS) mapping rules. As a result, you can use Nmstate to create VLANs and define bidirectional priority mapping, helping manage traffic more precisely and efficiently.

Jira:RHEL-78334[1]

nmtui now supports configuring the loopback interface

NetworkManager already supports configuring the loopback interface by using the nmcli utility. This enhancement adds the same functionality to the nmtui application. As a result, you can configure IP addresses and routes on the loopback interface.

Jira:RHEL-70484

The NetworkManager-libreswan plugin supports using the Libreswan default values

With this enhancement, you can set the no-nm-default property in Libreswan VPN connection profiles to true to use the Libreswan default values instead of the NetworkManager ones. This ensures compatibility with configurations defined for native Libreswan. As a result, you can now, for example, configure subnet-to-subnet tunnels.

Jira:RHEL-34057

Bond configurations in Nmstate support optimization settings

With this enhancement, the Nmstate API supports the following bond options:

  • lacp_active: Defines whether or not the Linux kernel periodically sends Link Aggregation Control Protocol Data Unit (LACPDU) frames. You can use this setting only in the 802.3ad bond mode.
  • ns_ip6_target: Lists the IPv6 addresses to use as IPv6 monitoring peers when you set the arp_interval parameter to a value larger than 0.

As a result, administrators can use these settings to optimize a network bond to ensure stable connections, efficient bandwidth, and IPv6 compatibility.

Jira:RHEL-1415

iproute rebased to version 6.14.0

The iproute package has been updated to upstream version 6.14.0.

Notable enhancements:

  • The ip nexthop command supports 16-bit nexthop weights.
  • The ip link rmnet command supports flag handling.
  • The ip lwtunnel command supports setting and getting the 'tunsrc' attribute.
  • The ip monitor command adds support for monitoring multicast addresses (ip monitor maddress).
  • The ip rule command supports the 'dscp' selector.
  • The ip rule command supports flow labels.
  • The ip route command supports IPv6 flow labels.
  • The ip address and ip link show commands support the 'down' filter.
  • The tc flower filter supports matching on tunnel metadata.
  • The tc fq queuing discipline supports the TCA_FQ_OFFLOAD_HORIZON attribute.
  • The tc utility supports the Hold/Release mechanism in Time-Sensitive Networking (TSN) as specified in the IEEE 802.1Q-2018 standard.
  • The rdma monitor command adds support for monitoring Remote Direct Memory Access (RDMA) events.
  • The vdpa utility supports setting the MAC address.
  • Several man pages were improved.

Notable bug fixes:

Jira:RHEL-90493

New network packet drop reasons and MIB counters

The kernel’s networking stack now provides more detailed reasons when it drops network packets. This enhancement also adds two new Management Information Base (MIB) counters: LINUX_MIB_PAWS_TW_REJECTED and LINUX_MIB_PAWS_OLD_ACK. As a result, debugging and diagnosing network problems is now easier.

Jira:RHEL-88891[1]
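The MIB counters mentioned above are exposed to user space through /proc/net/netstat. The following parser, added here as an example and not part of the release notes or the kernel, reads that file's header/value line pairs and pulls out the PAWS (Protection Against Wrapped Sequences) rejection counters; the user-visible names PAWSTimewait and PAWSOldAck for the two new MIBs are an assumption, and the sample content is constructed.

```python
"""Parse the TcpExt counters in /proc/net/netstat and report PAWS rejections.

Added example, not from the RHEL release notes. /proc/net/netstat exposes the
kernel's LINUX_MIB_* TCP counters as pairs of lines: a header line with
counter names followed by a value line, both prefixed with the section name
("TcpExt:", "IpExt:"). The names "PAWSTimewait" and "PAWSOldAck" used for the
two new MIBs below are an assumption; the extraction only relies on the
"PAWS" prefix, so it also picks up the pre-existing PAWSActive/PAWSEstab.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample in the /proc/net/netstat layout (abridged column set).
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSActive PAWSEstab PAWSOldAck PAWSTimewait TCPAbortOnData
TcpExt: 0 12 3 41 7 2 5
IpExt: InNoRoutes InTruncatedPkts InMcastPkts
IpExt: 0 0 19
"""


def parse_netstat(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {counter: value}} for every header/value line pair."""
    tables: Dict[str, Dict[str, int]] = {}
    pending: Dict[str, List[str]] = {}  # section -> header names awaiting values
    for line in text.splitlines():
        if ":" not in line:
            continue
        section, _, rest = line.partition(":")
        fields = rest.split()
        if section not in pending:
            pending[section] = fields  # first line of a pair: counter names
        else:
            names = pending.pop(section)  # second line of a pair: values
            if len(names) != len(fields):
                raise ValueError(f"{section}: {len(names)} names vs {len(fields)} values")
            tables[section] = dict(zip(names, map(int, fields)))
    return tables


def paws_rejections(text: str) -> Dict[str, int]:
    """TcpExt counters for segments rejected by the PAWS timestamp check."""
    tcp_ext = parse_netstat(text).get("TcpExt", {})
    return {name: value for name, value in tcp_ext.items() if name.startswith("PAWS")}


def paws_delta(before: str, after: str) -> Dict[str, int]:
    """Counter growth between two snapshots. A sustained rise in PAWSTimewait
    or PAWSOldAck means stale or replayed segments are reaching the host and
    is worth correlating with the kernel's drop reasons."""
    old, new = paws_rejections(before), paws_rejections(after)
    return {name: new[name] - old.get(name, 0) for name in new}


if __name__ == "__main__":
    # On a live host, read the real file instead of the constructed sample:
    # with open("/proc/net/netstat") as f: text = f.read()
    print(paws_rejections(SAMPLE_NETSTAT))
```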

The nft monitor trace command now displays connection tracking information

You can now use the nft monitor trace command to display details about connection tracking. This feature simplifies debugging connections and helps to better understand connection states.

Jira:RHEL-87758[1]

The fwctl subsystem has been added to the kernel

If the kernel lock-down feature is enabled, the kernel does not allow access to resource0 files in the /sys/ directory or to PCI configuration spaces, for security reasons. The fwctl kernel subsystem manages communication with the firmware in software-defined devices, such as the mlx5 network interface controller. This subsystem establishes a standardized and secure Remote Procedure Call (RPC) interface that enables user-space applications to interact with device firmware for diagnostics, configuration, and updates. In addition to the new subsystem, the mstflint utility now also uses the fwctl subsystem, so the utility functions fully in these locked-down environments.

Jira:RHEL-86015[1]

The ice driver now supports reducing the MSI-X vector usage for a PF to free vectors for associated VFs

With this enhancement, you can now reduce the Message Signaled Interrupts eXtended (MSI-X) vectors allocated to a physical function (PF) to ensure that a sufficient number of vectors are available for associated virtual functions (VFs). For details, see Reducing the MSI-X vector usage for a physical function to free vectors for associated virtual functions.

Jira:RHEL-80554[1]

The named and dnssec utilities now support OpenSSL providers for hardware tokens

Before this update, support for using hardware security tokens to store private keys for DNSSEC zone signing was unavailable after the removal of OpenSSL ENGINEs. This functionality was required both for directly using hardware tokens with the named service and for the DNSSEC feature in the ipa-server-dns package.

With this update, the named and dnssec command-line utilities have been updated to support OpenSSL providers.

As a result, you can use OpenSSL providers to access both hardware and software tokens to store private keys. This restores the ability to use hardware tokens directly in the named service and enables the DNSSEC zone signing feature in the ipa-server-dns package.

Jira:RHEL-33729

NetworkManager and Nmstate support configuring IPv4 forwarding per interface

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

This feature is also available in Nmstate.

Jira:RHEL-59083

6.7. Kernel

Kernel version in RHEL 10.1

Red Hat Enterprise Linux 10.1 is distributed with the kernel version 6.12.0-124.8.1.

Perf core counters supported on Intel Panther Lake CPUs

Previously, users could not monitor hardware events using perf core counters on Intel Panther Lake CPUs. With the addition of Panther Lake support in the perf package, users can access hardware event monitoring on this microarchitecture.

Jira:RHEL-47451[1]

The default measurement module for rteval is now rtla timerlat for better tracing of problem latencies

With this enhancement, you can more easily identify the source of problem latencies. If you prefer the cyclictest measurement module, you can select it in the rteval.config file.

Jira:RHEL-97541[1]

kpatch-dnf plugin is updated with improved kernel management

Before this update, the kpatch-dnf plugin did not align kernel upgrades with kpatch support. As a consequence, administrators might install or upgrade to kernels that were not supported by kpatch, thereby increasing the risk of running unsupported kernels and reducing system stability.

With this update, the kpatch-dnf plugin enables administrators to focus kernel updates on those supported by kpatch. As a result, system upgrades are more reliable, and overall stability is improved.

Jira:RHEL-85686[1]

perf tool rebased to upstream v6.14

The perf tool and its kernel backend are rebased to align with upstream version v6.14. This update introduces several enhancements and bug fixes. Most notably, the following:

  • Fixed the memory leak issue in the RAPL code.
  • Added the per-core energy tracking support for AMD.
  • Addressed memory leaks in perf trace.
  • Added Processor Trace Trigger Tracing (PTTT) support in the perf tool.
  • Added support for the RDPMC metrics in clear mode.
  • Added RAPL energy events support in the perf tool for the ARL-U platform.

These changes improve performance analysis and resolve known issues in the perf tool.

Jira:RHEL-77936[1]

Added support for virtio devices

Before this update, virtio devices inside of KVM guests were all listed as type generic-ccw. With this enhancement, you can easily identify which device type is connected at which device number by using the lszdev command:

# lszdev
TYPE            ID        ON   PERS  NAMES
virtio-balloon  0.0.0007  yes  no
virtio-blk      0.0.0000  yes  no    vda
virtio-console  0.0.0004  yes  no
virtio-gpu      0.0.0002  yes  no
virtio-input    0.0.0005  yes  no
virtio-input    0.0.0006  yes  no
virtio-net      0.0.0001  yes  no    enc1
virtio-scsi     0.0.0003  yes  no
virtio-vsock    0.0.0008  yes  no

This enhancement also introduces additional chpstat fixes for Red Hat Enterprise Linux 10.0.z, improving DPU utilization scaling in reports (s390utils and s390-tools).

Jira:RHEL-73341[1]

Intel Arrow Lake U RAPL energy events support in kernel

The kernel package now supports RAPL (Running Average Power Limit) energy performance counters for the Intel Arrow Lake U microarchitecture. With this enhancement, the perf tool identifies power-consumption events for Arrow Lake U platforms to monitor energy usage for CPU cores, GPUs, packages, and system domains.

Jira:RHEL-53584[1]

Adaptive PEBS enables counter snapshotting support in perf on Intel Panther Lake

Before this update, the Linux kernel’s perf tool relied on software-based sample reads to collect performance event data. This approach introduced minor timing gaps and additional overhead when reading counters after an event overflow. With this update, adaptive PEBS counter snapshotting is available on Intel Panther Lake CPUs. With this feature, the kernel captures programmable counters, fixed-function counters, and performance metrics directly in the PEBS record by using the PEBS format version 6.

As a result, counter snapshotting provides a more accurate and lower-overhead alternative to software sample reads, improving performance monitoring and analysis capabilities.

Jira:RHEL-47443[1]

Intel Trace Hub supports Intel Panther Lake

Before this update, the kernel package did not support Intel Panther Lake (P, H, U variants) in Intel Trace Hub. With this update, device IDs for Panther Lake platforms are added to Intel Trace Hub in the kernel package.

As a result, systems based on Panther Lake can use Intel Trace Hub features for enhanced debugging and tracing capabilities.

Jira:RHEL-47423[1]

Perf uncore event support for Intel Clearwater Forest

The perf package adds uncore event monitoring on Clearwater Forest microarchitecture. With this enhancement, the perf package supports the uncore event monitoring on Clearwater Forest systems. As a result, users can perform advanced performance analysis and debugging on supported hardware.

Jira:RHEL-45094[1]

Perf core event support for Intel Clearwater Forest

The perf package adds core event monitoring on Clearwater Forest microarchitecture. As a result, users can monitor and analyze core-level performance events on Intel Clearwater Forest systems using perf.

Jira:RHEL-45092[1]

AMD Milan CPUs support per-core energy tracking with RAPL perf events

Before this update, energy monitoring on AMD systems was limited to package-level measurements. With this update, the kernel package supports per-core energy tracking through Running Average Power Limit (RAPL) performance events on AMD Milan CPUs. As a result, you can measure and analyze energy consumption at the individual core level for more granular performance and power management.

Jira:RHEL-24184[1]

Intel Arrow Lake H microarchitecture support added to intel_th

Before this update, Intel Trace Hub did not recognize Arrow Lake H NPK device IDs, which limited trace and debugging capabilities for systems using this hardware. With this update, the intel_th package supports the Intel Arrow Lake H microarchitecture in Intel Trace Hub. With the new support, users have enhanced tracing and debugging features on Arrow Lake H platforms.

Jira:RHEL-20109[1]

PerfMon support enabled for Intel Arrow Lake H in kernel

With this update, the kernel package provides PerfMon support for Core, Uncore, Cstate, and MSR features on the Intel Arrow Lake H microarchitecture. As a result, you can monitor and analyze performance metrics specific to Arrow Lake H systems by using the perf tool.

Jira:RHEL-20093[1]

KVM modules are integrated into the Realtime Kernel package

This update removes the generation of KVM module packages for the Realtime Kernel in RHEL, aligning with the decision to make the Realtime Kernel a deployment option for base RHEL. This change streamlines the deployment process, integrating KVM modules directly into the Realtime Kernel package and eliminating the separate kernel-rt-kvm package. As a result, users will experience a more seamless and efficient setup when deploying the Realtime Kernel on RHEL, improving the overall user experience.

Jira:RHEL-62687[1]

Added Processor Trace Trigger Tracing (PTTT) support in the perf tool

With this update, performance analysis is improved through the introduction of Processor Trace (PT) Trigger tracing. Software can select specific events as trigger points for pausing and resuming tracing, which makes performance monitoring more efficient and accurate. This leads to more targeted tracing and a clearer picture of application performance.

Jira:RHEL-45090[1]

python-drgn rebased to version 0.0.31

python-drgn has been rebased to version 0.0.31. This update introduces several enhancements and new features:

  • Added support for debuginfod, which enables automatic retrieval of debugging information from debuginfod servers.
  • A new Module API, which provides improved extensibility and integration capabilities.
  • Kernel stack unwinding without debugging symbols, allowing stack traces to be generated even when debug symbols are unavailable.

For a complete list of changes, see the upstream changelogs:

Jira:RHEL-86265

eBPF subsystem rebased to version 6.14

The eBPF subsystem is rebased to the Linux kernel upstream version v6.14. This version includes the following changes and enhancements:

  • Support for uprobe session probes.
  • Support for bpf_fastcall, a special annotation for eBPF helpers and kernel functions (kfuncs), which allows optimizing the execution of such helpers and functions.
  • New kmem_cache eBPF iterator to allow eBPF programs to iterate over entries in /proc/slabinfo or /sys/kernel/slab.
  • Support for a private stack in eligible eBPF programs, which allows preventing the kernel stack overflows in nested eBPF programs.
  • eBPF verifier improvement, which allows programs to avoid a NULL check on statically known map lookup keys.
  • Removal of "helper that may corrupt user memory!" warning message when using bpf_probe_write_user.
  • Prevent infinite loops when using a combination of tail calls and freplace.
  • Avoid potential kernel crashes when attaching eBPF programs to raw tracepoints with NULL arguments.
  • Fixed issues in the bpf_timer destroy procedure.
  • Fixed bpf_local_storage to avoid a kmalloc call that caused "sleeping function called from invalid context" issues when using eBPF on the real-time kernel.

Jira:RHEL-78201[1]

perf tool rebased to upstream v6.15

The perf tool and its kernel backend are rebased to align with upstream version v6.15. This update introduces several enhancements and bug fixes. Most notably, the following:

  • Added the --code-with-type option to perf annotate, enabling decoding of data structures from pointers.
  • Refactored s390 cpum_sf and cpum_cf components.
  • Addressed memory leaks in perf trace.
  • Introduced hardware event support for RISCV CPUs.
  • Extended functionality for the python-perf module.
  • Enhanced perf report to display workload per parent and child processes.
  • Updated PMU events and metrics for various Intel CPUs.
  • Enabled Processor Trace (PT) Trigger tracing on Intel platforms.

These changes improve performance analysis, extend hardware support, and resolve known issues in the perf tool.

Jira:RHEL-78197[1]

crash rebased to 9.0.0

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, has been rebased to upstream version 9.0.0. This version provides a number of fixes and enhancements, most notably the following:

  • The internal gdb database has been updated to version 16.2.
  • The crash utility now supports cross-compilations.

Jira:RHEL-76107

Default configuration now disables jitter entropy source in rng-tools

The jitter entropy source is now disabled by default in rng-tools. Modern CPUs provide a hardware entropy source, and most virtual machines offer the /dev/hwrng device as an entropy source from the virtual host. In these environments, the jitter entropy source consumes unnecessary CPU cycles. For older hardware without a hardware entropy source, you can explicitly enable the jitter entropy source in /etc/sysconfig/rngd.

As a result, the rngd daemon no longer consumes CPU cycles unnecessarily on systems that have hardware entropy sources.

Jira:RHEL-91113
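Before re-enabling the jitter source on a host, it is worth checking whether a hardware entropy source is actually absent. The following script, added here as an example and not part of rng-tools or the release notes, checks the same two signals the note mentions (a CPU RNG instruction advertised in /proc/cpuinfo and a /dev/hwrng device); the suggestion that rngd's -n/--include option accepts the source name jitter is an assumption to verify against the output of rngd -l, and the cpuinfo excerpts are constructed.

```python
"""Decide whether rngd's jitter entropy source is needed on this host.

Added example, not part of rng-tools or the RHEL release notes. Inputs are
passed in (cpuinfo text, hwrng presence) so the decision logic runs offline;
the main block reads the real files. The "-n jitter" argument assumes that
the local rngd accepts entropy sources by name with -n/--include.
"""
from __future__ import annotations

import os

# Feature names that indicate an on-die RNG: x86 rdrand/rdseed (listed under
# "flags") and the Arm FEAT_RNG feature "rng" (listed under "Features").
CPU_RNG_FEATURES = {"rdrand", "rdseed", "rng"}


def has_cpu_rng(cpuinfo_text: str) -> bool:
    """True if /proc/cpuinfo-style text advertises a CPU RNG instruction."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("flags", "features"):
            if CPU_RNG_FEATURES & set(value.split()):
                return True
    return False


def hwrng_present(dev_path: str = "/dev/hwrng") -> bool:
    """True if the kernel exposes a hardware RNG device node, for example
    virtio-rng inside a virtual machine."""
    return os.path.exists(dev_path)


def jitter_needed(cpuinfo_text: str, hwrng: bool) -> bool:
    """Jitter is only worth its CPU cost when neither source is available."""
    return not (has_cpu_rng(cpuinfo_text) or hwrng)


def rngd_extra_args(cpuinfo_text: str, hwrng: bool) -> str:
    """Argument to append to RNGD_ARGS in /etc/sysconfig/rngd, or an empty
    string when the default (jitter disabled) is the right choice."""
    return "-n jitter" if jitter_needed(cpuinfo_text, hwrng) else ""


# Constructed cpuinfo excerpts for a modern and an older x86 CPU.
MODERN_X86 = "processor\t: 0\nflags\t\t: fpu sse2 aes rdrand rdseed sha_ni\n"
OLD_X86 = "processor\t: 0\nflags\t\t: fpu sse2 ssse3 cx16\n"

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        extra = rngd_extra_args(f.read(), hwrng_present())
    print(f'append to RNGD_ARGS: "{extra}"' if extra else "hardware entropy source found; leave jitter disabled")
```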

stalld no longer conflicts with the working of the dl-server

With this release, stalld detects the dl-server in the host kernel and boosts only the tasks that the dl-server fails to run. Currently, the dl-server does not boost FIFO tasks. You might prefer to keep using stalld after a system upgrade and disable the dl-server. The dl-server is the only entity responsible for running the starving tasks.

Jira:RHEL-73883

6.8. Boot loader

Secure boot shim signing for RHEL 10 on x86_64 and aarch64

RHEL 10 requires a signed shim binary to enable secure boot on AMD and Intel 64-bit architectures and on the 64-bit ARM architecture. Without a signed and trusted shim, systems with enforced secure boot did not boot, which affected both enterprise and cloud deployments.

With this release, the shim package was signed and updated for x86_64 and aarch64. On x86_64, shim is signed by Microsoft Windows UEFI Driver Publisher and includes Red Hat Secure Boot CA 5 and CA 8 in the vendor database. On aarch64, shim is signed by Microsoft UEFI CA 2023 and includes Red Hat Secure Boot CA 8. The SBAT entries were updated to the latest levels.

As a result, RHEL boots with the secure boot feature enabled. Additionally, the fallback works properly, and all other bootloader components are correctly signed.

Jira:RHEL-81188

6.9. File systems and storage

multipathd supports file-based sockets

With this update, the multipathd daemon listens for commands on a file-based socket /run/multipathd.socket in addition to the abstract namespace socket. You can communicate with the host’s multipathd daemon from within a container by using a bind mount for the new socket file.

Jira:RHEL-82180[1]

LVM RAID repairs volumes after multiple simultaneous device failures

With this enhancement, you can use the lvconvert --repair /dev/VG-name/LV-name command to reintegrate missing RAID devices into a striped RAID volume (raid4, raid5, and raid6). This repair process works even when the number of temporarily missing devices exceeds the fault tolerance of the RAID level, allowing for recovery once the devices reappear. Note that you must unmount the file system on top of the volume and deactivate the volume before repairing it.

Jira:RHEL-89832

6.10. High availability and clusters

The IPaddr2 resource agent now detects network link failures

Before this update, the IPaddr2 resource agent did not monitor the link state of the network interface. As a consequence, an IPaddr2 resource continued to report success on a node even if the underlying interface was in a DOWN or LOWERLAYERDOWN state, preventing the cluster from recovering the resource on another node.

With this release, the IPaddr2 agent has been enhanced to check the interface’s link status.

As a result, an IPaddr2 resource correctly fails if its network interface goes down, allowing for a proper failover. You can disable this new default behavior by setting the check_link_status=false parameter in the resource configuration.

Jira:RHEL-85014[1]

AWS resource agents reuse IMDS tokens to improve reliability

Before this update, the AWS resource agents requested a new Instance Metadata Service (IMDS) token for every operation. This could lead to a large number of API calls on a single node, which increased the risk of resource failures, especially in environments with many AWS resources.

With this update, the AWS resource agents cache and reuse IMDS tokens until they expire.

As a result, the volume of API calls to the AWS metadata service is significantly reduced. This improves the performance and reliability of AWS resources in high-availability clusters.

Jira:RHEL-81237[1]
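The token reuse described above follows the IMDSv2 flow: one PUT to /latest/api/token with a requested TTL, then the token is sent as a header on every metadata GET until it is close to expiry. The class below, added here as an example and not code from the resource-agents package, implements that caching with an injectable transport so the logic runs offline; the endpoint, path, and header names are AWS's documented IMDSv2 interface.

```python
"""Reuse an EC2 Instance Metadata Service (IMDSv2) token until it expires,
instead of requesting a new one per operation.

Added example, not code from resource-agents. The endpoint, path and header
names are AWS's documented IMDSv2 interface; the HTTP transport and clock are
injectable so the caching logic can be exercised without an EC2 instance.
"""
from __future__ import annotations

import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600  # IMDSv2 caps token lifetime at six hours

# transport(method, url, headers) -> body; raises urllib.error.HTTPError on 4xx/5xx
Transport = Callable[[str, str, Dict[str, str]], str]


def http_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


class ImdsTokenCache:
    def __init__(self, ttl: int = MAX_TTL, margin: int = 60,
                 transport: Transport = http_transport,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not 1 <= ttl <= MAX_TTL:
            raise ValueError("IMDSv2 token TTL must be 1..21600 seconds")
        self.ttl = ttl
        self.margin = min(margin, ttl // 2)  # renew shortly before expiry
        self._transport = transport
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0  # PUT /latest/api/token calls actually made

    def token(self) -> str:
        """Return a valid token, fetching a fresh one only when the cached
        token is absent or inside the renewal margin."""
        if self._token is None or self._clock() >= self._expires_at - self.margin:
            self._token = self._transport("PUT", IMDS_BASE + TOKEN_PATH,
                                          {TTL_HEADER: str(self.ttl)})
            self._expires_at = self._clock() + self.ttl
            self.token_requests += 1
        return self._token

    def get(self, path: str) -> str:
        """GET a metadata path such as /latest/meta-data/instance-id. IMDS
        answers 401 when a token is no longer valid, so drop the cached token
        and retry exactly once with a new one."""
        try:
            return self._transport("GET", IMDS_BASE + path, {TOKEN_HEADER: self.token()})
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
            self._token = None
            return self._transport("GET", IMDS_BASE + path, {TOKEN_HEADER: self.token()})


if __name__ == "__main__":
    # On an EC2 instance this issues a single PUT and then reuses the token.
    cache = ImdsTokenCache(ttl=300)
    for _ in range(3):
        print(cache.get("/latest/meta-data/instance-id"), cache.token_requests)
```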

The awsvip resource agent allows specifying a network interface

Before this update, the awsvip resource agent always assigned the virtual IP address to the primary network interface of an EC2 instance. It was not possible to use a secondary network interface for the resource.

With this enhancement, an interface parameter has been added to the awsvip agent.

By using this parameter, you can specify to which network interface the agent should assign the virtual IP, which enables more flexible network configurations in AWS.

Jira:RHEL-81236[1]

The fence_sbd agent can automatically detect the SBD device

Before this update, when configuring a fence_sbd resource, you were required to explicitly specify the SBD device path by using the devices parameter.

With this update, the fence_sbd agent can now retrieve the device configuration from the system.

As a result, if you do not set the devices parameter when creating the fence_sbd resource, the agent automatically uses the device specified in the SBD_DEVICE variable within the /etc/sysconfig/sbd file.

Jira:RHEL-79799[1]

Watchdog device listing provides more detailed information

Before this update, when listing available watchdog devices, the output only displayed the device path, such as /dev/watchdog0. This made it difficult for administrators to distinguish between multiple devices on the same system.

With this update, the output includes the device path, identity, and driver for each watchdog. This allows for easy identification and selection of the correct device.

Jira:RHEL-76176

New fence agent for Nutanix AHV virtualization is now available

Previously, Red Hat High Availability Add-On did not provide a dedicated fence agent for Nutanix Acropolis Hypervisor (AHV) environments.

With this enhancement, the fence_nutanix agent is added.

As a result, you can now configure STONITH for cluster nodes running on the Nutanix AHV platform, enabling fully supported high-availability deployments.

Jira:RHEL-68322[1]

pcs warns users before removing the last fencing device

Before this update, pcs allowed users to disable or remove the last fencing device from a cluster without a warning. This could inadvertently leave the cluster in an unsupported state without any STONITH or SBD fencing configured.

With this enhancement, pcs now includes a safety check to prevent the accidental removal of all fencing mechanisms.

As a result, if you attempt an action that would leave the cluster without any fencing, pcs displays an error and blocks the change by default. For example, this occurs when you try to remove the last STONITH resource while SBD is disabled. You can override this safety check to force the change if needed.

Jira:RHEL-66607

pcs provides more detailed error messages for failed CIB updates

Previously, when a CIB update failed when using the pcs cluster edit or pcs cluster cib-push commands, the error message provided by Pacemaker was generic. It did not explain the specific reason for the failure, which made troubleshooting the invalid configuration difficult.

With this enhancement, pcs is updated to request a detailed validation check from Pacemaker upon a failed CIB push.

As a result, when a CIB update is rejected, pcs now displays a specific error message explaining what is wrong with the configuration.

Jira:RHEL-63186

The pcs alert config command now supports multiple output formats

Previously, the pcs alert config command displayed its output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

With this enhancement, a new --output-format option has been added to the pcs alert config command.

As a result, you can now display the configured alerts in one of three formats:

  • text: Displays the output in plain text. This is the default format.
  • json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
  • cmd: Displays the output as a series of pcs commands, which you can use to recreate the same alert configuration on a different system.

Jira:RHEL-44347

The pcs resource meta command is improved to support bundles and prevent guest node misconfiguration

Previously, the pcs resource meta command did not support managing meta attributes for bundle resources. Additionally, the command did not prevent users from incorrectly modifying the connection parameters of a guest node, which could lead to a misconfigured resource.

With this enhancement, the pcs resource meta command has been rewritten.

As a result, you can now use pcs resource meta to update meta attributes for bundle resources. In addition to this, when using the command on a guest node, it now prevents unintended changes to connection parameters, avoiding potential misconfigurations.

Jira:RHEL-35407

A new pcs command is available for renaming a cluster

Previously, it was not possible to change the name of an existing cluster using pcs commands. Administrators had to perform a series of manual steps, which were complex and could lead to errors.

With this enhancement, the pcs cluster rename command has been introduced.

As a result, you can now easily change the name of an existing cluster. To rename your cluster, run the following command:

pcs cluster rename <new-name>

Jira:RHEL-22423

The pcs node attribute and pcs node utilization commands now support multiple output formats

Previously, the pcs node attribute and pcs node utilization commands displayed their output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

With this enhancement, a new --output-format option has been added to the pcs node attribute and pcs node utilization commands.

As a result, you can now display the configured node attributes and utilization in one of three formats:

  • text: Displays the output in plain text. This is the default format.
  • json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
  • cmd: Displays the output as a series of pcs commands, which you can use to recreate the same configuration on a different system.

Jira:RHEL-21050

pcs automatically validates the CIB for potential issues

Previously, the pcs utility did not automatically run advanced validation checks on the Cluster Information Base (CIB). As a consequence, certain cluster misconfigurations could remain undetected during routine operations.

With this enhancement, pcs has been updated to integrate Pacemaker’s CIB validation tool into its workflow.

As a result, pcs now automatically performs a validation check and displays the results when you run the pcs status, pcs cluster edit, or pcs cluster cib-push commands.

Jira:RHEL-7681

New crypt resource agent for managing encrypted volumes

Previously, Red Hat High Availability Add-On did not provide a resource agent for managing encrypted devices. This made it difficult to configure volumes encrypted with cryptsetup as highly available resources within a Pacemaker cluster.

With this update, the new crypt resource agent has been introduced.

As a result, you can configure encrypted local or network volumes as cluster resources. The crypt agent uses cryptsetup to manage these devices. It supports unlocking volumes with a standard key_file and also supports network-bound unlocking using tang/clevis.

Jira:RHEL-13089[1]

The PostGIS extension is available for PostgreSQL

This enhancement adds the PostGIS extension to PostgreSQL. With this extension, PostgreSQL supports geographic objects, enabling spatial queries and analysis for Geographic Information System (GIS) applications, such as mapping, geolocation, and distance calculations within a relational database.

Jira:RHEL-81633[1]

6.12. Compilers and development tools

glibc now supports sched_setattr and sched_getattr for advanced scheduler options

Previously, glibc provided access to only a limited set of Linux scheduler options through functions defined in <sched.h>. This limitation required applications to use direct system calls or Linux kernel headers to access advanced scheduling features.

With this enhancement, the extensible scheduler configuration mechanism from sched_setattr and sched_getattr is now available through the glibc <sched.h> header file. This change includes support for additional scheduling policies, such as SCHED_DEADLINE.

As a result, applications can select from a wider range of scheduling options without relying on direct system calls or kernel-specific headers, improving portability and flexibility for developers.
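An added example, not code from the release notes or from glibc, that exercises the new wrappers: it reads the calling thread's policy with sched_getattr() and asks for SCHED_DEADLINE with sched_setattr(). The names current_policy and request_deadline are the example's own, and the fallback to syscall(2) is an assumption made so that the program also builds on a glibc without the wrappers.

```c
/* Added example (not from the release notes or glibc): use the
 * sched_getattr()/sched_setattr() wrappers glibc now exports from <sched.h>
 * to read the calling thread's policy and request SCHED_DEADLINE.  On a
 * glibc without the wrappers, or when GNU extensions are not visible, the
 * same kernel calls are issued with syscall(2) (assumption, for portability). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#if defined(__GLIBC__) && defined(__GLIBC_PREREQ) && defined(__USE_GNU)
# if __GLIBC_PREREQ(2, 41)
#  define HAVE_GLIBC_SCHED_ATTR 1
# endif
#endif

#ifndef HAVE_GLIBC_SCHED_ATTR
/* Fallback: the kernel UAPI layout of struct sched_attr (Linux 5.3 and later). */
struct sched_attr {
    uint32_t size;           /* sizeof(struct sched_attr); versions the ABI */
    uint32_t sched_policy;   /* SCHED_OTHER, SCHED_FIFO, SCHED_DEADLINE, ... */
    uint64_t sched_flags;
    int32_t  sched_nice;     /* SCHED_OTHER and SCHED_BATCH */
    uint32_t sched_priority; /* SCHED_FIFO and SCHED_RR */
    uint64_t sched_runtime;  /* SCHED_DEADLINE budget, in nanoseconds */
    uint64_t sched_deadline;
    uint64_t sched_period;
    uint32_t sched_util_min; /* utilization clamps */
    uint32_t sched_util_max;
};
# ifndef SCHED_DEADLINE
#  define SCHED_DEADLINE 6
# endif
static int sched_setattr(pid_t tid, struct sched_attr *attr, unsigned int flags)
{
    return (int)syscall(SYS_sched_setattr, tid, attr, flags);
}
static int sched_getattr(pid_t tid, struct sched_attr *attr, unsigned int size,
                         unsigned int flags)
{
    return (int)syscall(SYS_sched_getattr, tid, attr, size, flags);
}
#endif

/* Scheduling policy of the calling thread (tid 0), or -1 with errno set. */
int current_policy(void)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    if (sched_getattr(0, &attr, sizeof attr, 0) != 0)
        return -1;
    return (int)attr.sched_policy;
}

/* Ask the kernel to run the calling thread under SCHED_DEADLINE with the given
 * budget.  Returns 0 on success or an errno value:
 *   EINVAL  0 < runtime <= deadline <= period is violated (a period of 0
 *           means "same as the deadline"); checked here before the call so
 *           the failure is reported the same way on every kernel,
 *   EPERM   the caller lacks CAP_SYS_NICE, which SCHED_DEADLINE requires,
 *   EBUSY   the kernel's admission test rejected the budget. */
int request_deadline(uint64_t runtime_ns, uint64_t deadline_ns, uint64_t period_ns)
{
    if (runtime_ns == 0 || runtime_ns > deadline_ns ||
        (period_ns != 0 && deadline_ns > period_ns))
        return EINVAL;

    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy = SCHED_DEADLINE;
    attr.sched_runtime = runtime_ns;
    attr.sched_deadline = deadline_ns;
    attr.sched_period = period_ns;
    if (sched_setattr(0, &attr, 0) != 0)
        return errno;
    return 0;
}

int main(void)
{
    printf("policy before: %d (SCHED_OTHER is %d)\n", current_policy(), SCHED_OTHER);
    /* 10 ms of CPU in every 100 ms period; unprivileged callers get EPERM. */
    int rc = request_deadline(10000000ULL, 100000000ULL, 100000000ULL);
    printf("SCHED_DEADLINE request: %s\n", rc == 0 ? "granted" : strerror(rc));
    printf("policy after: %d (SCHED_DEADLINE is %d)\n", current_policy(), SCHED_DEADLINE);
    return 0;
}
```

Run it once as an ordinary user and once with CAP_SYS_NICE to see the EPERM path and the granted path; the parameter check fires identically in both cases.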

Jira:RHEL-58357

Geomap support added for PCP Valkey datasource in grafana-pcp

Previously, users could not visualize PCP metrics on a map in Grafana because the PCP Valkey data source did not provide the longitude and latitude labels required for geomap panels. This limitation made it difficult to compare the performance of monitored systems across different locations.

To create a geomap visualization for PCP metrics in Grafana:

  1. Create a new panel.
  2. Select the geomap panel type.
  3. Enter the metric you want to visualize in the query window, as you would for other PCP visualizations.
  4. In the Format drop-down menu below the query window, select Geomap.
  5. Grafana will automatically detect the longitude and latitude labels and place the data on the map.
  6. For additional options and customization, see the Grafana documentation.

With this enhancement, the PCP Valkey datasource in grafana-pcp includes longitude and latitude labels from PCP metrics, allowing instances to be accurately placed on a geomap. Users can create geomap visualizations in Grafana to compare system performance geographically.

Jira:RHEL-77946[1]

llvm-toolset rebased to LLVM 20

The llvm-toolset is updated to LLVM 20, delivering improved code generation, performance optimizations, and expanded language front-end and library support across C, C++, and Rust workflows. This rebase aligns dependent components in RHEL, including rebuilds for rust, annobin, bcc, bpftrace, qt5-qttools, and mesa. The build is validated with llvm-20.1.8-1.el10.

The notable changes are:

  • Backend improvements, including fixes for the ppc64le target
  • Optimizations and diagnostics enhancements in Clang and LLVM passes for general performance and reliability
  • Toolchain ecosystem refresh with coordinated package rebuilds for compatibility with LLVM 20
  • Continued deprecation of older targets, consistent with upstream direction for ARM and MIPS in this stream

Jira:RHEL-80988

GDB now supports IBM’s z17 CPU architecture

The gdb package is enhanced to support binaries that use new hardware instructions introduced with IBM’s z17 CPU architecture. This update enables developers and system administrators to debug applications compiled for the latest IBM Z hardware on RHEL 10.1.

Jira:RHEL-56897[1]

GCC Toolset 15 is now available

With this update, gcc-toolset-15 is now available in RHEL 10.1. The toolset includes the latest supported versions of GCC and related utilities, enabling developers to build, test, and deploy applications using up-to-date compiler technology.

Jira:RHEL-81745[1]

glibc provides the GLIBC_ABI_GNU2_TLS symbol on x86_64

glibc includes the GLIBC_ABI_GNU2_TLS symbol on x86_64 systems. Programs that use the gnu2 thread-local storage access convention might require this symbol to start. Before this update, if glibc did not provide this symbol, affected programs would fail to launch. With this update, programs that depend on GLIBC_ABI_GNU2_TLS start and run as expected.

Jira:RHEL-109625

glibc adds GLIBC_ABI_DT_X86_64_PLT symbol support for x86_64

Before this update, programs that required the GLIBC_ABI_DT_X86_64_PLT symbol failed to start when it was not available in glibc. With this enhancement, glibc includes the GLIBC_ABI_DT_X86_64_PLT symbol for x86_64 systems, and programs that require this symbol now start and run as expected.

Jira:RHEL-109621

glibc header files updated to align with Linux 6.12 UAPI

The glibc header files in Red Hat Enterprise Linux 10 are updated to incorporate the latest Linux User-space API (UAPI) constants for MAP_*, PIDFD_*, SCHED_*, and SYS_* from Linux kernel version 6.12. As a result, developers can access new and revised UAPI constants when building applications, ensuring consistency and compatibility with the latest kernel features.

Jira:RHEL-107695

gdb is rebased to version 16.3

This update of gdb to version 16.3 in RHEL 10.1 provides the following notable enhancements:

  • Removed support for Intel MPX.
  • Added support for tagged data pointers, including Intel’s Linear Address Masking (LAM) and aarch64’s Memory Tagging Extension (MTE).
  • Enabled background DWARF reading for improved performance.
  • Enhanced Intel Process Trace (record btrace):

    • Asynchronous event printing enabled with set record btrace pt event-tracing.
    • Ptwrite payloads can now be accessed in Python as RecordAuxiliary objects.
  • Improved Python integration:

    • Stop events now include a details attribute, mirroring MI "*stopped" events.
    • gdb.Progspace() no longer creates objects directly; objects must be obtained with other APIs.
    • User-defined attributes can be added to gdb.Inferior and gdb.InferiorThread objects.
    • Introduced new event source: gdb.tui_enabled.
    • Added gdb.record.clear, which clears the current recording’s trace data.
    • Added modules for handling missing objfiles and debug information.
    • New class gdb.missing_debug.MissingDebugInfo can be subclassed to handle missing debug information.
    • New attribute gdb.Symbol.is_artificial.
    • New constants for symbol lookup across multiple domains.
    • New function gdb.notify_mi(NAME, DATA) emits custom async notifications.
    • New attribute gdb.Value.bytes for reading and writing value contents.
    • Added gdb.interrupt to simulate a CTRL-C interrupt.
    • New attribute gdb.InferiorThread.ptid_string provides the target ID.
  • Debug Adapter Protocol (DAP) changes:

    • Updated "scopes" request to include global variables and last return value.
    • "launch" and "attach" requests can be used at any time, effective after "configurationDone".
    • "variables" request no longer returns artificial symbols.
    • Added "process" event and support for the "cancel" request.
    • "attach" request now supports specifying the program.
  • Introduced new commands for styling, language frame mismatch warnings, missing objfile handlers, and function call timeouts.
  • Enhanced and renamed several commands, including improved error handling for disassemble and renaming set unwindonsignal to set unwind-on-signal.
  • Expanded remote packet support, including new packets for file status and memory fetch, and new stop reasons such as clone.
  • Introduced per-thread event reporting options and address tagging checks.

Jira:RHEL-91382

GCC tuning for IBM z16 is default on s390x

The default tuning for code generated by the gcc compiler on the s390x architecture in RHEL 10.1 now aligns with IBM z16.

Before this update, the default tuning for s390x code generation in gcc was set for older IBM architectures.

With this update, code compiled with gcc on s390x in RHEL 10.1 is tuned for IBM z16 by default. If you need to optimize for a different architecture, you can override this setting by specifying the desired architecture with the -mtune flag during gcc invocation.

Jira:RHEL-86679[1]

Initial support for IBM Z z17 added to glibc

The dynamic loader in glibc is enhanced to support detecting IBM z17 CPUs or their specific features. As a result, any IBM z17-optimized libraries installed in the /usr/lib64/glibc-hwcap/z17/ directory are loaded automatically on z17 systems. This update improves hardware compatibility and performance for IBM Z z17 platforms.

Jira:RHEL-72564[1]

Rust Toolset rebased to version 1.88.0

RHEL 10.1 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:

  • Rust 2024 Edition is now stable. This is a major opt-in release that enables significant language changes and is the largest edition released to date.
  • Leverage the 2024 Edition with let chains, allowing fluent &&-chaining of let statements within if and while conditions to reduce nesting and improve readability.
  • For high-performance computing, when you enable target features, you can call multiple std::arch intrinsics directly in safe Rust, which gives you direct access to specific CPU features.
  • async closures are now supported, providing first-class solutions for asynchronous programming. These closures allow borrowing from captures and properly express higher-ranked function signatures with the AsyncFn traits.
  • Trait upcasting allows coercing a reference to a trait object to a reference of its supertrait, simplifying common patterns, especially with the Any trait.
  • Cargo now automatically cleans its cache, removing old downloaded files not accessed in 1-3 months, which helps manage disk space.

Rust Toolset is a rolling Application Stream, and Red Hat only supports the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-81600

tzdata includes the NEWS file

With this update, the tzdata package includes its NEWS file with each release to provide precise descriptions of timezone data changes. As a result, you can review the included NEWS file to understand in detail what changed in the update.

Jira:RHEL-105042[1]

Red Hat build of OpenJDK 25 is available

Red Hat introduces the latest long-term support (LTS) release of the Red Hat build of OpenJDK (Open Java Development Kit) 25, a free and open source implementation of the Java Platform, Standard Edition (Java SE). Red Hat build of OpenJDK 25 is available starting from RHEL 10.1. For more information about the OpenJDK Life Cycle, Support Policy, and all supported configurations, see the OpenJDK Life Cycle and Support Policy.

OpenJDK 25 includes a number of enhancements and additions to the Java specification, multiple bug and stabilization fixes, and general performance improvements and new features, such as the following improvements:

  • Java Flight Recorder enhancements (cooperative sampling, method timing and tracing)
  • Generational Shenandoah garbage collector
  • Late barrier expansion and region pinning for the G1 garbage collector
  • Ahead-Of-Time class loading and linking
  • Compact object headers
  • Synchronize virtual threads without pinning
  • Compact source files and instance main methods
  • Unnamed variables and patterns
  • Scoped values
  • Stream Gatherers
  • Launch multi-file source-code programs

For the complete list of new features since the last LTS release, see JEPs in JDK 25 integrated since JDK 21.

Jira:RHEL-100678[1]

6.13. Identity Management

ipa-healthcheck now warns about expiring certificates

With this update, the ipa-healthcheck tool evaluates user-provided HTTP, DS, and PKINIT certificates for expiration and warns 28 days before their expiration date. This prevents certificate expirations from going unnoticed, which can lead to downtime.

Jira:RHELDOCS-20303[1]

ansible-freeipa rebased to 1.15.1

The ansible-freeipa package, which provides modules and roles to manage Red Hat Identity Management (IdM) environments, has been rebased from version 1.13.2 to 1.15.1. The update includes the following enhancement:

  • The freeipa.ansible_freeipa collection that the ansible-freeipa RPM package provides is now compatible with the namespace and name of the redhat.rhel_idm collection provided by Red Hat Ansible Automation Hub (RH AAH). If you have installed the RPM package, you can now run playbooks that reference the AAH roles and modules. Note that internally, the namespace and names from the RPM package are used.

Jira:RHELDOCS-20257[1]

Healthcheck warns if krbLastSuccessfulAuth is enabled

Enabling the krbLastSuccessfulAuth setting in the ipaConfigString attribute can lead to performance issues if large numbers of users are authenticating at the same time. Therefore, it is disabled by default. With this update, Healthcheck displays a message if krbLastSuccessfulAuth is enabled, warning about the possible performance problems.

Jira:RHEL-84771[1]

IdM now supports UIDs up to the Linux maximum UID limit for legacy system compatibility

With this update, you can now use User and Group IDs up to 4,294,967,293, or 2^32-1. This aligns IdM’s maximum with the Linux UID limit and can be useful in rare cases where the standard IdM range, up to 2,147,483,647, is insufficient. Specifically, it enables IdM deployment alongside legacy systems that require the full 32-bit POSIX ID space.

Warning

In standard deployments, IdM reserves the 2,147,483,648 - 4,294,836,223 range for subIDs. Using the 2^31 to 2^32-1 UID range requires disabling the subID feature and therefore conflicts with modern Linux capabilities.

To enable UIDs up to 2^32-1:

  1. Disable the subordinate ID feature:

    $ ipa config-mod --addattr ipaconfigstring=SubID:Disable
  2. Remove any existing subordinate ID ranges:

    $ ipa idrange-del <id_range>
  3. On the IdM server, ensure the internal DNA plugin configuration is correctly removed:

    # ipa-server-upgrade
  4. Add a new local ID range that covers the 2^31 to 2^32-1 space. Ensure that you define RID bases for this new range so that IdM can generate SIDs properly for users and groups.

Note

You can only disable the subordinate ID feature if no subordinate IDs have been allocated yet.

Jira:RHEL-67686[1]

samba rebased to version 4.22.4

The samba package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:

  • Samba supports Server Message Block version 3 (SMB3) directory leases. With this enhancement, clients can cache directory listings, which reduces network traffic and improves performance.
  • Samba supports querying domain controller (DC) information by using TCP-based LDAP or LDAPS, as an alternative to the traditional UDP method on port 389. This enhancement improves compatibility with firewall-restricted environments. You can configure the protocol by using the client netlogon ping protocol parameter (default value: CLDAP).
  • The following configuration parameters are removed:

    • nmbd_proxy_logon: This setting was used to forward NetLogon authentication requests to a Windows NT4 primary domain controller (PDC) before Samba introduced its own NetBIOS over TCP/IP (NBT) server.
    • cldap port: Connectionless Lightweight Directory Access Protocol (CLDAP) always uses UDP port 389. Additionally, the Samba code did not use this parameter consistently, so the behavior was inconsistent.
    • fruit:posix_rename: This option of the vfs_fruit module is removed because it could result in problems with Windows clients. As a possible workaround to prevent the creation of .DS_Store files on network mounts, use the defaults write com.apple.desktopservices DSDontWriteNetworkStores true command on macOS.

Note that the Server Message Block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Before starting Samba, back up the database files. Samba automatically updates its tdb database files when the smbd, nmbd, or winbind services start. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

Jira:RHEL-89870

Identity Management Upgrade Helper

The Identity Management Upgrade Helper is a new application that simplifies upgrading your IdM environment to a newer RHEL version. It provides an upgrade plan with step-by-step instructions that are specific to your upgrade path. As a result, you can use the app to prepare your deployment, set up a new replica, and decommission an old server with clear instructions.

To use this app, see Identity Management Upgrade Helper on the Red Hat Customer Portal.

Jira:RHELDOCS-21103[1]

You can now use dsconf or the web console to exclude subtrees from the attribute uniqueness verification

With this update, you can configure the uniqueness-exclude-subtrees parameter for the Attribute Uniqueness plug-in directly through the dsconf utility and web console. Before this update, uniqueness-exclude-subtrees was set only by using the ldapmodify utility.

Use the --exclude-subtree option for the dsconf plugin attr-uniq set command to set the distinguished name (DN) under which the plug-in skips uniqueness verification of the attribute’s value. Alternatively, go to the Plugins menu in the web console, add or edit the Attribute Uniqueness plug-in configuration and set the Excluded Subtrees field.

Jira:RHEL-67006

389-ds-base rebased to version 3.1.3

The 389-ds-base package has been updated to version 3.1.3. This version provides various bug fixes and enhancements, most notably:

  • Support for the Session Tracking Control Internet-Draft
  • The nsslapd-pwdPBKDF2NumIterations configuration attribute for PBKDF2-* plugins
  • Log buffering for the error log
  • Support for CRYPT-YESCRYPT as a password storage scheme
  • JSON format for access and error logs
  • Various dsidm bug fixes:

    • dsidm no longer fails with the argument must be a string or a number error.
    • dsidm get_dn no longer fails for organizational units, services, and POSIX groups.
    • dsidm uniquegroup members correctly displays the unique group members.
    • dsidm role rename-by-dn correctly renames a role.
    • dsidm -j account get-by-dn and dsidm -j role get-by-dn return their output in JSON format.
    • dsidm role subtree-status correctly displays a subtree status.
    • dsidm role create-nested and dsidm role create-filtered create nested and filtered roles.
    • dsidm role delete properly deletes a role.
    • dsidm user rename renames the user correctly.
    • dsidm account unlock re-enables user accounts that reached the inactivity limit correctly.

Jira:RHEL-80162

Custom matching rules in the Attribute Uniqueness plug-in to search uniqueness attributes

With this update, you can specify a matching rule for the attribute on which the Attribute Uniqueness plug-in enforces uniqueness, for example, to override the attribute’s case-exact or case-ignore syntax.

Specify attributes and their matching rules in the plugin configuration, as follows:

uniqueness-attribute-name: <attribute>:<Matching rule OID>:

Before this update, if you used the cn attribute with a case-exact syntax, the Attribute Uniqueness plug-in could not find a matching value if the case differed between the two values being compared. Now you can set the matching rule to case ignore, and the plug-in recognizes that the values match:

uniqueness-attribute-name: cn:caseIgnoreMatch:

Jira:RHEL-109018[1]

JSON format is available for the access and error logs in 389-ds-base

With this update, you can use the following commands to configure JSON format for the access and error log files:

# dsconf <instance_name> logging access set log-format json
# dsconf <instance_name> logging error set log-format json

These commands set the nsslapd-accesslog-log-format or nsslapd-errorlog-json-format configuration attributes to json. As a result, access and error logging becomes more consumable by standard parsing tools.

Note that when you change the format setting, Directory Server rotates the current log file.

Jira:RHEL-80252

The new list --full-dn option is available for the dsidm utility

With this update, you can use the list --full-dn option to get the list of full distinguished names (DN) of the entries of the same type. For example, to see the role DNs, use the following command:

# dsidm <instance_name> -b dc=example,dc=com role list --full-dn

Before this update, you had no option to determine DNs of these entries with the dsidm tool because the existing list option only displays relative distinguished name (RDN) values.

Jira:RHEL-74270

389-ds-base log files now contain a session identifier for bind or modify operations

With this enhancement, the replication plugin works with the session tracking feature, correlating consumer activities with supplier server operations in 389-ds-base.

On the supplier side, when the replication debug level is enabled, the supplier error log contains messages as follows:

[time_stamp] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - "EWBpte8J8Wx 2" - agmt="cn=004" (localhost:39004): State: wait_for_changes -> ready_to_acquire_replica

On the consumer side, without any debug log level, the access logs contain messages as follows:

[time_stamp] conn=2 op=7 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="distinguishedName"
[time_stamp] conn=2 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000189515 optime=0.000171470 etime=0.000358345 notes=U,P details="Partially Unindexed Filter,Paged Search" pr_idx=0 pr_cookie=-1 sid="EWBpte8J8Wx   2"

As a result, you can trace the origin of connections or operations more effectively, which makes troubleshooting connections and operations in replication deployments more efficient.
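An added example, not code from the release notes or from 389-ds-base, that extracts the session identifier from a supplier debug line and a consumer RESULT line and compares them. The function names are the example's own, and collapsing whitespace inside the quoted id is an assumption made because the two sample lines above show the same id with different spacing.

```c
/* Added example (not from the release notes or 389-ds-base): extract the
 * session identifier that the supplier's replication debug line and the
 * consumer's access-log RESULT line now share, and match the two.  The
 * three log lines are the ones quoted in the release note; the helper names
 * and the whitespace handling are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

const char SUPPLIER_LINE[] =
    "[time_stamp] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - "
    "\"EWBpte8J8Wx 2\" - agmt=\"cn=004\" (localhost:39004): "
    "State: wait_for_changes -> ready_to_acquire_replica";
const char CONSUMER_SEARCH_LINE[] =      /* carries no sid: only RESULT lines do */
    "[time_stamp] conn=2 op=7 SRCH base=\"dc=example,dc=com\" scope=2 "
    "filter=\"(objectClass=*)\" attrs=\"distinguishedName\"";
const char CONSUMER_RESULT_LINE[] =
    "[time_stamp] conn=2 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000189515 "
    "optime=0.000171470 etime=0.000358345 notes=U,P "
    "details=\"Partially Unindexed Filter,Paged Search\" pr_idx=0 pr_cookie=-1 "
    "sid=\"EWBpte8J8Wx   2\"";

/* Copy the double-quoted token that follows `marker` in `line` into `out`,
 * collapsing each run of whitespace to a single space: the two samples show
 * the same id with different spacing inside the quotes, so the comparison
 * is made whitespace-insensitive (assumption).  Returns 1 on success, 0 when
 * the marker or a well-formed quoted value is missing or does not fit. */
static int quoted_after(const char *line, const char *marker, char *out, size_t outlen)
{
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p = strchr(p + strlen(marker), '"');
    if (p == NULL)
        return 0;
    size_t n = 0;
    int pending_space = 0;
    for (p++; *p != '\0' && *p != '"'; p++) {
        if (isspace((unsigned char)*p)) {
            pending_space = 1;            /* emit at most one space later */
            continue;
        }
        if (pending_space && n > 0) {
            if (n + 1 >= outlen)
                return 0;
            out[n++] = ' ';
        }
        pending_space = 0;
        if (n + 1 >= outlen)
            return 0;
        out[n++] = *p;
    }
    if (*p != '"' || n == 0)              /* unterminated or empty value */
        return 0;
    out[n] = '\0';
    return 1;
}

/* Session id from a supplier error-log line written by repl5_inc_run. */
int supplier_sid(const char *line, char *out, size_t outlen)
{
    return quoted_after(line, "repl5_inc_run - ", out, outlen);
}

/* Session id from a consumer access-log line (the sid="..." field). */
int consumer_sid(const char *line, char *out, size_t outlen)
{
    return quoted_after(line, " sid=", out, outlen);
}

/* 1 when both lines carry the same session id, 0 otherwise. */
int same_session(const char *supplier_line, const char *consumer_line)
{
    char a[64], b[64];
    if (!supplier_sid(supplier_line, a, sizeof a) || !consumer_sid(consumer_line, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    char sid[64];
    if (consumer_sid(CONSUMER_RESULT_LINE, sid, sizeof sid))
        printf("consumer session id: \"%s\"\n", sid);
    printf("supplier and consumer RESULT lines match: %s\n",
           same_session(SUPPLIER_LINE, CONSUMER_RESULT_LINE) ? "yes" : "no");
    printf("supplier and consumer SRCH lines match: %s\n",
           same_session(SUPPLIER_LINE, CONSUMER_SEARCH_LINE) ? "yes" : "no");
    return 0;
}
```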

Jira:RHEL-31959[1]

ACME server adds support for the ES256 signature algorithm

Previously, the Automatic Certificate Management Environment (ACME) server did not support the ES256 signature algorithm for JSON Web Key (JWK) validation. This lack of support prevented certain clients, such as the Caddy web server, from successfully obtaining certificates.

With this update, the ACME server has been enhanced to support the ES256 signature algorithm for JWK validation.

As a result, the server can interoperate with clients that use ES256, such as the Caddy web server, allowing them to successfully obtain certificates and establish secure HTTPS communication.

Jira:RHEL-98721[1]

IdM-to-IdM migration now available

IdM-to-IdM migration, previously available as a Technology Preview, is now fully supported with this release. You can use the ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, from one IdM server to another. This can be useful, for example, when moving IdM from a development or staging environment into a production one.

Jira:RHELDOCS-19500[1]

HSM is now fully supported in IdM

Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store the key pairs and certificates for your IdM Certificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.

IdM relies on the networking features of the HSM to share the keys between machines when creating replicas. The HSM provides additional security without visibly affecting most IdM operations. When using low-level tooling, the certificates and keys are handled differently, but this is seamless for most users.

Note

Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.

You need the following:

  • A supported HSM.
  • The HSM Public-Key Cryptography Standard (PKCS) #11 library.
  • An available slot, token, and the token password.

To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:

ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra

Jira:RHELDOCS-17465[1]

6.14. SSSD

Improved smart card authentication for environments with multiple PKCS#11 tokens

SSSD smart card authentication has been enhanced to handle authentication in environments that have multiple PKCS#11 tokens inserted simultaneously. This improves authentication, especially in STIG compliant environments that require multiple user accounts, each with distinct privileges and often tied to a separate PKI token.

Previously, SSSD might fail to authenticate if the first checked token did not contain a matching certificate, because SSSD did not continue searching for the appropriate certificate on other available tokens. With this update, SSSD scans all inserted PKCS#11 tokens for a matching authentication certificate, so that users can authenticate successfully.

Jira:RHEL-4976

The new SSSD option ldap_read_rootdse to control RootDSE reads

With this update, SSSD provides a new option, ldap_read_rootdse, to control how SSSD reads Root Directory Service Entry (RootDSE) from the LDAP server. By default, SSSD attempts to read the RootDSE anonymously before the user authenticates. However, this default behavior might conflict with strict security policies that typically restrict all anonymous binds to the LDAP server.

To manage this behavior, you can configure the ldap_read_rootdse option to authenticated to instruct SSSD to read the RootDSE only after a successful user authentication, or set it to never to completely prevent SSSD from attempting the read.

Jira:RHEL-13086[1]

6.15. Desktop

OpenGL and Vulkan are supported by default in Toolbx containers based on UBI

Before this update, you had to manually install Mesa-related packages to enable OpenGL and Vulkan support, which was not intuitive or documented.

With this enhancement, OpenGL and Vulkan work by default inside Toolbx containers created from updated UBI-based toolbox images, matching the behavior on Red Hat Enterprise Linux Workstation hosts. This includes only the free software drivers provided by Mesa, not proprietary ones like NVIDIA.

As a result, OpenGL and Vulkan applications can run inside Toolbx containers without additional configuration, improving usability and consistency with the host system.

Jira:RHEL-85074

6.16. The web console

cockpit rebased to version 344

The cockpit packages have been rebased to version 344, which provides many improvements and fixes compared to version 334 in RHEL 10.0, most notably:

  • Improved UI to the new style based on the PatternFly 6 design system.
  • Added support for the SMART (Self-Monitoring, Analysis and Reporting Technology) standard and the Stratis 3.8+ pool format in the Storage component.
  • Improved graphical VNC, control VNC, and serial consoles in the Virtual machines component.
  • Added support for IPv6 addresses for WireGuard VPNs in the Networking component.
  • All web console pages can be branded through the branding.css style-sheet file.

Jira:RHEL-87394

new subpackage: cockpit-ws-selinux

The SELinux policy for the cockpit_ws processes is provided in a separate subpackage, cockpit-ws-selinux. This prevents the RHEL web console from failing on a system without SELinux installed, where the package manager would otherwise install the selinux_policy packages as dependencies. See the cockpit_ws_selinux(8) man page on your system for more information.

Jira:RHEL-92061

6.17. Red Hat Enterprise Linux System Roles

Introduced a variable MaxRetention to configure the maximum retention parameter

With this update, users can configure the maximum retention parameter for journald, enabling time-based deletion of journal files. This enhancement provides flexibility in managing log data according to specific data retention policies, allowing both time-based log deletion and size-based deletion. It helps with compliance with data retention requirements and improves overall system performance by preventing excessive log storage.

Jira:RHEL-102635

metrics role supports enabling additional PCP PMDA

With this update, the rhel-system-roles package adds the metrics_optional_domains variable to the metrics system role. A domain is a set of metrics managed by a Performance Metrics Domain Agent (PMDA), such as a database, specialized hardware, or an application. Use this variable to enable additional PMDAs. The role adds these PMDAs to the default set (for example, the kernel) and the PMDAs that the role manages explicitly (for example, SQL Server databases). As a result, users can enable the domains they require for their specific use cases, improving flexibility in data collection and monitoring.

Jira:RHEL-101724

Ability to configure the default kernel in rhel-system-roles

Previously, users could not specify which kernel should be set as the default during system boot. This limitation prevented administrators from managing the default kernel selection through automation.

With this update, the rhel-system-roles package introduces the ability to configure the default bootloader kernel using a new default option. Users can now designate a single kernel as the default by setting the default boolean parameter in the kernel settings. The system validates that only one kernel can be marked as default, and applies the selection using grubby --set-default as required.

This enhancement improves flexibility and simplifies automation when managing kernel versions in RHEL.

Jira:RHEL-101671[1]

The ad_integration RHEL system role can control the SSSD domain section naming and consolidate duplicates

With this update, users can control the name of the section used in the SSSD config file for the domain or realm-specific settings that the ad_dyndns_update and ad_integration_sssd_custom_settings parameters manage. By default, the ad_integration role uses the lowercase form of the ad_integration_realm variable. However, if users want to use the actual case of ad_integration_realm, they can set the new option ad_integration_sssd_realm_preserve_case = true to preserve the case of the realm. This may leave the SSSD config file with multiple sections for the realm. Use the new ad_integration_sssd_remove_duplicate_sections setting to consolidate all of the settings from the multiple sections into the chosen section. As a result, the ad_integration system role can manage domain and realm sections in the SSSD config file correctly.

Jira:RHEL-99087

The journald RHEL system role can monitor disk space

With this update, you can configure the SystemKeepFree option in the journald.conf file to set a maximum size for the system journal. This improves overall system stability and performance. As a result, you can use the journald_system_keep_free variable to configure the size limit. The value is specified in megabytes. There is no default value; when the variable is unset, the journald default applies.

Jira:RHEL-95846

Introducing flexibility for package installation in ad_integration role

Previously, the ad_integration role always attempted to install the required packages, for example, realmd, sssd-ad, adcli, and many more that are listed in __ad_integration_packages. In environments where external systems handled package management, for example, via configuration management outside of this role, pre-baked images, or immutable systems, this step was redundant and undesirable.

With this update, users who manage package installation by other means and only want this role to join a domain can disable the package installation step. The notable enhancements are:

  • New Variable: Introduced a new boolean variable ad_integration_manage_packages to control whether the role installs packages.
  • Default Value: The default value is set to true in defaults/main.yml to ensure backward compatibility. Existing playbooks using this role will continue to function as before without modification.
  • Conditional Task: Added a when: ad_integration_manage_packages | bool condition to the "Ensure required packages are installed" task in tasks/main.yml. The task will now only run if the flag is true (the default).
  • Documentation: Updated README.md to include the new ad_integration_manage_packages variable, explaining its purpose and default value.
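The following playbook is an added example that combines the two ad_integration enhancements above (section naming and duplicate consolidation, and skipping package installation); it is not code from the release notes or from the role. It assumes the role is named rhel-system-roles.ad_integration, that ad_integration_user and ad_integration_password are the join-credential variables, and that ad_integration_sssd_custom_settings takes a list of key/value pairs; the realm and vault variable are constructed.

```yaml
---
# Added example: join an image-based host whose packages are already present,
# keep the realm's case in sssd.conf and merge any duplicate section.
- name: Join Active Directory without letting the role manage packages
  hosts: managed-node-01.example.com
  vars:
    ad_integration_realm: CORP.EXAMPLE.COM            # constructed realm
    ad_integration_user: Administrator                # assumed variable name
    # Keep the bind password out of the playbook: reference an Ansible Vault variable
    ad_integration_password: "{{ vault_ad_join_password }}"   # assumed variable name
    # realmd, sssd-ad, adcli, ... were baked into the image; the role must not touch them
    ad_integration_manage_packages: false
    # Name the section [domain/CORP.EXAMPLE.COM] rather than [domain/corp.example.com]
    ad_integration_sssd_realm_preserve_case: true
    # Fold an older lower-case section into the chosen one instead of leaving both
    ad_integration_sssd_remove_duplicate_sections: true
    # Settings below land in the realm section whose name the two options above control
    ad_dyndns_update: true
    ad_integration_sssd_custom_settings:              # assumed key/value structure
      - key: ldap_id_mapping
        value: "true"
  roles:
    - rhel-system-roles.ad_integration
```

With ad_integration_manage_packages set to false the role fails at join time rather than silently installing software if a required package is missing from the image, which is the behaviour you want on immutable or image-mode hosts. After the run, confirm that sssd.conf contains a single realm section with sssctl domain-list and by grepping for [domain/ in /etc/sssd/sssd.conf.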

Jira:RHEL-88312

The firewall RHEL system role now supports including other services

With this enhancement, you can include other services when you use the firewall RHEL system role to create firewalld service definitions. For example, you can create a service webserver that includes the http and https services. If you then enable the webserver service, firewalld opens the ports defined in the http and https services. For further details, see Creating a custom firewalld service by using the firewall RHEL system role.
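The following playbook is an added example of the webserver service described above; it is not code from the release notes or from the firewall RHEL system role. It assumes the role is named rhel-system-roles.firewall, that the firewall variable accepts a list of dictionaries, and that the keys service, short, description, includes, zone, permanent and state behave as their firewall-cmd counterparts.

```yaml
---
# Added example: define a firewalld service that includes http and https,
# then enable the composite service in a zone. Key names are assumptions.
- name: Create and enable a composite webserver firewalld service
  hosts: managed-node-01.example.com
  tasks:
    # Step 1: the service definition. Custom services only exist permanently,
    # so permanent: true is required here.
    - name: Define the webserver service from the built-in http and https services
      ansible.builtin.include_role:
        name: rhel-system-roles.firewall
      vars:
        firewall:
          - service: webserver
            short: Web server
            description: HTTP and HTTPS, composed from the built-in http and https services
            includes:
              - http
              - https
            permanent: true
            state: present

    # Step 2: enable the composite service; firewalld opens 80/tcp and 443/tcp
    - name: Allow the webserver service in the public zone
      ansible.builtin.include_role:
        name: rhel-system-roles.firewall
      vars:
        firewall:
          - service: webserver
            zone: public
            permanent: true
            state: enabled
```

Because includes are resolved by reference, the composite service inherits whatever the included services define later, including any ports or helper modules added to them; review them with firewall-cmd --info-service=http and --info-service=https, and verify the result with firewall-cmd --zone=public --list-services.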

Jira:RHEL-84953[1]

The podman role can generate any TOML-compliant configuration file

Before this update, the Jinja-based formatter did not support many TOML features, including tables and inline tables, which are required to configure all aspects of Podman. With this enhancement, the role uses a real TOML formatter instead of a simple Jinja template, so all TOML features are supported. As a result, the podman role can generate any TOML-compliant configuration file that Podman can use.

The podman role needs to preserve certain behaviors of the old formatter, so the TOML formatter is disabled by default. For the use cases that still require the old formatter, and for information about how to convert your inventory data to the new formatter, see the README file.

To use the new TOML formatter in all cases, set the podman_use_new_toml_formatter to true:

podman_use_new_toml_formatter: true

Jira:RHEL-84932[1]

Metrics role now supports Apache Spark metric collection and export

Previously, users could not directly collect or export Apache Spark metrics by using the metrics role. With this update, the rhel-system-roles package adds support for gathering metrics from, and exporting metrics to, Apache Spark. Two new boolean parameters are introduced, both false by default:

  • metrics_into_spark: enables exporting metric values into Spark.
  • metrics_from_spark: enables gathering metrics from Spark.

You can now both retrieve metrics from Spark and send metrics information into Spark, improving integration and monitoring capabilities for Spark workloads.

Jira:RHEL-78262[1]

Enables IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role

With this update, users can customize the chronyd configuration on RHEL 10.1 when IPv6 is disabled on a node. The enhancement provides two options: add a setting to the timesync role to disable IPv6, or pass a parameter to set the OPTIONS value for chronyd. These options enable IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role. This improves time synchronization accuracy and stability for environments where IPv6 is disabled.

Jira:RHEL-85689[1]

The ha_cluster RHEL System Role can now export resource definitions

Previously, the ha_cluster RHEL System Role’s export functionality did not include variables related to cluster resources, such as primitives, groups, and clones. This made it difficult to use the role to get a complete, reusable definition of an existing cluster’s configuration.

With this enhancement, the export functionality of the ha_cluster RHEL System Role has been updated to gather and export cluster resource definitions.

As a result, you can now use the ha_cluster RHEL System Role to export a complete cluster configuration that is compatible with the role’s input format. The exported data now includes the following variables:

  • ha_cluster_resource_primitives
  • ha_cluster_resource_groups
  • ha_cluster_resource_clones
  • ha_cluster_resource_bundles

Jira:RHEL-46225

The ha_cluster RHEL System Role can now export OS and pcsd configurations

Previously, when using the ha_cluster RHEL System Role to export the configuration of an existing cluster, the export did not include important OS-level settings such as repository, firewall, or SELinux configurations. This resulted in an incomplete definition, making it difficult to fully recreate a cluster from the exported data.

With this enhancement, the ha_cluster role’s export functionality now gathers and exports OS-level and pcsd daemon configurations from cluster nodes.

As a result, you can generate a more complete cluster definition from an existing deployment. This is useful for recreating the cluster or for bringing a cluster that was not created with the ha_cluster role under its management. The exported data now includes the following variables:

  • ha_cluster_enable_repos
  • ha_cluster_enable_repos_resilient_storage
  • ha_cluster_manage_firewall
  • ha_cluster_manage_selinux
  • ha_cluster_install_cloud_agents
  • ha_cluster_pcs_permission_list

Jira:RHEL-46224

Postfix provided in version 3.8.5

RHEL 10.0 provides Postfix in version 3.8.5. Notable changes include:

  • The Simple Mail Transfer Protocol (SMTP) and Local Mail Transfer Protocol (LMTP) clients support looking up DNS SRV records.
  • In previous releases, the PostgreSQL client encoding was hardcoded and set to LATIN1. With this release, you can use the encoding parameter to configure the encoding. Default: UTF8
  • Postfix supports threaded bounces. With this feature, mail readers can display a non-delivery, delayed delivery, or successful delivery notification in the same email thread as the original message.
  • Postfix logs Application error instead of Success or Unknown error: 0 when an operation fails with errno == 0, indicating the error originated from non-kernel code.
  • Postfix randomizes the initial state of in-memory hash tables to prevent hash collision attacks involving a large number of attacker-chosen lookup keys.
  • The postqueue command sanitizes non-printable characters, such as new lines, in strings before they are formatted as JSON or as legacy output.
  • By default, Postfix uses the Lightning Memory-Mapped Database (LMDB) backend. The previous default backend, Berkeley DB (BDB), is not available in RHEL 10. If you used BDB and upgrade from an earlier RHEL version to RHEL 10, you must convert the databases. For details, see Postfix fails with unsupported dictionary type: hash after upgrading to RHEL 10.

Jira:RHELDOCS-20766[1]

6.18. Virtualization

virtio-mem is available on IBM Z

With this update, virtio-mem, a paravirtualized memory device, can be used on IBM Z hardware. By using virtio-mem, you can dynamically add or remove host memory in virtual machines.

Jira:RHEL-72994[1]

New command for IBM Z hosts: virsh hypervisor-cpu-models

This update introduces the virsh hypervisor-cpu-models command. You can use this command on the IBM Z architecture to display which CPU models your hypervisor recognizes.

Jira:RHEL-58151[1]

virt-v2v can now convert VMware VMs that use NVMe disks

With this update, the libvirt toolset can correctly detect non-volatile memory express (NVMe) disks when analyzing the configuration of virtual machines (VMs) created on the VMware hypervisor. As a result, it is now possible to use the virt-v2v utility to convert such VMs for the KVM hypervisor.

Jira:RHEL-7390

Fast initialization NetKVM parameter 

This update adds a Fast Initialization (FastInit) parameter for NetKVM drivers. Enabling this parameter ensures that the driver allocates only a part of the required memory blocks to virtual queues, and then indicates readiness to the kernel. The remaining memory blocks are then initialized in the background. 

This makes starting or restarting the network in Windows virtual machines significantly faster, especially when the network back end uses a high number of virtual queues. However, it might also negatively impact performance before the background memory allocation is finished.

FastInit is enabled by default, but you can disable it by using the Device Manager app in the Windows guest operating system.

Jira:RHEL-40693

Performance-enhanced PCI translation for IBM Z guests

With this update, virtual machines (VMs) on IBM Z hosts can use identity-mapped direct memory access (DMA) for PCI devices. This feature significantly improves the performance of PCI device passthrough. Note that to use the feature, your system must be configured as follows:

  • The iommu.passthrough=1 parameter must be set up on the kernel command line of the VM.
  • The VM must have fully NUMA-pinned memory.
  • The RHEL host system must not be using logical partitioning (LPAR).

Jira:RHEL-52964[1]

virtio based keyboard driver improvements

With this update, the new virtio-based keyboard driver can capture early keyboard input in a virtual machine, in particular in firmware setup screens and in the GRUB boot loader menu.

Jira:RHEL-50[1]

New option for VM live migration: --available-switchover-bandwidth

When live-migrating a virtual machine (VM) by using the virsh migrate --live command, you can now add the --available-switchover-bandwidth option to specify the bandwidth at which the migration switches over to the destination host during the pre-copy phase. By default, the hypervisor measures the available bandwidth automatically. If that automatic measurement does not reliably allow the live migration to complete, setting --available-switchover-bandwidth explicitly can resolve the problem.

Jira:RHEL-20294

VMs can now use MSDM ACPI tables

On certain Windows guest operating systems, license activation requires the guest to be configured with a Microsoft Data Management (MSDM) Advanced Configuration and Power Interface (ACPI) table. For this purpose, you can now set up an MSDM ACPI table on virtual machines (VMs) hosted on RHEL. To do so, use the following lines in the XML configuration of the VM:

  <acpi>
    <table type="msdm">/path/to/table</table>
  </acpi>

Jira:RHEL-81041

Fine-grained configuration of VM actions on host shutdown

With this update, you can configure how the libvirt drivers handle virtual machines (VMs) when the host shuts down. For example, you can configure the VM memory to be saved when the host shuts down, and VMs to be started automatically from the saved memory when the host starts. For the specific configuration options, see the auto_shutdown parameters in the /etc/libvirt/virtqemud.conf file.

Note that this feature implements the same functionality as the libvirt-guests service, as configured in the /etc/sysconfig/libvirt-guests file. As a consequence, you cannot use the auto_shutdown configuration in virtqemud.conf at the same time as libvirt-guests.service.

For new deployments, using auto_shutdown in virtqemud.conf is recommended instead of libvirt-guests.service, and it will replace libvirt-guests.service completely in a future major release of RHEL.

Jira:RHEL-71662

New QEMU configuration parameter: migrate_tls_priority

With this update, you can configure the migrate_tls_priority parameter in the /etc/libvirt/qemu.conf file. You can use this parameter to work around QEMU issues with TLS when live migrating virtual machines. To obtain the recommended value to set if the default does not work on your deployment, contact Red Hat customer support.

Jira:RHEL-104382

New features for virtual machines on 64-bit ARM hosts

The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture (aarch64):

  • Live snapshots
  • Pre-copy migration with the following options:

    • TLS encryption and XBZRLE compression
    • Dirty rate monitoring
    • Auto-converge
  • Multi-FD migration with the following options:

    • TLS encryption and XBZRLE compression
    • Auto-converge
    • Zero-copy
  • Post-copy migration with the following options:

    • TLS encryption and XBZRLE compression
    • Recovery
    • Preemption
  • Live migration with virtiofs

Jira:RHELDOCS-20674[1]

Direct kernel boot supported for SecureBoot VMs

With this update, you can set up direct kernel boot in virtual machines (VMs) that are configured with the SecureBoot feature. To do so, use the <shim> element in the XML configuration of the VM, for example as follows:

 <os firmware="efi">
   ...
   <shim>/var/lib/libvirt/images/BOOTX64.EFI</shim>
 </os>

Jira:RHEL-68043

Support for multiple I/O threads in virtio-scsi devices

With this update, you can configure multiple I/O threads for a single virtio-scsi device. To do so, use the <iothreads> element in the XML configuration of the virtual machine to which the device is attached. This provides additional options for fine-tuning the performance and scalability of your virtual SCSI devices.

Jira:RHEL-77552

6.19. RHEL in cloud environments

Enhanced automatic registration for eligible RHEL images

With this update, RHEL instances based on eligible images from eligible marketplaces automatically receive content and updates from Red Hat content delivery network (CDN) instead of the Red Hat Update Infrastructure (RHUI). The RHUI repositories are turned off by default.

This ensures that users of subscribed RHEL instances automatically have access to the latest updates.

For additional details, see Understanding auto-registration.

Jira:RHELDOCS-21241[1]

RHEL is available on Azure confidential VMs

You can create and run RHEL confidential virtual machines (CVMs) on Microsoft Azure by using RHEL CVM images. The images support full disk encryption through the Confidential OS disk encryption feature in Azure.

Jira:RHELDOCS-21373[1]

New package: azure-vm-utils

This update adds the azure-vm-utils package, which provides a collection of utilities and udev rules to optimize the experience of using RHEL 10 as a guest operating system on Microsoft Azure.

Jira:RHEL-73904[1]

6.20. Supportability

sos now collects the Satellite metrics file for improved support diagnostics

The foreman-installer plugin of sos now collects the satellite_metrics.yml file located in the /var/lib/foreman-maintain/ directory. The file provides insight into which features of Satellite are in use and at what scale.

Jira:RHEL-71825

6.21. Containers

A new rhel10/valkey-8 container image is generally available in RHEL

The newly available rhel10/valkey-8 container image allows atomic operations and supports various data types, such as strings, hashes, lists, sets, and sorted sets. The image offers high performance because of its in-memory dataset, which can be persisted to disk, for example by appending each command to a log.

Jira:RHELDOCS-20640[1]

Improved support for reproducible container builds

Reproducible builds ensure that a given set of inputs consistently generates the same output. This enhancement addresses several factors that previously complicated reproducibility in container image builds. Using the --source-date-epoch and --rewrite-timestamp build options improves the reproducibility of builds and aligns with common practices, such as setting and honoring the SOURCE_DATE_EPOCH environment variable, but it cannot guarantee complete reproducibility.

Jira:RHEL-88522

New artifact endpoints for the Podman RESTful API

The Podman RESTful API now includes new artifact endpoints, enabling programmatic management of OCI artifacts. This enhancement simplifies integration of OCI artifact operations into existing systems and scripts.

Jira:RHEL-88473

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version v1.41.0, and Skopeo has been updated to version 1.20.0.

Podman release v5.6 contains the following notable bug fixes and enhancements over the previous version:

  • A new set of commands for managing Quadlets has been added as podman quadlet install (install a new Quadlet for the current user), podman quadlet list (list installed Quadlets), podman quadlet print (print the contents of a Quadlet file), and podman quadlet rm (remove a Quadlet).
  • The podman kube play command can restrict container execution to specific CPU cores and specific memory nodes using the io.podman.annotations.cpuset/$ctrname and io.podman.annotations.memory-nodes/$ctrname annotations.
  • The podman kube play command supports the lifecycle.stopSignal field in Pod YAML, allowing the signal used to stop containers to be specified.
  • The podman volume import and podman volume export commands are available in the remote Podman client.
  • The podman volume create command accepts two new options, --uid and --gid, to set the UID and GID the volume will be created with.
  • The podman secret create command has a new option, --ignore, causing the command to succeed even if a secret with the given name already exists.
  • The podman pull command has a new option, --policy, to configure pull policy.
  • The podman update command has a new option, --latest, to update the latest container instead of specifying a specific container.
  • A full set of API endpoints for interacting with artifacts has been added, including inspecting artifacts (GET /libpod/artifacts/{name}/json), listing all artifacts (GET /libpod/artifacts/json), pulling an artifact (POST /libpod/artifacts/pull), removing an artifact (DELETE /libpod/artifacts/{name}), adding an artifact (or appending to an existing artifact) from a tar file in the request body (POST /libpod/artifacts/add), pushing an artifact to a registry (/libpod/artifacts/{name}/push), and retrieving the contents of an artifact (GET /libpod/artifacts/{name}/extract).
  • A new command has been added, podman artifact extract, to copy some or all of the contents of an OCI artifact to a location on disk.
  • The --mount option to podman create, podman run, and podman pod create supports a new mount type, --mount type=artifact, to mount OCI artifacts into containers.
  • The podman artifact add command features two new options, --append to add new files to an existing artifact, and --file-type to specify the MIME type of the file added to the artifact.
  • The podman artifact rm command features a new option, --all, to remove all artifacts in the local store.
  • The podman kube generate and podman kube play commands support a new annotation, io.podman.annotation.pids-limit/$containername, preserving the PID limit for containers across kube generate and kube play.
  • Quadlet .container units support three new keys: Memory= (set the maximum memory for the created container), ReloadCmd= (execute a command via systemd ExecReload), and ReloadSignal= (kill the container with the given signal via systemd ExecReload).
  • Quadlet .container, .image, and .build units support two new keys: Retry= (number of times to retry pulling the image on failure) and RetryDelay= (delay between retries).
  • Quadlet .pod units support a new key, HostName=, to set the pod’s hostname.
  • Quadlet files support a new option, UpheldBy=, in the Install section, corresponding to the systemd Upholds= option.
  • The names of Quadlet units specified as systemd dependencies are automatically translated, for example Wants=my.container is valid.

For more information about notable changes, see upstream release notes.
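The following Pod YAML is an added example of the podman kube play annotations and the lifecycle.stopSignal field listed above; it is not from the release notes or from the Podman project. The image reference and the chosen CPU, NUMA, PID and signal values are constructed for the example, and the securityContext settings are ordinary Kubernetes fields that podman kube play also honours.

```yaml
# Added example: podman kube play web.yaml
# Annotation names follow the Podman 5.6 notes above; values are constructed.
apiVersion: v1
kind: Pod
metadata:
  name: web
  annotations:
    # Pin container "app" to CPUs 0-1 and NUMA memory node 0
    io.podman.annotations.cpuset/app: "0-1"
    io.podman.annotations.memory-nodes/app: "0"
    # Cap the container at 256 processes; a fork bomb cannot exhaust the host.
    # The annotation round-trips through podman kube generate unchanged.
    io.podman.annotation.pids-limit/app: "256"
spec:
  containers:
    - name: app
      image: registry.example.com/app:latest      # constructed image reference
      lifecycle:
        # Signal sent on "podman pod stop" before the kill timeout expires
        stopSignal: SIGINT
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          memory: 256Mi
```

After podman kube play web.yaml, verify the resulting limits on the host rather than trusting the manifest: podman inspect web-app --format '{{.HostConfig.PidsLimit}} {{.HostConfig.CpusetCpus}} {{.HostConfig.CpusetMems}} {{.Config.StopSignal}}' should report 256, 0-1, 0 and SIGINT respectively, and podman kube generate web should emit the pids-limit annotation again.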

Jira:RHEL-88463

The ADD and COPY instructions now support the --link option

Buildah and Podman now support the --link flag for ADD and COPY instructions in Containerfiles, which causes the new content to be added as its own layer in the built image.

Jira:RHEL-88308

StrictForwardPorts is now available in firewalld

When the StrictForwardPorts option in the /etc/firewalld/firewalld.conf configuration file is set to yes, port forwarding from Podman is no longer possible, and attempting to start a container or pod with the -p or -P options returns errors. All ports must be forwarded by using firewalld. This ensures that containers cannot allow traffic through the firewall without administrator intervention. See the netavark-firewalld man page for more details.

Jira:RHEL-27842

New rhel10/nodejs-24 and rhel10/nodejs-24-minimal container images available

The registry.redhat.io/rhel10/nodejs-24 and registry.redhat.io/rhel10/nodejs-24-minimal container images are now available in the Red Hat Container Registry.

Node.js is a platform built on Chrome’s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, ideal for data-intensive real-time applications that run across distributed systems.

Jira:RHELDOCS-20749[1]

RHEL image mode supports creating root-level directories and symlinks at runtime

With this release, you can use RHEL image mode to create root-level directories and symbolic links after system deployment, then return the filesystem to read-only mode. As a result, you can use a single base image across multiple deployment environments with different file system requirements.

Jira:RHELDOCS-21230[1]

bootc-image-builder uses the local container storage by default

With this release, the bootc-image-builder tool operates in local mode by default, which means it no longer pulls container images from remote registries. Before building disk images, you must pre-load the base bootc container image into the local container storage of the build system. If you have existing workflows that relied on automatic image pulling, you must update them. This change improves security by reducing external network dependencies during the build process.

Jira:RHELDOCS-21218[1]

6.22. RHEL Lightspeed

The command-line assistant supports image mode for RHEL

With this enhancement, you can customize your Containerfile to include the command-line-assistant package, create a disk image from a container image, and boot a system with that image. As a result, the system image has the command-line assistant preinstalled, and you can use it after you register your system with subscription-manager.

Jira:RHELDOCS-20546[1]

The command-line assistant context limit increased to 32KB input

Before this update, the command-line assistant had a 2KB input context limit and failed when the input exceeded it, which prevented thorough analysis of longer logs. With this release, the input context limit has been increased from 2KB to 32KB. As a result, the command-line assistant accepts larger inputs, enabling better log analysis and potential issue detection.

Jira:RHELDOCS-20421[1]

The command-line assistant for RHEL Lightspeed has better error handling and exit codes

With this enhancement, the command-line assistant brings better error handling and exit codes, such as:

  • Output different error messages based on different types of errors that can occur during CLA runtime.
  • Try to output an error message that corresponds to the actual cause of the error, and log it.
  • Implement different exit codes based on different types of issues.

Jira:RHELDOCS-21313[1]

Command-line assistant -w option displays current output

Before this update, when you tried to use the -w option without the current enable-capture mode, the command-line assistant incorrectly displayed output from an earlier session. With this update, the terminal capture log file is actively verified before outputting from the -w option. As a result, the mentioned problem is fixed, and the displayed output is accurate.

Jira:RHELDOCS-21315[1]

6.23. AI accelerator driver availability

Accelerator drivers available through Red Hat

With RHEL 10.1, third-party accelerator drivers and compute stacks, for example CUDA from NVIDIA and ROCm from AMD, are directly available to install from Red Hat. The kernel drivers are built and signed within the Red Hat infrastructure and work with Secure Boot. In addition, a new AppStream component, rhel-drivers, eases the installation of these third-party drivers, and regular updates are delivered through the existing dnf update process.

For instructions about installing AI accelerator drivers on RHEL, see the following Red Hat blog post: The new and simplified AI accelerator driver experience on Red Hat Enterprise Linux.

Jira:RHELDOCS-21377[1]

Simplified third-party driver installation with rhel-drivers

RHEL 10.1 introduces the rhel-drivers installer, which is available in the AppStream repository. With this tool, you can more easily install third-party hardware drivers for GPUs and AI accelerators by using a single, uniform command-line interface. The rhel-drivers tool manages the installation of complex driver stacks, such as the NVIDIA kernel module and CUDA libraries, by pulling packages directly from the RHEL Extensions and Supplementary channels.

Before this release, installing specialized hardware drivers on RHEL was a manual and inconsistent process. You had to find, download, and manage driver installations from various vendor websites. This approach created significant friction when setting up systems for high-performance computing or AI and machine learning workloads. With rhel-drivers, you can more easily, consistently, and reliably install and manage RHEL-distributed partner drivers. This streamlines system provisioning, ensures that you receive the latest supported driver versions directly from Red Hat repositories, and eliminates the need for manual downloads.

For example, you can install all necessary drivers with just two commands:

# dnf install rhel-drivers
# rhel-drivers install --auto-detect

Jira:RHEL-113198[1]
