Chapter 4. New features

download PDF

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10.

4.1. Installer and image creation

Ability to use partitioning mode on the blueprint filesystem customization

With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:

  • Default: auto-lvm
  • LVM: the image uses Logical Volume Manager (LVM) even without extra partitions
  • Raw: the image uses raw partitioning even with extra partitions


Filesystem customization policy changes in image builder

The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:

Currently, mountpoint and minimum partition minsize can be set. The following image types do not support filesystem customizations: image-installeredge-installeredge-simplified-installer The following image types do not create partitioned operating systems images. Customizing their filesystem is meaningless: edge-commitedge-containertarcontainer The blueprint now supports the mountpoint customization for tpm and its sub-directories.


4.2. Security

SCAP Security Guide rebased to 0.1.72

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:

  • CIS profiles are updated to align with the latest benchmarks.
  • The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
  • STIG profiles are aligned with the latest DISA STIG policies.

For additional information, see the SCAP Security Guide release notes.


OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your system more vulnerable.


librdkafka rebased to 1.6.1

The librdkafka implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the document provided in the librdkafka package.


This update changes configuration defaults and deprecates some configuration properties. Read the Upgrade considerations section in for more details. The API (C & C++) and ABI © in this version are compatible with older versions of librdkafka, but some changes to the configuration properties may require changes to existing applications.


libkcapi rebased to 1.4.0

The libkcapi library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:

  • Added the sm3sum and sm3hmac tools.
  • Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs.
  • Added SM4 convenience functions.
  • Fixed support for link-time optimization (LTO).
  • Fixed LTO regression testing.
  • Fixed support for AEAD encryption of an arbitrary size with kcapi-enc.


stunnel rebased to 5.71

The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel default FIPS configuration is set to no, stunnel adapts to OpenSSL and FIPS mode is enabled.

Additional new features include:

  • Added support for modern PostgreSQL clients.
  • You can use the protocolHeader service-level option to insert custom connect protocol negotiation headers.
  • You can use the protocolHost option to control the client SMTP protocol negotiation HELO/EHLO value.
  • Added client-side support for Client-side protocol = ldap.
  • You can now configure session resumption by using the service-level sessionResume option.
  • Added support to request client certificates in server mode with CApath (previously, only CAfile was supported).
  • Improved file reading and logging performance.
  • Added support for configurable delay for the retry option.
  • In client mode, OCSP stapling is requested and verified when verifyChain is set.
  • In server mode, OCSP stapling is always available.
  • Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no.


OpenSSH limits artificial delays in authentication

OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.


libkcapi now provides an option for specifying target file names in hash-sum calculations

This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:

$ sha256hmac -c <hmac_file> -T <target_file>


audit rebased to 3.1.2

The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:

  • The auparse library now interprets unnamed and anonymous sockets.
  • You can use the new keyword this-hour in the start and end options of the ausearch and aureport tools.
  • User-friendly keywords for signals have been added to the auditctl program.
  • Handling of corrupt logs in auparse has been improved.
  • The ProtectControlGroups option is now disabled by default in the auditd service.
  • Rule checking for the exclude filter has been fixed.
  • The interpretation of OPENAT2 fields has been enhanced.
  • The audispd af_unix plugin has been moved to a standalone program.
  • The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).


4.3. Shells and command-line tools

openCryptoki rebased to version 3.22.0

The opencryptoki package has been updated to version 3.22.0. Notable changes include:

  • Added support for the AES-XTS key type by using the CPACF protected keys.
  • Added support for managing certificate objects.
  • Added support for public sessions with the no-login option.
  • Added support for logging in as the Security Officer (SO).
  • Added support for importing and exporting the Edwards and Montgomery keys.
  • Added support for importing the RSA-PSS keys and certificates.
  • For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
  • Various bug fixes have been implemented.


4.4. Infrastructure services

chrony rebased to version 4.5

The chrony suite has been updated to version 4.5. Notable changes include:

  • Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by hostname. The default interval is two weeks and it can be disabled by adding refresh 0 to the chrony.conf file.
  • Improved automatic replacement of unreachable NTP sources.
  • Improved logging of important changes made by the chronyc utility.
  • Improved logging of source selection failures and falsetickers.
  • Added the hwtstimeout directive to configure timeout for late hardware transmit timestamps.
  • Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
  • Fixed the presend option in interleaved mode.
  • Fixed reloading of modified sources specified by IP address from the sourcedir directories.


linuxptp rebased to version 4.2

The linuxptp protocol has been updated to version 4.2. Notable changes include:

  • Added support for multiple domains in the phc2sys utility.
  • Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
  • Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.


4.5. Networking

The ss utility adds visibility improvement to TCP bound-inactive sockets

The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:

  • ss --all: to dump all sockets including TCP bound-inactive ones
  • ss --bound-inactive: to dump only bound-inactive sockets


nispor rebased to version 1.2.10

The nispor packages have been upgraded to upstream version 1.2.10, which provides a number of enhancements and bug fixes over the previous version:

  • Added support for NetStateFilter to use the kernel filter on network routes and interfaces.
  • Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
  • Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target.


4.6. Kernel

Kernel version in RHEL 8.10

Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.

rtla rebased to version 6.6 of the upstream kernel source code

The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:

  • Added the -C option to specify additional control groups for rtla threads to run in, apart from the main rtla thread.
  • Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads on different CPUs.
  • Added support to the timerlat tracer so that you can run timerlat hist and timerlat top threads in user space.


rteval was upgraded to the upstream version 3.7

With this update, the rteval utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.


SGX is now fully supported

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.

The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

  • Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
  • Dynamic addition of regular enclave pages to an initialized enclave.
  • Expanding an initialized enclave to accommodate more threads.
  • Removing regular and TCS pages from an initialized enclave.

In this release, SGX moves from Technology Preview to a fully supported feature.


The Intel data streaming accelerator driver is now fully supported

The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

In this release, IDXD moves from a Technology Preview to a fully supported feature.


rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list

With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This options covers the most common usecase of a real-time application running on isolated CPUs. Other usecases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.


4.7. Boot loader

DEP/NX support in the pre-boot stage

The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.

This release adds DEP/NX support in the GRUB and shim boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might execute certain attacks without the DEP/NX protection.


Support for TD RTMR measurement in GRUB and shim

Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).

TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, such as grub2 and shim, must log the event and measurement hash to runtime measurement registers (RTMR).

TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the TD guest rely on TD measurement to provide trust evidence to get confidential information, such as the key from the relaying part through the attestation service.

With this release, the GRUB and shim boot loaders now support the TD measurement protocol.

For more information about Intel® TDX, see Documentation for Intel® Trust Domain Extensions.


4.8. File systems and storage

The Storage RHEL System Roles now support shared LVM device management

The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.


multipathd now supports detecting FPIN-Li events for NVMe devices

Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.

With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.


4.9. Dynamic programming languages, web and database servers

Python 3.12 available in RHEL 8

RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, as well as the ubi8/python-312 container image.

Notable enhancements compared to the previously released Python 3.11 include:

  • Python introduces a new type statement and new type parameter syntax for generic classes and functions.
  • Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
  • Python now provides a unique per-interpreter global interpreter lock (GIL).
  • You can now use the buffer protocol from Python code.
  • To improve security, the builtin hashlib implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The builtin implementations remain available as fallback if OpenSSL does not provide them.
  • Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases the speed of a comprehension execution.
  • CPython now supports the Linux perf profiler.
  • CPython now provides stack overflow protection on supported platforms.

To install packages from the python3.12 stack, use, for example:

# yum install python3.12
# yum install python3.12-pip

To run the interpreter, use, for example:

$ python3.12
$ python3.12 -m pip --help

See Installing and using Python for more information.

For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.


A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:


However, individual calls to the affected functions can still enable stricter behavior.

You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:


For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.


A new module stream: ruby:3.3

RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 8.7.

Notable enhancements include:

  • You can use the new Prism parser instead of Ripper. Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language.
  • YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
  • The Regexp matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities.
  • The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
  • A new M:N thread scheduler is now available.

Other notable changes:

  • You must now use the Lrama LALR parser generator instead of Bison.
  • Several deprecated methods and constants have been removed.
  • The Racc gem has been promoted from a default gem to a bundled gem.

To install the ruby:3.3 module stream, use:

# yum module install ruby:3.3

If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.

For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.


A new module stream: php:8.2

RHEL 8.10 adds PHP 8.2, which provides a number of bug fixes and enhancements over version 8.0.

With PHP 8.2, you can:

  • Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature.
  • Declare a property with the readonly modifier to prevent modification of the property after initialization.
  • Use fibers, full-stack, and interruptible functions.
  • Use readonly classes.
  • Declare several new standalone types.
  • Use a new Random extension.
  • Define constraints in traits.

To install the php:8.2 module stream, use the following command:

# yum module install php:8.2

If you want to upgrade from an earlier php stream, see Switching to a later stream.

For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.

For information about the length of support for the php module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.


The name() method of the perl-DateTime-TimeZone module now returns the time zone name

The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.

For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.


A new module stream: nginx:1.24

The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.

New features and changes related to Transport Layer Security (TLS):

  • Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the ssl_session_cache directive.
  • Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
  • You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter of the resolver directive.
  • nginx now supports the $proxy_protocol_tlv_* variables, which store the values ​​of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol.
  • The ngx_http_gzip_static_module module now supports byte ranges.

Other changes:

  • Header lines are now represented as linked lists in the internal API.
  • nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and $upstream_trailer_... variables.
  • nginx now displays a warning if protocol parameters of a listening socket are redefined.
  • nginx now closes connections with lingering if pipelining was used by the client.
  • The logging level of various SSL errors has been lowered, for example, from Critical to Informational.

To install the nginx:1.24 stream, use:

# yum module install nginx:1.24

To upgrade from an earlier nginx stream, switch to a later stream.

For more information, see Setting up and configuring NGINX.

For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle article.


A new module stream: mariadb:10.11

MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:

  • A new sys_schema feature.
  • Atomic Data Definition Language (DDL) statements.
  • A new GRANT ... TO PUBLIC privilege.
  • Separate SUPER and READ ONLY ADMIN privileges.
  • A new UUID database data type.
  • Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
  • Support for the natural sort order through the natural_sort_key() function.
  • A new SFORMAT function for arbitrary text formatting.
  • Changes to the UTF-8 charset and the UCA-14 collation.
  • systemd socket activation files available in the /usr/share/ directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream.
  • Error messages containing the MariaDB string instead of MySQL.
  • Error messages available in the Chinese language.
  • Changes to the default logrotate file.
  • For MariaDB and MySQL clients, the connection property specified on the command line (for example, --port=3306), now forces the protocol type of communication between the client and the server, such as tcp, socket, pipe, or memory.

For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.

For more information about MariaDB, see Using MariaDB.

To install the mariadb:10.11 stream, use:

# yum module install mariadb:10.11

If you want to upgrade from the mariadb:10.5 module stream, see Upgrading from MariaDB 10.5 to MariaDB 10.11.

For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.


A new module stream: postgresql:16

RHEL 8.10 introduces PostgreSQL 16, which provides a number of new features and enhancements over version 15.

Notable enhancements include:

  • Enhanced bulk loading improves performance.
  • The libpq library now supports connection-level load balancing. You can use the new load_balance_hosts option for more efficient load balancing.
  • You can now create custom configuration files and include them in the pg_hba.conf and pg_ident.conf files.
  • PostgreSQL now supports regular expression matching on database and role entries in the pg_hba.conf file.

Other changes include:

  • PostgreSQL is no longer distributed with the postmaster binary. Users who start the postgresql server by using the provided systemd unit file (the systemctl start postgres command) are not affected by this change. If you previously started the postgresql server directly through the postmaster binary, you must now use the postgres binary instead.
  • PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.

See also Using PostgreSQL.

To install the postgresql:16 stream, use the following command:

# yum module install postgresql:16

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.

For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.


Git rebased to version 2.43.0

The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.

Notable enhancements include:

  • You can now use the new --source option with the git check-attr command to read the .gitattributes file from the provided tree-ish object instead of the current working directory.
  • Git can now pass information from the WWW-Authenticate response-type header to credential helpers.
  • In case of an empty commit, the git format-patch command now writes an output file containing a header of the commit instead of creating an empty file.
  • You can now use the git blame --contents=<file> <revision> -- <path> command to find the origins of lines starting at <file> contents through the history that leads to <revision>.
  • The git log --format command now accepts the %(decorate) placeholder for further customization to extend the capabilities provided by the --decorate option.


Git LFS rebased to version 3.4.1

The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.

Notable changes include:

  • The git lfs push command can now read references and object IDs from standard input.
  • Git LFS now handles alternative remotes without relying on Git.
  • Git LFS now supports the WWW-Authenticate response-type header as a credential helper.


4.10. Compilers and development tools

elfutils rebased to version 0.190

The elfutils package has been updated to version 0.190. Notable improvements include:

  • The libelf library now supports relative relocation (RELR).
  • The libdw library now recognizes .debug_[ct]u_index sections.
  • The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option to show symbols through the dynamic segment without using ELF sections.
  • The eu-readelf utility can now show .gdb_index version 9.
  • A new eu-scrlines utility compiles a list of source files associated with a specified DWARF or ELF file.
  • A debuginfod server schema has changed for a 60% compression in file name representation (this requires reindexing).


valgrind updated to 3.22

The valgrind package has been updated to version 3.22. Notable improvements include:

  • valgrind memcheck now checks that the values given to the C functions memalign, posix_memalign, and aligned_alloc, and the C++17 aligned new operator are valid alignment values.
  • valgrind memcheck now supports mismatch detection for C++14 sized and C++17 aligned new and delete operators.
  • Added support for lazy reading of DWARF debugging information, resulting in faster startup when debuginfo packages are installed.


Clang resource directory moved

The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.


A new grafana-selinux package

Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.


Updated GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced in RHEL 8.10 include:

  • The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
  • binutils now support AMD CPUs based on the znver5 core through the -march=znver5 compiler switch.
  • annobin has been updated to version 12.32.
  • The annobin plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.

The following tools and versions are provided by GCC Toolset 13: GCC:: 13.2.1 GDB:: 12.1 binutils:: 2.40 dwz:: 0.14 annobin:: 12.32

To install GCC Toolset 13, run the following command as root:

# yum install gcc-toolset-13

To run a tool from GCC Toolset 13:

$ scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:

$ scl enable gcc-toolset-13 bash

For more information, see GCC Toolset 13.


LLVM Toolset rebased to version 17.0.6

LLVM Toolset has been updated to version 17.0.6.

Notable enhancements include:

  • The opaque pointers migration is now completed.
  • Removed support for the legacy pass manager in middle-end optimization.

Clang changes:

  • C++20 coroutines are no longer considered experimental.
  • Improved code generation for the std::move function and similar in unoptimized builds.

For more information, see the LLVM and Clang upstream release notes.


Rust Toolset rebased to version 1.75.0

Rust Toolset has been updated to version 1.75.0.

Notable enhancements include:

  • Constant evaluation time is now unlimited
  • Cleaner panic messages
  • Cargo registry authentication
  • async fn and opaque return types in traits


Go Toolset rebased to version 1.21.0

Go Toolset has been updated to version 1.21.0.

Notable enhancements include:

  • min, max, and clear built-ins have been added.
  • Official support for profile guided optimization has been added.
  • Package initialization order is now more precisely defined.
  • Type inferencing is improved.
  • Backwards compatibility support is improved.

For more information, see the Go upstream release notes.


papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

  • AMD Zen 4
  • 4th Generation Intel® Xeon® Scalable Processors

Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337

Ant rebased to version 1.10.9

The ant:1.10 module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.


The updated ant:1.10 module stream provides only the ant and ant-lib packages. Remaining packages related to Ant are distributed in the javapackages-tools module in the unsupported CodeReady Linux Builder (CRB) repository and have not been updated.

Packages from the updated ant:1.10 module stream cannot be used in parallel with packages from the javapackages-tools module. If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10 module and disable it, enable the CRB repository, and install the javapackages-tools module.


New package: maven-openjdk21

The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.


cmake rebased to version 3.26

The cmake package has been updated to version 3.26. Notable improvements include:

  • Added support for the C17 and C18 language standards.
  • cmake can now query the /etc/os-release file for operating system identification information.
  • Added support for the CUDA 20 and nvtx3 libraries.
  • Added support for the Python stable application binary interface.
  • Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.


4.11. Identity Management

Identity Management users can now use external identity providers to authenticate to IdM

With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.

If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.


ipa rebased to version 4.9.13

The ipa package has been updated from version 4.9.12 to 4.9.13. Notable changes include:

  • The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
  • The performance of the cert-find command has been improved dramatically for situations with a large number of certificates.
  • The ansible-freeipa package has been rebased from version 1.11 to 1.12.1.

For more information, see the upstream release notes.


Deleting expired KCM Kerberos tickets

Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.


Support for bcrypt password hashing algorithm for local users

With this update, you can enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm:

  1. Edit the /etc/authselect/system-auth and /etc/authselect/password-auth files by changing the sha512 setting to blowfish.
  2. Apply the changes:

    # authselect apply-changes
  3. Change the password for a user by using the passwd command.
  4. In the /etc/shadow file, verify that the hashing algorithm is set to $2b$, indicating that the bcrypt password hashing algorithm is now used.


The idp Ansible module allows associating IdM users with external IdPs

With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user. 

After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.


IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules

With this update, the ansible-freeipa package now contains the following modules:

Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
Allows you to organize user and group ID overrides and apply them to specific IdM hosts.

In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.


The delegation of DNS zone management enabled in ansible-freeipa

You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to set a per-zone access delegation permission.


The ansible-freeipa ipauser and ipagroup modules now support a new renamed state

With this update, you can use the renamed state in ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to change the group name of an existing IdM group.


The runasuser_group parameter is now available in ansible-freeipa ipasudorule

With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.


389-ds-base rebased to version

The 389-ds-base package has been updated to version


The HAProxy protocol is now supported for the 389-ds-base package

Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:

[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4


samba rebased to version 4.19.4

The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:

  • Command-line options in the smbget utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See the smbget --help command and smbget(1) man page for further details about the new options.
  • If the winbind debug traceid option is enabled, the winbind service now logs, additionally, the following fields:

    • traceid: Tracks the records belonging to the same request.
    • depth: Tracks the request nesting level.
  • Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
  • The directory name cache size option was removed.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.


4.12. The web console

RHEL web console can now generate Ansible and shell scripts

In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.


Simplified managing storage and resizing partitions on Storage

The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.


4.13. Red Hat Enterprise Linux System Roles

The ad_integration RHEL system role now supports configuring dynamic DNS update options

With this update, the ad_integration RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:

  • When the identity provider comes online (always).
  • At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.

You can change these and other settings using the new variables in ad_integration. For example, you can set ad_dyndns_refresh_interval to 172800 to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory.


The metrics RHEL System Role now supports configuring PMIE webhooks

With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.


The bootloader RHEL system role

This update introduces the bootloader RHEL system role. You can use this feature for stable and consistent configuration of bootloaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.


The logging role supports general queue and general action parameters in output modules

Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.


Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

  • Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A Resilient Storage subscription is needed to access the repository.
  • Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
  • Configuration of node attributes.

For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.

Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090

New RHEL System Role for configuring fapolicyd

With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.


The network RHEL System role now supports new route types

With this enhancement, you can now use the following route types with the network RHEL System Role:

  • blackhole
  • prohibit
  • unreachable


New rhc_insights.display_name option in the rhc role to set display names

You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.


The RHEL system roles now support LVM snapshot management

With this enhancement, you can use the new snapshot RHEL system roles to create, configure, and manage LVM snapshots.


The postgresql RHEL System Role now supports PostgreSQL 16

The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.

For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.


New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames

You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.


ForwardToSyslog flag is now supported in the journald system role

In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.


ratelimit_burst variable is only used if ratelimit_interval is set in logging system role

Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also required to set ratelimit_interval.

With this enhancement, if ratelimit_interval is not set, the role does not set ratelimit.burst. If you want to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst variables.


Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role

Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.


The ad_integration RHEL System Role now supports custom SSSD settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.


The ad_integration RHEL System Role now supports custom SSSD domain configuration settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.


New logging_preserve_fqdn variable for the logging RHEL System Role

Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.


Support for creation of volumes without creating a file system

With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.

Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.


The rhc system role now supports RHEL 7 systems

You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.

Using the rhc_insights.remediation parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.


New mssql_ha_prep_for_pacemaker variable

Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.


The sshd role now configures certificate-based SSH authentications

With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.


selinux role now supports configuring SELinux in disabled mode

With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.


selinux role now prints a message when specifying a non-existent module

With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.


4.14. Virtualization

RHEL now supports Multi-FD migration of virtual machines

With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.

It is recommended to use this feature on high-speed networks (20 Gbps and higher).


Secure Execution VMs on IBM Z now support cryptographic coprocessors

With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.

By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.


You can now replace SPICE with VNC in the web console

With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).

Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration.


New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

  • Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the ~/.ssh/authorized_keys file of the designated non-root user on the newly created VM, which provides you with an immediate SSH access to the specified user account.
  • Select a pre-formatted block device type when creating a new storage pool. This is a more robust alternative to a physical disk device type, as it prevents unintentional reformatting of a raw disk device.

This update also changes some default behavior in the Virtual Machines page:

  • In the Add disk dialog, the Always attach option is now set by default.


4.15. RHEL in cloud environments

New cloud-init clean option for deleting generated configuration files

The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:

cloud-init clean --configs network


RHEL instances on EC2 now support IPv6 IMDS connections

With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet.


4.16. Containers

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:

Notable changes in Podman v4.9:

  • You can now use Podman to load the modules on-demand by using the podman --module <your_module_name> command and to override the system and user configuration files.
  • A new podman farm command with a set of the create, set, remove, and update subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures.
  • A new podman-compose command has been added, which runs Compose workloads by using an external compose provider such as Docker compose.
  • The podman build command now supports the --layer-label and --cw options.
  • The podman generate systemd command is deprecated. Use Quadlet to run containers and pods under systemd.
  • The podman build command now supports Containerfiles with the HereDoc syntax.
  • The podman machine init and podman machine set commands now support a new --usb option. Use this option to allow USB passthrough for the QEMU provider.
  • The podman kube play command now supports a new --publish-all option. Use this option to expose all containerPorts on the host.

For more information about notable changes, see upstream release notes.


Podman now supports containers.conf modules

You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.

These modules are located in the following directories, or their subdirectories:

  • For rootless users: $HOME/.config/containers/containers.conf.modules
  • For root users: /etc/containers/containers.conf.modules, or /usr/share/containers/containers.conf.modules

You can load the modules on-demand with the podman --module <your_module_name> command to override the system and user configuration files. Working with modules involve the following facts:

  • You can specify modules multiple times by using the --module option.
  • If <your_module_name> is the absolute path, the configuration file will be loaded directly.
  • The relative paths are resolved relative to the three module directories mentioned previously.
  • Modules in $HOME override those in the /etc/ and /usr/share/ directories.

For more information, see the upstream documentation.


The Podman v4.9 RESTful API now displays data of progress

With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.


SQLite is now fully supported as a default database backend for Podman

With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.

If you have explicitly configured the database backend by using the database_backend option in the containers.conf file, then Podman will continue to use the specified backend.


Administrators can set up isolation for firewall rules by using nftables

You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.


Containerfile now supports multi-line instructions

You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.

For example, the original Containerfile can contain the following RUN directives:

RUN dnf update
RUN dnf -y install golang
RUN dnf -y install java

Instead of multiple RUN directives, you can use the HereDoc notation:

dnf update
dnf -y install golang
dnf -y install java


Toolbx is now available

With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the image.


Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.