8.8 Release Notes

A new and improved way to create blueprints and images in the image builder web console

With this enhancement, you have access to a unified version of the image builder tool and a significant improvement in your user experience.

Support for 64-bit ARM for .vhd images built with image builder

Previously, Microsoft Azure .vhd images created with the image builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit ARM Microsoft Azure .vhd images and now you can build your .vhd images using image builder and upload them to the Microsoft Azure cloud.

Ability to specify user in a blueprint for simplified-installer images

Previously, when creating a blueprint for a simplified-installer image, you could not specify a user in the blueprint customization, because the customization was not used and was discarded. With this update, when you create an image from the blueprint, this blueprint creates a user under the /usr/lib/passwd directory and a password under the /usr/etc/shadow directory during installation time. You can log in to the device with the username and the password you created for the blueprint. Note that after you access the system, you need to create users, for example, using the useradd command.

Red Hat build of MicroShift enablement for RHEL for Edge images

With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge system. By using the [[customizations.firewalld.zones]] blueprint customization, you can add support for firewalld sources in the blueprint customization. For that, specify a name for the zone and a list of sources in that specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset.

New yum offline-upgrade command for offline updates on RHEL

With this enhancement, you can apply offline updates to RHEL by using the new yum offline-upgrade command from the YUM system-upgrade plug-in.

Applying advisory security filters to yum offline-upgrade is now supported

With this enhancement, the new functionality for advisories filtering has been added. As a result, you can now download packages and their dependencies only from the specified advisory by using the yum offline-upgrade command with advisory security filters (--advisory, --security, --bugfix, and other filters).

The unload_plugins function is now available for the YUM API

With this enhancement, a new unload_plugins function has been added to the YUM API to allow plug-ins unloading.

New --nocompression option for rpm2archive

With this enhancement, the --nocompression option has been added to the rpm2archive utility. You can use this option to avoid compression when directly unpacking an RPM package.

ReaR is now fully supported also on the 64-bit IBM Z architecture

Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z architecture as a Technology Preview, is fully supported with the rear package version 2.6-9.el8 or later. You can create a ReaR rescue image on the IBM Z architecture in the z/VM environment only. Backing up and recovering logical partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring disk layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed Block Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not supported for this purpose. The only output method currently available is Initial Program Load (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL bootloader.

New synce4l package for frequency synchronization is now available

SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is supported in certain network interface cards (NICs) and network switches.

powertop rebased to version 2.15

The powertop package for improving the energy efficiency has been updated to version 2.15. Notable changes and enhancements include:

tuned rebased to version 2.20.0

The TuneD utility for optimizing the performance of applications and workloads has been updated to version 2.20.0. Notable changes and enhancements over version 2.19.0 include:

FIPS mode now has more secure settings that target FIPS 140-3

The FIPS mode settings in the kernel have been adjusted to conform to the Federal Information Processing Standard (FIPS) 140-3. This change introduces stricter settings to many cryptographic algorithms, functions, and cipher suites. Most notably:

Libreswan rebased to 4.9

The libreswan packages have been upgraded to version 4.9. Notable changes over the previous version include:

SELinux now confines udftools

With this update of the selinux-policy packages, SELinux confines the udftools service.

New SELinux policy for systemd-socket-proxyd

Because the systemd-socket-proxyd service requires particular resources usage, a new policy with the required rules was added to the selinux-policy packages. As a result, the service runs in its SELinux domain.

OpenSCAP rebased to 1.3.7

The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various bug fixes and enhancements, most notably:

scap-security-guide rules for Rsyslog log files are compatible with RainerScript

Rules in scap-security-guide for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with log files defined by using the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, scap-security-guide rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.

STIG security profile updated to version V1R9

The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R9. This release also includes changes published in V1R8.

RHEL 8 STIG profiles are better aligned with the benchmark

Four existing rules that satisfy RHEL 8 STIG requirements were part of the data stream but were previously not included in the STIG profiles (stig and stig_gui). With this update, the following rules are now included in the profiles:

SCAP Security Guide rebased to 0.1.66

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This version provides various enhancements and bug fixes, most notably:

OpenSSL driver can now use certificate chains in Rsyslog

The NetstreamDriverCaExtraFiles directive allows configuring multiple additional certificate authority (CA) files. With this update, you can specify multiple CA files and the OpenSSL library can validate them, which is necessary for SSL certificate chains. As a result, you can use certificate chains in Rsyslog with the OpenSSL driver.

opencryptoki rebased to 3.19.0

The opencryptoki package has been rebased to version 3.19.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

New SCAP rule for idle session termination

New SCAP rule logind_session_timeout has been added to the scap-security-guide package in ANSSI-BP-028 profiles for Enhanced and High levels. This rule uses a new feature of the systemd service manager and terminates idle user sessions after a certain time. This rule provides automatic configuration of a robust idle session termination mechanism which is required by multiple security policies. As a result, OpenSCAP can automatically check the security requirement related to terminating idle user sessions and, if necessary, remediate it.

fapolicyd now provides filtering of the RPM database

With the new configuration file /etc/fapolicyd/rpm-filter.conf, you can customize the list of RPM-database files that the fapolicyd software framework stores in the trust database. This way, you can block certain applications installed by RPM or allow an application denied by the default configuration filter.

The default MPTCP subflow limit is 2

A subflow is a single TCP connection that is part of a Multipath TCP (MPTCP) connection. A subflow limit in MPTCP refers to the maximum number of additional connections that can be created between two MPTCP endpoints. You can use the limit to restrict the number of additional parallel subflows that can be created between the endpoints, to avoid overloading the network and the endpoints. For example the value of 0 allows only the initial subflow.

The kernel now logs the listening address in SYN flood messages

This enhancement adds the listening IP address to SYN flood messages:

The nm-initrd-generator profiles now have lower priority than autoconnect profiles

The nm-initrd-generator early boot NetworkManager configuration generator utility generates and configures connection profiles by using the NetworkManager instance running in the boot loader’s initialized initrd RAM disk. The nm-initrd-generator utility generated profiles now have a lower autoconnect priority than the default connection autoconnect priority. This enables generated network profiles in initrd to coexist with user configuration in default root account.

nispor rebased to version 1.2.10

The nispor packages have been upgraded to upstream version 1.2.10, which provides a number of enhancements and bug fixes over the previous version:

NetworkManager rebased to version 1.40.16

The NetworkManager packages have been upgraded to upstream version 1.40.16, which provides a number of bug fixes over the previous version:

Kernel version in RHEL 8.8

Red Hat Enterprise Linux 8.8 is distributed with the kernel version 4.18.0-477.10.

Secure Execution guest dump encryption with customer keys

This new feature allows Secure Execution guests to use hypervisor-initiated dumps to collect kernel crash information from KVM when the kdump utility does not work. Note that hypervisor-initiated dumps for Secure Execution are designed for the IBM Z Series z16 and LinuxONE Emperor 4 hardware.

The sfc driver has split into sfc and sfc_siena

Following the changes in the upstream driver, the sfc NIC driver is now split into 2 different drivers: sfc and sfc_siena. sfc_siena supports the deprecated Siena family devices.

The stmmac driver is now fully supported

Red Hat now fully supports the stmmac driver for Intel® Elkhart Lake systems on a chip (SoCs).

The rtla meta-tool adds the osnoise and timerlat tracers for improved tracer capabilities

The Real-Time Linux Analysis (rtla) is a meta-tool that includes a set of commands that analyze the real-time properties of Linux. rtla leverages kernel tracing capabilities to provide accurate information about the properties and root causes of unexpected system results. rtla currently adds support for osnoise and timerlat tracer commands. The osnoise tracer reports a kernel thread per CPU. The timerlat tracer periodically prints the timer latency at the timer IRQ handler and the thread handler.

The output format for cgroups and irqs has been improved to provide better readability

With this enhancement, the tuna show_threads command output for the cgroup utility is now structured based on the terminal size. You can also configure additional spacing to the cgroups output by adding the new -z or --spaced option to the show_threads command. As a result, you can now view the cgroups output in an improved readable format that is adaptable to your terminal size.

The rteval command output now includes the program loads and measurement threads information

The rteval command now displays a report summary with the number of program loads, measurement threads, and the corresponding CPU that ran these threads. This information helps to evaluate the performance of a real-time kernel under load on specific hardware platforms.

The -W and --bucket-width options have been added to the oslat program to measure latency

With this enhancement, you can specify a latency range for a single bucket at nanosecond accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By using the new options, -W or --bucket-width, you can modify the latency interval between buckets to measure latency within sub-microseconds delay time.

The Ethernet Port Configuration Tool (EPCT) utility support enabled in E810 with Intel ice driver

With this enhancement, the devlink port split command now supports the Intel ice driver. The Ethernet Port Configuration Tool (EPCT) is a command line utility that allows you to change the link type of a device. The devlink utility, which displays device information and resources of devices, is dependent on EPCT. As a result of this enhancement, the ice driver implements support for EPCT, which enables you to list and view the configurable devices using Intel ice drivers.

The Intel ice driver rebased to version 6.0.0

The Intel ice driver has been upgraded to upstream version 6.0.0, which provides a number of enhancements and bug fixes over previous versions. The notable enhancements include:

Hosting Secure Boot certificates for IBM zSystems

Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware Management Console (HMC). Notably:

zipl support for Secure Boot IPL and dump on 64-bit IBM Z

With this update, the zipl utility supports List-Directed IPL and List-Directed dump from Extended Count Key Data (ECKD) Direct Access Storage Devices (DASD) on the 64-bit IBM Z architecture. As a result, Secure Boot for RHEL on IBM Z also works with the ECKD type of DASDs.

New enable-authfile Booth configuration option

When you create a Booth configuration to use the Booth ticket manager in a cluster configuration, the pcs booth setup command now enables the new enable-authfile Booth configuration option by default. You can enable this option on an existing cluster with the pcs booth enable-authfile command. Additionally, the pcs status and pcs booth status commands now display warnings when they detect a possible enable-authfile misconfiguration.

pcs can now run the validate-all action of resource and stonith agents

When creating or updating a resource or a STONITH device, you can now specify the --agent-validation option. With this option, pcs uses an agent’s validate-all action, when it is available, in addition to the validation done by pcs based on the agent’s metadata.

Python 3.11 available in RHEL 8

RHEL 8.8 introduces Python 3.11, provided by the new package python3.11 and a suite of packages built for it, as well as the ubi8/python-311 container image.

nodejs:18 rebased to version 18.14 with npm rebased to version 9

Node.js 18.14, released in RHSA-2023:1583, includes a SemVer major upgrade of npm from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm configuration.

git rebased to version 2.39.1

The Git version control system has been updated to version 2.39.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.31.

git-lfs rebased to version 3.2.0

The Git Large File Storage (LFS) extension has been updated to version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.13.

A new module stream: nginx:1.22

The nginx 1.22 web and proxy server is now available as the nginx:1.22 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.20.

mod_security rebased to version 2.9.6

The mod_security module for the Apache HTTP Server has been updated to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously available version 2.9.2.

New packages: tomcat

RHEL 8.8 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.

A new module stream: postgresql:15

RHEL 8.8 introduces PostgreSQL 15, which provides a number of new features and enhancements over version 13. Notable changes include:

A new module stream: swig:4.1

RHEL 8.8 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1, available as a new module stream, swig:4.1.

A new module stream: jaxb:4

RHEL 8.8 introduces Jakarta XML Binding (JAXB) 4 as the new jaxb:4 module stream. JAXB is a framework that enables developers to map Java classes to and from XML representations.

Updated GCC Toolset 12

GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Security improvements added for glibc

The SafeLinking feature has been added to glibc. As a result, it improves protection for the malloc family of functions against certain single-linked list corruption including the allocator’s thread-local cache.

Improved glibc dynamic loader algorithm

The glibc dynamic loader’s O(n³) algorithm for processing shared objects could result in slower application startup and shutdown times when shared object dependencies are deeply nested. With this update, the dynamic loader’s algorithm has been improved to use a depth-first search (DFS). As a result, application startup and shutdown times are greatly improved in cases where shared object dependencies are deeply nested.

LLVM Toolset rebased to version 15.0.7

LLVM Toolset has been updated to version 15.0.7. Notable changes include:

Rust Toolset rebased to version 1.66.1

Rust Toolset has been updated to version 1.66.1. Notable changes include:

Go Toolset rebased to version 1.19.4

Go Toolset has been updated to version 1.19.4. Notable changes include:

The tzdata package now includes the /usr/share/zoneinfo/leap-seconds.list file

Previously, the tzdata package only shipped the /usr/share/zoneinfo/leapseconds file. Some applications rely on the alternate format provided by the /usr/share/zoneinfo/leap-seconds.list file and, as a consequence, would experience errors.

SSSD support for converting home directories to lowercase

With this enhancement, you can now configure SSSD to convert user home directories to lowercase. This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir option in the [nss] section of the /etc/sssd/sssd.conf file now recognizes the %h template value. If you use %h as part of the override_homedir definition, SSSD replaces %h with the user’s home directory in lowercase.

The ipapwpolicy ansible-freeipa module now supports new password policy options

With this update, the ipapwpolicy module included in the ansible-freeipa package supports additional libpwquality library options:

IdM now supports the ipanetgroup Ansible management module

As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and netgroups. Using the ipanetgroup ansible-freeipa module, you can achieve the following:

New ipaclient_configure_dns_resolver and ipaclient_dns_servers Ansible ipaclient role variables specifying the client’s DNS resolver  

Previously, when using the ansible-freeipa ipaclient role to install an Identity Management (IdM) client, it was not possible to specify the DNS resolver during the installation process. You had to configure the DNS resolver before the installation.   

Using the ipaclient role to install an IdM client with an OTP requires no prior modification of the Ansible controller

Previously, the kinit command on the Ansible controller was a prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible Automation Platform (AAP), where the krb5-workstation package was not installed by default.

SSSD now supports changing LDAP user passwords with the shadow password policy

With this enhancement, if you set ldap_pwd_policy to shadow in the /etc/sssd/sssd.conf file, LDAP users can now change their password stored in LDAP. Previously, password changes were rejected if ldap_pwd_policy was set to shadow as it was not clear if the corresponding shadow LDAP attributes were being updated.

Configure pam_pwhistory using a configuration file

With this update, you can configure the pam_pwhistory module in the /etc/security/pwhistory.conf configuration file. The pam_pwhistory module saves the last password for each user in order to manage password change history. Support has also been added in authselect which allows you to add the pam_pwhistory module to the PAM stack.

getcert add-scep-ca now checks if user-provided SCEP CA certificates are in a valid PEM format

To add a SCEP CA to certmonger using the getcert add-scep-ca command, the provided certificate must be in a valid PEM format. Previously, the command did not check the user-provided certificate and did not return an error in case of an incorrect format. With this update, getcert add-scep-ca now checks the user-provided certificate and returns an error if the certificate is not in the valid PEM format.

IdM now supports new Active Directory certificate mapping templates

Active Directory (AD) domain administrators can manually map certificates to a user in AD using the altSecurityIdentities attribute. There are six supported values for this attribute, though three mappings are now considered insecure. As part of May 10,2022 security update, once this update is installed on a domain controller, all devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication occurs as expected but a warning message is logged identifying the certificates that are not compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be updated to full enforcement mode and if a certificate fails the strong mapping criteria, authentication will be denied.

samba rebased to version 4.17.5

The samba packages have been upgraded to upstream version 4.17.5, which provides bug fixes and enhancements over the previous version. The most notable changes:

ipa-client-install now supports authentication with PKINIT

Previously, the ipa-client-install supported only password based authentication. This update provides support to ipa-client-install for authentication with PKINIT.

Directory server now supports ECDSA private keys for TLS

Previously, you could not use cryptographic algorithms that are stronger than RSA to secure Directory Server connections. With this enhancement, Directory Server now supports both ECDSA and RSA keys.

New pamModuleIsThreadSafe configuration option is now available

When a PAM module is thread-safe, you can improve the PAM authentication throughput and response time of that specific module, by setting the new pamModuleIsThreadSafe configuration option to yes:

New nsslapd-auditlog-display-attrs configuration parameter for the Directory Server audit log

Previously, the distinguished name (DN) was the only way to identify the target entry in the audit log event. With the new nsslapd-auditlog-display-attrs parameter, you can configure Directory Server to display additional attributes in the audit log, providing more details about the modified entry..

The inkscape1 package replaces inkscape

With this release, the new, non-modular inkscape1 package replaces the legacy, modular inkscape package. This also upgrades the Inkscape application from version 0.92 to version 1.0.

Kiosk mode supports an on-screen keyboard

You can now use the GNOME on-screen keyboard (OSK) in the kiosk mode session.

Support for NTLMv2 in libsoup and Evolution

The libsoup library can now authenticate with the Microsoft Exchange Server using the NT LAN Manager version 2 (NTLMv2) protocol. Previously, libsoup supported only the NTLMv1 protocol, which might be disabled in certain configurations due to security issues.

Custom right-click menu on the desktop

You can now customize the menu that opens when you right-click the desktop background. You can create custom entries in the menu that run arbitrary commands.

Disable swipe to switch workspaces

Previously, swiping up or down with three fingers always switched the workspace on a touch screen. With this release, you can disable the workspace switching.

The web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE

With this update, the RHEL web console performs additional steps required for binding LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1 parameter to the kernel command line, installing the clevis-dracut package, and regenerating an initial ramdisk (initrd). For non-root file systems, the web console now enables the remote-cryptsetup.target and clevis-luks-akspass.path systemd units, installs the clevis-systemd package, and adds the _netdev parameter to the fstab and crypttab configuration files. As a result, you can now use the graphical interface for all Clevis-client configuration steps when creating NBDE deployments for automated unlocking of LUKS-encrypted root volumes.

Certain cryptographic subpolicies are now available in the web console

This update of the RHEL web console extends the options in the Change crypto policy dialog. Besides the four system-wide cryptographic policies, you can also apply the following subpolicies through the graphical interface now:

New IPsec customization parameters for the vpn RHEL system role

Because certain network devices require IPsec customization to work correctly, the following parameters have been added to the vpn RHEL system role:

The ha_cluster system role now supports automated execution of the firewall, selinux, and certificate system roles

The ha_cluster RHEL system role now supports the following features:

The ha_cluster system role now supports quorum device configuration

A quorum device acts as a third-party arbitration device for a cluster. A quorum device is recommended for clusters with an even number of nodes. With two-node clusters, the use of a quorum device can better determine which node survives in a split-brain situation. You can now configure a quorum device with the ha_cluster system role, both qdevice for a cluster and qnetd for an arbitration node.

The metrics system role does not work with disabled fact gathering

Ansible fact gathering might be disabled in your environment for performance or other reasons. In such configurations, it is not currently possible to use the metrics system role. To work around this problem, enable fact caching, or do not use the metrics system role if it is not possible to use fact gathering.

The postfix RHEL system role can now use the firewall and selinux RHEL system roles to manage port access

With this enhancement, you can automate managing port access by using the new role variables postfix_manage_firewall and postfix_manage_selinux:

The vpn RHEL system role can now use the firewall and selinux roles to manage port access

With this enhancement, you can automate managing port access in the vpn RHEL system role through the firewall and selinux roles. If you set the new role variables vpn_manage_firewall and vpn_manage_selinux to true, the roles manage port access.

The metrics RHEL system role now can use the firewall role and the selinux role to manage port access

With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall and metrics_manage_firewall to true, the roles will manage port access. You can now automate and perform these operations directly by using the metrics role.

The nbde_server RHEL system role now can use the firewall and selinux roles to manage port access

With this enhancement, you can use the firewall and selinux roles to manage ports access. If you set the new role variables nbde_server_manage_firewall and nbde_server_manage_selinux to true, the roles manage port access. You can now automate these operations directly by using the nbde_server role.

The initscripts network provider supports route metric configuration of the default gateway

With this update, you can use the initscripts network provider in the rhel-system-roles.network RHEL system role to configure the route metric of the default gateway.

The network system role supports setting a DNS priority value

This enhancement adds the dns_priority parameter to the RHEL network system role. You can set this parameter to a value from -2147483648 to 2147483647. The default value is 0. Lower values have a higher priority. Note that negative values cause the system role to exclude other configurations with a greater numeric priority value. Consequently, in presence of at least one negative priority value, the system role uses only DNS servers from connection profiles with the lowest priority value.

Added support for the cloned MAC address

Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC address of the machine. With this update, users can specify the bonding or bridge interface with the MAC address or the strategy such as random or preserve to get the default MAC address for the bonding or bridge interface.

The cockpit RHEL system role integration with the firewall, selinux, and certificate roles

This enhancement enables you to integrate the cockpit role with the firewall role and the selinux role to manage port access and the certificate role to generate certificates.

The selinux RHEL system role now supports the local parameter

This update of the selinux RHEL system role introduces support for the local parameter. By using this parameter, you can remove only your local policy modifications and preserve the built-in SELinux policy.

New RHEL system role for direct integration with Active Directory

The new rhel-system-roles.ad_integration RHEL system role was added to the rhel-system-roles package. As a result, administrators can now automate direct integration of a RHEL system with an Active Directory domain.

New Ansible Role for Red Hat Insights and subscription management

The rhel-system-roles package now includes the remote host configuration (rhc) system role. This role enables administrators to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. By default, when you register a system by using the rhc system role, the system connects to Red Hat Insights. With the new rhc system role, administrators can now automate the following tasks on the managed nodes:

Microsoft SQL Server Ansible role supports asynchronous high availability replicas

Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness high availability replicas. Now, you can set the mssql_ha_replica_type variable to asynchronous to configure it with asynchronous replica type for a new or existing replica.

Microsoft SQL Server Ansible role supports the read-scale cluster type

Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can configure the role with a new variable mssql_ha_ag_cluster_type. The default value is external, use it to configure the cluster with Pacemaker. To configure the cluster without Pacemaker, use the value none for that variable.

Microsoft SQL Server Ansible role can generate TLS certificates

Previously, you needed to generate a TLS certificate and a private key on the nodes manually before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server Ansible role can use the redhat.rhel_system_roles.certificate role for that purpose. Now, you can set the mssql_tls_certificates variable in the format of the certificate_requests variable of the certificate role to generate a TLS certificate and a private key on the node.

Microsoft SQL Server Ansible role supports configuring SQL Server version 2022

Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version value to 2022 for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.

Microsoft SQL Server Ansible role supports configuration of the Active Directory authentication

With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory authentication for an SQL Server. Now, you can configure the Active Directory authentication by setting variables with the mssql_ad_ prefix.

The logging RHEL system role integration with the firewall, selinux, and certificate roles

This enhancement enables you to integrate the logging role with the firewall role and the selinux role to manage port access and the certificate role to generate certificates.

Routing rule is able to look up a route table by its name

With this update, the rhel-system-roles.network RHEL system role supports looking up a route table by its name when you define a routing rule. This feature provides quick navigation for complex network configurations where you need to have different routing rules for different network segments.

Microsoft SQL Server Ansible role supports configuring SQL Server version 2022

Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version value to 2022 for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.

The journald RHEL system role is now available

The journald service collects and stores log data in a centralized database. With this enhancement, you can use the journald system role variables to automate the configuration of the systemd journal, and configure persistent logging by using the Red Hat Ansible Automation Platform.

The sshd RHEL system role can now use the firewall and selinux RHEL system roles to manage port access

With this enhancement, you can automate managing port access by using the new role variables sshd_manage_firewall and sshd_manage_selinux. If they are set to true, each role is used to manage the port access. If they are set to false, which is default, the roles do not engage.

Hardware cryptographic devices can now be automatically hot-plugged

Previously, it was only possible to define cryptographic devices for passthrough if they were present on the host before the mediated device was started. Now, you can define a mediated device matrix that lists all the cryptographic devices that you want to pass through to your virtual machine (VM). As a result, the specified cryptographic devices are automatically passed through to the running VM if they become available later. Also, if the devices become unavailable, they are removed from the VM, but the guest operating system keeps running normally.

Improved performance for PCI passthrough devices on IBM Z

With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual machines (VMs) on IBM Z hosts now have significantly better performance.

RHEL 8 guests now support SEV-SNP

On virtual machines (VMs) that use RHEL 8 as a guest operating system, you can now use AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work on a RHEL 8 VM, the host running the VM must support SEV-SNP as well.

zPCI device assignment

It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.

The sos utility is moving to a 4-week update cadence

Instead of releasing sos updates with RHEL minor releases, the sos utility release cadence is changing from 6 months to 4 weeks. You can find details about the updates for the sos package in the RPM changelog every 4 weeks or you can read a summary of sos updates in the RHEL Release Notes every 6 months.

The sos clean command now obfuscates IPv6 addresses

Previously, the sos clean command did not obfuscate IPv6 addresses, leaving some customer-sensitive data in the collected sos report. With this update, sos clean detects and obfuscates IPv6 addresses as expected.

New podman RHEL System Role is now available

Beginning with Podman 4.2, you can use the podman System Role to manage Podman configuration, containers, and systemd services that run Podman containers.

Podman now supports events for auditing

Beginning with Podman v4.4, you can gather all relevant information about a container directly from a single event and journald entry. To enable Podman auditing, modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The data is in JSON format, the same as from the podman container inspect command. For more information, see How to use new container events and auditing features in Podman 4.4.

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Aardvark and Netavark now support custom DNS server selection

The Aardvark and Netavark network stack now support custom DNS server selection for containers instead of the default DNS servers on the host. You have two options for specifying the custom DNS server:

Skopeo now supports generating sigstore key pairs

You can use the skopeo generate-sigstore-key command to generate a sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key man page.

Toolbox is now available

With the toolbox utility, you can use the containerized command-line environment without installing troubleshooting tools directly on your system. Toolbox is built on top of Podman and other standard container technologies from OCI. For more information, see toolbx.

The capability for multiple trusted GPG keys for signing images is available

The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted keys. Because of this, the container images signed with Red Hat’s General Availability and Beta GPG keys are now accepted in the default configuration.

RHEL 8 Extended Update Support

The RHEL Container Tools are now supported in RHEL 8 Extended Update Support (EUS) releases. More information on Red Hat Enterprise Linux EUS is available in Container Tools AppStream - Content Availability, Red Hat Enterprise Linux (RHEL) Extended Update Support (EUS) Overview.

The sigstore signatures are now available

Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.

Podman now supports the pre-execution hooks

The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks and /etc/containers/pre-exec-hooks directories define a fine-control over container operations, especially blocking unauthorized actions.

Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning

Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom Partitioning screen displayed only one partition of a related type. As a consequence, the Custom Partitioning screen did not reflect the real state of the intended partitioning layout, making the partitioning process difficult and non-transparent.

The installer now adds configuration options correctly into the yum repo files

Previously, the installer did not add configuration options correctly into yum repo files while including and excluding packages from additional installation repositories. With this update, yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options in the repo kickstart command now excludes or includes the specified packages during installation as expected.

Using the filename DHCP option no longer blocks downloading the kickstart file for installation

Previously, when building a path for getting the kickstart file from an NFS server, the installer did not consider the filename DHCP option. As a consequence, the installer did not download the kickstart file and was blocking the installation process. With this update, the filename DHCP option correctly constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, and the installation process starts correctly.

The installer now creates a new GPT disk layout while custom partitioning

Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As a consequence, the MBR disk layout remained on the disk.

The --size parameter of the composer-cli compose start command now treats its values as MiB

Previously, when using the composer-cli compose start --size size_value blueprint_name image_type command, the composer-cli tool treated the --size parameter values as byte units. This update fixes the issue, and the --size parameter values are now correctly used in the MiB format.

RPM no longer hangs during a transaction involving the fapolicyd service restart

Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon.

Security YUM upgrade is now possible for packages that change their architecture through the upgrade

Patch for BZ#2088149 introduced with RHBA-2022:7711 caused a regression where YUM upgrade using security filters skipped packages that changed their architecture from or to noarch through the upgrade. Consequently, the missing security upgrades for these packages could leave the system in a vulnerable state.

Reverting a YUM upgrade transaction is now possible for a package group or environment

Previously, the yum history rollback command failed when attempting to revert an upgrade transaction for a package group or an environment.

wsmancli handles HTTP 401 Unauthorized statuses correctly

The wsmancli utility for managing systems using Web Services Management protocol now handles authentication to better conform to RFC 2616.

The translator.sty LaTeX style document has been added

Previously, the translator.sty LaTeX style document, which is necessary for certain tools that depend on texlive-beamer, was missing. As a consequence, these tools failed with a LaTeX Error: File `translator.sty' not found. error. This update adds the missing texlive-translator package that contains the translator.sty LaTeX style document. As a result, tools that depend on texlive-beamer work correctly.

ReaR handles excluded DASDs on the IBM Z architecture correctly

Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage Devices (DASD) during the recovery process, including those DASDs that users excluded from the saved layout and did not intend to restore their content. As a consequence, if you excluded some DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR no longer formats excluded DASDs during system recovery, including the device from which the ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs survive a system recovery.

ReaR no longer fails to restore non-LVM XFS filesystems

Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and disk mapping, ReaR created the file system with the default settings instead of the specified settings.

rsync no longer fails while using regular expressions for extended attributes

Previously, the rsync utility for transferring and synchronizing files was not able to handle extended attributes in RHEL 8 correctly. For example, if you passed the --delete option together with the --filter '-x string.*' option for extended attributes to the rsync command, and a file on your system satisfied the regular expression, this resulted in an error message stating protocol incompatibilities. With this update, the rsync utility handles extended attributes correctly and you can use regular expressions for these attributes.

Scans and remediations correctly ignore SCAP Audit rules Audit key

Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following problems:

crypto-policies no longer creates unnecessary symlink

During system installation, the crypto-policies scriptlet creates symlinks from the /usr/share/crypto-policies/DEFAULT file or /usr/share/crypto-policies/FIPS in FIPS mode and saves them in the /etc/crypto-policies/back-ends directory. Previously, crypto-policies incorrectly included directories, and created a /etc/crypto-policies/back-ends/.config symlink that pointed to the /usr/share/crypto-policies/DEFAULT or /usr/share/crypto-policies/FIPS directories. With this update, crypto-policies does not create symlinks from directories, and therefore does not create this unnecessary symlink.

crypto-policies now disable NSEC3DSA for BIND

Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA in the BIND configuration by default.

Libreswan no longer rejects SHA-1 signature verification in the FUTURE and FIPS cryptographic policies

Previously, from update to 4.9, Libreswan rejected SHA-1 signature verification in the FUTURE and FIPS cryptographic policies, and peer authentication failed when authby=rsasig or authby=rsa-sha1 connection options were used. This update reverts this behavior by relaxing how Libreswan handles the crypto-policies settings. As a consequence, you can now use the authby=rsasig and authby=rsa-sha1 connection options using SHA-1 signature verification.

crontab bash scripts no longer execute in incorrect context

Previously, a bug fix published in erratum RHBA-2022:7691 used too general transition rule. Consequently, a bash script executed from the crontab file was executed in the rpm_script_t context instead of the system_cronjob_t context. With this update, bash scripts are now executed in the correct context.

selinux-policy supports service execution in SAP Host Agent

Previously, the SELinux policy did not support the insights-client service interacting with SAP Host Agent and other services. As a consequence, some commands did not work correctly when started from Red Hat Insights. With this update, the SELinux policy supports SAP service execution. As a result, SAP services started from Insights run successfully.

selinux-policy now allows pmcd to execute its private memfd: objects

Previously, the SELinux policy did not allow the pmcd process from the Performance Co-Pilot (PCP) framework to execute its private memory file-system objects (memfd:). Consequently, SELinux denied the Performance Metric Domain Agent (PMDA) BPF Compiler Collection (BCC) service to execute memfd: objects. In this update, the SELinux policy contains new rules for pcmd. As a result, pmcd can now execute memfd: objects with SELinux in enforcing mode.

SELinux policy allows sysadm_r to use subscription-manager

Previously, users in the sysadm_r SELinux role were not allowed to execute some subcommands of the subscription-manager utility. Consequently, the subcommands failed to read the memory device. This update adds a new rule to the SELinux policy that allows the sysadm_t type to read /dev/mem. As a consequence, the subscription-manager subcommands do not fail.

samba-dcerpcd process now works correctly with nscd

Previously, the samba-dcerpcd process could not communicate with the nscd process because of the SELinux policy. Consequently, the samba-dcerpcd service did not work properly when the nscd service was enabled. With this update, the SELinux policy has been updated with new rules for samba-dcerpcd.

vlock now works properly for confined users

Previously, the confined user could not use vlock due to SELinux policy. Consequently, the vlock command did not work properly for confined users. With this update, the SELinux policy has been updated with new rules for confined users.

Confined users now can log in without a reported denial

Previously, SELinux policy did not allow all permissions needed to log in a SELinux confined user using GUI. Consequently, AVC denials were audited and some services like dbus or pulseaudio did not work properly. With this update, the SELinux policy has been updated with new rules for confined users.

insights-client now has additional permissions in the SELinux policy

The updated insights-client service requires additional permissions, which were not included in the previous versions of the selinux-policy packages. As a consequence, certain components of insights-client did not work correctly with SELinux in enforcing mode, and the system reported access vector cache (AVC) error messages. This update adds the missing permissions to the SELinux policy. As a result, insights-client now works correctly without reporting AVC errors.

The SELinux policy allows smb access to user shares

Previously, the samba-dcerpcd process was separated from the smb service, but did not have access to user shares. As a consequence, smb clients could not access files on user smb shares. This update adds rules to the SELinux policy for managing user home content for the samba-dcerpcd binary when the samba_enable_home_dirs boolean is enabled. As a result, samba-dcerpcd can access user shares when samba_enable_home_dirs is on.

The SELinux policy now allows confined administrators to access ipmi devices when IPMItool runs

Previously, the SELinux policy did not allow confined administrators to read and write ipmi devices when the IPMItool utility is run. As a consequence, when a confined administrator ran ipmitool, it failed. This update adds allow rules to selinux-policy for administrators assigned to the sysadm_r SELinux role. As a result, if a confined administrator runs ipmitool it works correctly.

SCAP Security Guide rule file_permissions_sshd_private_key is aligned with STIG configuration RHEL-08-010490

Previously, the implementation of rule file_permissions_sshd_private_key allowed private SSH keys to be readable by the ssh_keys group with mode 0644, while DISA STIG version RHEL-08-010490 required private SSH keys to have mode 0600. As a consequence, evaluation with DISA’s automated STIG benchmark failed for configuration RHEL-08-010490.

The sudo_require_reauthentication SCAP Security Guide rule accepts correct spacing in sudoers

Previously, a bug in the checking of the xccdf_org.ssgproject.content_rule_sudo_require_reauthentication rule caused it to require specific spacing between the timestamp_timeout key and its value in the /etc/sudoers file and the /etc/sudoers.d directory. Consequently, valid and compliant syntax caused the rule to fail incorrectly. With this update, the check for xccdf_org.ssgproject.content_rule_sudo_require_reauthentication has been updated to accept blank spaces around the equal sign. As a result, the rule accepts correct and compliant definitions of timestamp_timeout with any of the following spacing formats:

Old Kerberos rules changed to notapplicable in new versions of RHEL

Previously, some Kerberos-related rules failed while scanning against the DISA STIG profile on RHEL 8.8 and later systems in FIPS mode, even though the system should have been compliant. This was caused by the following rules:

scap-security-guide STIG profiles no longer require specific text in /etc/audit/rules.d/11-loginuid.rules

Previously, the SCAP rule audit_immutable_login_uids used in RHEL 8 profiles stig and stig_gui passed only if file /etc/audit/rules.d/11-loginuid.rules contained exact text. This is, however, not necessary to fulfill the STIG requirement (RHEL-08-030122). With this update, the new rule audit_rules_immutable_login_uids replaces audit_immutable_login_uids in RHEL 8 stig and stig_gui profiles. As a result, you can now specify the --loginuid-immutable parameter that fulfills the rule in any file with the .rules extension within the /etc/audit/rules.d directory or in the /etc/audit/audit.rules file, depending on usage of auditctl or augen-rules.

Rules for CIS profiles in scap-security-guide are better aligned

Previously, some rules were incorrectly assigned to certain Center for Internet Security (CIS) profiles (cis, cis_server_l1, cis_workstation_1, and cis_workstation_l2). As a consequence, scanning according to some CIS profiles could skip rules from the CIS benchmark or check for unnecessary rules.

Clevis ignores commented devices in crypttab

Previously, Clevis tried to unlock commented devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. This caused unnecessary service runs and made it difficult to troubleshoot.

Clevis no longer requests too much entropy from pwmake

Previously, the pwmake password generation utility displayed unwanted warnings when Clevis used pwmake to create passwords for storing data in LUKS metadata, which caused Clevis to use lower entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct amount of entropy.

logrotate no longer incorrectly signals Rsyslog in log rotation

Previously, the argument order was incorrectly set in the logrotate script, which caused a syntax error. This resulted in logrotate not correctly signaling Rsyslog during log rotation.

Rsyslog no longer crashes due to a bug in imklog

Previously, Rsyslog could encounter a segmentation fault if the imklog module was enabled and a free() call using an invalid object was freed during use. With this update, the freed object is correctly deallocated at the correct place. As a result, the segmentation fault no longer occurs.

USBGuard no longer causes a confusing warning

Previously, a race condition could happen in USBGuard when a parent process finished sooner than the first child process. As a consequence, systemd reported that a process was present with a wrongly identified parent PID (PPID). With this update, a parent process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings.

The usbguard service file did not define OOMScore

Previously, the usbguard service file did not define the OOMScoreAdjust option. Consequently, the process could be identified as a candidate for killing before unprivileged processes when the system resources are closed to running out. With this update, the new OOMScoreAdjust setting was introduced to the usbguard.service file, to disable OOM killing processes of the usbguard unit.

USBGuard saves rules even if RuleFile is not defined

Previously, if the RuleFile configuration directive in USBGuard was set but RuleFolder was not, the rule set could not be changed. With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a result, you can modify the permanent policy in USBGuard to permanently save newly added rules.

xdp-tools rebased to version 1.2.10

The xdp-tools packages have been upgraded to upstream version 1.2.10, which provides a number of bug fixes over the previous version.

conntrackd functions properly even if HashSize and HashLimit are not set manually

Previously, the conntrackd service did not set default values for the HashSize and HashLimit configuration variables. Consequently, conntrackd could become unstable or stop functioning entirely if you did not specify those values. The problem has been fixed by making the configuration reader set the default values for HashSize and HashLimit before conntrackd parses the configuration file. As a result, conntrackd now functions correctly even if you do not specify the values.

The nm-cloud-setup service no longer removes routes and manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Previously, administrators had to disable nm-cloud-setup to manually configure routes and secondary IP addresses on interfaces to avoid that the service removes them. This update adds a flag to the Reapply() function to preserve externally added addresses and routes. As a result, administrators no longer need to disable the nm-cloud-setup service in the mentioned scenario.

kpatch-patch works correctly on systems with an idle isolated CPU

Previously, when you attempted to install kpatch-patch CVE mitigation packages on systems with the kernel CPU isolation feature, the kpatch-patch RPMs did install, but failed to load their CVE mitigation kernel module. With this fix, the two features co-exist, and you can now successfully deploy kpatch CVE fixes when CPU isolation is in place.

Enabling VMD works again

Previously, the operating system would fail to boot if Volume Management Device (VMD) was enabled. This update provides numerous bug fixes essential for VMD to work as expected.

System works correctly without the soft lockup while starting a VDO volume

Due to fixing a Kernel Application Binary Interface (kABI) bug in the pv_mmu_ops structure, RHEL 8.7 systems with kernel version 4.18.0-425.10.1.el8_7, that is RHEL-8.7.0.2-BaseOS, hung or encountered a kernel panic due to soft lockup while starting a Virtual Data Optimizer (VDO) volume.

VDO driver bug no longer causing device freezes through journal blocks

Previously, a bug in the VDO driver caused the system to mark some journal blocks as waiting for metadata updates. This problem was triggered when increasing the size of the VDO pool or the logical volume on top of it, or when using the pvmove and lvchange operations on LVM tools managed VDO devices. The bug was caused by incomplete resets that left some journal pages unavailable for use, and an incorrect notion of how many slots in the recovery journal were available to be filled. As a result, the device would freeze.

pcs no longer allows you to modify cluster properties that should not be changed

Previously, the pcs command line interface allowed you to modify cluster properties that should not be changed or for which change does not take effect. With this fix, pcs no longer allows you to modify these cluster properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh.

pcs now displays cluster properties that are not explicitly configured

Previously, a pcs command to display the value of a specific cluster property did not list values that are not explicitly configured in the CIB. With this fix, if a cluster property is not set pcs displays the default value for the property.

Cluster resources that call crm_mon now stop cleanly at shutdown

Previously, the crm_mon utility returned a nonzero exit status while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pqsql, could incorrectly return a failure at cluster shutdown. With this fix, crm_mon returns success even if the cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown.

OCF resource agent metadata actions can now call crm_node without causing unexpected fencing

As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an agent’s metadata action called crm_node, it blocked the controller for 30 seconds until the action timed out. This could cause other actions to fail and the node to be fenced.

Enabling a single resource and monitoring operation no longer enables monitoring operations for all resources in a resource group

Previously, after unmanaging all resources and monitoring operations in a resource group, managing one of the resources in that group along with its monitoring operation re-enabled the monitoring operations for all resources in the resource group. This could trigger unexpected cluster behavior.

Pacemaker now rechecks resource assignments immediately when resource order changes

As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in the CIB changed with no changes to the resource definition. If configuration reordering would cause resources to move, that would not take place until the next natural transition, up to the value of cluster-recheck-interval-property. This could cause issues if resource stickiness is not configured for a resource.

You can install SciPy using pip on all architectures

Previously, the openblas-devel package did not contain a pkg-config file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to determine the compiler and linker flags using the pkgconf utility while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, Little Endian architectures.

Functions in go no longer cause memory leak

Previously, the EVP_PKEY_sign_raw and EVP_PKEY_verify_raw functions did not call free to clean the memory. Consequently, the memory leaked and has not been recovered. With this updated, the EVP_PKEY_sign_raw and EVP_PKEY_verify_raw functions now call free and memory is not leaking.

golang now supports 4096 bit keys in x509 FIPS mode

Previously, golang did not support the 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, golang now supports 4096 bit keys in x509 FIPS mode.

libffi can now probe for executable memory with SELinux enabled

By default, libffi does not probe for executable memory when SELinux is enabled. As a consequence, programs which use libffi closures and fork() without immediately executing some other processes terminate unexpectedly when SELinux is enabled. With this update, libffi looks for a /etc/sysconfig/libffi-force-shared-memory-check-first file and, if it exists, probes for executable memory regardless of if SELinux is enabled. As a result, programs using libffi can safely fork() without crashing with SELinux enabled.

Implemented big endian support in OpenSSL bindings for golang

Previously, the OpenSSL bindings for golang did not have support for big-endian, leading to potential issues with the conversion of BigInt values. As a result, the crypto routines were unable to perform this conversion. To fix this issue, big-endian support was implemented in the OpenSSL bindings for golang. As a result, conversions from BigInt are now successful, and the tests pass as expected.

Authentication to external IdPs that require a client secret is now possible

Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). Consequently, authentication failed against external IdPs that you previously configured with the ipa idp-add --secret command to require a client secret. With this update, SSSD passes the client secret to the IdP and users can authenticate.

IdM now supports setting hostmasks for sudo rules using Ansible

Previously, the ipa sudorule-add-host command allowed setting a hostmask to be used by the sudo rule, but this option was not present in the ansible-freeipa package. With this update, you can now use the ansible-freeipa hostmask variable to define a list of hostmasks to which a particular sudo rule, defined in Identity Management (IdM), applies.

The scheduled time of the changelog compaction now works correctly

Previously, when you configured a custom scheduled time for the changelog compaction, the server did not apply the new setting, and the changelog compaction could start during peak times. With this release, the server now correctly applies the custom time of the changelog compaction.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

Matrox G200e now works correctly with a VGA display

Previously, your display might have shown no graphical output if you used the following system configuration:

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 8.8.0, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

The nbde_client system role now correctly handles different names of clevis-luks-askpass

The nbde_client system role has been updated to handle the systems on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with different names of clevis-luks-askpass on managed nodes, which requires unlocking also LUKS-encrypted volumes that mount late in the boot process.

The ha_cluster system role logs no longer display unencrypted passwords and secrets

The ha_cluster system role accepts parameters that can be passwords or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, the role logs could contain unencrypted passwords and other secrets.

Clusters configured with ha_cluster system role to use SBD and not start on boot now work correctly

Previously, if a user configured a cluster using the ha_cluster system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether or not the cluster is configured to start on boot.

Setting stonith-watchdog-timeout property with the ha_cluster system role now works in a stopped cluster

Previously, when you set the stonith-watchdog-timeout property with the ha_cluster system role in a stopped cluster, the property reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster system role works properly.

Enabling implicit files provider to fix rhel-system-roles SSSD configuration

A disabled SSSD implicit files provider caused the rhel-system-roles modules to create an invalid System Security Services Daemon (SSSD) configuration. This update unconditionally enables the files provider and as a result, the SSSD configuration created by rhel-system-roles now works as expected.

Network traffic is now directed through the intended network interface when using initscripts with the networking RHEL system role

Previously, when using the initscripts provider, the routing configuration for network connections did not specify the output device that the traffic should go through. Consequently, the kernel could use a different output device than the user intended. Now, if the network interface name is specified in the playbook for the connection, it is used as the output device in the route configuration file. This aligns the behavior with NetworkManager, which configures the output device in routes when activating profiles on devices. As a result, the users can ensure that the traffic is directed through the intended network interface.

The nbde_client_clevis role no longer reports traceback to users

Previously, the nbde_client_clevis role sometimes failed in exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the role no longer reports sensitive data, only the appropriate error messages.

System time on nested VMs now works reliably

Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or terminate unexpectedly.

Network traffic performance in virtual machines is no longer reduced

Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and the network traffic performance is not affected anymore.

Virtual machines using memfd run as expected

Previously, virtual machines (VMs) running on the 64-bit IBM Z processor architecture that used memfd to back memory with hugepages failed to run. With this update, the problem has been fixed and VMs using memfd can now be defined on the 64-bit IBM Z processor architecture. As a result, you can now run VMs which use memfd to back the memory with hugepages.

System time in VMs now synchronizes correctly with the host

Previously, the KVM module performed the real-time clock (RTC) synchronization less frequently than intended. As a consequence, the system time in VMs hosted on RHEL 8 sometimes did not correctly reflect the system time on the host. This update fixes the RTC scheduling in KVM, which prevents the described problem from occurring.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through Unix domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP features that are available as Technology Preview

Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:

Multi-protocol Label Switching for TC available as a Technology Preview

The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route traffic flow across enterprise networks. In an MPLS network, the router that receives packets decides the further route of the packets based on the labels attached to the packet. With the usage of labels, the MPLS network has the ability to handle packets with particular characteristics. For example, you can add tc filters for managing packets received from specific ports or carrying specific types of traffic, in a consistent way.

act_mpls module available as a Technology Preview

The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set independently.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The kexec fast reboot feature is available as a Technology Preview

The kexec fast reboot feature continues to be available as a Technology Preview. The kexec fast reboot significantly speeds the boot process as you can boot directly into the second kernel without passing through the Basic Input/Output System (BIOS) or firmware first. To use this feature:

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

The accel-config package available as a Technology Preview

The accel-config package is now available on Intel EM64T and AMD64 architectures as a Technology Preview. This package helps in controlling and configuring data-streaming accelerator (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the json format.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, a mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager, which provides managed file systems on top of pools of storage with additional features. It is provided as a Technology Preview.

NVMe/TCP host is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme_tcp.ko kernel module has been added as a Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included only for testing purposes and is not currently planned for full support.

Setting up a Samba server on an IdM domain member is provided as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on Podman, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 8.7 and later.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and later.

RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

As a Technology Preview in RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 8.7 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

Intel Arc A-Series graphics available as a Technology Preview

Intel Arc A-Series graphics, also known as Alchemist or DG2, are now available as a Technology Preview.

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel vGPU

As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Technology Preview: Select Intel network adapters now provide SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 8.8 guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

Sharing files between hosts and VMs using virtiofs

As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can efficiently share files between your host system and its virtual machines (VM).

RHEL confidential VMs are now available on Azure as a Technology Preview

With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL confidential VM images during boot on Azure.

Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology Preview

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology Preview. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

Quadlet in Podman is now available as a Technology Preview

Beginning with Podman v4.4, you can use Quadlet to automatically generate a systemd service file from the container description as a Technology Preview. The container description is in the systemd unit file format. The description focuses on the relevant container details and hides the technical complexity of running containers under systemd. The Quadlets are easier to write and maintain than the systemd unit files.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs:

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

The Kickstart autostep command has been deprecated

The autostep command has been deprecated. The related section about this command has been removed from the RHEL 8 documentation.

The --token option of the subscription-manager command is deprecated

The --token=<TOKEN> option of the subscription-manager register command is an authentication method that helps register your system to Red Hat. This option depends on capabilities offered by the entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with the following error message:

rpmbuild --sign is deprecated

The rpmbuild --sign command is deprecated since RHEL 8.1. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

The OpenEXR component has been deprecated

The OpenEXR component has been deprecated. Hence, the support for the EXR image format has been dropped from the imagecodecs module.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The hidepid=n mount option is not supported in RHEL 8 systemd

The mount option hidepid=n, which controls who can access information in /proc/[pid] directories, is not compatible with systemd infrastructure provided in RHEL 8.

The /usr/lib/udev/rename_device utility has been deprecated

The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been deprecated.

The ABRT tool has been deprecated

The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been deprecated in RHEL 8. As a replacement, use the systemd-coredump tool to log and store core dumps, which are automatically generated files after a program crashes.

The ReaR crontab has been deprecated

The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The raw command has been deprecated

The raw (/usr/bin/raw) command has been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error.

NSS SEED ciphers are deprecated

The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

Runtime disabling SELinux using /etc/selinux/config is now deprecated

Runtime disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file has been deprecated. In RHEL 9, when you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded.

The ipa SELinux module removed from selinux-policy

The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The functionality is now included in the ipa-selinux subpackage.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

crypto-policies derived properties are now deprecated

With the introduction of scopes for crypto-policies directives in custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as well. See the crypto-policies(7) man page for recommended replacements.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

The dropwatch tool is deprecated

The dropwatch tool has been deprecated. The tool will not be supported in future releases, thus it is not recommended for new deployments. As a replacement of this package, Red Hat recommends to use the perf command line tool.

The xinetd service has been deprecated

The xinetd service has been deprecated and will be removed in RHEL 9. As a replacement, use systemd. For further details, see How to convert xinetd service to systemd.

The cgdcbxd package is deprecated

Control group data center bridging exchange daemon (cgdcbxd) is a service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major RHEL release.

The WEP Wi-Fi connection method is deprecated

The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.

The unsupported xt_u32 module is now deprecated

Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the xt_u32 module is deprecated and will be removed in RHEL 9.

The term slaves is deprecated in the nmstate API

Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The Linux firewire sub-system and its associated user-space components are deprecated in RHEL 8

The firewire sub-system provides interfaces to use and maintain any resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as well.

Installing RHEL for Real Time 8 using diskless boot is now deprecated

Diskless booting allows multiple systems to share a root file system through the network. While convenient, diskless boot is prone to introducing network latency in real-time workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.

Kernel live patching now covers all RHEL minor releases

Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch has been decreased from 12 to 6 months for every minor, major, and zStream version of the kernel. It means that on the day a kernel live patch is released, it will cover every minor release and scheduled errata kernel delivered in the past 6 months.

The crash-ptdump-command package is deprecated

The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and might not be available in future RHEL releases. The ptdump command fails to retrieve the log buffer when working in the Single Range Output mode and only works in the Table of Physical Addresses (ToPA) mode. crash-ptdump-command is currently not maintained upstream

The kernelopts environment variable has been deprecated

In RHEL 8, the kernel command-line parameters for systems using the GRUB bootloader were defined in the kernelopts environment variable. The variable was stored in the /boot/grub2/grubenv file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of RHEL, kernelopts will be removed and the kernel command-line parameters will be stored in the Boot Loader Specification (BLS) snippet instead.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

peripety is deprecated

The peripety package is deprecated since RHEL 8.3.

VDO write modes other than async are deprecated

VDO supports several write modes in RHEL 8:

VDO manager has been deprecated

The python-based VDO management software has been deprecated and will be removed from RHEL 9. In RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create VDO volumes using the lvcreate command.

cramfs has been deprecated

Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution.

pcs commands that support the clufter tool have been deprecated

The pcs commands that support the clufter tool for analyzing cluster configuration formats have been deprecated. These commands now print a warning that the command has been deprecated and sections related to these commands have been removed from the pcs help display and the pcs(8) man page.

The mod_php module provided with PHP for use with the Apache HTTP Server has been deprecated

The mod_php module provided with PHP for use with the Apache HTTP Server in RHEL 8 is available but not enabled in the default configuration. The module is no longer available in RHEL 9.

The gdb.i686 packages are deprecated

In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions of GDB, gdb.x86_64, are fully capable of debugging 32-bit applications.

libdwarf has been deprecated

The libdwarf library has been deprecated in RHEL 8. The library will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for applications that wish to process ELF/DWARF files.

openssh-ldap has been deprecated

The openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

DES and 3DES encryption types have been removed

Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.

The SSSD version of libwbclient has been removed

The SSSD implementation of the libwbclient package was deprecated in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of libwbclient has now been removed.

Standalone use of the ctdb service has been deprecated

Since RHEL 8.4, customers are advised to use the ctdb clustered Samba service only when both of the following conditions apply:

Indirect AD integration with IdM via WinSync has been deprecated

WinSync is no longer actively developed in RHEL 8 due to several functional limitations:

The SSSD implicit files provider domain is disabled by default

The default value of the enable_files_domain setting in the /etc/sssd/sssd.conf configuration file has been changed from true to false. This means that the SSSD implicit files provider domain, which retrieves user and group information from local files /etc/passwd and /etc/group, is now disabled by default.

Running Samba as a PDC or BDC is deprecated

The classic domain controller mode that enabled administrators to run Samba as an NT4-like primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and settings to configure these modes will be removed in a future Samba release.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

Limited support for FreeRADIUS

In RHEL 8, the following external authentication modules are deprecated as part of the FreeRADIUS offering:

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

The geoipupdate package has been deprecated

The geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in the next major RHEL version.

The network system role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on an RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

Ansible Engine has been deprecated

Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no support after September 29, 2023. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.

virsh iface-* commands have become deprecated

The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a future major version of RHEL. In addition, these commands frequently fail due to configuration dependencies.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA.

SPICE has been deprecated

The SPICE remote display protocol has become deprecated. As a result, SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:

KVM on IBM POWER has been deprecated

Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM POWER is still supported in RHEL 8, but will become unsupported in a future major release of RHEL.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Using SPICE to attach smart card readers to virtual machines has been deprecated

The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage of smart cards in VMs has also become deprecated in RHEL 8.

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

The Podman varlink-based API v1.0 has been removed

The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API v1.0 has been completely removed.

container-tools:1.0 has been deprecated

The container-tools:1.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:2.0 or container-tools:3.0.

The container-tools:2.0 module has been deprecated

The container-tools:2.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:3.0.

Flatpak images except GIMP has been deprecated

The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because there is no replacement yet in RHEL 9.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack will be deprecated in a future minor version. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

container-tools:3.0 has been deprecated

The container-tools:3.0 module has been deprecated and will no longer receive security updates. To continue to build and run Linux Containers on RHEL, use a newer, stable, and supported module stream, such as container-tools:4.0.

During RHEL installation on IBM Z, udev does not assign predictable interface names to RoCE cards enumerated by FID

If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is no workaround during the installation, but you can configure the feature after the installation. For further details, see Determining a predictable RoCE device name on the IBM Z platform.

Installation fails on IBM Power 10 systems with LPAR and secure boot enabled

RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. Consequently, when logical partition (LPAR) is enabled with the secure boot option, the installation fails with the error, Unable to proceed with RHEL-x.x Installation.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running. To work around this problem, do not run Anaconda on the production system and execute it in a temporary virtual machine. So that the SELinux policy on a production system is not modified. Running anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this issue.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Network access is not enabled by default in the installation program

Several installation features require network access, for example, registration of a system using the Content Delivery Network (CDN), NTP server support, and network installation sources. However, network access is not enabled by default, and as a result, these features cannot be used until network access is enabled.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

IBM Power systems with HASH MMU mode fail to boot with memory allocation failures

IBM Power Systems with HASH memory allocation unit (MMU) mode support kdump up to a maximum of 192 cores. Consequently, the system fails to boot with memory allocation failures if kdump is enabled on more than 192 cores. This limitation is due to RMA memory allocations during early boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled instead of using kdump.

RHEL for Edge installer image fails to create mount points when installing an rpm-ostree payload

When deploying rpm-ostree payloads, used for example in a RHEL for Edge installer image, the installer does not properly create some mount points for custom partitions. As a consequence, the installation is aborted with the following error:

syspurpose addons have no effect on the subscription-manager attach --auto output

In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to set values to the addons argument will not observe any effect on the subscriptions that are auto-attached.

cr_compress_file_with_stat() can cause a memory leak

The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with char **dst as a second parameter. Depending on its other parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. This unpredictable behavior can cause a memory leak, because it does not inform the user when to free dst contents.

YUM transactions reported as successful when a scriptlet fails

Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the transaction. This behavior propagates up to YUM as well. This results in scriptlets which might occasionally fail while the overall package transaction reports as successful.

ipmitool is incompatible with certain server platforms

The ipmitool utility serves for monitoring, configuring, and managing devices that support the Intelligent Platform Management Interface (IPMI). The current version of ipmitool uses Cipher Suite 17 by default instead of the previous Cipher Suite 3. Consequently, ipmitool fails to communicate with certain bare metal nodes that announced support for Cipher Suite 17 during negotiation, but do not actually support this cipher suite. As a result, ipmitool aborts with the no matching cipher suite error message.

ReaR fails to recreate a volume group when you do not use clean disks for restoring

ReaR fails to perform recovery when you want to restore to disks that contain existing data.

coreutils might report misleading EPERM error codes

GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter returns an EPERM error code for unknown system calls, coreutils might consequently report misleading EPERM error codes because EPERM can not be distinguished from the actual Operation not permitted error returned by a working statx() syscall.

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to SHA-256

By default in RHEL 8, postfix uses MD5 fingerprints with the TLS for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, which may cause TLS to incorrectly function in the default postfix configuration. To workaround this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration file.

The brltty package is not multilib compatible

It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is recommended.

tangd-keygen does not handle non-default umask correctly

The tangd-keygen script does not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returns the error message Internal Error 500 instead of displaying the keys.

sshd -T provides inaccurate information about Ciphers, MACs and KeX algorithms

The output of the sshd -T command does not contain the system-wide crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. Crypto policies are applied as command-line arguments to the sshd executable in the sshd.service unit during the service’s start by using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX algorithms differ from sshd -T to what is provided by current crypto policy level. As a result, the output from sshd -T matches the currently configured crypto policy.

RHV hypervisor may not work correctly when hardening the system during installation

When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work around the problem, install the RHV-H system without applying any profile hardening, and after the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV hypervisor works correctly.

CVE OVAL feeds are now only in the compressed format, and data streams are not in the SCAP 1.3 standard

Red Hat provides CVE OVAL feeds in the bzip2-compressed format and are no longer available in the XML file format. Because referencing compressed content is not standardized in the Security Content Automation Protocol (SCAP) 1.3 specification, third-party SCAP scanners can have problems scanning rules that use the feed.

Certain Rsyslog priority strings do not work correctly

Support for the GnuTLS priority string for imtcp that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in the Rsyslog remote logging application:

Server with GUI and Workstation installations are not possible with CIS Server profiles

The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either of these software selections will generate the error message:

Kickstart uses org_fedora_oscap instead of com_redhat_oscap in RHEL 8

The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary to keep compatibility with Red Hat Enterprise Linux 7.

libvirt overrides xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding

The libvirt virtualization framework enables IPv4 forwarding whenever a virtual network with a forward mode of route or nat is started. This overrides the configuration by the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding rule, and subsequent compliance scans report the fail result when assessing this rule.

OpenSSL in FIPS mode accepts only specific D-H parameters

In FIPS mode, TLS clients that use OpenSSL return a bad dh value error and abort TLS connections to servers that use manually generated parameters. This is because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known parameters of similar size. To work around this problem, use only the compliant groups.

crypto-policies incorrectly allow Camellia ciphers

The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy levels, as stated in the product documentation. However, the Kerberos protocol enables the ciphers by default.

OpenSC might not detect CardOS V5.3 card objects correctly

The OpenSC toolkit does not correctly detect serial numbers of smart cards using the CardOS V5.3 system. Consequently, the pkcs11-tool utility might not list card objects.

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

The file_caching option is enabled in the default OpenSC configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning process through OpenSC fails.

Connections to servers with SHA-1 signatures do not work with GnuTLS

SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS connection to peers that offer such certificates. This behavior is inconsistent with other system cryptographic libraries.

libselinux-python is available only through its module

The libselinux-python package contains only Python 2 bindings for developing SELinux applications and it is used for backward compatibility. For this reason, libselinux-python is no longer available in the default RHEL 8 repositories through the yum install libselinux-python command.

udica processes UBI 8 containers only when started with --env container=podman

The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. This prevents the udica tool from analyzing a container JavaScript Object Notation (JSON) file.

Negative effects of the default logging setup on performance

The default logging environment setup might consume 4 GB of memory or even more and adjustments of rate-limit values are complex when systemd-journald is running with rsyslog.