8.9 Release Notes

Support to both legacy and UEFI boot for AWS EC2 images

Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.

New boot option inst.wait_for_disks= to add wait time for loading a kickstart file or the kernel drivers

Sometimes, it may take a few seconds to load a kickstart file or the kernel drivers from the device with the OEMDRV label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 seconds to minimize the delay. For more information about this option, see Storage boot options.

New network kickstart options to control DNS handling

You can now control DNS handling using the network kickstart command with the following new options. Use these new options with the --device option.

opencryptoki rebased to 3.21.0

The opencryptoki package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

fapolicyd now provides rule numbers for troubleshooting

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial to the fanotify API. As a result, you can troubleshoot problems related to fapolicyd more precisely.

ANSSI-BP-028 security profiles updated to version 2.0

The following French National Agency for the Security of Information Systems (ANSSI) BP-028 profiles in the SCAP Security Guide were updated to be aligned with version 2.0:

Better definition of interactive users

The rules in the scap-security-guide package were improved to provide more consistent interactive user configuration. Previously, some rules used different approaches for identifying interactive and non-interactive users. With this update, we have unified the definitions of interactive users. User accounts with UID greater than or equal to 1000 are now considered interactive, with the exception of the nobody and nfsnobody accounts and with the exception of accounts that use /sbin/nologin as the login shell.

The DISA STIG profile now supports audit_rules_login_events_faillock

With this enhancement, the SCAP Security Guide audit_rules_login_events_faillock rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the /var/log/faillock directory.

OpenSCAP rebased to 1.3.8

The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:

SCAP Security Guide rebased to version 0.1.69

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes, most notably three new SCAP profiles for RHEL 9 which are aligned with three levels of the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in 2022-10:

FIPS-enabled in-place upgrades from RHEL 8.8 and later to RHEL 9.2 and later are supported

With the release of the RHBA-2023:3824 advisory, you can perform an in-place upgrade of a RHEL 8.8 and later system to a RHEL 9.2 and later system with FIPS mode enabled.

crypto-policies permitted_enctypes no longer break replications in FIPS mode

Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.

Audit now supports FANOTIFY record fields

This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY record, notably:

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the virt_qemu_ga_unconfined_t domain.

Postfix now supports SRV lookups

With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:

You can now specify TLS 1.3 cipher suites in vsftpd

With this enhancement, you can use the new ssl_ciphersuites option to configure which cipher suites vsftpd uses. As a result, you can specify TLS 1.3 cipher suites that differ from the previous TLS versions. To specify multiple cipher suites, separate entries with colons (:).

Generic LF-to-CRLF driver is available in cups-filters

With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only driver from RHEL 7. The new name reflects its actual functionality.

iproute rebased to version 6.2.0

The iproute packages have been upgraded to upstream version 6.2.0, which provides a number of enhancements and bug fixes over the previous version. The most notable changes are:

Security improvement of the default nftables service configuration

This enhancement adds the do_masquerade chain to the default nftables service configuration in the /etc/sysconfig/nftables/nat.nft file. This reduces the risk of a port shadow attack, which is described in CVE-2021-3773. The first rule in the do_masquerade chain detects suitable packets and enforces source port randomization to reduce the risk of port shadow attacks.

NetworkManager supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes by suppressing AAAA queries generated by the stub resolver. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can disable IPv6 resolution by using the nmcli utility. After a restart of the NetworkManager service, the no-aaaa setting gets reflected in the /etc/resolv.conf file, with additional control over DNS lookups.

The nm-cloud-setup utility now supports IMDSv2 configuration

Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.

The libnftnl package rebased to version 1.2.2

The Netlink API to the in-kernel nf_tables subsystem (libnftnl) package has been rebased. Notable changes and enhancements include:

Kernel version in RHEL 8.9

Red Hat Enterprise Linux 8.9 is distributed with the kernel version 4.18.0-513.5.1.

The RHEL kernel now supports AutoIBRS

Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.

The Intel® QAT kernel driver rebased to upstream version 6.2

The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.

makedumpfile rebased to version 1.7.2

The makedumpfile tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to version 1.7.2. The rebase includes many bug fixes and enhancements.

Support for specifying a UUID when creating a GFS2 file system

The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify the file system UUID for the file system you create. If you omit this option, the file system’s UUID is generated randomly.

fuse3 now allows invalidating a directory entry without triggering umount

With this update, a new mechanism has been added to fuse3 package, that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry.

Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints before trying to satisfy optional colocation constraints

Previously, colocation constraints were considered one by one regardless of whether they were mandatory or optional. This meant that certain resources could be unable to run even though a node assignment was possible. Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints, including the implicit constraints between group members, before trying to satisfy optional colocation constraints. As a result, resources with a mix of optional and mandatory colocation constraints are now more likely to be able to run.

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing

The IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing, which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table parameter.

The Filesystem resource agent now supports the EFS file system type

The ocf:heartbeat:Filesystem cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem resource.

The alert_snmp.sh.sample alert agent now supports SNMPv3

The alert_snmp.sh.sample alert agent, which is the sample alert agent provided with Pacemaker, now supports the SNMPv3 protocol as well as SNMPv2. With this update, you can copy the alert_snmp.sh.sample agent without modification to use SNMPv3 with Pacemaker alerts.

New enabled alert meta option to disable a Pacemaker alert

Pacemaker alerts and alert recipients now support an enabled meta option.

Pacemaker Remote nodes now preserve transient node attributes after a brief connection outage

Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its transient node attributes. This was unnecessary if the connection was quickly recoverable and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve transient node attributes after a brief, recoverable connection outage.

Enhancements to the pcs property command

The pcs property command now supports the following enhancements:

A new nodejs:20 module stream is fully supported

A new module stream, nodejs:20, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7249 advisory. The nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version.

A new filter argument to the Python tarfile extraction functions

To mitigate CVE-2007-4559, Python adds a filter argument to the tarfile extraction functions. The argument allows turning tar features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data' filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.

The HTTP::Tiny Perl module now verifies TLS certificates by default

The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN Perl module.

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc

Previously, the default amount of cache used by glibc for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.

GCC now supports preserving register arguments

With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.

New GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 13: GCC rebased to version 13.1.1

In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

GCC Toolset 13: GDB rebased to version 12.1

GCC Toolset 13 provides GDB version 12.1.

GCC Toolset 13: bintuils rebased to version 2.40

GCC Toolset 13 provides the binutils package version 2.40. Notable enhancements include:

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

Valgrind rebased to version 3.21.0

Valgrind has been updated to version 3.21.0. Notable enhancements include:

systemtap rebased to version 4.9

The systemtap package has been upgraded to version 4.9. Notable changes include:

elfutils rebased to version 0.189

The elfutils package has been updated to version 0.189. Notable improvements and bug fixes include:

libpfm rebased to version 4.13

The libpfm package has been updated to version 4.13. With this update, libpfm can now access performance monitoring hardware native events for the following processor microarchitectures:

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

papi now supports fast performance event count read operations for 64-bit ARM

Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average number of clock cycles for papi to read 2 counters from 724 cycles to 29 cycles.

LLVM Toolset rebased to version 16.0.6

LLVM Toolset has been updated to version 16.0.6.

Rust Toolset rebased to version 1.71.1

Rust Toolset has been updated to version 1.71.1. Notable changes include:

The Rust profiler_builtins runtime component is now available

With this enhancement, the Rust profile_builtins runtime component is now available. This runtime component enables the following compiler options:

Go Toolset rebased to version 1.20.10

Go Toolset has been updated to version 1.20.10.

grafana rebased to version 9.2.10

The grafana package has been updated to version 9.2.10. Notable changes include:

grafana-pcp rebased to version 5.1.1

The grafana-pcp package, which provides the Performance Co-Pilot Grafana Plugin, has been updated to version 5.1.1. Notable changes include:

.NET 8.0 is available

Red Hat Enterprise Linux 8.9 is distributed with .NET version 8.0. Notable improvements include:

samba rebased to version 4.18.4

The samba packages have been upgraded to upstream version 4.18.4, which provides bug fixes and enhancements over the previous version. The most notable changes:

ipa rebased to version 4.9.12

The ipa package has been upgraded to version 4.9.12. For more information, see the upstream FreeIPA release notes.

Multiple IdM groups and services can now be managed in a single Ansible task

With this enhancement in ansible-freeipa, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups and services options of the ipagroup and ipaservice modules.

ansible-freeipa ipaserver role now supports Random Serial Numbers

With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in the ipaserver role

If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:

The ipaclient role now allows configuring user subID ranges on the IdM level

With this update, the ipaclient role provides the ipaclient_subid option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the default behavior and installs the client without subID ranges configured for IdM users.

You can now manage IdM certificates using the ipacert Ansible module

You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, as well as restore certificates that have been put on hold.

MIT Kerberos now supports the Extended KDC MS-PAC signature

With this update, MIT Kerberos, which is used by Red Hat, implements support for one of the two types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to recent CVEs. Specifically, MIT Kerberos in RHEL 8 supports the Extended KDC signature that was released in KB5020805 and that addresses CVE-2022-37967.

RHEL 8.9 provides 389-ds-base 1.4.3.37

RHEL 8.9 is distributed with the 389-ds-base package version 1.4.3.37.

New passwordAdminSkipInfoUpdate: on/off configuration option is now available

You can add a new passwordAdminSkipInfoUpdate: on/off setting under the cn=config entry to provide a fine grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and passwordExpWarned.

Intel Arc A-Series graphics is now fully supported

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.

Podman health check action is now available

You can select one of the following Podman health check actions when creating a new container:

Accounts page updates for the web console

This update introduces the following updates to the Accounts page:

The postgresql RHEL system role is now available

The new postgresql RHEL system role installs, configures, manages, and starts the PostgreSQL server. The role also optimizes the database server settings to improve performance.

keylime_server RHEL system role

With the new keylime_server RHEL system role, you can use Ansible playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

storage system role supports configuring the stripe size for RAID LVM volumes

With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.

podman RHEL system role now supports Quadlets, healthchecks, and secrets

Starting with Podman 4.6, you can use the podman_quadlet_specs variable in the podman RHEL system role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.

RHEL system roles now have new volume options for mount point customization

With this update, you can now specify mount_user, mount_group, and mount_permissions parameters for your mount directory.

kdump RHEL system role updates

The kdump RHEL system role has been updated to a newer version, which brings the following notable enhancements:

The ad_integration RHEL system role can now rejoin an AD domain

With this update, you can now use the ad_integration RHEL system role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.

The rhc system role now supports setting a proxy server type

The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by using the rhc system role. You can set two values: http, the default and https.

New option in the ssh role to disable configuration backups

You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup option to false. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup option is true, which preserves the original behavior.

The certificate RHEL system role now allows changing certificate file mode when using certmonger

Previously, certificates created by the certificate RHEL system role with the certmonger provider used a default file mode. However, in some use-cases you might require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode parameter.

New RHEL system role for managing systemd units

The rhel-system-role package now contains the systemd RHEL system role. You can use this role to deploy unit files and manage systemd units on multiple systems. You can automate systemd functionality by providing systemd unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.

The network RHEL system role supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.

The network RHEL system role supports the auto-dns option to control automatic DNS record updates

This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name servers and search domains such as dns record from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns settings.

firewall RHEL system role supports variables related to ipsets

With this update of the firewall RHEL system role, you can define, modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules.

Improved performance of the selinux system role with restorecon -T 0

The selinux system role now uses the -T 0 option with the restorecon command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.

The firewall RHEL system role has an option to disable conflicting services, and it no longer fails if firewalld is masked

Previously, the firewall system role failed when the firewalld service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:

The podman RHEL system role now uses getsubids to get subuids and subgids

The podman RHEL system role now uses the getsubids command to get the subuid and subgid ranges for a user and group, respectively. The podman RHEL system role also uses this command to verify users and groups to work with identity management.

The podman_kube_specs variable now supports pull_image and continue_if_pull_fails fields

The podman_kube_specs variable now supports new fields:

Resetting the firewall RHEL system role configuration now requires minimal downtime

Previously, when you reset the firewall role configuration by using the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld does not block traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced variable to reset the firewall role configuration now requires minimal downtime.

cloud-init supports NetworkManager keyfiles

With this update, the cloud-init utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.

cloud-init now uses VMware datasources by default on ESXi

When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.

sos rebased to version 4.6

The sos utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:

Podman supports pulling and pushing images compressed with zstd

You can pull and push images compressed with the zstd format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.

Quadlet in Podman is now available

Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might be easier to use than the podman generate systemd command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd. Note that Quadlets work only with rootful containers.

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Podman now supports a Podmansh login shell

Beginning with Podman v4.6, you can use the Podmansh login shell to manage user access and control. To switch to CGroups v2, add systemd.unified_cgroup_hierarchy=1 to the kernel command line. Configure the settings for a user to use the /usr/bin/podmansh command as a login shell instead of a standard shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh command runs the user’s session in a Podman container named podmansh. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the ContainerName field in the [Container] section to podmansh. Systemd automatically starts podmansh when the user session starts and continues running until all user sessions exit.

Clients for sigstore signatures with Fulcio and Rekor are now available

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

The --noverifyssl option for liveimg no longer checks the server’s certificate for images downloaded using HTTPS

Previously, the installer ignored the --noverifyssl option from the liveimg kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg kickstart command works as expected.

Booting from an NFS filesystem now works with SELinux set to enforcing mode

Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.

The automatic screen lock now works correctly even when a USB smart-card reader is removed

Before RHEL 8.9, the opensc packages incorrectly handled removing USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, after reconnecting the USB reader, the screen also did not lock after removing the smart card. In this release, the code for handling removals of USB smart-card readers has been fixed. As a result, the screen is correctly locked even when a smart card or a USB smart-card reader is removed.

The SCAP enable_fips_mode rule now checks only fips=1 on 64-bit IBM Z architecture

Previously, the SCAP Security Guide rule enable_fips_mode did check the contents of the /boot/grub2/grubenv file. Consequently, the 64-bit IBM Z architecture did not use /boot/grub2/grubenv file for FIPS mode. With this update, the OVAL rule enable_fips_mode now test if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf file on 64-bit IBM Z architecture.

SCAP journald rules no longer remediate to invalid configuration

Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage contained a bug in the remediation script which added extra quotes to the respective options within the /etc/systemd/journald.conf configuration file. Consequently, the journald service failed to parse the configuration options and ignored them. Therefore, the configuration options were not effective and OpenSCAP reported false pass results. With this update, the rules and remediations scripts have been fixed to not add the extra quotes. The rule now create a valid configuration for journald.

Images can now be configured with security profiles

SCAP Security Guide rules that configure mount point options have been reworked, and you can now use them also for hardening images when building an operating system image in image builder. As a result, you can now build images with partition configuration aligned with a specific security profile.

Removed strict requirements from SSG rules related to AIDE configuration

Previously, the SCAP Security Guide (SSG) rule aide_build_database required the existence of both /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz files to pass. Because the AIDE utility does not require the /var/lib/aide/aide.db.new.gz file, this update removed the corresponding requirement from the aide_build_database rule. As a result, the rule requires only the /var/lib/aide/aide.db.gz file to pass.

SCAP rules related to pam_faillock have correct descriptions

Previously, the SCAP Security Guide rules related to the pam_faillock contained descriptions that were misaligned with some profile values. Consequently, the descriptions were not correct. With this update, the rules descriptions are now using XCCDF variables.

The file_permissions_efi_user_cfg SCAP rule no longer fails when /boot/efi is mounted

Previously, the default permissions of UEFI files were not accepted. Therefore, it was not possible to change the permissions with the chmod command when the /boot/efi partition used a virtual file allocation table (VFAT) file system. Consequently, the file_permissions_efi_user_cfg rule failed. This update changes the default permissions from 0600 to 0700. Because the 0700 permission is also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles.

SSG remediations are now aligned with configure_openssl_cryptopolicy

Previously, the SCAP Security Guide (SSG) remediation added the = character to the opensslcnf.config file. This syntax dit not match the description of the configure_openssl_cryptopolicy rule. Consequently, compliance checks might fail after remediations that inserted .include = instead of .include to opensslcnf.config. With this release, the remediation scripts are aligned with the rule description, and SSG remediations that use configure_openssl_cryptopolicy no longer fail due to additional =.

The postfix_prevent_unrestricted_relay rule now accepts white spaces around the = sign

Previously, the OVAL check of the SCAP rule xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay was too strict and it did not account for postconf configuration assignment statements which contained white spaces around the = sign. As a consequence, the final report reported this rule as failing even for configurations that technically met the rule’s requirements. With this update, the rule was modified so that the check accepts statements with white spaces around the = sign. As a result, the final report rule now marks this rule as passing for correct configuration statements.

SCAP rules now correctly evaluate whether the /var/log and /var/log/audit partitions exist

Previously, some SCAP rules relevant to the /var/log and /var/log/audit partitions were evaluated and remediated even when the appropriate disk partition did not exist. This affected the following rules:

The SCAP rule accounts_passwords_pam_faillock_interval now covers new STIG IDs

Previously, the SCAP Security Guide rule accounts_passwords_pam_faillock_interval did not cover RHEL-08-020012 and RHEL-08-020013. Consequently, the rule accounts_passwords_pam_faillock_interval checked for faillock configuration in all of these three files: /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/security/faillock.conf. With this update, the rule now covers STIG IDs RHEL-08-020012 and RHEL-08-020013.

Red Hat CVE feeds have been updated

The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/.

The wget utility no longer fails TLS handshake when accessing restricted resources

Previously, when ticket-based session resumption was enabled in TLS, the wget utility expected a TLS session to be resumed even when the server requested the client to re-authenticate to access restricted resources. This behavior caused wget to fail the second TLS handshake. With this update, wget properly initiates a new handshake and the access to restricted resources no longer fails.

Settings from pam_cap are correctly applied on SELinux-enabled systems

Previously, the SELinux policy did not contain rules for using the pam_cap module. As a consequence, granting login capabilities controlled by pam_cap to users in the /etc/security/capability.conf configuration file did not work when the users logged in by using ssh or the console. This update adds a new rule to the policy. As a result, granting capabilities in /etc/security/capability.conf now works, and user capabilities configured with pam_cap are taken into account when logging in.

The systemd-fsck-root service is now correctly labeled on SELinux-enabled systems

Previously, the /run/fsck directory was created by the systemd-fsck-root service or the fsck command but the SELinux policy did not contain rules for proper labeling of the directory. As a consequence, the systemd-fsck-root service did not work correctly. With this update, the correct label and file transition for /run/fsck were added to the policy. As a result, the systemd-fsck-root service works without reporting errors.

SELinux policy now allows bidirectional communication on D-Bus

Previously, the SELinux policy contained rules to allow only one-way communication between two domains on the D-Bus message bus system. However, such communication must be allowed in both directions. This occurred also when the Pacemaker high-availability cluster resource manager executed the hostnamectl or timedatectl commands. As a consequence, these commands executed by Pacemaker timed out without receiving a response on D-Bus because SELinux blocked it. This update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands that require bidirectional communication on D-Bus executed by Pacemaker finish successfully.

tangd-keygen now handles non-default umask correctly

Previously, the tangd-keygen script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, tangd-keygen sets file permissions for generated key files, and therefore the script now works correctly on systems with non-default umask.

Clevis now handles SHA-256 thumbprints

Before this update, the Clevis client did not recognize SHA-256 thumbprints specified through the thp configuration option. Consequently, clients did not bind to Tang servers that used SHA-256 thumbprints, and every corresponding clevis encrypt tang command reported an error. With this update, Clevis recognizes thumbprints using SHA-256 and handles them correctly. As a result, Clevis clients can bind not only to Tang servers using SHA-1 but also SHA-256 thumbprints.

Rsyslog can start even without capabilities

When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.

fapolicyd service no longer runs programs that are removed from the trusted database

Previously, the fapolicyd service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs database, and removed programs can no longer be executed.

fapolicyd service now creates RPM database files with correct ownership

Previously, the fapolicyd service created and owned RPM database files in the /var/lib/rpm/ directory. As a result, other programs were unable to access the files, which resulted in availability control errors. With this update, fapolicyd creates the files with correct ownership, and the errors no longer occur.

The yum needs-restarting -s command now correctly displays the list of systemd services

Previously, when you used the needs-restarting command with the -s or --services option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the yum needs-restarting -s command ignores such processes and displays a warning instead with the list of affected systemd services.

The dnf-automatic command now correctly reports the exit status of transactions

Previously, the dnf-automatic command returned a successful exit code of a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, the issue has been fixed, and dnf-automatic now reports every problem with packages during the transaction.

YUM now handles proxy=_none_ correctly

You can use the YUM proxy=_none_ configuration option to prohibit changing proxy settings. Previously, if you set proxy=_none_ in the main configuration file, YUM detected an error. This update fixes the bug, and YUM now handles proxy=_none_ correctly.

The needs-restarting plug-in now correctly requires the system restart when a file owned by dbus is updated by zlib

Previously, when you ran the YUM needs-restarting plug-in, it did not prompt to restart the system when a file owned by the dbus package was updated by the dependent zlib package. With this update, the issue has been fixed, and the needs-restarting plug-in now displays a message that you must restart dbus when zlib is updated.

The which command no longer fails for a long path

Previously, when you executed the which command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the which command now uses the PATH_MAX value for the path length limit. As a result, the command no longer fails.

ReaR now supports UEFI Secure Boot with OUTPUT=USB

Previously, the OUTPUT=USB ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the bootloader was not signed.

ipmievd now recognizes SEL response correctly when a SEL request times out

The ipmievd service sends System Event Log (SEL) requests through the /dev/ipmi0 device. Previously, due to a missing ID check of the returned IPMI message, a timed-out request led to incorrect processing of the next request. For example, if the Baseboard Management Controller (BMC) was reset, the SEL request from the ipmievd service timed out due to no SEL response. Consequently, ipmievd did not work correctly due to a non-corresponding SEL response. As a result, you did not get the correct hardware state, and a large amount of wrong hardware information was output to /var/log/messages. With this fix, ipmitool and ipmievd now check the ID of the returned IPMI message against the ID of the request and skip non-corresponding SEL requests. ipmevd no longer logs incorrect hardware information.

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update

Previously, hardware configurations with Small Formfactor Pluggable (SFP) transceiver modules without External Thermal Sensor (ETS) caused the igb driver to erroneously initialize the Inter-Integrated Circuit (I2C) to read ETS. As a consequence, connections did not obtain links. With this bug fix, the igb driver only initializes I2C when SFP with ETS is available. As a result, connections obtain links.

grubby now passes arguments to a new kernel correctly

When you add a new kernel using the grubby tool and do not specify any arguments, or leave the arguments blank, grubby will not pass any arguments to the new kernel and root will not be set. Using the --args and --copy-default options ensures new arguments are appended to the default arguments.

multipathd adds the persistent reservation registration key to all paths

Previously, when the multipathd daemon started and it recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths appeared to a multipath device with persistent reservations while multipathd was stopped, persistent reservations were not set up on those. This allowed IO processing on the paths, even if they were supposed to be forbidden by the reservation key.

LUNs are now visible during the OS installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

Pacemaker Designated Controller elections no longer finalized until all pending actions are complete

When a cluster elects a new Designated Controller (DC), all nodes send their current history to the new DC, which saves it to the CIB. As a consequence, if actions were already in progress when a new DC is elected, and the actions finish after the nodes send their current history to the new DC, the actions' results could be lost. With this fix, DC elections are not finalized until all pending actions are complete and no action results are lost.

The fence_scsi agent is now able to auto-detect shared lvmlockd devices

Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices attribute is not set.

Resource stickiness now properly compares against colocation scores

Chained resource colocations are resources colocated with the resource that is colocated with the resource being assigned. Previously, if the original colocation had a finite negative score, and the chained colocation was mandatory, the original resource being assigned could be banned from its node even if resource-stickiness was set to INFINITY. With this fix, chained colocations are now taken into account proportionally and stickiness properly compares against colocation scores.

The crm_resource command now allows banning or moving a bundle with only a single active replica

Previously, when the crm_resource command checked where a bundle with a single replica was active, the command counted both the node where the container was active and the guest node that was created for the container itself. As a result, the crm_resource command would not ban or move a bundle with a single active replica. With this fix, the crm_resource command now only counts nodes where a bundle’s containers are active when determining the number of active replicas.

The mysql resource agent now works correctly with promotable clone resources

Previously, the mysql resource agent moved cloned resources that were operating in a Master role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a promoted node stays promoted.

Unpromoted clone instances no longer restart unnecessarily

Previously, promotable clone instances were assigned in numerical order, with promoted instances first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are considered when assigning instance numbers to nodes and as a result no unnecessary restarts occur.

A fence watchdog configured as a second fencing device now fences a node when the first device times out

Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout would not be considered when calculating the timeout for the fencing operation. As a result, if the first device timed out the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout and the fencing operation succeeds if the first device times out.

Location constraints with rules no longer displayed when listing is grouped by nodes

Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.

pcs command to update multipath SCSI devices now works correctly

Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.

Memory footprint of pcsd-ruby daemon now reduced when pscd Web UI is open

Previously, when the pcsd Web UI was open, memory usage of the pcsd-ruby daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.

The azure-events-az resource agent no longer produces an error with Pacemaker 2.1 and later

The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate command no longer contains the text Transition Summary:, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.

systemtap scripts using guru mode now compile more quickly

The systemtap guru mode liveness analysis uses the dyninst library to parse binaries. Newer kernels enable mitigation code with CONFIG_RETPOLINE=y, replacing traditional RET instructions, with jumps to a thunk. As a consequence, binary analysis took a much longer time due to the liveness analysis needing to examine all additional edges of the control flow graph introduced by the jumps to the thunk.

eu-addr2line -C now correctly recognizes other arguments

Previously, when you used the -C argument in eu-addr2line command from elfutils, the following single character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C while eu-addr2line -iC worked as expected. This bug has been fixed, and eu-addr2line -Ci now recognizes both arguments.

eu-addr2line -i now correctly handles code compiled with GCC link-time optimization

Previously, the dwarf_getscopes function from the libdw library included in elfutils was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i argument in the eu-addr2line command, eu-addr2line was unable to show inline functions for code compiled with gcc -flto. With this update, the libdw dwarf_getscopes function looks in the correct compile unit for the inlined scope, and eu-addr2line -i works as expected.

SSSD now uses sAMAccountName when evaluating GPO-based access control

Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName when evaluating GPO-based access control. Even if ldap_user_name is set to a value different from sAMAccountName on an AD client, GPO-based access control now works correctly.

SSSD now handles duplicate attributes in the user_attributes option when retrieving users

Previously, if sssd.conf contained duplicate attributes in the user_attributes option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.

Changing a security parameter now works correctly

Previously, when you changed a security parameter by using the dsconf instance_name security set command, the operation failed with the error:

Directory Server now calculates the dtablesize based on the maximum number of opened descriptors

Previously, an administrator could set the connection table size manually by using the nsslapd-conntablesize configuration parameter. Consequently, when the connection table size was set too low, it affected the number of connections the server was able to support. With this update, Directory Server now calculates the size of the connection table dynamically effectively resolving the issue with too small connection table size. In addition, you no longer need to manually change the connection table size.

The dsctl healthcheck command now uses the password storage scheme PBKDF2-SHA512 by default

Previously, the dsctl healthcheck command used SSHA512 password storage scheme by default. Consequently, the command reported a warning because it did not detect the new password storage scheme PBKDF2-SHA512. With this update, the dsctl healthcheck command now uses PBKDF2-SHA512 password storage scheme by default and no warnings occur.

Paged searches from a regular user now do not impact performance

Previously, when Directory Server was under the search load, paged searches from a regular user could impact the server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while sending the page search, the whole server was unresponsive until the nsslapd-iotimeout parameter expired. With this update, the lock was split into several parts to avoid the contention with the network events. As a result, no performance impact during paged searches from a regular user.

You can now enable and disable ciphers in Directory Server as expected

Previously, when you tried to enable or disable specific ciphers in addition to default ciphers by using the web console, the server enabled or disabled only the specific ciphers and logged an error similar to the following:

Deleting the IdM admin user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin user. As a result, the IdM-AD trust works correctly.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

The installer no longer freezes on servers with ASPEED 2600

Previously, the graphical RHEL 8.8 installer became unresponsive with a black screen when you started the installer on a server with the ASPEED 2600 On System Management Chipset. Consequently, you could not install RHEL 8.8 on the server.

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 8.8, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

The storage role can now resize the mounted file systems without unmounting

Previously, the storage role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems prior to resizing, which failed for file systems that were in use, for example, while resizing the / directory of the running system.

The certificate RHEL system role now checks for the certificate key size when determining whether to perform a new certificate request

Previously, the certificate RHEL system role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, certificate now checks the key_size parameter to determine if a new certificate request should be performed.

Insights tags created by using the rhc role are now applied correctly

Previously, when you created Insights tags by using the rhc role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.

The firewall RHEL system role on RHEL 7 no longer attempts to install non-existent Python packages

Previously, when the firewall role on RHEL 7 was called from another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the following error message:

Failure to remove data from member disks before creation no longer persists

Previously, when creating RAID volumes, the system did not effectively eliminate existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any per-existing data from member disks as needed.

The podman_registries_conf variable now configures unqualified-search-registries field correctly

Previously, after configuring the podman_registries_conf variable, the podman RHEL system role failed. Consequently, unqualified-search-registries = ["registry.access.redhat.com"] setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this update, this problem has been fixed.

raid_chunk_size parameter no longer returns an error message

Previously, raid_chunk_size attribute was not allowed for RAID pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without encountering any restrictions.

Running the firewall RHEL system role in check mode with non-existent services no longer fails

Previously, running the firewall role in check mode with non-existent services would fail. This fix implements better compliance with Ansible best practices for check mode. As a result, non-existent services being enabled or disabled no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.

The kdump role adds authorized_keys idempotently

Previously, the task to add authorized_key added an extra newline character every time. Consequently the role was not acting idempotent. With this fix, adding a new authorized_key works correctly and adds only a single key value idempotently.

The kdump system role does not fail if authorized_keys are missing

Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works reliably in the described scenario.

The firewall RHEL system role correctly reports changes when using previous: replaced in check mode

Previously, the firewall role was not checking whether any files would be changed when using the previous: replaced parameter in check mode. As a consequence, the role gave an error about undefined variables. This fix adds new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall role now correctly reports changes when using the previous: replaced parameter.

Enabling kdump for system role requires using the failure_action configuration parameter on RHEL 9 and later versions

Previously, using the default option during kdump configuration was not successful and printed the following warning in logs:

The firewall RHEL system role correctly reports changes when assigning zones to Network Manager interfaces

Previously, the Network Manager interface assignment reported changes when no changes were present. With this fix, the try_set_zone_of_interface module in the file library/firewall_lib.py returns a second value, which denotes whether the interface’s zone was changed. As a result, the module now correctly reports changes when assigning zones to interfaces handled by Network Manager.

The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result the kdump_ssh_user authentication on kdump_ssh_server works reliably.

The previous: replaced parameter of the firewall system role now overrides the previous configuration without deleting it

Previously, if you added the previous: replaced parameter to the variable list, the firewall system role removed all existing user-defined settings and reset firewalld to the default settings. This fix uses the fallback configuration in firewalld, which was introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the file and comments in the file are retained.

The kdump role adds multiple keys to authorized_keys idempotently

Previously, adding multiple SSH keys to the authorized_keys file at the same time replaced the key value of one host by another. This update fixes the problem by using the lineinfile module to manage the authorized_keys file. lineinfile iterates the tasks in sequence, checking for an existing key and writing the new key in one atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts works correctly, and does not replace the key value from another host.

Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

AF_XDP available as a Technology Preview

Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It accompanies XDP and grants efficient redirection of programmatically selected packets to user space applications for further processing.

XDP features that are available as Technology Preview

Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported Technology Preview:

Multi-protocol Label Switching for TC available as a Technology Preview

The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route traffic flow across enterprise networks. In an MPLS network, the router that receives packets decides the further route of the packets based on the labels attached to the packet. With the usage of labels, the MPLS network has the ability to handle packets with particular characteristics. For example, you can add tc filters for managing packets received from specific ports or carrying specific types of traffic, in a consistent way.

act_mpls module available as a Technology Preview

The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set independently.

The systemd-resolved service is now available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

Soft-RoCE available as a Technology Preview

Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL 8.

eBPF available as a Technology Preview

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The kexec fast reboot feature is available as a Technology Preview

The kexec fast reboot feature continues to be available as a Technology Preview. The kexec fast reboot significantly speeds the boot process as you can boot directly into the second kernel without passing through the Basic Input/Output System (BIOS) or firmware first. To use this feature:

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

The accel-config package available as a Technology Preview

The accel-config package is now available on Intel EM64T and AMD64 architectures as a Technology Preview. This package helps in controlling and configuring data-streaming accelerator (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the json format.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

File system DAX is now available for ext4 and XFS as a Technology Preview

In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX provides a means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, a mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

OverlayFS

OverlayFS is a type of union file system. It enables you to overlay one file system on top of another. Changes are recorded in the upper file system, while the lower file system remains unmodified. This allows multiple users to share a file-system image, such as a container or a DVD-ROM, where the base image is on read-only media.

Stratis is now available as a Technology Preview

Stratis is a new local storage manager, which provides managed file systems on top of pools of storage with additional features. It is provided as a Technology Preview.

NVMe/TCP host is available as a Technology Preview

Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) and its corresponding nvme_tcp.ko kernel module has been added as a Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included only for testing purposes and is not currently planned for full support.

Setting up a Samba server on an IdM domain member is provided as a Technology Preview

With this update, you can now set up a Samba server on an Identity Management (IdM) domain member. The new ipa-client-samba utility provided by the same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the sss ID mapping back end. As a result, administrators can now set up Samba on an IdM domain member.

Pacemaker podman bundles available as a Technology Preview

Pacemaker container bundles now run on Podman, with the container bundle feature being available as a Technology Preview. There is one exception to this feature being Technology Preview: Red Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack.

Heuristics in corosync-qdevice available as a Technology Preview

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

New fence-agents-heuristics-ping fence agent

As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of experimental fence agents that do no actual fencing by themselves but instead exploit the behavior of fencing levels in a new way.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

sssd-idp sub-package available as a Technology Preview

The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 8.7 and later.

SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 idp plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and later.

RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview

As a Technology Preview in RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 8.7 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

VNC remote console available as a Technology Preview for the 64-bit ARM architecture

On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available as a Technology Preview. Note that the rest of the graphics stack is currently unverified for the 64-bit ARM architecture.

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines

As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a Hyper-V host.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Technology Preview: Select Intel network adapters now provide SR-IOV in RHEL guests on Hyper-V

As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions are met:

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 8.8 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

Sharing files between hosts and VMs using virtiofs

As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can efficiently share files between your host system and its virtual machines (VM).

RHEL confidential VMs are now available on Azure as a Technology Preview

With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL confidential VM images during boot on Azure.

SQLite database backend for Podman is available as a Technology Preview

Beginning with Podman v4.6, the SQLite database backend for Podman is available as a Technology Preview. To set the database backend to SQLite, add the database_backend = "sqlite" option in the /etc/containers/containers.conf configuration file. Run the podman system reset command to reset storage back to the initial state before you switch to the SQLite database backend. Note that you have to recreate all containers and pods. The SQLite database guarantees good stability and consistency. Other databases in the containers stack will be moved to SQLite as well. The BoltDB remains the default database backend.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Several Kickstart commands and options have been deprecated

Using the following commands and options in RHEL 8 Kickstart files will print a warning in the logs:

The --interactive option of the ignoredisk Kickstart command has been deprecated

Using the --interactive option in future releases of Red Hat Enterprise Linux will result in a fatal installation error. It is recommended that you modify your Kickstart file to remove the option.

The Kickstart autostep command has been deprecated

The autostep command has been deprecated. The related section about this command has been removed from the RHEL 8 documentation.

NSS SEED ciphers are deprecated

The Mozilla Network Security Services (NSS) library will not support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends enabling support for other cipher suites.

TLS 1.0 and TLS 1.1 are deprecated

The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:

DSA is deprecated in RHEL 8

The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SSL2 Client Hello has been deprecated in NSS

The Transport Layer Security (TLS) protocol version 1.2 and earlier allow to start a negotiation with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated and it is disabled by default.

NTLM and Krb4 are deprecated in Cyrus SASL

The NTLM and Kerberos 4 authentication protocols have been deprecated and might be removed in a future major version of RHEL. These protocols are no longer considered secure and have already been removed from upstream implementations.

Runtime disabling SELinux using /etc/selinux/config is now deprecated

Runtime disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file has been deprecated. In RHEL 9, when you disable SELinux only through /etc/selinux/config, the system starts with SELinux enabled but with no policy loaded.

The ipa SELinux module removed from selinux-policy

The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The functionality is now included in the ipa-selinux subpackage.

TPM 1.2 is deprecated

The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major release.

crypto-policies derived properties are now deprecated

With the introduction of scopes for crypto-policies directives in custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as well. See the crypto-policies(7) man page for recommended replacements.

The --token option of the subscription-manager command is deprecated

The --token=<TOKEN> option of the subscription-manager register command is an authentication method that helps register your system to Red Hat. This option depends on capabilities offered by the entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with the following error message:

rpmbuild --sign is deprecated

The rpmbuild --sign command is deprecated since RHEL 8.1. Using this command in future releases of Red Hat Enterprise Linux can result in an error. It is recommended that you use the rpmsign command instead.

The OpenEXR component has been deprecated

The OpenEXR component has been deprecated. Hence, the support for the EXR image format has been dropped from the imagecodecs module.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The hidepid=n mount option is not supported in RHEL 8 systemd

The mount option hidepid=n, which controls who can access information in /proc/[pid] directories, is not compatible with systemd infrastructure provided in RHEL 8.

The /usr/lib/udev/rename_device utility has been deprecated

The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been deprecated.

The ABRT tool has been deprecated

The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been deprecated in RHEL 8. As a replacement, use the systemd-coredump tool to log and store core dumps, which are automatically generated files after a program crashes.

The ReaR crontab has been deprecated

The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The raw command has been deprecated

The raw (/usr/bin/raw) command has been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an error.

The PF_KEYv2 kernel API is deprecated

Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. PV_KEYv2 is not actively maintained upstream and misses important security features, such as modern ciphers, offload, and extended sequence number support. As a result, starting with RHEL 8.9, the PV_KEYv2 API is deprecated. If you use this kernel API in your application, migrate it to use the modern netlink API as an alternative.

Network scripts are deprecated in RHEL 8

Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by default. The basic installation provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to run the ifup and the ifdown scripts, NetworkManager must be running.

The dropwatch tool is deprecated

The dropwatch tool has been deprecated. The tool will not be supported in future releases, thus it is not recommended for new deployments. As a replacement of this package, Red Hat recommends to use the perf command line tool.

The xinetd service has been deprecated

The xinetd service has been deprecated and will be removed in RHEL 9. As a replacement, use systemd. For further details, see How to convert xinetd service to systemd.

The cgdcbxd package is deprecated

Control group data center bridging exchange daemon (cgdcbxd) is a service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major RHEL release.

The WEP Wi-Fi connection method is deprecated

The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.

The unsupported xt_u32 module is now deprecated

Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the xt_u32 module is deprecated and will be removed in RHEL 9.

The term slaves is deprecated in the nmstate API

Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl.

The rdma_rxe Soft-RoCE driver is deprecated

Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is available as an unsupported Technology Preview. However, due to stability issues, this feature has been deprecated and will be removed in RHEL 9.

The Linux firewire sub-system and its associated user-space components are deprecated in RHEL 8

The firewire sub-system provides interfaces to use and maintain any resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as well.

Installing RHEL for Real Time 8 using diskless boot is now deprecated

Diskless booting allows multiple systems to share a root file system through the network. While convenient, diskless boot is prone to introducing network latency in real-time workloads. With a future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be supported.

Kernel live patching now covers all RHEL minor releases

Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch has been decreased from 12 to 6 months for every minor, major, and zStream version of the kernel. It means that on the day a kernel live patch is released, it will cover every minor release and scheduled errata kernel delivered in the past 6 months.

The crash-ptdump-command package is deprecated

The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and might not be available in future RHEL releases. The ptdump command fails to retrieve the log buffer when working in the Single Range Output mode and only works in the Table of Physical Addresses (ToPA) mode. crash-ptdump-command is currently not maintained upstream

The kernelopts environment variable has been deprecated

In RHEL 8, the kernel command-line parameters for systems using the GRUB bootloader were defined in the kernelopts environment variable. The variable was stored in the /boot/grub2/grubenv file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of RHEL, kernelopts will be removed and the kernel command-line parameters will be stored in the Boot Loader Specification (BLS) snippet instead.

The elevator kernel command line parameter is deprecated

The elevator kernel command line parameter was used in earlier RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated.

NFSv3 over UDP has been disabled

The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. This change affects only NFS version 3 because version 4 requires the Transmission Control Protocol (TCP).

peripety is deprecated

The peripety package is deprecated since RHEL 8.3.

VDO write modes other than async are deprecated

VDO supports several write modes in RHEL 8:

VDO manager has been deprecated

The python-based VDO management software has been deprecated and will be removed from RHEL 9. In RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create VDO volumes using the lvcreate command.

cramfs has been deprecated

Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution.

pcs commands that support the clufter tool have been deprecated

The pcs commands that support the clufter tool for analyzing cluster configuration formats have been deprecated. These commands now print a warning that the command has been deprecated and sections related to these commands have been removed from the pcs help display and the pcs(8) man page.

The mod_php module provided with PHP for use with the Apache HTTP Server has been deprecated

The mod_php module provided with PHP for use with the Apache HTTP Server in RHEL 8 is available but not enabled in the default configuration. The module is no longer available in RHEL 9.

The gdb.i686 packages are deprecated

In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions of GDB, gdb.x86_64, are fully capable of debugging 32-bit applications.

libdwarf has been deprecated

The libdwarf library has been deprecated in RHEL 8. The library will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for applications that wish to process ELF/DWARF files.

openssh-ldap has been deprecated

The openssh-ldap subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

DES and 3DES encryption types have been removed

Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8.

The SSSD version of libwbclient has been removed

The SSSD implementation of the libwbclient package was deprecated in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of libwbclient has now been removed.

Standalone use of the ctdb service has been deprecated

Since RHEL 8.4, customers are advised to use the ctdb clustered Samba service only when both of the following conditions apply:

Indirect AD integration with IdM via WinSync has been deprecated

WinSync is no longer actively developed in RHEL 8 due to several functional limitations:

Running Samba as a PDC or BDC is deprecated

The classic domain controller mode that enabled administrators to run Samba as an NT4-like primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and settings to configure these modes will be removed in a future Samba release.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

Limited support for FreeRADIUS

In RHEL 8, the following external authentication modules are deprecated as part of the FreeRADIUS offering:

The libgnome-keyring library has been deprecated

The libgnome-keyring library has been deprecated in favor of the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary security standards.

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

AGP graphics cards are no longer supported

Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The web console no longer supports incomplete translations

The RHEL web console no longer provides translations for languages that have translations available for less than 50 % of the Console’s translatable strings. If the browser requests translation to such a language, the user interface will be in English instead.

The remotectl command is deprecated

The remotectl command has been deprecated and will not be available in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note that cockpit-certificate-ensure does not have feature parity with remotectl. It does not support bundled certificates and keychain files and requires them to be split out.

The geoipupdate package has been deprecated

The geoipupdate package requires a third-party subscription and it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in the next major RHEL version.

The network system role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on an RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

Ansible Engine has been deprecated

Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no support after September 29, 2023. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.

virsh iface-* commands have become deprecated

The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a future major version of RHEL. In addition, these commands frequently fail due to configuration dependencies.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

The Cirrus VGA virtual GPU type has been deprecated

With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA.

SPICE has been deprecated

The SPICE remote display protocol has become deprecated. As a result, SPICE will remain supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming:

KVM on IBM POWER has been deprecated

Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM POWER is still supported in RHEL 8, but will become unsupported in a future major release of RHEL.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Using SPICE to attach smart card readers to virtual machines has been deprecated

The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage of smart cards in VMs has also become deprecated in RHEL 8.

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

The Podman varlink-based API v1.0 has been removed

The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API v1.0 has been completely removed.

container-tools:1.0 has been deprecated

The container-tools:1.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:2.0 or container-tools:3.0.

The container-tools:2.0 module has been deprecated

The container-tools:2.0 module has been deprecated and will no longer receive security updates. It is recommended to use a newer supported stable module stream, such as container-tools:3.0.

Flatpak images except GIMP has been deprecated

The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because there is no replacement yet in RHEL 9.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed from Podman in a future minor release of RHEL. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

container-tools:3.0 has been deprecated

The container-tools:3.0 module has been deprecated and will no longer receive security updates. To continue to build and run Linux Containers on RHEL, use a newer, stable, and supported module stream, such as container-tools:4.0.

The Inkscape and LibreOffice Flatpak images are deprecated

The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as Technology Previews, have been deprecated.