8.6 Release Notes

Image Builder supports customized file system partition on LVM

With this enhancement, if you have more than one partition, you can create images with a customized file system partition on LVM and resize those partitions at runtime. For that, you can specify a customized filesystem configuration in your blueprint and then create images with the desired disk layout. The default filesystem layout remains unchanged - if you use plain images without file system customization, the root partition is resized by cloud-init.

RHEL for Edge now supports Greenboot built-in health checks by default

With this update, RHEL for Edge Greenboot now includes built-in health checks with watchdog feature to ensure that the hardware does not hang or freeze while rebooting. With that, you can benefit from the following features:

RHEL 8 rebased to rpm-ostree v2022.2

RHEL 8 is distributed with the rpm-ostree version v2022.2, which provides multiple bug fixes and enhancements. Notable changes include:

Merged system purpose commands under subscription-manager syspurpose

Previously, there were multiple subscription-manager modules (addons, role, service-level, and usage) for setting attributes related to system purpose. These modules have been moved under the new subscription-manager syspurpose module.

The modulesync command is now available to replace certain workflows in RHEL 8

In Red Hat Enterprise Linux 8, modular packages cannot be installed without modular metadata. Previously, you could use the yum command to download packages, and then use the createrepo_c command to redistribute those packages.

A new --path CLI option is added to RPM

With this update, you can query packages by a file that is currently not installed using a new --path CLI option. This option is similar to the existing --file option, but matches packages solely based on the provided path. Note that the file at that path does not need to exist on disk.

The lsvpd package rebased to version 1.7.13

The lsvpd package has been rebased to version 1.7.13. Notable bug fixes and enhancements include:

The net-snmp-cert gencert tool now uses the SHA512 encryption algorithm instead of SHA1

In order to increase security, the net-snmp-cert gencert tool has been updated to generate certificates using SHA512 encryption algorithm by default.

The dnn and text modules are available in the opencv package

The dnn module containing Deep Neural Networks for image classification inference and the text module for scene text detection and recognition are now available in the opencv package.

The powerpc-utils package rebased to version 1.3.9

The powerpc-utils package has been upgraded to version 1.3.9. Notable bug fixes, and enhancements include:

The powerpc-utils package now supports vNIC as a backup device

The powerpc-utils package now supports Virtual Network Interface cards (vNIC) as a backup vdevice for Hybrid Network Virtualization (HNV).

The opencryptoki package rebased to version 3.17.0

The opencryptoki package has been rebased to version 3.17.0. Notable bug fixes and enhancements include:

Certain network interfaces and IP addresses can be excluded when creating a rescue image

You can use the EXCLUDE_IP_ADDRESSES variable to ignore certain IP addresses, and the EXCLUDE_NETWORK_INTERFACES variable to ignore certain network interfaces when creating a rescue image.

New bind9.16 package version 9.16.23 introduced

A new bind9.16 package version 9.16.23 has been introduced as an alternative to bind component version 9.11.36. Notable enhancements include:

CUPS is available as a container image

The Common Unix Printing System (CUPS) is now available as a container image, and you can deploy it from the Red Hat Container Catalog.

The bind component rebased to version 9.11.36

The bind component has been updated to version 9.11.36. Notable bug fixes and enhancements include:

CUPS driverless printing is available in CUPS Web UI

CUPS driverless printing, based on the IPP Everywhere model, is available in the CUPS Web UI. In addition to the lpadmin command used in the CLI, you can create an IPP Everywhere queue in the CUPS Web UI to print to network printers without special software.

The pcsc-lite packages rebased to 1.9.5

The pcsc-lite packages have been rebased to upstream version 1.9.5. This update provides new enhancements and bug fixes, most notably:

Crypto policies support diffie-hellman-group14-sha256

You can now use the diffie-hellman-group14-sha256 key exchange (KEX) algorithm for the libssh library in RHEL system-wide cryptographic policies. This update also provides parity with OpenSSH, which also supports this KEX algorithm. With this update, libssh has diffie-hellman-group14-sha256 enabled by default, but you can disable it by using a custom crypto policy.

OpenSSH servers now support drop-in configuration files

The sshd_config file supports the Include directive, which means you can include configuration files in another directory. This makes it easier to apply system-specific configurations on OpenSSH servers by using automation tools such as Ansible Engine. It is also more consistent with the capabilities of the ssh_config file. In addition, drop-in configuration files also make it easier to organize different configuration files for different uses, such as filter incoming connections.

sshd_config:ClientAliveCountMax=0 disables connection termination

Setting the SSHD configuration option ClientAliveCountMax to 0 now disables connection termination. This aligns the behavior of this option with the upstream. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by the ClientAliveInterval option.

libssh rebased to 0.9.6

The libssh package has been rebased to upstream version 0.9.6. This version provides bug fixes and enhancements, most notably:

Libreswan rebased to 4.5

Libreswan has been rebased to upstream version 4.5. This version provides many bug fixes and enhancements, most notably:

New option to verify SELinux module checksums

With the newly added --checksum option to the semodule command, you can verify the versions of installed SELinux policy modules.

OpenSCAP can read local files

OpenSCAP can now consume local files instead of remote SCAP source data stream components. Previously, you could not perform a complete evaluation of SCAP source data streams containing remote components on systems that have no internet access. On these systems, OpenSCAP could not evaluate some of the rules in these data streams because the remote components needed to be downloaded from the internet. With this update, you can download and copy the remote SCAP source data stream components to the target system before performing the OpenSCAP scan and provide them to OpenSCAP by using the --local-files option with the oscap command.

SSG now scans and remediates rules for home directories and interactive users

OVAL content to check and remediate all existing rules related to home directories used by interactive users was added to the SCAP Security Guide (SSG) suite. Many benchmarks require verification of properties and content usually found within home directories of interactive users. Because the existence and the number of interactive users in a system may vary, there was previously no robust solution to cover this gap using the OVAL language. This update adds OVAL checks and remediations that detect local interactive users in a system and their respective home directories. As a result, SSG can safely check and remediate all related benchmark requirements.

SCAP rules now have a warning message to configure Audit log buffer for large systems

The SCAP rule xccdf_org.ssgproject.content_rule_audit_basic_configuration now displays a performance warning that suggests users of large systems where the Audit log buffer configured by this rule might be too small and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With this enhancement, users of large systems can stay compliant and have their Audit log buffer set correctly.

SSG now supports the /etc/security/faillock.conf file

This enhancement adds support for the /etc/security/faillock.conf file in SCAP Security Guide (SSG). With this update, SSG can assess and remediate the /etc/security/faillock.conf file for definition of pam_faillock settings. The authselect tool is also used to enable the pam_faillock module while ensuring the integrity of pam files. As a result, the assessment and remediation of the pam_faillock module is aligned with the latest versions and best practices.

SCAP Security Guide rebased to 0.1.60

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.60. This version provides various enhancements and bug fixes, most notably:

DISA STIG profile supports Red Hat Virtualization 4.4

The DISA STIG for Red Hat Enterprise Linux 8 profile version V1R5 has been enhanced to support Red Hat Virtualization 4.4. This profile aligns with the RHEL 8 Security Technical Implementation Guide (STIG) manual benchmark provided by the Defense Information Systems Agency (DISA). However, some configurations are not applied on hosts where Red Hat Virtualization (RHV) is installed because they prevent Red Hat Virtualization from installing and working properly.

OpenSCAP rebased to 1.3.6

The OpenSCAP packages have been rebased to upstream version 1.3.6. This version provides various bug fixes and enhancements, most notably:

clevis-systemd no longer depends on nc

With this enhancement, the clevis-systemd package no longer depends on the nc package. The dependency did not work correctly when used with Extra Packages for Enterprise Linux (EPEL).

audit rebased to 3.0.7

The audit packages have been upgraded to version 3.0.7 which introduces many enhancements and bug fixes. Most notably:

Audit now provides options for specifying the end of the event timeout

With this release, the ausearch tool supports the --eoe-timeout option, and the auditd.conf file contains the end_of_event_timeout option. You can use these options to specify the end of the event timeout to avoid problems with parsing co-located events. The default value for the end of the event timeout is set to two seconds.

Adding sudoers to Audit base rules

With this enhancement, the /etc/sudoers and the etc/sudoers.d/ directories are added to Audit base rules such as the Payment Card Industry Data Security Standard (PCI DSS) and the Operating Systems Protection Profile (OSPP). This increases the security by monitoring configuration changes in privileged areas such as sudoers.

Rsyslog includes the mmfields module for higher-performance operations and CEF

Rsyslog now includes the rsyslog-mmfields subpackage which provides the mmfields module. This is an alternative to using the property replacer field extraction, but in contrast to the property replacer, all fields are extracted at once and stored inside the structured data part. As a result, you can use mmfields particularly for processing field-based log formats, for example Common Event Format (CEF), and if you need a large number of fields or reuse specific fields. In these cases, mmfields has better performance than existing Rsyslog features.

libcap rebased to version 2.48

The libcap packages have been upgraded to upstream version 2.48, which provides a number of bug fixes and enhancements over the previous version, most notably:

fapolicyd rebased to 1.1

The fapolicyd packages have been upgraded to the upstream version 1.1, which contains many improvements and bug fixes. Most notable changes include the following:

libseccomp rebased to 2.5.2

The libseccomp packages have been rebased to upstream version 2.5.2. This version provides bug fixes and enhancements, most notably:

CleanUpModulesOnExit firewalld global configuration option is now available

Previously, when restarting or otherwise shutting down firewalld, firewalld recursively unloaded kernel modules. As a result, other packages attempting to use these modules or dependent modules would fail. With this upgrade, users can set the CleanUpModulesOnExit option to no to stop firewalld from unloading these kernel modules.

Restoring large nftables sets requires less memory

With this enhancement, the nftables framework requires significantly less memory when you restore large sets. The algorithm which prepares the netlink message has been improved, and, as a result, restoring a set can use up to 40% less memory.

The nmstate API now supports OVS-DPDK

This enhancement adds the schema for the Open vSwitch (OVS) Data Plane Development Kit (DPDK) to the nmstate API. As a result, you can use nmstate to configure OVS devices with DPDK ports.

The nmstate API now supports VLAN and QoS ID in SR-IOV virtual functions

This update enhances the nmstate API with support for local area network (VLAN) and quality of service (QoS) in single root I/O virtualization (SR-IOV) virtual functions. As a result, you can use nmstate to configure these features.

NetworkManager rebased to version 1.36.0

The NetworkManager packages have been upgraded to upstream version 1.36.0, which provides a number of enhancements and bug fixes over the previous version:

The hostapd package has been added to RHEL 8.6

With this release, RHEL provides the hostapd package. However, Red Hat supports hostapd only to set up a RHEL host as an 802.1X authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or authenticators in Wi-Fi networks, are not supported.

NetworkManager now supports setting the number of receiving queues (rx_queue) on OVS-DPDK interfaces

With this enhancement, you can use NetworkManager to configure the n_rxq setting of Open vSwitch (OVS) Data Plane Development Kit (DPDK) interfaces. Use the ovs-dpdk.n-rxq attribute in NetworkManager to set the number of receiving queues on OVS-DPDK interfaces.

The nftables framework now supports nft set elements with attached counters

Previously, in the netfilter framework, nftables set counters were not supported. The nftables framework is configurable by the nft tool. The kernel allows this tool to count the network packets from a given source address with a statement add @myset {ip saddr counter}. In this update, you can count packets that match a specific criteria with a dynamic set and elements with attached counters.

The nispor packages are now fully supported

The nispor packages, previously available as a Technology Preview, are now fully supported. This enhancement adds support for NetStateFilter to use the kernel filter on network routes and interfaces.

Kernel version in RHEL 8.6

Red Hat Enterprise Linux 8.6 is distributed with the kernel version 4.18.0-372.

Extended Berkeley Packet Filter for RHEL 8.6

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

Red Hat, by default, enables eBPF in all RHEL versions for privileged users only

Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0.

The osnoise and timerlat tracers were added in RHEL 8

The osnoise tracer measures operating system noise. That is, the interruptions of applications by the OS and hardware interrupts. It also provides a set of tracepoints to help find the source of the OS noise. The timerlat tracer measures the wakeup latencies and helps to identify the causes of such latencies of real-time (RT) threads. In RT computing, latency is absolutely crucial and even a minimal delay can be detrimental. The osnoise and timerlat tracers enable you to investigate and find causes of OS interference with applications and wakeup delay of RT threads.

The strace utility can now display mismatches between the actual SELinux contexts and the definitions extracted from the SELinux context database

An existing --secontext option of strace has been extended with the mismatch parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (!!), first the actual context, then the expected one. In the examples below, the full,mismatch parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary mismatch, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.

The --cyclictest-threshold option has been added to the rteval utility

With this enhancement, the --cyclictest-threshold=USEC option has been added to the rteval test suite. Using this option you can specify a threshold value. The rteval test run ends immediately if any latency measurements exceed this threshold value. When latency expectations are not met, the run aborts with a failure status.

RHEL 8.6 is compatible with RHEL 9 XFS images

With this update, RHEL 8.6 is now able to use RHEL 9 XFS images. RHEL 9 XFS guest images must have bigtime and inode btree counters (inobtcount) on-disk capabilities allowed in order to mount the guest image with RHEL 8.6. Note that file systems created with bigtime and inobtcount features are not compatible with versions earlier than RHEL 8.6.

Options in Samba utilities have been renamed and removed for a consistent user experience

The Samba utilities have been improved to provide a consistent command-line interface. These improvements include renamed and removed options. Therefore, to avoid problems after the update, review your scripts that use Samba utilities, and update them, if necessary.

Compiler barrier changed to static inline function compiler_barrier to avoid name conflict with function pointers

This enhancement provides additional features and a patch for a potential data corruption bug. The compiler barrier is now set to a static inline function compiler_barrier. No name conflict occurs with the hardware store barrier, when implementing hardware fencing for non-temporal memcpy variants, while using a function pointer. As a result, RHEL 8.6 now includes pmdk version 1.11.1.

The pcmk_delay_base parameter may now take different values for different nodes

When configuring a fence device, you now can specify different values for different nodes with the pcmk_delay_base parameter. This allows a single fence device to be used in a two-node cluster, with a different delay for each node. This helps prevent a situation where each node attempts to fence the other node at the same time. To specify different values for different nodes, you map the host names to the delay value for that node using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when fencing node1 and a 10-second delay when fencing node2.

Specifying automatic removal of location constraint following resource move

When you execute the pcs resource move command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. A new --autodelete option for the pcs resource move command, previously available as a Technology Preview, is now fully supported. When you specify this option, the location constraint that the command creates is automatically removed once the resource has been moved.

Detailed Pacemaker status display for internal errors

If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is not installed or there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.

Support for special characters inside pcmk_host_map values

The pcmk_host_map property now supports special characters inside pcmk_host_map values using a backslash (\) in front of the value. For example, you can specify pcmk_host_map="node3:plug\ 1" to include a space in the host alias.

pcs suppport for OCF Resource Agent API 1.1 standard

The pcs command-line interface now supports OCF 1.1 resource and STONITH agents. An OCF 1.1 agent’s metadata must comply with the OCF 1.1 schema. If an OCF 1.1 agent’s metadata does not comply with the OCF 1.1 schema, pcs considers the agent invalid and will not create or update a resource of the agent unless the --force option is specified. The pcsd Web UI and pcs commands for listing agents omit OCF 1.1 agents with invalid metadata from the listing.

New fencing agent for OpenShift

The fence_kubevirt fencing agent is now available for use with RHEL High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt agent, see the fence_kubevirt(8) man page.

A new module stream: php:8.0

RHEL 8.6 adds PHP 8.0, which provides a number of bug fixes and enhancements over version 7.4

A new module stream: perl:5.32

RHEL 8.6 introduces Perl 5.32, which provides a number of bug fixes and enhancements over Perl 5.30 distributed in RHEL 8.3.

A new package: nginx-mod-devel

A new nginx-mod-devel package has been added to the nginx:1.20 module stream. The package provides all necessary files, including RPM macros and nginx source code, for building external dynamic modules for nginx.

MariaDB Galera now includes an upstream version of the garbd systemd service and a wrapper script

MariaDB 10.3 and MariaDB 10.5 in RHEL 8 include a Red Hat version of garbd systemd service and a wrapper script for the galera package in the /usr/lib/systemd/system/garbd.service and /usr/sbin/garbd-wrapper files, respectively.

New command for capturing glibc optimization data

The new ld.so --list-diagnostics command captures data that influences glibc optimization decisions, such as IFUNC selection and glibc-hwcaps configuration, in a single machine-readable file.

glibc string functions are now optimized for Fujitsu A64FX

With this update, glibc string functions exhibit increased throughput and reduced latency on A64FX CPUs.

New UTF-8 locale en_US@ampm with 12-hour clock

With this update, you can now use a new UTF-8 locale en_US@ampm with a 12-hour clock. This new locale can be combined with other locales by using the LC_TIME environment variable.

New location for libffi's self-modifying code

With this update libffi's self-modifying code takes advantage of a feature in the RHEL 8 kernel to create a suitable file independent of any file system. As a result, libffi's self-modifying code no longer depends on making part of the filesystem insecure.

Updated GCC Toolset 11

GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GDB disassembler now supports the new arch14 instructions

With this update, GDB is able to disassemble new arch14 instructions.

LLVM Toolset rebased to version 13.0.1

LLVM Toolset has been upgraded to version 13.0.1. Notable changes include:

Rust Toolset rebased to 1.58.1

The Rust Toolset has been rebased to version 1.58.1. Notable changes include:

Go Toolset rebased to version 1.17.7

Go Toolset has been upgraded to version 1.17.7. Notable changes include:

pcp rebased to 5.3.5

The pcp package has been rebased to version 5.3.5. Notable changes include:

The grafana package rebased to version 7.5.11

The grafana package has been rebased to version 7.5.11. Notable changes include:

grafana-pcp rebased to 3.2.0

The grafana-pcp package has been rebased to version 3.2.0. Notable changes include:

js-d3-flame-graph rebased to 4.0.7

The js-d3-flame-graph package has been rebased to version 4.0.7. Notable changes include:

Power consumption metrics now available in PCP

The new pmda-denki Performance Metrics Domain Agent (PMDA) reports metrics related to power consumption. Specifically, it reports:

A new module: log4j:2

A new log4j:2 module is now available in the AppStream repository. This module contains Apache Log4j 2, which is a Java logging utility and a library enabling you to output log statements to a variety of output targets.

ansible-freeipa is now available in the AppStream repository with all dependencies

Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are available in the rhel-9-for-x86_64-appstream-rpms repository.

IdM now supports the automountlocation, automountmap, and automountkey Ansible modules

With this update, the ansible-freeipa package contains the ipaautomountlocation, ipaautomountmap, and ipaautomountkey modules. You can use these modules to configure directories to be mounted automatically for IdM users logged in to IdM clients in an IdM location. Note that currently, only direct maps are supported.

The support for managing subID ranges is available in the shadow-utils

Previously, shadow-utils configured the subID ranges automatically from the /etc/subuid and /etc/subgid files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with this update, an SSSD implementation of the shadow-utils plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in the containerized environment to facilitate rootless containers.

An alternative to the traditional RHEL ansible-freeipa repository: Ansible Automation Hub

With this update, you can download ansible-freeipa modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository.

ansible-freeipa modules can now be executed remotely on IdM clients

Previously, ansible-freeipa modules could only be executed on IdM servers. This required your Ansible administrator to have SSH access to your IdM server, causing a potential security threat. With this update, you can execute ansible-freeipa modules remotely on systems that are IdM clients. As a result, you can manage IdM configuration and entities in a more secure way.

The ipadnsconfig module now requires action: member to exclude a global forwarder

With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa ipadnsconfig module requires using the action: member option in addition to the state: absent option. If you only use state: absent in your playbook without also using action: member, the playbook fails. Consequently, to remove all global forwarders, you must specify all of them individually in the playbook. In contrast, the state: present option does not require action: member.

Identity Management now supports SHA384withRSA signing by default

With this update, the Certificate Authority (CA) in IdM supports the SHA-384 With RSA Encryption signing algorithm. SHA384withRSA is compliant with the Federal Information Processing Standard (FIPS).

SSSD default SSH hashing value is now consistent with the OpenSSH setting

The default value of ssh_hash_known_hosts has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default.

samba rebased to version 4.15.5

The samba packages have been upgraded to upstream version 4.15.5, which provides bug fixes and enhancements over the previous version:

Directory Server rebased to version 1.4.3.28

The 389-ds-base packages have been upgraded to upstream version 1.4.3, which provides a number of bug fixes and enhancements over the previous version:

Directory Server now stores memory-mapped files of databases on a tmpfs file system

In Directory Server, the nsslapd-db-home-directory parameter defines the location of memory-mapped files of databases. This enhancement changes the default value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/ to /dev/shm/. As a result, with the internal databases stored on a tmpfs file system, the performance of Directory Server increases.

Security classification banners at login and in the desktop session

You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.

Intel Alder Lake-P GPUs are now supported

This release adds support for the Intel Alder Lake-P CPU microarchitecture with integrated graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:

Smart card authentication for sudo and SSH from the web console

Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.

RHEL web console provides Insights registration by default

With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL system, the Connect this system to Red Hat Insights. check box is checked by default. If you do not want to connect to the Insights service, uncheck the box.

Cockpit now supports using an existing TLS certificate

With this enhancement, the certificate does not have strict file permission requirements any more (such as root:cockpit-ws 0640), and thus it can be shared with other services.

The Firewall RHEL system role has been added in RHEL 8

The rhel-system-roles.firewall RHEL system role was added to the rhel-system-roles package. As a result, administrators can automate their firewall settings for managed nodes.

Full Support for HA Cluster RHEL system role

The High Availability Cluster (HA Cluster) role, previously available as a Technology Preview, is now fully supported. The following notable configurations are available:

The Networking system role now supports OWE

Opportunistic Wireless Encryption (OWE) is a mode of opportunistic security for Wi-Fi networks that provides encryption of the wireless medium but no authentication, such as public hot spots. OWE uses encryption between Wi-Fi clients and access points, protecting them from sniffing attacks. With this enhancement, the Networking RHEL system role supports OWE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks which use OWE.

The Networking system role now supports SAE

In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL system role supports SAE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks, which use WPA-SAE.

The Cockpit RHEL system role is now supported

With this enhancement, you can install and configure the web console in your system. Consequently, you can manage web console in an automated manner.

Add support for raid_level for LVM volumes

The Storage RHEL system role can now specify the raid_level parameter for LVM volumes. As a result, LVM volumes can be grouped into RAIDs using the lvmraid feature.

The NBDE client system role supports systems with static IP addresses

Previously, restarting a system with a static IP address and configured with the NBDE client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE client system role, and their IP addresses do not change after a reboot.

Support for cached volumes is available in the Storage system role

Storage RHEL system role can now create and manage cached LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD.

Support to add Elasticsearch username and password for authentication from rsyslog

This update adds the Elasticsearch username and password parameters to the logging system role, to enable the rsyslog to authenticate to Elasticsearch using username and password.

Ansible Core support for the RHEL system roles

As of RHEL 8.6 GA release, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must manually migrate their systems from Ansible Engine to Ansible Core.

The network RHEL system role now supports both named and numeric routing tables in static routes.

This update adds support for both the named and numeric routing tables in static routes, which is a prerequisite for supporting the policy routing (for example, source routing). The users can define policy routing rules later to instruct the system which table to use to determine the correct route. As a result, after the user specifies the table attribute in the route, the system can add routes into the routing table.

The Certificate role consistently uses "Ansible_managed" comment in its hook scripts

With this enhancement, the Certificate role generates pre-scripts and post-scripts to support providers, to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable:

The Terminal session recording system role uses the "Ansible managed" comment in its managed configuration files

The Terminal session recording role generates 2 configuration files:

Microsoft SQL system role now supports customized repository for disconnected or Satellite subscriptions

Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from Microsoft SQL Role . This update fixes it, by enabling users to provide a customized URL to use for RPM key, client and server mssql repositories. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs.

The Microsoft SQL system role consistently uses "Ansible_managed" comment in its managed configuration files

The mssql role generates the following configuration file:

Support to all bonding options added to the Networking system role

This update provides support to all bonding options to the Networking RHEL system role. Consequently, it enables you to flexibly control the network transmission over the bonded interface. As a result, you can control the network transmission over the bonded interface by specifying several options to that interface.

NetworkManager supports specifying a network card using its PCI address

Previously, during setting a connection profile, NetworkManager was only allowed to specify a network card using either its name or MAC address. In this case, the device name is not stable and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can specify a network card based on its PCI address in a connection profile.

A new option auto_gateway controls the default route behavior

Previously, the DEFROUTE parameter was not configurable with configuration files but only manually configurable by naming every route. This update adds a new auto_gateway option in the ip configuration section for connections, with which you can control the default route behavior. You can configure auto_gateway in the following ways:

The VPN role consistently uses Ansible_managed comment in its managed configuration files

The VPN role generates the following configuration file:

New source parameter in the Firewall system role

You can now use the source parameter of the Firewall system role to add or remove sources in the firewall configuration.

The Networking system role now uses the ‘Ansible managed’ comment in its managed configuration files

When using the initscripts provider, the Networking system role now generates commented ifcfg files in the /etc/sysconfig/network-scripts directory. The Networking role inserts the Ansible managed comment using the Ansible standard ansible_managed variable. The comment declares that an ifcfg file is managed by Ansible, and indicates that the ifcfg file should not be edited directly as the Networking role will overwrite the file. The Ansible managed comment is added when the provider is initscripts. When using the Networking role with the nm (NetworkManager) provider, the ifcfg file is managed by NetworkManager and not by the Networking role.

The Firewall system role now supports setting the firewall default zone

You can now set a default firewall zone in the Firewall system role. Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. Firewall rules for each zone are managed independently enabling the administrator to define complex firewall settings and apply them to the traffic. This feature allows setting the default zone used as the default zone to assign interfaces to, same as firewall-cmd --set-default-zone zone-name.

The Metrics system role now generates files with the proper ansible_managed comment in the header

Previously, the Metrics role did not add an ansible_managed header comment to files generated by the role. With this fix, the Metrics role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the Metrics role.

The Postfix system role now generates files with the proper ansible_managed comment in the header

Previously, the Postfix role did not add an ansible_managed header comment to files generated by the role. With this fix, the Postfix role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the Postfix role.

Mediated devices are now supported by virtualization CLIs on IBM Z

Using virt-install or virt-xml, you can now attach mediated devices to your virtual machines (VMs), such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 8 guide.

Virtualization support for Intel Atom P59 series processors

With this update, virtualization on RHEL 8 adds support for the Intel Atom P59 series processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 8 can now use the Snowridge CPU model and utilise new features that the processors provide.

ESXi hypervisor and SEV-ES is now fully supported

You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported.

Windows 11 and Windows Server 2022 guests are supported

RHEL 8 now supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM virtual machines.

RHEL 8 virtual machines are now supported on certain ARM64 hosts on Azure

Virtual machines that use RHEL 8.6 or later as the guest operating system are now supported on Microsoft Azure hypervisors running on Ampere Altra ARM-based processors.

New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

cloud-init supports user data on Microsoft Azure

The --user-data option has been introduced for the cloud-init utility. Using this option, you can pass scripts and metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 8 virtual machine on Azure.

cloud-init supports the VMware GuestInfo datasource

With this update, the cloud-init utility is able to read the datasource for VMware guestinfo data. As a result, using cloud-init to set up RHEL 8 virtual machines on VMware vSphere is now more efficient and reliable.

A new package: rig

RHEL 8 introduces the rig package, which provides the rig system monitoring and event handling utility.

sos report now offers an estimate mode run

This sos report update adds the --estimate-only option with which you can approximate the disk space required for collecting an sos report from a RHEL server. Running the sos report --estimate-only command:

Red Hat Support Tool now uses Hydra APIs

The Red Hat Support Tool has moved from the deprecated Strata APIs to the new Hydra APIs. This has no impact on functionality. However, if you have configured the firewall to allow only the Strata API /rs/ path explicitly, update it to /support/ to ensure the firewall works correctly.

Red Hat Support Tool now supports Red Hat Secure FTP

When using Red Hat Support Tool, you can now upload files to the case by the Red Hat Secure FTP. Red Hat Secure FTP is a more secure replacement of the deprecated Dropbox utility that Red Hat Support Tool used to support in its earlier versions.

Red Hat Support Tool now supports S3 APIs

The Red Hat Support Tool now uses S3 APIs to upload files to the Red Hat Technical Support case. As a result, users can upload a file greater than 1 GB to the case directly.

container-tools:4.0 stable stream is now available

The container-tools:4.0 stable module stream, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and enhancements over the previous version.

The NFS storage is now available

You can now use the NFS file system as a backend storage for containers and images if your file system has xattr support.

The container-tools:rhel8 module has been updated

The container-tools:rhel8 module, which contains the Podman, Buildah, Skopeo, crun, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.

Universal Base Images are now available on Docker Hub

Previously, Universal Base Images were only available from the Red Hat container catalog. With this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image.

A podman container image is now available

The registry.redhat.io/rhel8/podman container image, previously available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman container image is a containerized implementation of the podman package. The podman tool manages containers and images, volumes mounted into those containers, and pods made of groups of containers.

Podman now supports auto-building and auto-running pods using a YAML file

The podman play kube command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.

Podman now has ability to source subUID and subGID ranges from IdM

The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid and /etc/subgid files onto every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf file and add sss to the services map line: services: files sss.

The openssl container image is now available

The openssl image provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.

Netavark network stack is now available

The new network stack available starting with Podman 4.1.1-7 consists of two tools, the Netavark network setup tool and the Aardvark DNS server. The Netavark stack, previously available as a Technology Preview, is with the release of the RHBA-2022:7127 advisory fully supported.

Podman now supports the --health-on-failure option

With the release of the RHBA-2022:7127 advisory. the podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.

The network --defroute option now works correctly in the %include script

Previously, the network --defroute option got ignored when used in the %include script during the kickstart installation. As a consequence, the device was set as the default route.

Users can now specify user accounts in the RHEL for Edge Installer blueprint

Previously, performing an update on your blueprint without a user account defined in the RHEL for Edge Commit for the upgrade, such as adding a rpm package, would cause users to be locked out of their system, after the upgrade was applied. It caused users to have redefine user accounts when upgrading an existing system. This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, that creates a user on the system at installation time, rather than having the user as part of the ostree commit.

osbuild no longer fails to build an ISO image bigger than 4GB

Image Builder users can create a customized image by adding additional packages. If the total size of the packages and their dependencies exceeded 4GB size, users of RHEL 8.5 and earlier releases would see the following error:

Running createrepo_c --update on a modular repository now preserves modular metadata in it

Previously, when running the createrepo_c --update command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option.

Errors during the installation of the info subpackage do not happen anymore

Previously the fix-info-dir script expected the existence of a /dev/null file. With a new version of the texinfo package for software documentation, the installation of the info subpackage does not fail on systems that do not contain the /dev/null special file. Now the fix-info-dir script does not expect the existence of the /dev/null file, and avoids the possibility of an infinite loop.

ReaR backs up a system with an unused LVM physical volume correctly

Previously, ReaR produced an incorrect disk layout when an unused LVM physical volume (PV) was present on the system. As a result, ReaR commands that need to produce the disk layout, such as the mkrescue, mkbackup, mkbackuponly, savelayout commands, aborted with the error message:

ReaR does not incorrectly exclude multipath devices from the backup

Previously, ReaR was incorrectly excluding certain multipath devices whose names contained the names of multipath devices that should have been excluded from the backup.

Remote users are no longer repetitively prompted to access smart cards

Previously, the polkit policy for the pcscd daemon incorrectly requested user interaction. As a consequence, non-local and non-privileged users could not access smart cards and encountered large numbers of prompts. With this update, the pcsc-lite package policy no longer includes the interactive prompts. As a result, remote card users are no longer repeatedly asked for privilege escalation.

64-bit IBM Z systems no longer become unbootable when installing in FIPS mode

Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup regenerates the initial RAM disk (initrd), and the resulting system needs an update of zipl internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update, fips-mode-setup now executes zipl on 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a result, the newly installed system boots successfully.

crypto-policies can disable ChaCha20 in OpenSSL

Previously, the crypto-policies component used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. As a consequence, use of ChaCha20 in TLS 1.2 in OpenSSL could not be disabled through crypto-policies. With this update, crypto-policies use the -CHACHA20 keyword instead of the -CHACHA20-POLY1305 keyword. As a result, you can now use crypto-policies to disable the use of the ChaCha20 cipher in OpenSSL for both TLS 1.2 and TLS 1.3.

systemd can now execute files from /home/user/bin

Previously, systemd services could not execute files from the /home/user/bin/ directory because the SELinux policy did not include the policy rules that allow such access. Consequently, the systemd services failed and eventually logged the Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that allow access, and systemd services can now correctly execute commands from /home/user/bin/.

STIG-specific default banner text removed from other profiles

Previously, banner text from the STIG profile was used as default by other profiles that did not have a default text defined, such as CIS. As a consequence, systems using these profiles were configured with the specific text required by DISA. With this update, a generic default text was created and a standard CIS banner aligned with the guidelines was defined. As a result, profiles based on guidelines which explicitly require a text banner are now aligned with the requirements and set the correct text.

ANSSI Enhanced Profile correctly selects the "Ensure SELinux State is Enforcing" rule

Previously, the ANSSI Enhanced profile (anssi_bp28_enhanced) did not select the "Ensure SELinux State is Enforcing" (selinux_state) rule. This update modified the rule selection and now the ANSSI Enhanced Profile selects the "Ensure SELinux State is Enforcing" rule.

Descriptions for restorecon and seunshare SSG rules fixed

Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the descriptions of these rules are aligned with the automated OVAL check. As a result, applying the fix recommended in the description now correctly fixes these rules.

The CIS profile no longer automatically disables IPv6

Previously, the CIS profile for RHEL 8 provided inappropriate automated remediation for recommendation “3.6 Disable IPv6”, which disabled IPv6 by configuring /etc/modprobe.d/ipv6.conf to prevent the IPv6 module from loading. This could have undesired effects on the dependent features and services. In RHEL 8 CIS Benchmark v1.0.1, the recommendation 3.6 must be implemented manually, and therefore the RHEL8 CIS profiles do not apply any remediation for this configuration item. As a result, the CIS profile is aligned with the benchmark and does not disable IPv6 automatically. To disable IPv6 manually by configuring GRUB2 or sysctl settings as recommended by CIS, see How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?.

CIS profile no longer blocks the SSH service

Previously, the xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key rule by default set the permissions to 640 on SSH private keys. As a consequence, the SSH daemon did not start. This update removes the file_permissions_sshd_private_key rule from the CIS profile and as a result, the SSH service works correctly.

Files in /usr/share/audit/sample-rules are now accepted by SCAP rules

Previously, according to the description of SCAP rules xccdf_org.ssgproject.content_rule_audit_ospp_general and xccdf_org.ssgproject.content_rule_audit_immutable_login_uids, users were able to make systems compliant by copying appropriate files from the /usr/share/audit/sample-rules directory. However, OVAL checks of these rules failed, and the system was consequently marked as non-compliant after the scan. With this update, the OVAL checks now accept the files from /usr/share/audit/sample-rules, and the SCAP rules pass successfully.

ANSSI Kickstart now reserves enough disk space

Previously, GUI installation required more disk space than ANSSI Kickstart reserved in the /usr partition. As a consequence, RHEL 8.6 GUI installations failed, with an error message stating that At least 429 MB more space needed on the /usr filesystem. This update increases the disk space for the /usr partition, and RHEL 8.6 installations using the ANSSI Kickstarts provided in the scap-security-guide now completes successfully.

Remediations of GRUB2 arguments are now persistent

Previously, the remediations for GRUB2 rules that set kernel arguments were using incorrect procedures and the configuration changes were not persistent across kernel upgrades. As a consequence, the remediations had to be reapplied with every kernel upgrade. With this update, remediations use the grubby tool that configures GRUB2 in a persistent way.

scap-workbench no longer hangs when scanning remote systems from RHEL 8 hosts

Previously, sending content files to the scanned system would hang and the scap-workbench utility could not complete the scan. This was due to a bug in the kernel which blocked executed Qt subprocesses. As a consequence, scanning of remote systems using the scap-workbench command from RHEL 8 hosts did not work. With this update, the underlying kernel bug is fixed, and therefore remote scans no longer hang on copying files to a remote system and successfully finish.

usbguard-notifier no longer logs too many error messages to the Journal

Previously, the usbguard-notifier service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.

Ambient capabilities are now applied correctly to non-root users

As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.

The usbguard-selinux package is no longer dependent on usbguard

Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard. As a consequence, this prevented the installation of usbguard on certain systems. With this version, usbguard-selinux no longer depends on usbguard, and as a result, yum can install usbguard correctly.

audisp-remote now correctly detects the availability of the remote locations

Previously, the audisp-remote plugin did not detect that remote services became unavailable. As a consequence, the audisp-remote process would enter a state with high CPU usage. With this update, audisp-remote can properly detect remote services becoming unavailable. As a result, the process no longer enters a high-CPU-usage state.

Clevis no longer stops on certain configurations before automated unlocking

Previously, the Clevis utility, which performs automated unlocking of LUKS-encrypted volumes, stopped on certain system configurations. Consequently, encrypted volumes were not unlocked automatically, and the administrator had to provide a passphrase manually. In some cases, Clevis restarted after the administrator pressed Enter and unlocked the encrypted volumes. With this update, the utility has been fixed to not stop on these configurations, and the process of automated unlocking now works properly.

NetworkManager now uses a static IPv4 IP address as primary

The main purpose of primary and secondary addresses is to enable source address selection for connections that are not yet bound to an IP address. For these connections, the kernel automatically chooses an address. In a NetworkManager connection profile, you can configure a static IPv4 address and DHCP at the same time for one connection. Previously, if you configured a connection with DHCP and a static IPv4 address from the same range as the one provided by the DHCP server, NetworkManager incorrectly assigned the IP address that it received from the DHCP server as primary and the static IP address as secondary.

The dmidecode --type 17 command now successfully decodes DDR5 memory information

Previously, the dmidecode command failed to decode the DDR5 memory information. Consequently, dmidecode --type 17 returned the <OUT OF SPEC> message. The latest update of the package (dmidecode-3.3-3.el8) has fixed this problem. As a result, dmidecode --type 17 now successfully decodes DDR5 memory information.

kdump no longer fails on KVM virtual machines that use the default amount of memory

Previously, kdump failed on some kernel-based virtual machines (KVM) that uses the default amount of memory. Consequently, the crash kernel failed to capture the crash dump file with following error:

Tunnel offloading now works as expected and supports the available hardware

Previously, the driver was not setting certain feature flags. Hence, tunnel offloading was not working as expected. In this update, the driver sets the required flags to enable tunnel offloading and works as expected.

Fixed the kernel warning while setting the rx ring buffer to max

Previously, an internal function expecting clean input was called with a reused and already initialized structure. It caused the kernel to give the warning message: “missing unregister, handled but fix driver”. This update fixes the bug, reinitializing the structure before trying to register it again.

xfsrestore command works correctly while restoring a backup

Previously, while restoring a backup created using the xfsdump command, xfsrestore created an orphanage directory. As a consequence, a few files were moved into the created orphanage directory with the following messages:

The multipathd.socket unit file no longer disables multipathd after too many startup attempts

Previously, the starting conditions for multipathd in the multipath.service unit file differed from the triggering conditions in multipathd.socket. Consequently, the unit file repeatedly tried to start multipathd and failed. This resulted in disabling multipathd after too many failed attempts. With this fix, the starting conditions for multipathd.socket and multipathd.service have been set to the same values. As a result, the multipathd.socket unit file no longer attempts to start multipathd where the starting conditions for multipathd.service are not met.

Protection uevents no longer cause reload failure of multipath devices

Previously, when a read-only path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a reload error message. With this update, multipathd now checks that all the paths are set to read/write before reloading a device read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device is rescanned.

The -j flag now works when used in a Makefile

Previously, when you added the -j flag to MAKEFLAGS inside the Makefile, the targets were built sequentially instead of in parallel. This bug has been fixed, and now the targets are built at the same time when you use the -j flag in the Makefile.

Statically linked applications no longer crash

Previously, the initialization code of the dynamic loader, which is linked into statically linked binaries, did not initialize a link map variable correctly. Consequently, statically linked applications crashed if LD_LIBRABY__PATH contained a dynamic token string. With this update statically linked applications no longer crash.

pthread_once() in glibc has been fixed to correctly support C++ exceptions

Previously, the pthread_once() implementation could result in a hang when using libstdc++ library functions. For example libstdc++'s std::call_once() called a function that threw an exception which would result in a hang. With this update, pthread_once() is fixed and no longer hangs when an exception is thrown.

Certmonger can now automatically renew SCEP certificates with AD when challengePassword is required for enrollment

Previously, requests for renewal of SCEP certificates sent by certmonger to an Active Directory (AD) Network Device Enrollment Service (NDES) server included the challengePassword used to originally obtain the certificate. However, AD treats challengePassword as a one-time password (OTP). As a consequence, the renewal request was rejected.

FreeRADIUS proxy server no longer stops working when a second FreeRADIUS server is unavailable

When a FreeRADIUS server is configured as a proxy server it forwards request messages to another FreeRADIUS server. Previously, if the connection between these two servers was interrupted, the FreeRADIUS proxy server stopped working. With this fix, the FreeRADIUS proxy server is now able to reestablish a connection when the other server becomes available.

Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected

When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.

Socket activation of SSSD succeeds when the SSSD cache is mounted in tmpfs as the SSSD user

Previously, socket activation of SSSD would fail if the SSSD cache was mounted in a tmpfs temporary file system because the /var/lib/sss/db/config.ldb SSSD configuration file was not owned by the sssd user. With this fix, SSSD creates the config.ldb file as the sssd user and socket activation succeeds. If you have mounted the /var/lib/sssd/db/ SSSD cache directory in tpmfs, you must remount it as the sssd user so SSSD can create the config.ldb file in that location.

Matrox GPU with a VGA display now works as expected

Prior to this release, your display showed no graphical output if you used the following system configuration:

A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin password is changed

Previously, changes to the Grafana admin user password after running the Metrics role with the metrics_graph_service: yes boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin password.

The SSHD system role uses the correct template file

In RHEL 8.5, the SSHD system role used a wrong template file. As a consequence, the generated sshd_config file did not contain the # Ansible managed comment. The missing comment did not affect any functionality on the system. With this update, the system role uses the correct template file and sshd_config contains the correct # Ansible managed comment.

The Networking system role no longer fails to set a DNS search domain if IPv6 is disabled

Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL system role and set dns_search together with ipv6_disabled: true, the system role failed with the following error:

The nm provider in the Networking system role now correctly manages bridges

Previously, if you used the initscripts provider, the Networking system role created an ifcfg file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down and absent actions. With this fix, the Networking system role uses the NM.Client.reload_connections_async() function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript to nm.

The SSH server role now detects FIPS mode and handles tasks correctly in FIPS mode

Previously, when managing RHEL8 and older systems in FIPS mode, one of the default hostkeys was not allowed to be created. As a consequence, the SSH server role operation failed to generate the not allowed key type when invoked. With this fix, the SSH server role detects FIPS mode and adjusts default hostkey list accordingly. As a result, the SSH server role can now manage systems in FIPS mode with default hostkeys configuration.

The Logging system role no longer calls tasks multiple times

Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.

RHEL system roles now handle multi-line ansible_managed comments in generated files

Previously, some of the RHEL system roles were using # {{ ansible_managed }} to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }} when generating files so that the ansible_managed string is always properly commented, including multi-line ansible_managed values. Consequently, generated files have the correct multi-line ansible_managed value.

The Logging role no longer misses quotes for the immark module interval value

Previously, the "interval" field value for the immark module was not properly quoted, because the immark module was not properly configured. This fix ensures that the "interval" value is properly quoted. Now, the immark module works as expected.

The group option no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the mode was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.

The /etc/tuned/kernel_settings/tuned.conf file has a proper ansible_managed header

Previously, the Kernel settings RHEL system role had a hard-coded value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could not provide their custom ansible_managed header. In this update, the problem has been fixed so that kernel_settings updates the header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header.

The logging_purge_confs option no longer fails to delete unnecessary configuration files

Previously, the logging_purge_confs variable was prepared to delete unnecessary logging configuration files, but failed to clean them up. Consequently, even though the logging_purge_confs variable was set to true, unnecessary configuration files were not cleaned up, but left in the configuration directory. This issue is now fixed and the logging_purge_confs variable has been redefined to work as follows.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

Configuration by the Metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.

The Kernel settings system role now correctly installs python3-configobj

Previously, the Kernel settings role returned an error that the python3-configobj package could not be found. The role failed to find the package because it did not install python3-configobj on managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly.

The Kdump system role does not ignore hosts anymore

Previously, the Kdump role ignored managed nodes that do not have memory reserved for crash kernel, and consequently completed with the “Success” status even when not configuring the system correctly. The role has been redesigned to fail in cases where managed nodes do not have memory reserved for crash kernel, and to prompt the user to set the kdump_reboot_ok variable to true to correctly configure kdump on managed nodes. As a result, the Kdump role now does not ignore hosts, and either completes successfully with the correct configuration, or fails with an error message describing what users need to do to fix the issue.

The Firewall system role now reloads the firewall immediately when target changes

Previously, the Firewall system role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role reloads the firewall when the target changes, and as a result, the target change is immediate and available for subsequent operations.

Default pcsd permissions for HA Cluster system role now allow access for group haclient

Previously, when a user ran the HA Cluster system role with the default pcsd permissions that were set with the ha_cluster_pcs_permission_list variable, only members of the group hacluster had access to the cluster. With this fix, the default pcsd permissions allow the group haclient to manage the cluster and all members of haclient can now access and manage the cluster.

strict NUMA binding policy no longer allows for moving runtime memory

Previously, when the strict NUMA binding policy was enabled in a VM (<memory mode='strict'/>), attempting to move runtime memory from that VM to another NUMA node in some cases partly or completely failed. To avoid this problem, the strict policy now completely prohibits moving runtime memory.

multifd migration now works reliably

Previously, attempting to migrate a virtual machine (VM) using the multifd feature of QEMU caused the migration to fail and the VM to terminate unexpectedly. The underlying code has been fixed, and multifd migration now works as expected.

VM migration and snapshots no longer failing due to virtio-balloon

Previously, attempting to migrate a virtual machine (VMs) with a more recent guest operating system (such as RHEL 9) failed if the VM was using the virtio-balloon device. Similarly, creating a snapshot of such a VM failed. This update fixes a bug in the page poison feature of virtio-balloon, which prevents the described problem from occurring.

Hot unplugging an IBMVFC device on PowerVM now works as expected

Previously, when using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the running VM failed. Instead, it displayed an outstanding translation error. The underlying code has been fixed and live hot unplugs of IBMVFC device now work correctly on PowerVM.

Rootless containers created in RHEL 8.5 and earlier using fuse-overlayfs now recognize removed files

Previously, in RHEL 8.4 and earlier, rootless images and containers were created or stored using the fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later introduced problems for unprivileged users using the overlayfs implementation provided by the kernel and who had removed files or directories from a container or from an image in RHEL 8.4. This problem did not apply to containers created by the root account.

FDO process available as a Technology Preview

The FDO process for automatic provisioning and onboarding RHEL for Edge images is available as a Technology Preview. With that, you can build a RHEL for Edge Simplified Installer image, provision it to a RHEL for Edge image, and use the FDO (FIDO device onboarding) process to automatically provision and onboard your Edge devices, exchange data with other devices and systems connected on the networks. As a result, the FIDO device onboarding protocol performs device initialization at the manufacturing stage and then late binding to actually use the device.

ReaR available on the 64-bit IBM Z architecture as a Technology Preview

Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM environment. Backing up and recovering logical partitions (LPARs) has not been tested.

KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP features that are available as Technology Preview

Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:

Multi-protocol Label Switching for TC available as a Technology Preview

The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route traffic flow across enterprise networks. In an MPLS network, the router that receives packets decides the further route of the packets based on the labels attached to the packet. With the usage of labels, the MPLS network has the ability to handle packets with particular characteristics. For example, you can add tc filters for managing packets received from specific ports or carrying specific types of traffic, in a consistent way.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, an Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The kexec fast reboot feature is available as a Technology Preview

The kexec fast reboot feature continues to be available as a Technology Preview. The kexec fast reboot significantly speeds the boot process as the kernel enables booting directly into the second kernel without passing through the Basic Input/Output System (BIOS) first. To use this feature:

The accel-config package available as a Technology Preview

The accel-config package is now available on Intel EM64T and AMD64 architectures as a Technology Preview. This package helps in controlling and configuring data-streaming accelerator (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the json format.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

The stmmac driver is available as a Technology Preview

Red Hat provides the usage of stmmac for Intel® Elkhart Lake systems on a chip (SoCs) as an unsupported Technology Preview.

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, a mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager. It provides managed file systems on top of pools of storage with additional features to the user.

Setting up a Samba server on an IdM domain member is provided as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

NVMe/TCP host is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme_tcp.ko kernel module has been added as a Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included only for testing purposes and is not currently planned for full support.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on Podman, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat Openstack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Automatic removal of location constraint following resource move available as a Technology Preview

When you execute the pcs resource move command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. A new --autodelete option for the pcs resource move command is now available as a Technology Preview. When you specify this option, the location constraint that the command creates is automatically removed once the resource has been moved.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology Preview. This enables administrators to configure and manage servers from a graphical user interface (GUI) remotely, using the VNC session.

GNOME desktop on IBM Z is available as a Technology Preview

The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using VNC to configure and manage your IBM Z servers.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel vGPU

As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Technology Preview: Select Intel network adapters now provide SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

Sharing files between hosts and VMs using virtiofs

As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can efficiently share files between your host system and its virtual machines (VM).

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

Toolbox is available as a Technology Preview

Previously, the Toolbox utility was based on RHEL CoreOS github.com/coreos/toolbox. With this release, Toolbox has been replaced with github.com/containers/toolbox.

The Netavark network stack is available as a Technology Preview

Before Podman version 4.1.1-7, the Netavark network stack for containers is available as a Technology Preview.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs:

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

The Kickstart autostep command has been deprecated

The autostep command has been deprecated. The related section about this command has been removed from the RHEL 8 documentation.

rpmbuild --sign is deprecated

The rpmbuild --sign command is deprecated since RHEL 8.1. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

The OpenEXR component has been deprecated

The OpenEXR component has been deprecated. Hence, the support for the EXR image format has been dropped from the imagecodecs module.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The ABRT tool has been deprecated

The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been deprecated in RHEL 8. As a replacement, use the systemd-coredump tool to log and store core dumps, which are automatically generated files after a program crashes.

The ReaR crontab has been deprecated

The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened.

The hidepid=n mount option is not supported in RHEL 8 systemd

The mount option hidepid=n, which controls who can access information in /proc/[pid] directories, is not compatible with systemd infrastructure provided in RHEL 8.

The /usr/lib/udev/rename_device utility has been deprecated

The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been deprecated.

NSS SEED ciphers are deprecated

The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

crypto-policies derived properties are now deprecated

With the introduction of scopes for crypto-policies directives in custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as well. See the crypto-policies(7) man page for recommended replacements.

Runtime disabling SELinux using /etc/selinux/config is now deprecated

Runtime disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file has been deprecated. In RHEL 9, when you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded.

The ipa SELinux module removed from selinux-policy

The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The functionality is now included in the ipa-selinux subpackage.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

The dropwatch tool is deprecated

The dropwatch tool has been deprecated. The tool will not be supported in future releases, thus it is not recommended for new deployments. As a replacement of this package, Red Hat recommends to use the perf command line tool.

The cgdcbxd package is deprecated

Control group data center bridging exchange daemon (cgdcbxd) is a service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major RHEL release.

The xinetd service has been deprecated

The xinetd service has been deprecated and will be removed in RHEL 9. As a replacement, use systemd. For further details, see How to convert xinetd service to systemd.

The WEP Wi-Fi connection method is deprecated

The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8.6 and will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.

The unsupported xt_u32 module is now deprecated

Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. In RHEL 8.6, the xt_u32 module is deprecated and will be removed in RHEL 9.

The term slaves is deprecated in the nmstate API

Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl.

Kernel live patching now covers all RHEL minor releases

Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch will be decreased from 12 to 6 months for every minor, major and zStream version of the kernel. It means that on the day a kernel live patch is released, it will cover every minor release and scheduled errata kernel delivered in the past 6 months. For example, 8.4.x will have a one-year support window, but 8.4.x+1 will have 6 months.

Installing RHEL for Real Time 8 using diskless boot is now deprecated

Diskless booting allows multiple systems to share a root file system through the network. While convenient, diskless boot is prone to introducing network latency in real-time workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.

The Linux firewire sub-system and its associated user-space components are deprecated in RHEL 8

The firewire sub-system provides interfaces to use and maintain any resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as well.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The kernelopts environment variable has been deprecated

In RHEL 8, the kernel command-line parameters for systems using the GRUB2 bootloader were defined in the kernelopts environment variable. The variable was stored in the /boot/grub2/grubenv file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of RHEL, kernelopts will be removed and the kernel command-line parameters will be stored in the Boot Loader Specification (BLS) snippet instead.

VDO write modes other than async are deprecated

VDO supports several write modes in RHEL 8:

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

cramfs has been deprecated

Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution.

VDO manager has been deprecated

The python-based VDO management software has been deprecated and will be removed from RHEL 9. In RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create VDO volumes using the lvcreate command.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

LVM mirror is deprecated

The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL.

peripety is deprecated

The peripety package is deprecated since RHEL 8.3.

pcs commands that support the clufter tool have been deprecated

The pcs commands that support the clufter tool for analyzing cluster configuration formats have been deprecated. These commands now print a warning that the command has been deprecated and sections related to these commands have been removed from the pcs help display and the pcs(8) man page.

The mod_php module provided with PHP for use with the Apache HTTP Server has been deprecated

The mod_php module provided with PHP for use with the Apache HTTP Server in RHEL 8 is available but not enabled in the default configuration. The module is no longer available in RHEL 9.

libdwarf has been deprecated

The libdwarf library has been deprecated in RHEL 8. The library will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for applications that wish to process ELF/DWARF files.

The gdb.i686 packages are deprecated

In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions of GDB, gdb.x86_64, are fully capable of debugging 32-bit applications.

openssh-ldap has been deprecated

The openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

DES and 3DES encryption types have been removed

Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.

Standalone use of the ctdb service has been deprecated

Since RHEL 8.4, customers are advised to use the ctdb clustered Samba service only when both of the following conditions apply:

Running Samba as a PDC or BDC is deprecated

The classic domain controller mode that enabled administrators to run Samba as an NT4-like primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and settings to configure these modes will be removed in a future Samba release.

Indirect AD integration with IdM via WinSync has been deprecated

WinSync is no longer actively developed in RHEL 8 due to several functional limitations:

The SSSD version of libwbclient has been removed

The SSSD implementation of the libwbclient package was deprecated in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of libwbclient has now been removed.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

Limited support for FreeRADIUS

In RHEL 8, the following external authentication modules are deprecated as part of the FreeRADIUS offering:

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

The remotectl command is deprecated

The remotectl command has been deprecated and will not be available in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note that cockpit-certificate-ensure does not have feature parity with remotectl. It does not support bundled certificates and keychain files and requires them to be split out.

The networking system role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a network team on RHEL 9 nodes, shows a warning about its deprecation.

Ansible Engine has been deprecated

Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no support after September 29, 2023. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.

The geoipupdate package has been deprecated

The geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in the next major RHEL version.

SPICE has been deprecated

The SPICE remote display protocol has become deprecated. As a result, SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:

virsh iface-* commands have become deprecated

The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a future major version of RHEL. In addition, these commands frequently fail due to configuration dependencies.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA.

KVM on IBM POWER has been deprecated

Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM POWER is still supported in RHEL 8, but will become unsupported in a future major release of RHEL.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Using SPICE to attach smart card readers to virtual machines has been deprecated

The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage of smart cards in VMs has also become deprecated in RHEL 8.

The Podman varlink-based API v1.0 has been removed

The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API v1.0 has been completely removed.

container-tools:1.0 has been deprecated

The container-tools:1.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:2.0 or container-tools:3.0.

The container-tools:2.0 module has been deprecated

The container-tools:2.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:3.0.

Installation fails on IBM Power 10 systems with LPAR and secure boot enabled

RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. Consequently, when logical partition (LPAR) is enabled with the secure boot option, the installation fails with the error, Unable to proceed with RHEL-x.x Installation.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running. To work around this problem, do not run Anaconda on the production system and execute it in a temporary virtual machine. So that the SELinux policy on a production system is not modified. Running anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this issue.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Network access is not enabled by default in the installation program

Several installation features require network access, for example, registration of a system using the Content Delivery Network (CDN), NTP server support, and network installation sources. However, network access is not enabled by default, and as a result, these features cannot be used until network access is enabled.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

IBM Power systems with HASH MMU mode fail to boot with memory allocation failures

IBM Power Systems with HASH memory allocation unit (MMU) mode support kdump up to a maximum of 192 cores. Consequently, the system fails to boot with memory allocation failures if kdump is enabled on more than 192 cores. This limitation is due to RMA memory allocations during early boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled instead of using kdump.

syspurpose addons have no effect on the subscription-manager attach --auto output.

In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.

cr_compress_file_with_stat() can cause a memory leak

The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with char **dst as a second parameter. Depending on its other parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. This unpredictable behavior can cause a memory leak, because it does not inform the user when to free dst contents.

YUM transactions reported as successful when a scriptlet fails

Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the transaction. This behavior propagates up to YUM as well. This results in scriptlets which might occasionally fail while the overall package transaction reports as successful.

A security DNF upgrade can skip obsoleted packages

The patch for BZ#2095764, released with the RHBA-2022:5816 advisory, introduced the following regression: The DNF upgrade using security filters, such as the --security option, can skip upgrading obsoleted packages. This issue happens specifically when an installed package is obsoleted by a different available package, and an advisory exists for the available package.

coreutils might report misleading EPERM error codes

GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter returns an EPERM error code for unknown system calls, coreutils might consequently report misleading EPERM error codes because EPERM can not be distinguished from the actual Operation not permitted error returned by a working statx() syscall.

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to SHA-256

By default in RHEL 8, postfix uses MD5 fingerprints with the TLS for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, which may cause TLS to incorrectly function in the default postfix configuration. To workaround this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration file.

The brltty package is not multilib compatible

It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is recommended.

File permissions of /etc/passwd- are not aligned with the CIS RHEL 8 Benchmark 1.0.0

Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures permissions on the /etc/passwd- backup file configures permissions to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file permissions 0600 for that file. As a consequence, the file permissions of /etc/passwd- are not aligned with the benchmark after remediation.

libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the yum install libselinux-python command.

udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

SELINUX=disabled in /etc/selinux/config does not work properly

Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. This might cause memory leaks.

sshd -T provides inaccurate information about Ciphers, MACs and KeX algorithms

The output of the sshd -T command does not contain the system-wide crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. Crypto policies are applied as command-line arguments to the sshd executable in the sshd.service unit during the service’s start by using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX algorithms differ from sshd -T to what is provided by current crypto policy level. As a result, the output from sshd -T matches the currently configured crypto policy.

OpenSSL in FIPS mode accepts only specific D-H parameters

In FIPS mode, TLS clients that use OpenSSL return a bad dh value error and abort TLS connections to servers that use manually generated parameters. This is because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known parameters of similar size. To work around this problem, use only the compliant groups.

crypto-policies incorrectly allow Camellia ciphers

The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy levels, as stated in the product documentation. However, the Kerberos protocol enables the ciphers by default.

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

The file_caching option is enabled in the default OpenSC configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning process through OpenSC fails.

Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries.

IKE over TCP connections do not work on custom TCP ports

The tcp-remoteport Libreswan configuration option does not work properly. Consequently, an IKE over TCP connection cannot be established when a scenario requires specifying a non-default TCP port.

Remediating service-related rules during kickstart installations might fail

During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable or disable state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a non-compliant state. As a workaround, you can scan and remediate the system after the kickstart installation. This will fix the service-related issues.

RHV hypervisor may not work correctly when hardening the system during installation

When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work around the problem, install the RHV-H system without applying any profile hardening, and after the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV hypervisor works correctly.

Red Hat provides the CVE OVAL reports in compressed format

Red Hat provides CVE OVAL feeds in the bzip2-compressed format, and they are no longer available in the XML file format. The location of feeds for RHEL 8 has been updated accordingly to reflect this change. Because referencing compressed content is not standardized, third-party SCAP scanners can have problems with scanning rules that use the feed.

Certain sets of interdependent rules in SSG can fail

Remediation of SCAP Security Guide (SSG) rules in a benchmark can fail due to undefined ordering of rules and their dependencies. If two or more rules need to be executed in a particular order, for example, when one rule installs a component and another rule configures the same component, they can run in the wrong order and remediation reports an error. To work around this problem, run the remediation twice, and the second run fixes the dependent rules.

Server with GUI and Workstation installations are not possible with CIS Server profiles

The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either of these software selections will generate the error message:

Kickstart uses org_fedora_oscap instead of com_redhat_oscap in RHEL 8

The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary for backwards compatibility backward compatibility with Red Hat Enterprise Linux 7.

SSH timeout rules in STIG profiles configure incorrect options

An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:

Certain rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in rsyslog:

Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.

Ansible remediations require additional collections

With the replacement of Ansible Engine by the ansible-core package, the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package.

The nm-cloud-setup service removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain cases, other services on the host can configure interfaces as well. For example, these services could add secondary IP addresses. To avoid that nm-cloud-setup removes secondary IP addresses:

The primary IP address of an instance changes after starting the nm-cloud-setup service in Alibaba Cloud

After launching an instance in the Alibaba Cloud, the nm-cloud-setup service assigns the primary IP address to an instance. However, if you assign multiple secondary IP addresses to an instance and start the nm-cloud-setup service, the former primary IP address gets replaced by one of the already assigned secondary IP addresses. The returned list of metadata verifies the same. To work around the problem, configure secondary IP addresses manually to avoid that the primary IP address changes. As a result, an instance retains both IP addresses and the primary IP address does not change.

NetworkManager does not support activating bond and team ports in a specific order

NetworkManager activates interfaces alphabetically by interface names. However, if an interface appears later during the boot, for example, because the kernel needs more time to discover it, NetworkManager activates this interface later. NetworkManager does not support setting a priority on bond and team ports. Consequently, the order in which NetworkManager activates ports of these devices is not always predictable. To work around this problem, write a dispatcher script.

Systems with the IPv6_rpfilter option enabled experience low network throughput

Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and low network throughput in high traffic scenarios, such as 100-Gbps links. To work around the problem, disable the IPv6_rpfilter option. To do so, add the following line in the /etc/firewalld/firewalld.conf file.

RoCE interfaces lose their IP settings due to an unexpected change of the network interface name

The RDMA over Converged Ethernet (RoCE) interfaces lose their IP settings due to an unexpected change of the network interface name if both conditions are met:

Using net_prio or net_cls controllers in v1 mode deactivates some controllers of the cgroup-v2 hierarchy

In cgroup-v2 environments, using either net_prio or net_cls controllers in v1 mode disables the hierarchical tracking of socket data. As a result, the cgroup-v2 hierarchy for socket data tracking controllers is not active, and the dmesg command reports the following message:

Anaconda in some cases fails after entering the passphrase for encrypted devices

If kdump is disabled when preparing an installation and the user selects encrypted disk partitioning, the Anaconda installer fails with a traceback after entering the passphrase for the encrypted device.

Reloading an identical crash extension may cause segmentation faults

When you load a copy of an already loaded crash extension file, it might trigger a segmentation fault. Currently, the crash utility detects if an original file has been loaded. Consequently, due to two identical files co-existing in the crash utility, a namespace collision occurs, which triggers the crash utility to cause a segmentation fault.

vmcore capture fails after memory hot-plug or unplug operation

After performing the memory hot-plug or hot-unplug operation, the event comes after updating the device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. The problem appears if all of the following conditions meet:

Debug kernel fails to boot in crash capture environment on RHEL 8

Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as the capture kernel and a stack trace is generated instead. To work around this problem, increase the crash kernel memory as required. As a result, the debug kernel boots successfully in the crash capture environment.

Allocating crash kernel memory fails at boot time

On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the 32-bit region is disabled in BIOS settings. Consequently, the kdump service fails to start. This is caused by memory fragmentation in the region below 4 GB with no fragment being large enough to contain the crash kernel memory.

The kernel ACPI driver reports it has no access to a PCIe ECAM memory region

The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus device. Consequently, the following warning message occurs during the system boot:

The tuned-adm profile powersave command causes the system to become unresponsive

Executing the tuned-adm profile powersave command leads to an unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx (CN88xx) processors. Consequently, reboot the system to resume working. To work around this problem, avoid using the powersave profile if your system matches the mentioned specifications.

The HP NMI watchdog does not always generate a crash dump

In certain cases, the hpwdt driver for the HP NMI watchdog is not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI was instead consumed by the perfmon driver.

Using irqpoll causes vmcore generation failure

Due to an existing problem with the nvme driver on the 64-bit ARM architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this problem:

Connections fail when attaching a virtual function to virtual machine

Pensando network cards that use the ionic device driver silently accept VLAN tag configuration requests and attempt configuring network connections while attaching network virtual functions (VF) to a virtual machine (VM). Such network connections fail as this feature is not yet supported by the card’s firmware.

The OPEN MPI library may trigger run-time failures with default PML

In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x series deprecated openib Byte Transfer Layer (BTL).

The Solarflare fails to create maximum number of virtual functions (VFs)

The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, either from Solarflare Boot Manager on startup, or using Solarflare sfboot utility. The default VF MSI interrupt value is 8.

Memory allocation for kdump fails on the 64-bit ARM architectures

On certain 64-bit ARM based systems, the firmware uses the non-contiguous memory allocation method, which reserves memory randomly at different scattered locations. Consequently, due to the unavailability of consecutive blocks of memory, the crash kernel cannot reserve memory space for the kdump mechanism.

Hardware certification of the real-time kernel on systems with large core-counts might require passing the skew-tick=1 boot parameter to avoid lock contentions

Large or moderate sized systems with numerous sockets and large core-counts can experience latency spikes due to lock contentions on xtime_lock, which is used in the timekeeping system. As a consequence, latency spikes and delays in hardware certifications might occur on multiprocessing systems. As a workaround, you can offset the timer tick per CPU to start at a different time by adding the skew_tick=1 boot parameter.

Limitations of LVM writecache

The writecache LVM caching method has the following limitations, which are not present in the cache method:

XFS quota warnings are triggered too often

Using the quota timer results in quota warnings triggering too often, which causes soft quotas to be enforced faster than they should. To work around this problem, do not use soft quotas, which will prevent triggering warnings. As a result, the amount of warning messages will not enforce soft quota limit anymore, respecting the configured timeout.

LVM mirror devices that store a LUKS volume sometimes become unresponsive

Mirrored LVM devices with a segment type of mirror that store a LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject all I/O operations.

The /boot file system cannot be placed on LVM

You cannot place the /boot file system on an LVM logical volume. This limitation exists for the following reasons:

LVM no longer allows creating volume groups with mixed block sizes

LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the physical volumes (PVs) have different logical block sizes. LVM has adopted this change because file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a different block size.

Using Device mapper multipath with the NVMe/TCP driver causes system instability

DM multipath is not supported with the NVMe/TCP driver. Using it causes sleeping functions in the kernel to be called in an atomic context, which then results in system instability.

The blk-availability systemd service deactivates complex device stacks

In systemd, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:

getpwnam() might fail when called by a 32-bit application

When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, manually install the missing package by using the yum install nss_nis.i686 command.

MariaDB 10.5 does not warn about dropping a non-existent table when the OQGraph plug-in is enabled

When the OQGraph storage engine plug-in is loaded to the MariaDB 10.5 server, MariaDB does not warn about dropping a non-existent table. In particular, when the user attempts to drop a non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returns an error message nor logs a warning.

PAM plug-in version 1.0 does not work in MariaDB

MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 and 2.0, version 2.0 is the default.

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

When both the libldap and libldap_r libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts between these libraries might occur. Consequently, Apache httpd child processes using the PHP ldap extension might terminate unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration.

Windows Server 2008 R2 and earlier no longer supported

In RHEL 8.4 and later, Identity Management (IdM) does not support establishing trust to Active Directory with Active Directory domain controllers running Windows Server 2008 R2 or earlier versions. RHEL IdM now requires SMB encryption when establishing the trust relationship, which is only available with Windows Server 2012 or later.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

The /var/log/lastlog sparse file on IdM hosts can cause performance problems

During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is randomly selected and assigned. Selecting a random range in this way significantly reduces the probability of conflicting IDs in case you decide to merge two separate IdM domains in the future.

FIPS mode does not support using a shared secret to establish a cross-forest trust

Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.

FreeRADIUS server fails to run in FIPS mode

By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this causes the FreeRADIUS server to fail in FIPS mode.

Actions required when running Samba as a print server and updating from RHEL 8.4 and earlier

With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in /var/log/audit/audit.log. To avoid this problem after updating your system from 8.4 and earlier:

Downgrading authselect after the rebase to version 1.2.2 breaks system authentication

The authselect package has been rebased to the latest upstream version 1.2.2. Downgrading authselect is not supported and breaks system authentication for all users, including root.

The default keyword for enabled ciphers in the NSS does not work in conjunction with other ciphers

In Directory Server you can use the default keyword to refer to the default ciphers enabled in the network security services (NSS). However, if you want to enable the default ciphers and additional ones using the command line or web console, Directory Server fails to resolve the default keyword. As a consequence, the server enables only the additionally specified ciphers and logs the following error:

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Disabling flatpak repositories from Software Repositories is not possible

Currently, it is not possible to disable or remove flatpak repositories in the Software Repositories tool in the GNOME Software utility.

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V Server 2016 hosts

When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. In addition, the following error is logged in the Hyper-V event log:

Drag-and-drop does not work between desktop and applications

Due to a bug in the gnome-shell-extensions package, the drag-and-drop functionality does not currently work between desktop and applications. Support for this feature will be added back in a future release.

radeon fails to reset hardware correctly

The radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.

Multiple HDR displays on a single MST topology may not power on

On systems using NVIDIA Turing GPUs with the nouveau driver, using a DisplayPort hub (such as a laptop dock) with multiple monitors which support HDR plugged into it may result in failure to turn on. This is due to the system erroneously thinking there is not enough bandwidth on the hub to support all of the displays.

GUI in ESXi might crash due to low video memory

The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly.

VNC Viewer displays wrong colors with the 16-bit color depth on IBM Z

The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z server with the 16-bit color depth.

Unable to run graphical applications using sudo command

When trying to run graphical applications as a user with elevated privileges, the application fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority file to use regular user credentials for authentication.

Hardware acceleration is not supported on ARM

Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit ARM architecture.

Removing USB host devices using the web console does not work as expected

When you attach a USB device to a virtual machine (VM), the device number and bus number of the USB device might change after they are passed to the VM. As a consequence, using the web console to remove such devices fails due to the incorrect correlation of the device and bus numbers. To workaround this problem, remove the <hostdev> part of the USB device, from the VM’s XML configuration.

Attaching multiple host devices using the web console does not work

When you select multiple devices to attach to a virtual machine (VM) using the web console, only a single device is attached and the rest are ignored. To work around this problem, attach only one device at a time.

Unable to manage localhost by using the localhost hostname in the playbook or inventory

With the inclusion of the ansible-core 2.12 package in RHEL, if you are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens because ansible-core 2.12 uses the python38 module, and many of the libraries are missing, for example, blivet for the storage role, gobject for the network role. To workaround this problem, if you are already using the localhost hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists localhost with the ansible_connection=local option. With that, you are able to manage resources on localhost. For more details, see the article RHEL system roles playbooks fail when run on localhost.

Network traffic performance in virtual machines might be reduced

In some cases, RHEL 8.6 guest virtual machines (VMs) have somewhat decreased performance when handling high levels of network traffic.

Using a large number of queues might cause Windows virtual machines to fail

Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device is enabled and the multi-queue virtio-net feature is configured to use more than 250 queues.

Live post-copy migration of VMs with failover VFs does not work

Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a device with the virtual function (VF) failover capability enabled. To work around the problem, use the standard migration type, rather than post-copy migration.

Live migrating VMs to a RHEL 8.6 Intel host from an earlier minor version of RHEL 8 does not work

Because the Intel Transactional Synchronization Extensions (TSX) feature has become deprecated, RHEL 8.6 hosts on Intel hardware no longer use the hle and rtm CPU flags. As a consequence, live migrating a virtual machine (VM) to a RHEL 8.6 host fails if the source host uses RHEL 8.5 or an earlier minor version of RHEL 8.

The Milan VM CPU type is sometimes not available on AMD Milan systems

On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS by default. Consequently, the 'Milan' CPU type might not be available on these systems. In addition, VM live migration between Milan hosts with different feature flag settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host.

Attaching LUN devices to virtual machines using virtio-blk does not work

The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller.

Virtual machines with iommu_platform=on fail to start on IBM POWER

RHEL 8 currently does not support the iommu_platform=on parameter for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process.

IBM POWER hosts may crash when using the ibmvfc driver

When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors may currently occur due to problems with the ibmvfc driver. As a consequence, the host’s kernel may panic under certain circumstances, such as: