Red Hat SummitChapter 7. Technology Preview features
This part provides a list of all Technology Preview features available in Red Hat Enterprise Linux 10.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
7.1. Installer and image creation
image-builder-cli replaces osbuild-composer and composer-cli (Technology Preview)
With this release, you can install and use the new image-builder-cli package to build an image with one command. The new tool supports containers and enhances your user experience to create a container image that you can use to build other images. This capability is a Technology Preview feature. For more details, see Installing RHEL image builder.
Jira:RHELDOCS-20354[1]
7.2. Software management
Support for signing packages with Sequoia PGP is available as a Technology Preview
The macros.rpmsign-sequoia macro file that configures RPM to use Sequoia PGP instead of GnuPG for signing packages is now available as a Technology Preview. To enable its usage, perform the following steps:
Install the following packages:
dnf install rpm-sign sequoia-sq
# dnf install rpm-sign sequoia-sqCopy to Clipboard Copied! Toggle word wrap Toggle overflow Copy the
macros.rpmsign-sequoiafile to the/etc/rpm/directory:cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/
$ cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Jira:RHEL-56363[1]
7.3. Shells and command-line tools
RHEL 10.1 provides ReaR on aarch64 as a Technology Preview
RHEL 10.1 introduces the Relax and Recover (ReaR) package for the 64-bit ARM architecture (aarch64) as a Technology Preview. ReaR is a disaster recovery tool that produces a bootable image that you can use to restore the system from a backup. You can currently use the following output methods with ReaR on aarch64: ISO, USB, and PXE.
For more information about ReaR, see the article What is Relax and Recover(ReaR) and how to use it for disaster recovery?
Jira:RHEL-84286[1]
7.4. Kernel
The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview
With this Technology Preview, the Red Hat Enterprise Linux for Real Time is now enabled for ARM64. The ARM64 is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.
Jira:RHELDOCS-19635[1]
7.5. File systems and storage
ublk_drv driver is available as a Technology Preview
The ublk_drv kernel module is now enabled as a technology preview. It provides the ublk framework with which you can create and build high-performance block devices from userspace. Currently, ublk requires userspace implementations, such as the Userspace Block Driver (ublksrv) or the Rust-based ublk (rublk), to function effectively.
Jira:RHELDOCS-19891[1]
NVMe/TCP using TLS is available as a Technology Preview
Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 10.0. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.
Jira:RHELDOCS-19968[1]
xfs_scrub utility is available as a Technology Preview
You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.
Jira:RHELDOCS-20041[1]
Limited shrinking of XFS file systems is available as Technology Preview
You can reduce the size of XFS file systems by using the xfs_growfs utility as a Technology Preview. You can remove blocks from the end of the file system by using xfs_growfs, provided that all of the following conditions are true:
- No metadata or data is allocated within the range to be removed.
- The requested size is within the last allocation group.
Jira:RHELDOCS-20042[1]
Mounting XFS file systems with blocks larger than system page is available as Technology preview
You can now mount XFS file systems created with a block size larger than the system page size as a Technology Preview. For example, a file system with 16-KB blocks can now be mounted on a system with a 4-KB page size, such as x86_64.
Jira:RHELDOCS-20043[1]
io-uring interface is available as a Technology Preview
The io_uring, which is an asynchronous I/O interface, is available as a Technology Preview. By default, this feature is disabled in RHEL 10. You can enable this interface by setting the kernel/io_uring_disabled variable:
- For all users:
echo 0 > /proc/sys/kernel/io_uring_disabled
# echo 0 > /proc/sys/kernel/io_uring_disabled- For root only:
echo 1 > /proc/sys/kernel/io_uring_disabled
# echo 1 > /proc/sys/kernel/io_uring_disabled
You can also disable io_uring for all processes:
echo 2 > /proc/sys/kernel/io_uring_disabled
# echo 2 > /proc/sys/kernel/io_uring_disabled7.6. Dynamic programming languages, web and database servers
Node.js 24 is available as a Technology Preview
A new nodejs24 component is available as a Technology Preview in Red Hat Enterprise Linux 10.1. This update introduces Node.js 24, which includes new features, bug fixes, security updates, and performance improvements compared to Node.js 22 in RHEL 10.0.
Currently, the nodejs24 package provides versioned binaries (/usr/bin/node-24, /usr/bin/npm-24, and /usr/bin/npx-24). To use these binaries, update the hashbang lines in your scripts to reference the version-specific paths. The ability for nodejs24 to provide the base binaries (/usr/bin/node and related files) might be included in a future update.
To install the nodejs24 package, enter:
dnf install nodejs24
# dnf install nodejs24
For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
7.7. Compilers and development tools
eu-stacktrace available as a Technology Preview
The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.
Jira:RHELDOCS-19072[1]
7.8. Identity Management
DNS over TLS (DoT) in IdM deployments is available as a Technology Preview
Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.
To start using this functionality, install the ipa-server-encrypted-dns package on IdM servers and replicas, and the ipa-client-encrypted-dns package on IdM clients. Administrators can enable DoT during the installation by using the --dns-over-tls option.
IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and non-interactive installations of IdM.
The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:
-
--dot-forwarderto specify an upstream DoT-enabled DNS server. -
--dns-over-tls-keyand--dns-over-tls-certto configure DoT certificates. -
--dns-policyto set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.
By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication by using the new --dns-policy option with the enforced setting.
You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service by using ipa-dns-install with the new DoT options.
See Securing DNS with DoT in IdM for more details.
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
Jira:RHELDOCS-20690[1]
Encrypted DNS with DoT is now available in ansible-freeipa installations of IdM as a Technology Preview
You can now use Ansible to ensure that all DNS queries and responses between DNS clients and Identity Management (IdM) DNS servers are encrypted. Encrypted DNS using DNS over TLS (DoT) has been available as a Technology Preview in IdM deployments since RHEL 10. In RHEL 10.1, the functionality is available as a Technology Preview in the freeipa.ansible_freeipa collection.
To enable DoT during a deployment of IdM by using ansible-freeipa use the following options:
-
ipaserver_dns_over_tlswith thefreeipa.ansible_freeipa.ipaserverrole for a new server. -
ipareplica_dns_over_tlswith thefreeipa.ansible_freeipa.ipareplicarole for a replica. -
dot_forwarderto specify an upstream DoT-enabled DNS server. -
dns_over_tls_keyanddns_over_tls_certto configure DoT certificates.
Additionally, you can set the dns_policy variable to enforce DoT-only communication, overriding the default behavior that allows fallback to unencrypted DNS.
Jira:RHELDOCS-20258[1]
7.9. Virtualization
VDUSE for RHEL networking is available as a Technology Preview
The virtio Data Path Acceleration (vDPA) device in userspace (VDUSE) feature is now available as a Technology Preview for RHEL networking. VDUSE is a Linux kernel mechanism, which allocates user-space for vDPA devices specifically. This mechanism enables a user-space process to register a virtio-class device, such as a NIC or block device, with the kernel in a controlled manner. As a result, you can use it on virtual machines or the host through standard vDPA or virtio interfaces.
Jira:RHEL-76477[1]
AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines are available as a Technology Preview
As a Technology Preview, RHEL provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the VM security.
In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.
RHEL also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving its memory integrity protection, which helps to prevent hypervisor-based attacks, such as data replay or memory re-mapping.
Note that:
- SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later.
- SEV-SNP works only on 3rd generation AMD EPYC CPUs (codenamed Milan) or later.
Also note that RHEL includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.
Jira:RHELDOCS-16800[1]
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 10. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 10 host can act as a hypervisor, and host its own VMs.
Jira:RHELDOCS-20080[1]
New package: trustee-guest-components
As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.
Jira:RHEL-73770[1]
Virtual Socket to TCP bridge is available as a Technology Preview
As a Technology Preview, you can use a Virtual Socket (vsock) to TCP bridge. By using this bridge, you can securely expose a virtual machine (VM) service, like SSH, to the host machine without configuring any IP networking.
To bridge your host’s connection directly to the SSH service inside the VM over the hypervisor’s private vsock channel, you can use a relay tool such as socat.
CCA in ARM virtual machines is available as a Technology Preview
As a Technology Preview, you can enable Confidential Compute Architecture (CCA) in RHEL 10.1 virtual machines (VMs). CCA, built on top of Realm Management Extension (RME), helps to maintain data privacy while it is in use within a virtual machine.
Currently, CCA can only be enabled in ARM VMs as a Technology Preview and not in a RHEL host.
7.10. Containers
Partial pulls for zstd:chunked are available as a Technology Preview
You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.
The podman artifact command is available as a Technology Preview
The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further informal, reference the man page.
The vrf option for the podman network create is available as a Technology Preview
The podman network create command now provides the vrf value for the --opt option, as a Technology Preview. The vrf value assigns a virtual routing and forwarding instance (VRF) to the bridge interface. It accepts the name of the VRF and defaults to none.
This option can only be used with the Netavark network backend.
Podman compatibility with Docker API is available as a Technology Preview
Podman supports the following Docker API versions as a Technology Preview:
- Docker API 1.41
- Docker API 1.43
7.11. Technology Preview features identified in previous releases
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 10.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
7.11.1. Networking
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.
For further details, see Setting up a WireGuard VPN.
Jira:RHELDOCS-20056[1]
KTLS available as a Technology Preview
In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records by using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.
Note that specific uses cases of kernel TLS offload might have a higher support status. For details see the release notes in the New features and enhancements chapter.
Jira:RHELDOCS-20440[1]
The PRP and HSR protocols are now available as a Technology Preview
This update adds the hsr kernel module that provides the following protocols:
- Parallel Redundancy Protocol (PRP)
- High-availability Seamless Redundancy (HSR)
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure redundancy with zero-time recovery in Ethernet networks.
Jira:RHELDOCS-20472[1]
NetworkManager enables configuring HSR and PRP interfaces
High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}