8.10 Release Notes

Ability to use partitioning mode on the blueprint filesystem customization

With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:

Filesystem customization policy changes in image builder

The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:

SCAP Security Guide rebased to 0.1.72

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:

OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

librdkafka rebased to 1.6.1

The librdkafka implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the CHANGELOG.md document provided in the librdkafka package.

libkcapi rebased to 1.4.0

The libkcapi library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:

stunnel rebased to 5.71

The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel default FIPS configuration is set to no, stunnel adapts to OpenSSL and FIPS mode is enabled.

OpenSSH limits artificial delays in authentication

OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.

libkcapi now provides an option for specifying target file names in hash-sum calculations

This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:

audit rebased to 3.1.2

The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:

openCryptoki rebased to version 3.22.0

The opencryptoki package has been updated to version 3.22.0. Notable changes include:

chrony rebased to version 4.5

The chrony suite has been updated to version 4.5. Notable changes include:

linuxptp rebased to version 4.2

The linuxptp protocol has been updated to version 4.2. Notable changes include:

firewalld now avoids unnecessary firewall rule flushes

The firewalld service does not remove all existing rules from the iptables configuration if both following conditions are met:

The ss utility adds visibility improvement to TCP bound-inactive sockets

The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:

nispor rebased to version 1.2.10

The nispor packages have been upgraded to upstream version 1.2.10, which provides several enhancements and bug fixes over the previous version:

Kernel version in RHEL 8.10

Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.

rtla rebased to version 6.6 of the upstream kernel source code

The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:

rteval was upgraded to the upstream version 3.7

With this update, the rteval utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.

SGX is now fully supported

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.

The Intel data streaming accelerator driver is now fully supported

The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list

With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This options covers the most common usecase of a real-time application running on isolated CPUs. Other usecases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.

DEP/NX support in the pre-boot stage

The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.

Support for TD RTMR measurement in GRUB and shim

Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).

The Storage RHEL System Roles now support shared LVM device management

The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.

multipathd now supports detecting FPIN-Li events for NVMe devices

Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.

Python 3.12 available in RHEL 8

RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, and the ubi8/python-312 container image.

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

A new module stream: ruby:3.3

RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 8.7.

A new module stream: php:8.2

RHEL 8.10 adds PHP 8.2, which provides several bug fixes and enhancements over version 8.0.

The name() method of the perl-DateTime-TimeZone module now returns the time zone name

The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.

A new module stream: nginx:1.24

The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.

A new module stream: mariadb:10.11

MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:

A new module stream: postgresql:16

RHEL 8.10 introduces PostgreSQL 16, which provides several new features and enhancements over version 15.

Git rebased to version 2.43.0

The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.

Git LFS rebased to version 3.4.1

The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.

Increased performance of the Python interpreter

All supported versions of Python in RHEL 8 are now compiled with the -O3 optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.

New GCC Toolset 14

GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 14: GCC rebased to version 14.2

In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2 with the release of the RHEA-2024:8864 advisory.

GCC Toolset 14: GDB rebased to version 14.2

In GCC Toolset 14, GDB has been updated to version 14.2 with the release of the RHBA-2024:8862 advisory. The following paragraphs list notable changes since GDB 12.1.

GCC Toolset 14: annobin rebased to version 12.70

In GCC Toolset 14, annobin has been updated to version 12.70 with the release of the RHBA-2024:8863 advisory. The updated set of the annobin tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.

GCC Toolset 13: GCC supports AMD Zen 5

With the release of the RHBA-2024:8829 advisory, the GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5 command-line option.

LLVM Toolset updated to 18.1.8

LLVM Toolset has been updated to version 18.1.8 with the release of the RHBA-2024:8828 advisory.

Rust Toolset rebased to version 1.79.0

Rust Toolset has been updated to version 1.79.0 with the release of the RHBA-2024:8827 advisory. Notable enhancements since the previously available version 1.75.0 include:

Go Toolset rebased to version 1.22

Go Toolset has been updated to version 1.22 with the release of the RHSA-2024:8876 advisory.

elfutils rebased to version 0.190

The elfutils package has been updated to version 0.190. Notable improvements include:

valgrind updated to 3.22

The valgrind package has been updated to version 3.22. Notable improvements include:

Clang resource directory moved

The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.

A new grafana-selinux package

Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.

Updated GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

LLVM Toolset rebased to version 17.0.6

LLVM Toolset has been updated to version 17.0.6.

Rust Toolset rebased to version 1.75.0

Rust Toolset has been updated to version 1.75.0.

Go Toolset rebased to version 1.21.0

Go Toolset has been updated to version 1.21.0.

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

Ant rebased to version 1.10.9

The ant:1.10 module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.

New package: maven-openjdk21

The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.

cmake rebased to version 3.26

The cmake package has been updated to version 3.26. Notable improvements include:

Identity Management users can now use external identity providers to authenticate to IdM

With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.

ipa rebased to version 4.9.13

The ipa package has been updated from version 4.9.12 to 4.9.13. Notable changes include:

Deleting expired KCM Kerberos tickets

Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.

Support for bcrypt password hashing algorithm for local users

With this update, you can enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm:

The idp Ansible module allows associating IdM users with external IdPs

With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user. 

IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules

With this update, the ansible-freeipa package now contains the following modules:

The delegation of DNS zone management enabled in ansible-freeipa

You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to set a per-zone access delegation permission.

The ansible-freeipa ipauser and ipagroup modules now support a new renamed state

With this update, you can use the renamed state in ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to change the group name of an existing IdM group.

The runasuser_group parameter is now available in ansible-freeipa ipasudorule

With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.

389-ds-base rebased to version 1.4.3.39

The 389-ds-base package has been updated to version 1.4.3.39.

The HAProxy protocol is now supported for the 389-ds-base package

Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

samba rebased to version 4.19.4

The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:

RHEL web console can now generate Ansible and shell scripts

In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.

Simplified managing storage and resizing partitions on Storage

The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.

The ad_integration RHEL system role now supports configuring dynamic DNS update options

With this update, the ad_integration RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:

The metrics RHEL System Role now supports configuring PMIE webhooks

With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.

The bootloader RHEL system role

This update introduces the bootloader RHEL system role. You can use this feature for stable and consistent configuration of boot loaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.

The logging role supports general queue and general action parameters in output modules

Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.

Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

New RHEL System Role for configuring fapolicyd

With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.

The network RHEL System role now supports new route types

With this enhancement, you can now use the following route types with the network RHEL System Role:

New rhc_insights.display_name option in the rhc role to set display names

You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.

The RHEL system roles now support LVM snapshot management

With this enhancement, you can use the new snapshot RHEL system roles to create, configure, and manage LVM snapshots.

The postgresql RHEL System Role now supports PostgreSQL 16

The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.

New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames

You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.

ForwardToSyslog flag is now supported in the journald system role

In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.

ratelimit_burst variable is only used if ratelimit_interval is set in logging system role

Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also required to set ratelimit_interval.

Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role

Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.

The ad_integration RHEL System Role now supports custom SSSD settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

The ad_integration RHEL System Role now supports custom SSSD domain configuration settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

New logging_preserve_fqdn variable for the logging RHEL System Role

Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.

Support for creation of volumes without creating a file system

With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.

The rhc system role now supports RHEL 7 systems

You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.

New mssql_ha_prep_for_pacemaker variable

Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.

The sshd role now configures certificate-based SSH authentications

With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.

selinux role now supports configuring SELinux in disabled mode

With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.

selinux role now prints a message when specifying a non-existent module

With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.

RHEL now supports Multi-FD migration of virtual machines

With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.

Secure Execution VMs on IBM Z now support cryptographic coprocessors

With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.

You can now replace SPICE with VNC in the web console

With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).

New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

New cloud-init clean option for deleting generated configuration files

The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:

RHEL instances on EC2 now support IPv6 IMDS connections

With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet.

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:

Podman now supports containers.conf modules

You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.

The Podman v4.9 RESTful API now displays data of progress

With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.

SQLite is now fully supported as a default database backend for Podman

With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.

Administrators can set up isolation for firewall rules by using nftables

You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.

Containerfile now supports multi-line instructions

You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.

Toolbx is now available

With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest image.

Installer now accepts additional time zone definitions in Kickstart files

Anaconda switched to a different, more restrictive method of validating time zone selections. This caused some time zone definitions, such as Japan, to be no longer valid despite being accepted in previous versions. Legacy Kickstart files with these definitions had to be updated. Otherwise, they would default to the Americas/New_York time zone.

Rules for managing virtual routing with ip vrf are added to the SELinux policy

You can use the ip vrf command to manage virtual routing of other network services. Previously, selinux-policy did not contain rules to support this usage. With this update, SELinux policy rules allow explicit transitions from the ip domain to the httpd, sshd, and named domains. These transitions apply when the ip command uses the setexeccon library call.

SELinux policy allows staff_r confined users to run sudo crontab

Previously, the SELinux policy did not contain rules to allow confined users to run the sudo crontab command. As a consequence, confined users in the staff_r role could not use sudo crontab to edit other users' crontab schedules. This update adds a rule to the policy, and as a result, staff_r users can use sudo crontab to edit other users' crontab schedules.

SELinux policy contains rules for additional services and applications

This version of the selinux-policy package contains additional rules. Most notably, users in the sysadm_r role can enter the following commands:

SELinux policy denies SSH login for unconfined users when unconfined_login is set to off

Previously, the SELinux policy was missing a rule to deny unconfined users to log in via SSH when the unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users still could log in with SSHD as an unconfined domain. This update adds a rule to the SELinux policy, and as a result, users cannot log in via sshd as unconfined when unconfined_login is off.

SELinux policy allows rsyslogd to enter confined commands

Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to enter SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the omprog directive failed. This update adds rules to the SELinux policy so that executables in the /usr/libexec/rsyslog directory that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands executed as an argument of omprog finish successfully.

Large SSHD configuration files no longer prevent login

Previously, when the SSHD configuration file was larger than 256 KB, an error occurred when logging into the system. As a consequence, remote systems were unreachable. This update removes the file size limitation, and therefore users can log in to the system when the SSHD configuration file is larger than 256 KB.

The yum needs-restarting --reboothint command now recommends a reboot to update the CPU microcode

To fully update the CPU microcode, you must reboot a system. Previously, when you installed the microcode_ctl package, which contains the updated CPU microcode, the yum needs-restarting --reboothint command did not recommend the reboot. With this update, the issue has been fixed, and yum needs-restarting --reboothint now recommends a reboot to update the CPU microcode.

systemd now correctly manages the /run/user/0 directory created by librepo

Previously, if the librepo functions were called from an Insights client before logging in root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

systemd now correctly manages the /run/user/0 directory created by libdnf

Previously, if the libdnf functions were called from an Insights client before logging in root, the /run/user/0 directory could be created with a wrong SELinux context type. This prevented systemd from cleaning the directory after you logged out from root.

ReaR now determines the presence of a BIOS boot loader when both BIOS and UEFI boot loaders are installed

Previously, in a hybrid boot loader setup (UEFI and BIOS), when UEFI was used to boot, Relax-and-Recover (ReaR) restored only the UEFI boot loader and not the BIOS boot loader. This would result in a system that had a GUID Partition Table (GPT), a BIOS Boot Partition, but not a BIOS boot loader. In this situation, ReaR failed to create the rescue image, the attempt to produce a backup or a rescue image by using the rear mkbackup or rear mkrescue command would fail with the following error message:

ReaR no longer uses the logbsize, sunit and swidth mount options during recovery

Previously, when restoring an XFS file system with the parameters different from the original ones by using the MKFS_XFS_OPTIONS configuration setting, Relax-and-Recover (ReaR) mounted this file system with mount options applicable for the original file system, but not for the restored file system. As a consequence, the disk layout recreation would fail with the following error message when ReaR ran the mount command :

ReaR recovery no longer fails on systems with a small thin pool metadata size

Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an LVM volume group with a thin pool. During recovery, ReaR re-created the pool with the default size even if the system used a non-default pool metadata size.

The pkla-compact binary is executed when the polkit is called on the logind-session-monitor event

Previously, re-verification of the authorizations for polkit actions was triggered by any logind-session-monitor event for all users. Each CheckAuthorization request executes the polkit-pkla-compat binary to check for legacy .pkla configuration files even if no such files are present on the system, which causes CPU usage to increase by the polkit daemon.

crash rebased to version 8.0.4

The crash utility has been upgraded to version 8.0.4, which provides multiple bug fixes. Notable fixes include:

tuna launches GUI when needed

Previously, if you ran the tuna utility without any subcommand, it would launch the GUI. This behavior was desirable if you had a display. In the opposite case, tuna on a machine without a display would not exit gracefully. With this update, tuna detects whether you have a display, and the GUI is launched or not launched accordingly.

Multipathd now checks if a device is incorrectly queuing I/O

Previously, a multipath device restarted queuing I/O, even though it was configured to fail, under the following conditions:

The no_read_workqueue, no_write_workqueue, and try_verify_in_taskle options of the dm-crypt and dm-verity devices are temporarily disabled

Previously, the dm-crypt devices created by using either the no_read_workqueue or no_write_workqueue option and dm-verity devices created by using the try_verify_in_tasklet option caused memory corruption. Consequently, random kernel memory was corrupted, which caused various system problems. With this update, these options are temporarily disabled. Note that this fix can cause dm-verity and dm-crypt to perform slower on some workloads.

Issues with moving and banning clone and bundle resources now corrected

This bug fix addresses two limitations of moving bundled and clone resources:

Output of pcs status command no longer shows warning for expired constraints

Previously, when moving a cluster resource created a temporary location constraint, the pcs status command displayed a warning even after the constraint expired. With this fix, the pcs status command filters out expired constraints and they no longer generate a warning message in the command output.

Disabling the auto_tie_breaker quorum option no longer allowed when SBD fencing requires it

Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster configuration required this option for SBD fencing to work correctly. With this fix, pcs generates an error message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires that the auto_tie_breaker option be enabled.

Configuring the tls and keep_active_partition_tie_breaker quorum device options without specifying --force

Previously, when configuring a quorum device, a user could not configure the tls and keep_active_partition_tie_breaker options for a quorum device model net without specifying the --force option. With this update, configuring these options no longer requires you to specify --force.

ldconfig no longer crashes after an interrupted system upgrade

Previously, the ldconfig utility stopped unexpectedly with a segmentation fault when processing incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this update, ldconfig ignores temporary files written during system upgrades. As a result, ldconfig no longer crashes after an interrupted system upgrade.

Improved glibc compatibility with applications using dlclose on shared objects involved in a dependency cycle

Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s ELF destructor might not have been called before all other objects were unloaded. As a consequence of this late ELF destructor execution, applications experienced crashes and other errors due to the initial shared object’s dependencies already being deinitialized.

Improved glibc wide-character write performance

Previously, the wide stdio stream implementation in glibc did not treat the default buffer size as large enough for wide-character write operations and used a 16-byte fallback buffer instead, negatively impacting performance. With this update, buffer management is fixed and the entire write buffer is used. As a result, glibc wide-character write performance is improved.

glibc dynamic linker prevents reentrant malloc calls made by applications using TLS access from custom malloc implementations

Some applications provide a custom malloc dynamic memory allocation implementation that uses global-dynamic thread-local storage (TLS) instead of initial-exec TLS. Previously, applications with bundled malloc calls that use global-dynamic TLS could experience reentrant calls into the application’s malloc subsystem. As a consequence, the application malloc call crashed due to stack exhaustion or unexpected state of internal data structures.

certmonger now correctly renews KDC certificates on hidden replicas

Previously, when the certificate was about to expire, certmonger failed to renew the KDC certificate on hidden replicas. This happened because the renewal process only considered non-hidden replicas as active KDCs. With this update, the hidden replicas are treated as active KDCs, and certmonger renews the KDC certificate successfully on these servers.

Automembership plug-in no longer cleans up groups by default

Previously, the automember rebuild task first removed all the memberships values and then rebuilt the memberships from scratch. As a result, the rebuild task was expensive, especially if other be_txn plugins were enabled.

Allocated memory now released when an operation is completed

Previously, memory allocated by the KCM for each operation was not being released until the connection was closed. As a result, for client applications that opened a connection and ran many operations on the same connection, it led to a noticeable memory increase because the allocated memory was not released until the connection closed. With this update, the memory allocated for an operation is now released as soon as the operation is completed.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

SSSD correctly returns an error if no grace logins remain while changing a password

Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after the initial bind of the user failed as there were no more grace logins left. However, the error returned to the user did not indicate the reason for the failure. With this update, the request to change the password is canceled if the bind fails and SSSD returns an error message indicating there are no more grace logins and the password must be changed by another means.

Removing systems from a domain using the realm leave command

Previously, if multiple names were set for the ad_server option in the sssd.conf file, running the realm leave command resulted in parsing errors and the system was not removed from the domain. With this update, the ad_server option is properly evaluated and the correct domain controller name is used and the system is correctly removed from the domain.

KCM logs to the correct sssd.kcm.log file

Previously, logrotate correctly rotated the Kerberos Credential Manager (KCM) log files but KCM incorrectly wrote the logs to the old log file, sssd_kcm.log.1. If KCM was restarted, it used the correct log file. With this update, after logrotate is invoked, log files are rotated and KCM correctly logs to the sssd_kcm.log file.

The realm leave --remove command no longer asks for credentials

Previously, the realm utility did not correctly check if a valid Kerberos ticket was available when running the realm leave operation. As a result, users were asked to enter a password even though a valid Kerberos ticket was available. With this update, realm now correctly verifies if there is a valid Kerberos ticket and no longer requests the user to enter a password when running the realm leave --remove command.

IdM Vault encryption and decryption no longer fails in FIPS mode

Previously, IdM Vault used OpenSSL RSA-PKCS1v15 as the default padding wrapping algorithm. However, none of the FIPS certified modules in RHEL supported PKCS#1 v1.5 as a FIPS approved algorithm, causing IdM Vault to fail in FIPS mode. With this update, IdM Vault supports the RSA-OAEP padding wrapping algorithm as a fallback. As a result, IdM Vault encryption and decryption now work correctly in FIPS mode.

Non-CA IdM replica installation no longer fails with server affinity configured

In some scenarios, installing an IdM replica without a certificate authority (CA) failed with CA_REJECTED errors. The failure occurred due to the certmonger service attempting to retrieve certificates and resulted in incomplete replication details when adding a new replica to a complex topology.

Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the AD-SIGNTICKET attribute.

SELinux labeling for dirsrv files was moved to DEBUG log level

Previously, SELinux labeling for dirsrv files had the INFO log level. With this update, the DEBUG log level is used for the dirsrv files the same way as it was in previous versions.

Directory Server no longer causes a segmentation fault when a backend is configured without a related suffix

Previously, if a backend was configured without a related suffix, Directory Server had a segmentation fault during startup. With this update, Directory Server checks if the suffix is associated with the backend before trying to access the suffix. As a result, the segmentation fault no longer occurs.

Directory Server no longer fails after abandoning the paged result search

Previously, a race condition was a reason for heap corruption and Directory Server failure during abandoning paged result search. With this update, the race condition was fixed, and Directory Server failure no longer occurs.

Directory Server now starts correctly after an upgrade if you configured a custom value for the connection table size

Previously, if you set a custom value for the connection table size and the nsslapd-conntablesize attribute was present in the dse.ldif file, Directory Server did not start after an upgrade. With this release, Directory Server starts correctly after the upgrade with nsslapd-conntablesize present in the dse.ldif file.

Directory Server no longer fails when Content Synchronization plug-in is enabled dynamically

Previously, if the Content Synchronization plug-in was enabled dynamically, the post-operation plug-in callback caused a segmentation fault because the pre-operation сallback was not registered. With this update, the post-operation plug-in callback verifies that the memory is initialized and Directory Server no longer fails.

Cluster start no longer times out when the SBD delay-start value is high

Previously, when a user configured SBD fencing in a cluster by using the ha_cluster system role and set the delay-start option to a value close to or higher than 90 seconds, the cluster start timed out. This is because the default systemd start timeout is 90 seconds, which the system reached before the SBD start delay value. With this fix, the ha_cluster system role overrides the sbd.service start timeout in systemd so that it is higher than the value of delay-start. This allows the system to start successfully even with high values of the delay-start option.

network role validates routing rules with 0.0.0.0/0 or ::/0

Previously, when the from: or to: settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule, the network RHEL system role failed to configure the routing rule and rejected the settings as invalid. With this update, the network role allows 0.0.0.0/0 and ::/0 for from: and to: in routing rule validation. As a result, the role successfully configures the routing rules without raising the validation errors.

The ha_cluster system role now correctly configures a firewall on a qnetd host

Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to true by using the ha_cluster system role, the role did not enable high-availability services in the firewall. With this fix, the ha_cluster system role now correctly configures a firewall on a qnetd host.

keylime_server role correctly reports registrar service status

Previously, when the keylime_server role playbook provided incorrect information, the role incorrectly reported the start as successful. With this update, the role now correctly reports a failure when incorrect information is provided, and the timeout when waiting for opened ports has been reduced from approximately 300 seconds to approximately 30 seconds.

The postgresql RHEL system role now installs the correct version of PostgreSQL

Previously, if you tried to run the postgresql RHEL system role with the postgresql_version: "15" variable defined on a RHEL managed node, PostgreSQL version 13 was installed instead of version 15. This bug has been fixed, and the postgresql role installs the version set in the variable.

The podman RHEL system role now sets and cancels linger properly for rootless containers

Previously, the podman RHEL system role did not set and cancel linger properly for rootless containers. Consequently, deploying secrets or containers for rootless users produced errors in some cases, and failed to cancel linger when removing resources in some cases. With this update, the podman RHEL system role ensures that linger is enabled for rootless users before doing any secret or container resource management, and ensures that linger is canceled for rootless users when there are no more secrets or container resources to be managed. As a result, the role correctly manages lingering for rootless users.

The podman RHEL system role now sets and cancels linger properly for rootless containers

Previously, the podman RHEL system role did not set and cancel linger properly for rootless containers. Consequently, deploying secrets or containers for rootless users produced errors in some cases, and failed to cancel linger when removing resources in some cases. With this update, the podman RHEL system role ensures that linger is enabled for rootless users before doing any secret or container resource management, and ensures that linger is canceled for rootless users when there are no more secrets or container resources to be managed. As a result, the role correctly manages lingering for rootless users.

Running read-scale clusters and installing mssql-server-ha no longer requires certain variables

Previously, if you used the mssql RHEL system role to configure a read-scale cluster without certain variables (mssql_ha_virtual_ip, mssql_ha_login, mssql_ha_login_password, and mssql_ha_cluster_run_role), the role failed with an error message Variable not defined. However, these variables are not necessary to run a read-scale cluster. The role also tried to install the mssql-server-ha, which is not required for a read-scale cluster. With this fix, the requirement for these variables was removed. As a result, running a read-scale cluster proceeds successfully without the error message.

The Kdump system role works correctly when the kexec_crash_size file is busy

The /sys/kernel/kexec_crash_size file provides the size of the memory region allocated for crash kernel memory.

selinux role no longer uses the item loop variable

Previously, the selinux RHEL system role used the  item loop variable. This might have resulted in the following warning message when you called the selinux role from another role:

Secret data is no longer logged with verbose logging

Previously, some tasks that handle secret data would log the contents. As a consequence, the logs showed secret data if verbose logging was being used. This update adds the no_log: true directive to tasks that can log secret data. As a result, secret data is not logged with verbose logging.

A volume quadlet service name no longer fails

Previously, starting the volume service name produced an error similar to the following one:

nbde_server role now works with socket overrides

Previously, the nbde_server RHEL system role assumed that the only file in the tangd socket override directory was the override.conf file for a custom port. Consequently, the role deleted the directory if there was no port customization without checking other files, and the system re-created the directory in subsequent runs.

A dump failure no longer blocks IBM Z VMs with Secure Execution from running

Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM remained in a paused state and was blocked from running. For example, dumping a VM by using the virsh dump command fails if there is not enough space on the disk.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP features that are available as Technology Preview

Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:

Multi-protocol Label Switching for TC available as a Technology Preview

The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route traffic flow across enterprise networks. In an MPLS network, the router that receives packets decides the further route of the packets based on the labels attached to the packet. With the usage of labels, the MPLS network has the ability to handle packets with particular characteristics. For example, you can add tc filters for managing packets received from specific ports or carrying specific types of traffic, in a consistent way.

act_mpls module available as a Technology Preview

The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set independently.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The kexec fast reboot feature is available as a Technology Preview

The kexec fast reboot feature continues to be available as a Technology Preview. The kexec fast reboot significantly speeds the boot process as you can boot directly into the second kernel without passing through the Basic Input/Output System (BIOS) or firmware first. To use this feature:

The accel-config package available as a Technology Preview

The accel-config package is now available on Intel EM64T and AMD64 architectures as a Technology Preview. This package helps in controlling and configuring data-streaming accelerator (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the json format.

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, a mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager, which provides managed file systems on top of pools of storage with additional features. It is provided as a Technology Preview.

NVMe/TCP host is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme_tcp.ko kernel module has been added as a Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included only for testing purposes and is not currently planned for full support.

Setting up a Samba server on an IdM domain member is provided as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on Podman, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 8.7 and later.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and later.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Technology Preview: Select Intel network adapters now provide SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 8.8 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

Sharing files between hosts and VMs using virtiofs

As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can efficiently share files between your host system and its virtual machines (VM).

RHEL confidential VMs are now available on Azure as a Technology Preview

With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL confidential VM images during boot on Azure.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Building multi-architecture images is available as a Technology Preview

The podman farm build command, which you can use to create multi-architecture container images, is available as a Technology Preview.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs:

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

The Kickstart autostep command has been deprecated

The autostep command has been deprecated. The related section about this command has been removed from the RHEL 8 documentation.

NSS SEED ciphers are deprecated

The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

Runtime disabling SELinux using /etc/selinux/config is now deprecated

Runtime disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file has been deprecated. In RHEL 9, when you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded.

The ipa SELinux module removed from selinux-policy

The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The functionality is now included in the ipa-selinux subpackage.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

crypto-policies derived properties are now deprecated

With the introduction of scopes for crypto-policies directives in custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as well. See the crypto-policies(7) man page for recommended replacements.

RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated

The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.

The deprecated --token option of subscription-manager register will stop working at the end of November 2024

The deprecated --token=<TOKEN> option of the subscription-manager register command will no longer be a supported authentication method from the end of November 2024. The default entitlement server, subscription.rhsm.redhat.com, will no longer be allowing token-based authentication. As a consequence, if you use subscription-manager register --token=<TOKEN>, the registration will fail with the following error message:

rpmbuild --sign is deprecated

The rpmbuild --sign command is deprecated since RHEL 8.1. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, is deprecated.

The OpenEXR component has been deprecated

The OpenEXR component has been deprecated. Hence, the support for the EXR image format has been dropped from the imagecodecs module.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The hidepid=n mount option is not supported in RHEL 8 systemd

The mount option hidepid=n, which controls who can access information in /proc/[pid] directories, is not compatible with systemd infrastructure provided in RHEL 8.

The /usr/lib/udev/rename_device utility has been deprecated

The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been deprecated.

The ABRT tool has been deprecated

The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been deprecated in RHEL 8. As a replacement, use the systemd-coredump tool to log and store core dumps, which are automatically generated files after a program crashes.

The ReaR crontab has been deprecated

The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The raw command has been deprecated

The raw (/usr/bin/raw) command has been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error.

The geoipupdate package has been deprecated

The geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in the next major RHEL version.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

The dropwatch tool is deprecated

The dropwatch tool has been deprecated. The tool will not be supported in future releases, thus it is not recommended for new deployments. As a replacement of this package, Red Hat recommends to use the perf command line tool.

The xinetd service has been deprecated

The xinetd service has been deprecated and will be removed in RHEL 9. As a replacement, use systemd. For further details, see How to convert xinetd service to systemd.

The cgdcbxd package is deprecated

Control group data center bridging exchange daemon (cgdcbxd) is a service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major RHEL release.

The WEP Wi-Fi connection method is deprecated

The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.

The unsupported xt_u32 module is now deprecated

Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the xt_u32 module is deprecated and will be removed in RHEL 9.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as a Technology Preview. Furthermore, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The Linux firewire sub-system and its associated user-space components are deprecated in RHEL 8

The firewire sub-system provides interfaces to use and maintain any resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as well.

Installing RHEL for Real Time 8 using diskless boot is now deprecated

Diskless booting allows multiple systems to share a root file system through the network. While convenient, diskless boot is prone to introducing network latency in real-time workloads. With the 8.3 minor update of RHEL for Real Time 8, the diskless booting feature is no longer supported.

Kernel live patching now covers all RHEL minor releases

Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch has been decreased from 12 to 6 months for every minor, major, and zStream version of the kernel. It means that on the day a kernel live patch is released, it will cover every minor release and scheduled errata kernel delivered in the past 6 months.

The crash-ptdump-command package is deprecated

The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and might not be available in future RHEL releases. The ptdump command fails to retrieve the log buffer when working in the Single Range Output mode and only works in the Table of Physical Addresses (ToPA) mode. crash-ptdump-command is currently not maintained upstream

The kernelopts environment variable has been deprecated

In RHEL 8, the kernel command-line parameters for systems using the GRUB boot loader were defined in the kernelopts environment variable. The variable was stored in the /boot/grub2/grubenv file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of RHEL, kernelopts will be removed and the kernel command-line parameters will be stored in the Boot Loader Specification (BLS) snippet instead.

Resilient Storage Add-On has been deprecated

The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On has been deprecated. The Resilient Storage Add-On will no longer be supported starting with Red Hat Enterprise Linux 10 and any subsequent releases after RHEL 10. The RHEL Resilient Storage Add-On will continue to be supported with earlier versions of RHEL (7, 8, 9) and throughout their respective maintenance support lifecycles.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

peripety is deprecated

The peripety package is deprecated since RHEL 8.3.

VDO write modes other than async are deprecated

VDO supports several write modes in RHEL 8:

VDO manager has been deprecated

The python-based VDO management software has been deprecated and will be removed from RHEL 9. In RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create VDO volumes using the lvcreate command.

cramfs has been deprecated

Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution.

pcs commands that support the clufter tool have been deprecated

The pcs commands that support the clufter tool for analyzing cluster configuration formats have been deprecated. These commands now print a warning that the command has been deprecated and sections related to these commands have been removed from the pcs help display and the pcs(8) man page.

The mod_php module provided with PHP for use with the Apache HTTP Server has been deprecated

The mod_php module provided with PHP for use with the Apache HTTP Server in RHEL 8 is available but not enabled in the default configuration. The module is no longer available in RHEL 9.

The gdb.i686 packages are deprecated

In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions of GDB, gdb.x86_64, are fully capable of debugging 32-bit applications.

libdwarf has been deprecated

The libdwarf library has been deprecated in RHEL 8. The library will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for applications that wish to process ELF/DWARF files.

openssh-ldap has been deprecated

The openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

DES and 3DES encryption types have been removed

Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.

The SSSD version of libwbclient has been removed

The SSSD implementation of the libwbclient package was deprecated in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of libwbclient has now been removed.

Standalone use of the ctdb service has been deprecated

Since RHEL 8.4, customers are advised to use the ctdb clustered Samba service only when both of the following conditions apply:

Limited support for FreeRADIUS

In RHEL 8, the following external authentication modules are deprecated as part of the FreeRADIUS offering:

Indirect AD integration with IdM via WinSync has been deprecated

WinSync is no longer actively developed in RHEL 8 due to several functional limitations:

Running Samba as a PDC or BDC is deprecated

The classic domain controller mode that enabled administrators to run Samba as an NT4-such as primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and settings to configure these modes will be removed in a future Samba release.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

Several bitmap fonts have been deprecated

The following bitmap font packages have been deprecated:

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

The remotectl command is deprecated

The remotectl command has been deprecated and will not be available in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note that cockpit-certificate-ensure does not have feature parity with remotectl. It does not support bundled certificates and keychain files and requires them to be split out.

The network System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on an RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

Ansible Engine has been deprecated

Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited scope of support, to enable supported RHEL Automation use cases, such as RHEL System Roles and Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no support after September 29, 2023. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.

The mssql_ha_cluster_run_role has been deprecated

The mssql_ha_cluster_run_role variable has been deprecated. Instead, use the mssql_manage_ha_cluster variable.

virsh iface-* commands have become deprecated

The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a future major version of RHEL. In addition, these commands frequently fail due to configuration dependencies.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor might become blocked, which negatively impacts the hypervisor performance for certain workloads.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA.

SPICE has been deprecated

The SPICE remote display protocol has become deprecated. Note that SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:

KVM on IBM POWER has been deprecated

Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM POWER is still supported in RHEL 8, but will become unsupported in a future major release of RHEL.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA-2 algorithm, or later.

Using SPICE to attach smart card readers to virtual machines has been deprecated

The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage of smart cards in VMs has also become deprecated in RHEL 8.

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

GIMP flatpak and GIMP modules are deprecated

GIMP flatpak and GIMP modules, both representing GNU Image Manipulation Program for raster graphics, are now marked as deprecated because of the End of Life (EOL) of Python 2 and will be removed in the next major RHEL release. As a replacement, you can use upstream flatpak versions based on Python 3.

The Podman varlink-based API v1.0 has been removed

The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API v1.0 has been completely removed.

container-tools:1.0 has been deprecated

The container-tools:1.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:2.0 or container-tools:3.0.

The container-tools:2.0 module has been deprecated

The container-tools:2.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:3.0.

Flatpak images except GIMP has been deprecated

The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because there is no replacement yet in RHEL 9.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed from Podman in a future minor release of RHEL. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

container-tools:3.0 has been deprecated

The container-tools:3.0 module has been deprecated and will no longer receive security updates. To continue to build and run Linux Containers on RHEL, use a newer, stable, and supported module stream, such as container-tools:4.0.

The rhel8/openssl has been deprecated

The rhel8/openssl container image has been deprecated.

The Inkscape and LibreOffice Flatpak images are deprecated

The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as Technology Previews, have been deprecated.

pasta as a network name has been deprecated

The support for pasta as a network name value is deprecated and will not be accepted in the next major release of Podman, version 5.0. You can use the pasta network name value to create a unique network mode within Podman by employing the podman run --network and podman create --network commands.

The BoltDB database backend has been deprecated

The BoltDB database backend is deprecated as of RHEL 8.10. In a future version of RHEL, the BoltDB database backend will be removed and will no longer be available to Podman. For Podman, use the SQLite database backend, which is now the default as of RHEL 8.10.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed in a future release. Use the Netavark network stack instead. For more information, see Switching the network stack from CNI to Netavark.

container-tools:4.0 has been deprecated

The container-tools:4.0 module has been deprecated and will no longer receive security updates. To continue to build and run Linux Containers on RHEL, use the newer, stable, and supported module stream container-tools:rhel8.

During RHEL installation on IBM Z, udev does not assign predictable interface names to RoCE cards enumerated by FID

If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is no workaround during the installation, but you can configure the feature after the installation. For further details, see Determining a predictable RoCE device name on the IBM Z platform.

Installation fails on IBM Power 10 systems with LPAR and secure boot enabled

RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. Consequently, when logical partition (LPAR) is enabled with the secure boot option, the installation fails with the error, Unable to proceed with RHEL-x.x Installation.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Network access is not enabled by default in the installation program

Several installation features require network access, for example, registration of a system using the Content Delivery Network (CDN), NTP server support, and network installation sources. However, network access is not enabled by default, and as a result, these features cannot be used until network access is enabled.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

IBM Power systems with HASH MMU mode fail to boot with memory allocation failures

IBM Power Systems with HASH memory allocation unit (MMU) mode support kdump up to a maximum of 192 cores. Consequently, the system fails to boot with memory allocation failures if kdump is enabled on more than 192 cores. This limitation is due to RMA memory allocations during early boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled instead of using kdump.

RHEL for Edge installer image fails to create mount points when installing an rpm-ostree payload

When deploying rpm-ostree payloads, used for example in a RHEL for Edge installer image, the installer does not properly create some mount points for custom partitions. As a consequence, the installation is aborted with the following error:

Images built with the stig profile remediation fails to boot with FIPS error

FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with the xccdf_org.ssgproject.content_profile_stig profile remediation, the system fails to boot with the following error:

OpenSC might not detect CardOS V5.3 card objects correctly

The OpenSC toolkit does not correctly read cache from different PKCS #15 file offsets used in some CardOS V5.3 cards. Consequently, OpenSC might not be able to list card objects and prevent using them from different applications.

sshd -T provides inaccurate information about Ciphers, MACs and KeX algorithms

The output of the sshd -T command does not contain the system-wide crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. Crypto policies are applied as command-line arguments to the sshd executable in the sshd.service unit during the service’s start by using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX algorithms differ from sshd -T to what is provided by current crypto policy level. As a result, the output from sshd -T matches the currently configured crypto policy.

RHV hypervisor might not work correctly when hardening the system during installation

When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise Linux 8 STIG profile, OSCAP Anaconda Add-on might harden the system as RHEL instead of RVH-H and remove essential packages for RHV-H. Consequently, the RHV hypervisor might not work. To work around the problem, install the RHV-H system without applying any profile hardening, and after the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV hypervisor works correctly.

CVE OVAL feeds are now only in the compressed format, and data streams are not in the SCAP 1.3 standard

Red Hat provides CVE OVAL feeds in the bzip2-compressed format and are no longer available in the XML file format. Because referencing compressed content is not standardized in the Security Content Automation Protocol (SCAP) 1.3 specification, third-party SCAP scanners can have problems scanning rules that use the feed.

Certain Rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in the Rsyslog remote logging application:

Server with GUI and Workstation installations are not possible with CIS Server profiles

The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either of these software selections will generate the error message:

Remediating service-related rules during Kickstart installations might fail

During a Kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable or disable state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a noncompliant state. As a workaround, you can scan and remediate the system after the Kickstart installation. This will fix the service-related issues.

Kickstart uses org_fedora_oscap instead of com_redhat_oscap in RHEL 8

The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary to keep compatibility with Red Hat Enterprise Linux 7.

libvirt overrides xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding

The libvirt virtualization framework enables IPv4 forwarding whenever a virtual network with a forward mode of route or nat is started. This overrides the configuration by the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding rule, and subsequent compliance scans report the fail result when assessing this rule.

The fapolicyd utility incorrectly allows executing changed files

Correctly, the IMA hash of a file should update after any change to the file, and fapolicyd should prevent execution of the changed file. However, this does not happen due to differences in IMA policy setup and in file hashing by the evctml utility. As a result, the IMA hash is not updated in the extended attribute of a changed file. Consequently, fapolicyd incorrectly allows the execution of the changed file.

The semanage fcontext command reorders local modifications

The semanage fcontext -l -C command lists local file context modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local from the most recent entry to the oldest. However, semanage fcontext -l -C lists the entries in a different order. This mismatch between processing order and listing order might cause problems when managing SELinux rules.

OpenSSL in FIPS mode accepts only specific D-H parameters

In FIPS mode, TLS clients that use OpenSSL return a bad dh value error and cancel TLS connections to servers that use manually generated parameters. This is because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known parameters of similar size. To work around this problem, use only the compliant groups.

crypto-policies incorrectly allow Camellia ciphers

The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy levels, as stated in the product documentation. However, the Kerberos protocol enables the ciphers by default.

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

The file_caching option is enabled in the default OpenSC configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning process through OpenSC fails.

Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries.

libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the yum install libselinux-python command.

udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.

SELINUX=disabled in /etc/selinux/config does not work properly

Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks.