Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10.
4.1. Installer and image creation
Ability to use partitioning mode on the blueprint filesystem customization
With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:
-
Default:
auto-lvm - LVM: the image uses Logical Volume Manager (LVM) even without extra partitions
- Raw: the image uses raw partitioning even with extra partitions
Jira:RHELDOCS-16337[1]
Filesystem customization policy changes in image builder
The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:
Currently, mountpoint and minimum partition minsize can be set. The following image types do not support filesystem customizations: image-installeredge-installeredge-simplified-installer The following image types do not create partitioned operating systems images. Customizing their filesystem is meaningless: edge-commitedge-containertarcontainer The blueprint now supports the mountpoint customization for tpm and its sub-directories.
Jira:RHELDOCS-17261[1]
4.2. Security
SCAP Security Guide rebased to 0.1.72
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:
- CIS profiles are updated to align with the latest benchmarks.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes.
Jira:RHEL-25250[1]
OpenSSL now contains protections against Bleichenbacher-like attacks
This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.
You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your system more vulnerable.
Jira:RHEL-17689[1]
librdkafka rebased to 1.6.1
The librdkafka implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the CHANGELOG.md document provided in the librdkafka package.
This update changes configuration defaults and deprecates some configuration properties. Read the Upgrade considerations section in CHANGELOG.md for more details. The API (C & C++) and ABI © in this version are compatible with older versions of librdkafka, but some changes to the configuration properties may require changes to existing applications.
Jira:RHEL-12892[1]
libkcapi rebased to 1.4.0
The libkcapi library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:
-
Added the
sm3sumandsm3hmactools. -
Added the
kcapi_md_sm3andkcapi_md_hmac_sm3APIs. - Added SM4 convenience functions.
- Fixed support for link-time optimization (LTO).
- Fixed LTO regression testing.
-
Fixed support for AEAD encryption of an arbitrary size with
kcapi-enc.
Jira:RHEL-5366[1]
stunnel rebased to 5.71
The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel default FIPS configuration is set to no, stunnel adapts to OpenSSL and FIPS mode is enabled.
Additional new features include:
- Added support for modern PostgreSQL clients.
-
You can use the
protocolHeaderservice-level option to insert customconnectprotocol negotiation headers. -
You can use the
protocolHostoption to control the client SMTP protocol negotiation HELO/EHLO value. -
Added client-side support for Client-side
protocol = ldap. -
You can now configure session resumption by using the service-level
sessionResumeoption. -
Added support to request client certificates in server mode with
CApath(previously, onlyCAfilewas supported). - Improved file reading and logging performance.
-
Added support for configurable delay for the
retryoption. -
In client mode, OCSP stapling is requested and verified when
verifyChainis set. - In server mode, OCSP stapling is always available.
-
Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting
OCSPrequire = no.
Jira:RHEL-2340[1]
OpenSSH limits artificial delays in authentication
OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.
libkcapi now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:
$ sha256hmac -c <hmac_file> -T <target_file>
Jira:RHEL-15300[1]
audit rebased to 3.1.2
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:
-
The
auparselibrary now interprets unnamed and anonymous sockets. -
You can use the new keyword
this-hourin thestartandendoptions of theausearchandaureporttools. -
User-friendly keywords for signals have been added to the
auditctlprogram. -
Handling of corrupt logs in
auparsehas been improved. -
The
ProtectControlGroupsoption is now disabled by default in theauditdservice. - Rule checking for the exclude filter has been fixed.
-
The interpretation of
OPENAT2fields has been enhanced. -
The
audispd af_unixplugin has been moved to a standalone program. - The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-15001[1]
4.3. Shells and command-line tools
openCryptoki rebased to version 3.22.0
The opencryptoki package has been updated to version 3.22.0. Notable changes include:
-
Added support for the
AES-XTSkey type by using theCPACFprotected keys. - Added support for managing certificate objects.
-
Added support for public sessions with the
no-loginoption. - Added support for logging in as the Security Officer (SO).
-
Added support for importing and exporting the
EdwardsandMontgomerykeys. -
Added support for importing the
RSA-PSSkeys and certificates. - For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
- Various bug fixes have been implemented.
Jira:RHEL-11413[1]
4.4. Infrastructure services
chrony rebased to version 4.5
The chrony suite has been updated to version 4.5. Notable changes include:
-
Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by hostname. The default interval is two weeks and it can be disabled by adding
refresh 0to thechrony.conffile. - Improved automatic replacement of unreachable NTP sources.
-
Improved logging of important changes made by the
chronycutility. - Improved logging of source selection failures and falsetickers.
-
Added the
hwtstimeoutdirective to configure timeout for late hardware transmit timestamps. - Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
-
Fixed the
presendoption ininterleavedmode. -
Fixed reloading of modified sources specified by IP address from the
sourcedirdirectories.
linuxptp rebased to version 4.2
The linuxptp protocol has been updated to version 4.2. Notable changes include:
-
Added support for multiple domains in the
phc2sysutility. - Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
- Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
Jira:RHEL-21326[1]
4.5. Networking
The ss utility adds visibility improvement to TCP bound-inactive sockets
The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:
-
ss --all: to dump all sockets including TCP bound-inactive ones -
ss --bound-inactive: to dump only bound-inactive sockets
Jira:RHEL-6113[1]
nispor rebased to version 1.2.10
The nispor packages have been upgraded to upstream version 1.2.10, which provides a number of enhancements and bug fixes over the previous version:
-
Added support for
NetStateFilterto use the kernel filter on network routes and interfaces. - Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
-
Newly supported bonding options:
lacp_active,arp_missed_max, andns_ip6_target.
4.6. Kernel
Kernel version in RHEL 8.10
Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.
rtla rebased to version 6.6 of the upstream kernel source code
The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
-
Added the
-Coption to specify additional control groups forrtlathreads to run in, apart from the mainrtlathread. -
Added the
--house-keepingoption to placertlathreads on a housekeeping CPU and to put measurement threads on different CPUs. -
Added support to the
timerlattracer so that you can runtimerlat histandtimerlat topthreads in user space.
Jira:RHEL-10081[1]
rteval was upgraded to the upstream version 3.7
With this update, the rteval utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.
Jira:RHEL-8967[1]
SGX is now fully supported
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041881[1]
The Intel data streaming accelerator driver is now fully supported
The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list
With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This options covers the most common usecase of a real-time application running on isolated CPUs. Other usecases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.
Jira:RHEL-21926[1]
4.7. Boot loader
DEP/NX support in the pre-boot stage
The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.
This release adds DEP/NX support in the GRUB and shim boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might execute certain attacks without the DEP/NX protection.
Jira:RHEL-15856[1]
Support for TD RTMR measurement in GRUB and shim
Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).
TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, such as grub2 and shim, must log the event and measurement hash to runtime measurement registers (RTMR).
TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the TD guest rely on TD measurement to provide trust evidence to get confidential information, such as the key from the relaying part through the attestation service.
With this release, the GRUB and shim boot loaders now support the TD measurement protocol.
For more information about Intel® TDX, see Documentation for Intel® Trust Domain Extensions.
Jira:RHEL-15583[1]
4.8. File systems and storage
The Storage RHEL System Roles now support shared LVM device management
The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.
multipathd now supports detecting FPIN-Li events for NVMe devices
Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.
With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.
4.9. Dynamic programming languages, web and database servers
Python 3.12 available in RHEL 8
RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, as well as the ubi8/python-312 container image.
Notable enhancements compared to the previously released Python 3.11 include:
-
Python introduces a new
typestatement and new type parameter syntax for generic classes and functions. - Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
-
To improve security, the builtin
hashlibimplementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The builtin implementations remain available as fallback if OpenSSL does not provide them. -
Dictionary, list, and set comprehensions in
CPythonare now inlined. This significantly increases the speed of a comprehension execution. -
CPythonnow supports the Linuxperfprofiler. -
CPythonnow provides stack overflow protection on supported platforms.
To install packages from the python3.12 stack, use, for example:
# yum install python3.12 # yum install python3.12-pip
To run the interpreter, use, for example:
$ python3.12 $ python3.12 -m pip --help
See Installing and using Python for more information.
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:
[email_addr_parsing] PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
A new module stream: ruby:3.3
RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 8.7.
Notable enhancements include:
-
You can use the new
Prismparser instead ofRipper.Prismis a portable, error tolerant, and maintainable recursive descent parser for the Ruby language. - YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
-
The
Regexpmatching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities. - The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
- A new M:N thread scheduler is now available.
Other notable changes:
-
You must now use the
LramaLALR parser generator instead ofBison. - Several deprecated methods and constants have been removed.
-
The
Raccgem has been promoted from a default gem to a bundled gem.
To install the ruby:3.3 module stream, use:
# yum module install ruby:3.3
If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-17090[1]
A new module stream: php:8.2
RHEL 8.10 adds PHP 8.2, which provides a number of bug fixes and enhancements over version 8.0.
With PHP 8.2, you can:
- Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature.
-
Declare a property with the
readonlymodifier to prevent modification of the property after initialization. - Use fibers, full-stack, and interruptible functions.
- Use readonly classes.
- Declare several new standalone types.
-
Use a new
Randomextension. - Define constraints in traits.
To install the php:8.2 module stream, use the following command:
# yum module install php:8.2
If you want to upgrade from an earlier php stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.
For information about the length of support for the php module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14705[1]
The name() method of the perl-DateTime-TimeZone module now returns the time zone name
The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.
A new module stream: nginx:1.24
The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.
New features and changes related to Transport Layer Security (TLS):
-
Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the
ssl_session_cachedirective. - Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
-
You can now disable looking up IPv4 addresses while resolving by using the
ipv4=offparameter of theresolverdirective. -
nginx now supports the
$proxy_protocol_tlv_*variables, which store the values of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol. -
The
ngx_http_gzip_static_modulemodule now supports byte ranges.
Other changes:
- Header lines are now represented as linked lists in the internal API.
-
nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the
$r->header_in()method of thengx_http_perl_module, and during lookups of the$http_...,$sent_http_...,$sent_trailer_...,$upstream_http_..., and$upstream_trailer_...variables. - nginx now displays a warning if protocol parameters of a listening socket are redefined.
- nginx now closes connections with lingering if pipelining was used by the client.
-
The logging level of various SSL errors has been lowered, for example, from
CriticaltoInformational.
To install the nginx:1.24 stream, use:
# yum module install nginx:1.24
To upgrade from an earlier nginx stream, switch to a later stream.
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle article.
Jira:RHEL-14714[1]
A new module stream: mariadb:10.11
MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:
-
A new
sys_schemafeature. - Atomic Data Definition Language (DDL) statements.
-
A new
GRANT ... TO PUBLICprivilege. -
Separate
SUPERandREAD ONLY ADMINprivileges. -
A new
UUIDdatabase data type. - Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
-
Support for the natural sort order through the
natural_sort_key()function. -
A new
SFORMATfunction for arbitrary text formatting. - Changes to the UTF-8 charset and the UCA-14 collation.
-
systemdsocket activation files available in the/usr/share/directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream. -
Error messages containing the
MariaDBstring instead ofMySQL. - Error messages available in the Chinese language.
- Changes to the default logrotate file.
-
For MariaDB and MySQL clients, the connection property specified on the command line (for example,
--port=3306), now forces the protocol type of communication between the client and the server, such astcp,socket,pipe, ormemory.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.
For more information about MariaDB, see Using MariaDB.
To install the mariadb:10.11 stream, use:
# yum module install mariadb:10.11
If you want to upgrade from the mariadb:10.5 module stream, see Upgrading from MariaDB 10.5 to MariaDB 10.11.
For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new module stream: postgresql:16
RHEL 8.10 introduces PostgreSQL 16, which provides a number of new features and enhancements over version 15.
Notable enhancements include:
- Enhanced bulk loading improves performance.
-
The
libpqlibrary now supports connection-level load balancing. You can use the newload_balance_hostsoption for more efficient load balancing. -
You can now create custom configuration files and include them in the
pg_hba.confandpg_ident.conffiles. -
PostgreSQL now supports regular expression matching on database and role entries in the
pg_hba.conffile.
Other changes include:
-
PostgreSQL is no longer distributed with the
postmasterbinary. Users who start thepostgresqlserver by using the providedsystemdunit file (thesystemctl start postgrescommand) are not affected by this change. If you previously started thepostgresqlserver directly through thepostmasterbinary, you must now use thepostgresbinary instead. - PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.
See also Using PostgreSQL.
To install the postgresql:16 stream, use the following command:
# yum module install postgresql:16
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.
For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Git rebased to version 2.43.0
The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.
Notable enhancements include:
-
You can now use the new
--sourceoption with thegit check-attrcommand to read the.gitattributesfile from the provided tree-ish object instead of the current working directory. -
Git can now pass information from the
WWW-Authenticateresponse-type header to credential helpers. -
In case of an empty commit, the
git format-patchcommand now writes an output file containing a header of the commit instead of creating an empty file. -
You can now use the
git blame --contents=<file> <revision> -- <path>command to find the origins of lines starting at<file>contents through the history that leads to<revision>. -
The
git log --formatcommand now accepts the%(decorate)placeholder for further customization to extend the capabilities provided by the--decorateoption.
Jira:RHEL-17103[1]
Git LFS rebased to version 3.4.1
The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.
Notable changes include:
-
The
git lfs pushcommand can now read references and object IDs from standard input. - Git LFS now handles alternative remotes without relying on Git.
-
Git LFS now supports the
WWW-Authenticateresponse-type header as a credential helper.
Jira:RHEL-17102[1]
4.10. Compilers and development tools
elfutils rebased to version 0.190
The elfutils package has been updated to version 0.190. Notable improvements include:
-
The
libelflibrary now supports relative relocation (RELR). -
The
libdwlibrary now recognizes.debug_[ct]u_indexsections. -
The
eu-readelfutility now supports a new-Ds,--use-dynamic --symboloption to show symbols through the dynamic segment without using ELF sections. -
The
eu-readelfutility can now show.gdb_indexversion 9. -
A new
eu-scrlinesutility compiles a list of source files associated with a specified DWARF or ELF file. -
A
debuginfodserver schema has changed for a 60% compression in file name representation (this requires reindexing).
valgrind updated to 3.22
The valgrind package has been updated to version 3.22. Notable improvements include:
-
valgrindmemchecknow checks that the values given to the C functionsmemalign,posix_memalign, andaligned_alloc, and the C++17 alignednewoperator are valid alignment values. -
valgrindmemchecknow supports mismatch detection for C++14 sized and C++17 alignednewanddeleteoperators. -
Added support for lazy reading of DWARF debugging information, resulting in faster startup when
debuginfopackages are installed.
Clang resource directory moved
The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.
A new grafana-selinux package
Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.
Updated GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced in RHEL 8.10 include:
- The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
-
binutilsnow support AMD CPUs based on theznver5core through the-march=znver5compiler switch. -
annobinhas been updated to version 12.32. -
The
annobinplugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
| Tool | Version |
|---|---|
| GCC | 13.2.1 |
| GDB | 12.1 |
| binutils | 2.40 |
| dwz | 0.14 |
| annobin | 12.32 |
To install GCC Toolset 13, run the following command as root:
# yum install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 toolTo run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Jira:RHEL-25405[1]
LLVM Toolset rebased to version 17.0.6
LLVM Toolset has been updated to version 17.0.6.
Notable enhancements include:
- The opaque pointers migration is now completed.
- Removed support for the legacy pass manager in middle-end optimization.
Clang changes:
- C++20 coroutines are no longer considered experimental.
-
Improved code generation for the
std::movefunction and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Rust Toolset rebased to version 1.75.0
Rust Toolset has been updated to version 1.75.0.
Notable enhancements include:
- Constant evaluation time is now unlimited
- Cleaner panic messages
- Cargo registry authentication
-
async fnand opaque return types in traits
Go Toolset rebased to version 1.21.0
Go Toolset has been updated to version 1.21.0.
Notable enhancements include:
-
min,max, andclearbuilt-ins have been added. - Official support for profile guided optimization has been added.
- Package initialization order is now more precisely defined.
- Type inferencing is improved.
- Backwards compatibility support is improved.
For more information, see the Go upstream release notes.
Jira:RHEL-11872[1]
papi supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:
- AMD Zen 4
- 4th Generation Intel® Xeon® Scalable Processors
Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337
Ant rebased to version 1.10.9
The ant:1.10 module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.
The updated ant:1.10 module stream provides only the ant and ant-lib packages. Remaining packages related to Ant are distributed in the javapackages-tools module in the unsupported CodeReady Linux Builder (CRB) repository and have not been updated.
Packages from the updated ant:1.10 module stream cannot be used in parallel with packages from the javapackages-tools module. If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10 module and disable it, enable the CRB repository, and install the javapackages-tools module.
New package: maven-openjdk21
The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.
Jira:RHEL-17126[1]
cmake rebased to version 3.26
The cmake package has been updated to version 3.26. Notable improvements include:
- Added support for the C17 and C18 language standards.
-
cmakecan now query the/etc/os-releasefile for operating system identification information. -
Added support for the CUDA 20 and
nvtx3libraries. - Added support for the Python stable application binary interface.
- Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
4.11. Identity Management
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
Jira:RHELPLAN-123140[1]
ipa rebased to version 4.9.13
The ipa package has been updated from version 4.9.12 to 4.9.13. Notable changes include:
- The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
-
The performance of the
cert-findcommand has been improved dramatically for situations with a large number of certificates. -
The
ansible-freeipapackage has been rebased from version 1.11 to 1.12.1.
For more information, see the upstream release notes.
Deleting expired KCM Kerberos tickets
Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.
Support for bcrypt password hashing algorithm for local users
With this update, you can enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm:
-
Edit the
/etc/authselect/system-authand/etc/authselect/password-authfiles by changing thepam_unix.so sha512setting topam_unix.so blowfish. Apply the changes:
# authselect apply-changes
-
Change the password for a user by using the
passwdcommand. -
In the
/etc/shadowfile, verify that the hashing algorithm is set to$2b$, indicating that thebcryptpassword hashing algorithm is now used.
The idp Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules
With this update, the ansible-freeipa package now contains the following modules:
idoverrideuser- Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
idoverridegroup- Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
idview- Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.
The delegation of DNS zone management enabled in ansible-freeipa
You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to set a per-zone access delegation permission.
The ansible-freeipa ipauser and ipagroup modules now support a new renamed state
With this update, you can use the renamed state in ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to change the group name of an existing IdM group.
The runasuser_group parameter is now available in ansible-freeipa ipasudorule
With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.
389-ds-base rebased to version 1.4.3.39
The 389-ds-base package has been updated to version 1.4.3.39.
The HAProxy protocol is now supported for the 389-ds-base package
Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
samba rebased to version 4.19.4
The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:
-
Command-line options in the
smbgetutility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See thesmbget --helpcommand andsmbget(1)man page for further details about the new options. If the
winbind debug traceidoption is enabled, thewinbindservice now logs, additionally, the following fields:-
traceid: Tracks the records belonging to the same request. -
depth: Tracks the request nesting level.
-
- Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
-
The
directory name cache sizeoption was removed.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Jira:RHEL-16483[1]
4.12. The web console
RHEL web console can now generate Ansible and shell scripts
In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.
Jira:RHELDOCS-17060[1]
Simplified managing storage and resizing partitions on Storage
The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
4.13. Red Hat Enterprise Linux System Roles
The ad_integration RHEL system role now supports configuring dynamic DNS update options
With this update, the ad_integration RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:
- When the identity provider comes online (always).
- At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.
You can change these and other settings using the new variables in ad_integration. For example, you can set ad_dyndns_refresh_interval to 172800 to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory.
Jira:RHELDOCS-17372[1]
The metrics RHEL System Role now supports configuring PMIE webhooks
With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.
The bootloader RHEL system role
This update introduces the bootloader RHEL system role. You can use this feature for stable and consistent configuration of bootloaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.
The logging role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.
Support for new ha_cluster System Role features
The ha_cluster System Role now supports the following features:
-
Enablement of the repositories containing resilient storage packages, such as
dlmorgfs2. A Resilient Storage subscription is needed to access the repository. - Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
- Configuration of node attributes.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.
Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090
New RHEL System Role for configuring fapolicyd
With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.
The network RHEL System role now supports new route types
With this enhancement, you can now use the following route types with the network RHEL System Role:
-
blackhole -
prohibit -
unreachable
Jira:RHEL-21491[1]
New rhc_insights.display_name option in the rhc role to set display names
You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.
The RHEL system roles now support LVM snapshot management
With this enhancement, you can use the new snapshot RHEL system roles to create, configure, and manage LVM snapshots.
The postgresql RHEL System Role now supports PostgreSQL 16
The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.
For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.
New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames
You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.
ForwardToSyslog flag is now supported in the journald system role
In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.
ratelimit_burst variable is only used if ratelimit_interval is set in logging system role
Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also required to set ratelimit_interval.
With this enhancement, if ratelimit_interval is not set, the role does not set ratelimit.burst. If you want to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst variables.
Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role
Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.
The ad_integration RHEL System Role now supports custom SSSD settings
Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.
The ad_integration RHEL System Role now supports custom SSSD domain configuration settings
Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.
New logging_preserve_fqdn variable for the logging RHEL System Role
Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.
Support for creation of volumes without creating a file system
With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.
Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.
The rhc system role now supports RHEL 7 systems
You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.
Using the rhc_insights.remediation parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.
New mssql_ha_prep_for_pacemaker variable
Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.
The sshd role now configures certificate-based SSH authentications
With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.
selinux role now supports configuring SELinux in disabled mode
With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
selinux role now prints a message when specifying a non-existent module
With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.
4.14. Virtualization
RHEL now supports Multi-FD migration of virtual machines
With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
Secure Execution VMs on IBM Z now support cryptographic coprocessors
With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration.
Jira:RHELDOCS-18289[1]
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
-
Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the
~/.ssh/authorized_keysfile of the designated non-root user on the newly created VM, which provides you with an immediate SSH access to the specified user account. -
Select a
pre-formatted block devicetype when creating a new storage pool. This is a more robust alternative to aphysical disk devicetype, as it prevents unintentional reformatting of a raw disk device.
This update also changes some default behavior in the Virtual Machines page:
-
In the
Add diskdialog, theAlways attachoption is now set by default.
Jira:RHELDOCS-18323[1]
4.15. RHEL in cloud environments
New cloud-init clean option for deleting generated configuration files
The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:
cloud-init clean --configs network
Jira:RHEL-7312[1]
RHEL instances on EC2 now support IPv6 IMDS connections
With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet.
4.16. Containers
The Container Tools packages have been updated
The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:
Notable changes in Podman v4.9:
-
You can now use Podman to load the modules on-demand by using the
podman --module <your_module_name>command and to override the system and user configuration files. -
A new
podman farmcommand with a set of thecreate,set,remove, andupdatesubcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures. -
A new
podman-composecommand has been added, which runs Compose workloads by using an external compose provider such as Docker compose. -
The
podman buildcommand now supports the--layer-labeland--cwoptions. -
The
podman generate systemdcommand is deprecated. Use Quadlet to run containers and pods undersystemd. -
The
podman buildcommand now supportsContainerfileswith the HereDoc syntax. -
The
podman machine initandpodman machine setcommands now support a new--usboption. Use this option to allow USB passthrough for the QEMU provider. -
The
podman kube playcommand now supports a new--publish-alloption. Use this option to expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167794[1]
Podman now supports containers.conf modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.
These modules are located in the following directories, or their subdirectories:
-
For rootless users:
$HOME/.config/containers/containers.conf.modules -
For root users:
/etc/containers/containers.conf.modules, or/usr/share/containers/containers.conf.modules
You can load the modules on-demand with the podman --module <your_module_name> command to override the system and user configuration files. Working with modules involve the following facts:
-
You can specify modules multiple times by using the
--moduleoption. -
If
<your_module_name>is the absolute path, the configuration file will be loaded directly. - The relative paths are resolved relative to the three module directories mentioned previously.
-
Modules in
$HOMEoverride those in the/etc/and/usr/share/directories.
For more information, see the upstream documentation.
Jira:RHELPLAN-167830[1]
The Podman v4.9 RESTful API now displays data of progress
With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.
Jira:RHELPLAN-167822[1]
SQLite is now fully supported as a default database backend for Podman
With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.
If you have explicitly configured the database backend by using the database_backend option in the containers.conf file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168179[1]
Administrators can set up isolation for firewall rules by using nftables
You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.
Jira:RHELDOCS-16955[1]
Containerfile now supports multi-line instructions
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.
For example, the original Containerfile can contain the following RUN directives:
RUN dnf update RUN dnf -y install golang RUN dnf -y install java
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF dnf update dnf -y install golang dnf -y install java EOF
Jira:RHELPLAN-168184[1]
Toolbx is now available
With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest image.
Jira:RHELDOCS-16241[1]
