Chapter 4. New features


This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10.

4.1. Installer and image creation

Ability to use partitioning mode on the blueprint filesystem customization

With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:

  • Default: auto-lvm
  • LVM: the image uses Logical Volume Manager (LVM) even without extra partitions
  • Raw: the image uses raw partitioning even with extra partitions

Jira:RHELDOCS-16337[1]

Filesystem customization policy changes in image builder

The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:

Currently, mountpoint and minimum partition minsize can be set. The following image types do not support filesystem customizations: image-installeredge-installeredge-simplified-installer The following image types do not create partitioned operating systems images. Customizing their filesystem is meaningless: edge-commitedge-containertarcontainer The blueprint now supports the mountpoint customization for tpm and its sub-directories.

Jira:RHELDOCS-17261[1]

4.2. Security

SCAP Security Guide rebased to 0.1.72

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:

  • CIS profiles are updated to align with the latest benchmarks.
  • The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
  • STIG profiles are aligned with the latest DISA STIG policies.

For additional information, see the SCAP Security Guide release notes.

Jira:RHEL-25250[1]

OpenSSL now contains protections against Bleichenbacher-like attacks

This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your system more vulnerable.

Jira:RHEL-17689[1]

librdkafka rebased to 1.6.1

The librdkafka implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the CHANGELOG.md document provided in the librdkafka package.

Note

This update changes configuration defaults and deprecates some configuration properties. Read the Upgrade considerations section in CHANGELOG.md for more details. The API (C & C++) and ABI © in this version are compatible with older versions of librdkafka, but some changes to the configuration properties might require changes to existing applications.

Jira:RHEL-12892[1]

libkcapi rebased to 1.4.0

The libkcapi library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:

  • Added the sm3sum and sm3hmac tools.
  • Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs.
  • Added SM4 convenience functions.
  • Fixed support for link-time optimization (LTO).
  • Fixed LTO regression testing.
  • Fixed support for AEAD encryption of an arbitrary size with kcapi-enc.

Jira:RHEL-5366[1]

stunnel rebased to 5.71

The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel default FIPS configuration is set to no, stunnel adapts to OpenSSL and FIPS mode is enabled.

Additional new features include:

  • Added support for modern PostgreSQL clients.
  • You can use the protocolHeader service-level option to insert custom connect protocol negotiation headers.
  • You can use the protocolHost option to control the client SMTP protocol negotiation HELO/EHLO value.
  • Added client-side support for Client-side protocol = ldap.
  • You can now configure session resumption by using the service-level sessionResume option.
  • Added support to request client certificates in server mode with CApath (previously, only CAfile was supported).
  • Improved file reading and logging performance.
  • Added support for configurable delay for the retry option.
  • In client mode, OCSP stapling is requested and verified when verifyChain is set.
  • In server mode, OCSP stapling is always available.
  • Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no.

Jira:RHEL-2340[1]

OpenSSH limits artificial delays in authentication

OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.

Jira:RHEL-1684

libkcapi now provides an option for specifying target file names in hash-sum calculations

This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:

$ sha256hmac -c <hmac_file> -T <target_file>

Jira:RHEL-15300[1]

audit rebased to 3.1.2

The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:

  • The auparse library now interprets unnamed and anonymous sockets.
  • You can use the new keyword this-hour in the start and end options of the ausearch and aureport tools.
  • User-friendly keywords for signals have been added to the auditctl program.
  • Handling of corrupt logs in auparse has been improved.
  • The ProtectControlGroups option is now disabled by default in the auditd service.
  • Rule checking for the exclude filter has been fixed.
  • The interpretation of OPENAT2 fields has been enhanced.
  • The audispd af_unix plugin has been moved to a standalone program.
  • The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).

Jira:RHEL-15001[1]

4.3. Shells and command-line tools

openCryptoki rebased to version 3.22.0

The opencryptoki package has been updated to version 3.22.0. Notable changes include:

  • Added support for the AES-XTS key type by using the CPACF protected keys.
  • Added support for managing certificate objects.
  • Added support for public sessions with the no-login option.
  • Added support for logging in as the Security Officer (SO).
  • Added support for importing and exporting the Edwards and Montgomery keys.
  • Added support for importing the RSA-PSS keys and certificates.
  • For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
  • Various bug fixes have been implemented.

Jira:RHEL-11413[1]

4.4. Infrastructure services

chrony rebased to version 4.5

The chrony suite has been updated to version 4.5. Notable changes include:

  • Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by hostname. The default interval is two weeks and it can be disabled by adding refresh 0 to the chrony.conf file.
  • Improved automatic replacement of unreachable NTP sources.
  • Improved logging of important changes made by the chronyc utility.
  • Improved logging of source selection failures and falsetickers.
  • Added the hwtstimeout directive to configure timeout for late hardware transmit timestamps.
  • Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
  • Fixed the presend option in interleaved mode.
  • Fixed reloading of modified sources specified by IP address from the sourcedir directories.

Jira:RHEL-21069

linuxptp rebased to version 4.2

The linuxptp protocol has been updated to version 4.2. Notable changes include:

  • Added support for multiple domains in the phc2sys utility.
  • Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
  • Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.

Jira:RHEL-21326[1]

4.5. Networking

firewalld now avoids unnecessary firewall rule flushes

The firewalld service does not remove all existing rules from the iptables configuration if both following conditions are met:

  • firewalld is using the nftables backend.
  • There are no firewall rules created with the --direct option.

This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration with other software.

Jira:RHEL-47595

The ss utility adds visibility improvement to TCP bound-inactive sockets

The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:

  • ss --all: to dump all sockets including TCP bound-inactive ones
  • ss --bound-inactive: to dump only bound-inactive sockets

Jira:RHEL-6113[1]

nispor rebased to version 1.2.10

The nispor packages have been upgraded to upstream version 1.2.10, which provides several enhancements and bug fixes over the previous version:

  • Added support for NetStateFilter to use the kernel filter on network routes and interfaces.
  • Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
  • Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target.

Bugzilla:2153166

4.6. Kernel

Kernel version in RHEL 8.10

Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.

rtla rebased to version 6.6 of the upstream kernel source code

The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:

  • Added the -C option to specify additional control groups for rtla threads to run in, apart from the main rtla thread.
  • Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads on different CPUs.
  • Added support to the timerlat tracer so that you can run timerlat hist and timerlat top threads in user space.

Jira:RHEL-10081[1]

rteval was upgraded to the upstream version 3.7

With this update, the rteval utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.

Jira:RHEL-8967[1]

SGX is now fully supported

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.

The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

  • Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
  • Dynamic addition of regular enclave pages to an initialized enclave.
  • Expanding an initialized enclave to accommodate more threads.
  • Removing regular and TCS pages from an initialized enclave.

In this release, SGX moves from Technology Preview to a fully supported feature.

Bugzilla:2041881[1]

The Intel data streaming accelerator driver is now fully supported

The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

In this release, IDXD moves from a Technology Preview to a fully supported feature.

Jira:RHEL-10097[1]

rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list

With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This options covers the most common usecase of a real-time application running on isolated CPUs. Other usecases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.

Jira:RHEL-21926[1]

4.7. Boot loader

DEP/NX support in the pre-boot stage

The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.

This release adds DEP/NX support in the GRUB and shim boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might execute certain attacks without the DEP/NX protection.

Jira:RHEL-15856[1]

Support for TD RTMR measurement in GRUB and shim

Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).

TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, such as grub2 and shim, must log the event and measurement hash to runtime measurement registers (RTMR).

TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the TD guest rely on TD measurement to provide trust evidence to get confidential information, such as the key from the relaying part through the attestation service.

With this release, the GRUB and shim boot loaders now support the TD measurement protocol.

For more information about Intel® TDX, see Documentation for Intel® Trust Domain Extensions.

Jira:RHEL-15583[1]

4.8. File systems and storage

The Storage RHEL System Roles now support shared LVM device management

The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.

Jira:RHEL-14022

multipathd now supports detecting FPIN-Li events for NVMe devices

Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.

With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.

Jira:RHEL-6677

4.9. Dynamic programming languages, web and database servers

Python 3.12 available in RHEL 8

RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, and the ubi8/python-312 container image.

Notable enhancements compared to the previously released Python 3.11 include:

  • Python introduces a new type statement and new type parameter syntax for generic classes and functions.
  • Formatted string literal (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
  • Python now provides a unique per-interpreter global interpreter lock (GIL).
  • You can now use the buffer protocol from Python code.
  • To improve security, the built-in hashlib implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The built-in implementations remain available as fallback if OpenSSL does not provide them.
  • Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases the speed of a comprehension execution.
  • CPython now supports the Linux perf profiler.
  • CPython now provides stack overflow protection on supported platforms.

To install packages from the python3.12 stack, use, for example:

# yum install python3.12
# yum install python3.12-pip

To run the interpreter, use, for example:

$ python3.12
$ python3.12 -m pip --help

See Installing and using Python for more information.

For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-14942

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:

export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true

However, individual calls to the affected functions can still enable stricter behavior.

You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:

[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true

For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.

Jira:RHELDOCS-17369[1]

A new module stream: ruby:3.3

RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 8.7.

Notable enhancements include:

  • You can use the new Prism parser instead of Ripper. Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language.
  • YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
  • The Regexp matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities.
  • The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
  • A new M:N thread scheduler is now available.

Other notable changes:

  • You must now use the Lrama LALR parser generator instead of Bison.
  • Several deprecated methods and constants have been removed.
  • The Racc gem has been promoted from a default gem to a bundled gem.

To install the ruby:3.3 module stream, use:

# yum module install ruby:3.3

If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.

For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-17090[1]

A new module stream: php:8.2

RHEL 8.10 adds PHP 8.2, which provides several bug fixes and enhancements over version 8.0.

With PHP 8.2, you can:

  • Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature.
  • Declare a property with the readonly modifier to prevent modification of the property after initialization.
  • Use fibers, full-stack, and interruptible functions.
  • Use readonly classes.
  • Declare several new standalone types.
  • Use a new Random extension.
  • Define constraints in traits.

To install the php:8.2 module stream, use the following command:

# yum module install php:8.2

If you want to upgrade from an earlier php stream, see Switching to a later stream.

For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.

For information about the length of support for the php module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-14705[1]

The name() method of the perl-DateTime-TimeZone module now returns the time zone name

The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.

For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.

Jira:RHEL-35685

A new module stream: nginx:1.24

The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.

New features and changes related to Transport Layer Security (TLS):

  • Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the ssl_session_cache directive.
  • Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
  • You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter of the resolver directive.
  • nginx now supports the $proxy_protocol_tlv_* variables, which store the values ​​of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol.
  • The ngx_http_gzip_static_module module now supports byte ranges.

Other changes:

  • Header lines are now represented as linked lists in the internal API.
  • nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and $upstream_trailer_... variables.
  • nginx now displays a warning if protocol parameters of a listening socket are redefined.
  • nginx now closes connections with lingering if pipelining was used by the client.
  • The logging level of various SSL errors has been lowered, for example, from Critical to Informational.

To install the nginx:1.24 stream, use:

# yum module install nginx:1.24

To upgrade from an earlier nginx stream, switch to a later stream.

For more information, see Setting up and configuring NGINX.

For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle article.

Jira:RHEL-14714[1]

A new module stream: mariadb:10.11

MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:

  • A new sys_schema feature.
  • Atomic Data Definition Language (DDL) statements.
  • A new GRANT ... TO PUBLIC privilege.
  • Separate SUPER and READ ONLY ADMIN privileges.
  • A new UUID database data type.
  • Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
  • Support for the natural sort order through the natural_sort_key() function.
  • A new SFORMAT function for arbitrary text formatting.
  • Changes to the UTF-8 charset and the UCA-14 collation.
  • systemd socket activation files available in the /usr/share/ directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream.
  • Error messages containing the MariaDB string instead of MySQL.
  • Error messages available in the Chinese language.
  • Changes to the default logrotate file.
  • For MariaDB and MySQL clients, the connection property specified on the command line (for example, --port=3306), now forces the protocol type of communication between the client and the server, such as tcp, socket, pipe, or memory.

For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.

For more information about MariaDB, see Using MariaDB.

To install the mariadb:10.11 stream, use:

# yum module install mariadb:10.11

If you want to upgrade from the mariadb:10.5 module stream, see Upgrading from MariaDB 10.5 to MariaDB 10.11.

For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-3637

A new module stream: postgresql:16

RHEL 8.10 introduces PostgreSQL 16, which provides several new features and enhancements over version 15.

Notable enhancements include:

  • Enhanced bulk loading improves performance.
  • The libpq library now supports connection-level load balancing. You can use the new load_balance_hosts option for more efficient load balancing.
  • You can now create custom configuration files and include them in the pg_hba.conf and pg_ident.conf files.
  • PostgreSQL now supports regular expression matching on database and role entries in the pg_hba.conf file.

Other changes include:

  • PostgreSQL is no longer distributed with the postmaster binary. Users who start the postgresql server by using the provided systemd unit file (the systemctl start postgres command) are not affected by this change. If you previously started the postgresql server directly through the postmaster binary, you must now use the postgres binary instead.
  • PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.

See also Using PostgreSQL.

To install the postgresql:16 stream, use the following command:

# yum module install postgresql:16

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.

For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-3636

Git rebased to version 2.43.0

The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.

Notable enhancements include:

  • You can now use the new --source option with the git check-attr command to read the .gitattributes file from the provided tree-ish object instead of the current working directory.
  • Git can now pass information from the WWW-Authenticate response-type header to credential helpers.
  • In case of an empty commit, the git format-patch command now writes an output file containing a header of the commit instead of creating an empty file.
  • You can now use the git blame --contents=<file> <revision> -- <path> command to find the origins of lines starting at <file> contents through the history that leads to <revision>.
  • The git log --format command now accepts the %(decorate) placeholder for further customization to extend the capabilities provided by the --decorate option.

Jira:RHEL-17103[1]

Git LFS rebased to version 3.4.1

The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.

Notable changes include:

  • The git lfs push command can now read references and object IDs from standard input.
  • Git LFS now handles alternative remotes without relying on Git.
  • Git LFS now supports the WWW-Authenticate response-type header as a credential helper.

Jira:RHEL-17102[1]

Increased performance of the Python interpreter

All supported versions of Python in RHEL 8 are now compiled with the -O3 optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.

The change is available with the release of the following advisories:

Jira:RHEL-49614[1], Jira:RHEL-49636, Jira:RHEL-49644, Jira:RHEL-49638

4.10. Compilers and development tools

New GCC Toolset 14

GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The following tools and versions are provided by GCC Toolset 14 available with the release of the RHEA-2024:8851 advisory:

  • GCC 14.2
  • GDB 14.2
  • binutils 2.41
  • annobin 12.70
  • dwz 0.14

To install GCC Toolset 14, run the following command as root:

# yum install gcc-toolset-14

To run a tool from GCC Toolset 14:

$ scl enable gcc-toolset-14 <tool>

To run a shell session where tool versions from GCC Toolset 14 override system versions of these tools:

$ scl enable gcc-toolset-14 bash

GCC Toolset 14 components are also available in the gcc-toolset-14-toolchain container image.

For more information, see GCC Toolset 14 and Using GCC Toolset.

Jira:RHEL-34596[1], Jira:RHEL-30411

GCC Toolset 14: GCC rebased to version 14.2

In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2 with the release of the RHEA-2024:8864 advisory.

Notable changes include:

  • Optimization and diagnostic improvements
  • A new -fhardened umbrella option, which enables a set of hardening flags
  • A new -fharden-control-flow-redundancy option to detect attacks that transfer control into the middle of functions
  • A new strub type attribute to control stack scrubbing properties of functions and variables
  • A new -finline-stringops option to force inline expansion of certain mem* functions
  • Support for new OpenMP 5.1, 5.2, and 6.0 features
  • Several new C23 features
  • Multiple new C++23 and C++26 features
  • Several resolved C++ defect reports
  • New and improved experimental support for C++20, C++23, and C++26 in the C++ library
  • Support for new CPUs in the 64-bit ARM architecture
  • Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
  • New warnings in the GCC’s static analyzer
  • Certain warnings changed to errors; for details, see Porting to GCC 14
  • Various bug fixes

For more information about changes in GCC 14, see the upstream GCC release notes.

Jira:RHEL-30412[1]

GCC Toolset 14: GDB rebased to version 14.2

In GCC Toolset 14, GDB has been updated to version 14.2 with the release of the RHBA-2024:8862 advisory. The following paragraphs list notable changes since GDB 12.1.

General:

  • The info breakpoints command now displays enabled breakpoint locations of disabled breakpoints as in the y- state.
  • Added support for debug sections compressed with Zstandard (ELFCOMPRESS_ZSTD) for ELF.
  • The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command set style tui-current-position.
  • A new $_inferior_thread_count convenience variable contains the number of live threads in the current inferior.
  • For breakpoints with multiple code locations, GDB now prints the code location using the <breakpoint_number>.<location_number> syntax.
  • When a breakpoint is hit, GDB now sets the $_hit_bpnum and $_hit_locno convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using the disable $_hit_bpnum command, or disable only the specific breakpoint code location by using the disable $_hit_bpnum.$_hit_locno command.
  • Added support for the NO_COLOR environment variable.
  • Added support for integer types larger than 64 bits.
  • You can use new commands for multi-target feature configuration to configure remote target feature sets (see the set remote <name>-packet and show remote <name>-packet in Commands).
  • Added support for the Debugger Adapter Protocol.
  • You can now use the new inferior keyword to make breakpoints inferior-specific (see break or watch in Commands).
  • You can now use the new $_shell() convenience function to execute a shell command during expression evaluation.

Changes to existing commands:

  • break, watch

    • Using the thread or task keywords multiple times with the break and watch commands now results in an error instead of using the thread or task ID of the last instance of the keyword.
    • Using more than one of the thread, task, and inferior keywords in the same break or watch command is now invalid.
  • printf, dprintf

    • The printf and dprintf commands now accept the %V output format, which formats an expression the same way as the print command. You can also modify the output format by using additional print options in brackets […​] following the command, for example: printf "%V[-array-indexes on]", <array>.
  • list

    • You can now use the . argument to print the location around the point of execution in the current frame, or around the beginning of the main() function if the inferior has not started yet.
    • Attempting to list more source lines in a file than are available now issues a warning, referring the user to the . argument.
  • document user-defined

    • It is now possible to document user-defined aliases.

New commands:

  • set print nibbles [on|off] (default: off), show print nibbles - controls whether the print/t command displays binary values in groups of four bits (nibbles).
  • set debug infcall [on|off] (default: off), show debug infcall - prints additional debug messages about inferior function calls.
  • set debug solib [on|off] (default: off), show debug solib - prints additional debug messages about shared library handling.
  • set print characters <LIMIT>, show print characters, print -characters <LIMIT> - controls how many characters of a string are printed.
  • set debug breakpoint [on|off] (default: off), show debug breakpoint - prints additional debug messages about breakpoint insertion and removal.
  • maintenance print record-instruction [ N ] - prints the recorded information for a given instruction.
  • maintenance info frame-unwinders - lists the frame unwinders currently in effect in the order of priority (highest first).
  • maintenance wait-for-index-cache - waits until all pending writes to the index cache are completed.
  • info main - prints information on the main symbol to identify an entry point into the program.
  • set tui mouse-events [on|off] (default: on), show tui mouse-events - controls whether mouse click events are sent to the TUI and Python extensions (when on), or the terminal (when off).

Machine Interface (MI) changes:

  • MI version 1 has been removed.
  • MI now reports no-history when reverse execution history is exhausted.
  • The thread and task breakpoint fields are no longer reported twice in the output of the -break-insert command.
  • Thread-specific breakpoints can no longer be created on non-existent thread IDs.
  • The --simple-values argument to the -stack-list-arguments, -stack-list-locals, -stack-list-variables, and -var-list-children commands now considers reference types as simple if the target is simple.
  • The -break-insert command now accepts a new -g thread-group-id option to create inferior-specific breakpoints.
  • Breakpoint-created notifications and the output of the -break-insert command can now include an optional inferior field for the main breakpoint and each breakpoint location.
  • The async record stating the breakpoint-hit stopped reason now contains an optional field locno giving the code location number in case of a multi-location breakpoint.

Changes in the GDB Python API:

  • Events

    • A new gdb.ThreadExitedEvent event.
    • A new gdb.executable_changed event registry, which emits the ExecutableChangedEvent objects that have progspace and reload attributes.
    • New gdb.events.new_progspace and gdb.events.free_progspace event registries, which emit the NewProgpspaceEvent and FreeProgspaceEvent event types. Both of these event types have a single attribute progspace to specify the gdb.Progspace program space that is being added to or removed from GDB.
  • The gdb.unwinder.Unwinder class

    • The name attribute is now read-only.
    • The name argument of the __init__ function must be of the str type, otherwise a TypeError is raised.
    • The enabled attribute now accepts only the bool type.
  • The gdb.PendingFrame class

    • New methods: name, is_valid, pc, language, find_sal, block, and function, which mirror similar methods of the gdb.Frame class.
    • The frame-id argument of the create_unwind_info function can now be either an integer or a gdb.Value object for the pc, sp, and special attributes.
  • A new gdb.unwinder.FrameId class, which can be passed to the gdb.PendingFrame.create_unwind_info function.
  • The gdb.disassembler.DisassemblerResult class can no longer be sub-classed.
  • The gdb.disassembler module now includes styling support.
  • A new gdb.execute_mi(COMMAND, [ARG]…​) function, which invokes a GDB/MI command and returns result as a Python dictionary.
  • A new gdb.block_signals() function, which returns a context manager that blocks any signals that GDB needs to handle.
  • A new gdb.Thread subclass of the threading.Thread class, which calls the gdb.block_signals function in its start method.
  • The gdb.parse_and_eval function has a new global_context parameter to restrict parsing on global symbols.
  • The gdb.Inferior class

    • A new arguments attribute, which holds the command-line arguments to the inferior, if known.
    • A new main_name attribute, which holds the name of the inferior’s main function, if known.
    • New clear_env, set_env, and unset_env methods, which can modify the inferior’s environment before it is started.
  • The gdb.Value class

    • A new assign method to assign a value of an object.
    • A new to_array method to convert an array-like value to an array.
  • The gdb.Progspace class

    • A new objfile_for_address method, which returns the gdb.Objfile object that covers a given address (if exists).
    • A new symbol_file attribute holding the gdb.Objfile object that corresponds to the Progspace.filename variable (or None if the filename is None).
    • A new executable_filename attribute, which holds the string with a filename that is set by the exec-file or file commands, or None if no executable file is set.
  • The gdb.Breakpoint class

    • A new inferior attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, or None if no such breakpoints are set.
  • The gdb.Type class

    • New is_array_like and is_string_like methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
  • A new gdb.ValuePrinter class, which can be used as the base class for the result of applying a pretty-printer.
  • A newly implemented gdb.LazyString.__str__ method.
  • The gdb.Frame class

    • A new static_link method, which returns the outer frame of a nested function frame.
    • A new gdb.Frame.language method that returns the name of the frame’s language.
  • The gdb.Command class

    • GDB now reformats the doc string for the gdb.Command class and the gdb.Parameter sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
  • The gdb.Objfile class

    • A new is_file attribute.
  • A new gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE) function, which uses the same format as when printing address, symbol, and offset information from the disassembler.
  • A new gdb.current_language function, which returns the name of the current language.
  • A new Python API for wrapping GDB’s disassembler, including gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH), gdb.disassembler.Disassembler, gdb.disassembler.DisassembleInfo, gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE), and gdb.disassembler.DisassemblerResult.
  • A new gdb.print_options function, which returns a dictionary of the prevailing print options, in the form accepted by the gdb.Value.format_string function.
  • The gdb.Value.format_string function

    • gdb.Value.format_string now uses the format provided by the print command if it is called during a print or other similar operation.
    • gdb.Value.format_string now accepts the summary keyword.
  • A new gdb.BreakpointLocation Python type.
  • The gdb.register_window_type method now restricts the set of acceptable window names.

Architecture-specific changes:

  • AMD and Intel 64-bit architectures

    • Added support for disassembler styling using the libopcodes library, which is now used by default. You can modify how the disassembler output is styled by using the set style disassembler * commands. To use the Python Pygments styling instead, use the new maintenance set libopcodes-styling off command.
  • The 64-bit ARM architecture

    • Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
    • Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
    • Added support for Thread Local Storage (TLS) variables.
    • Added support for hardware watchpoints.
  • The 64-bit IBM Z architecture

    • Record and replay support for the new arch14 instructions on IBM Z targets, except for the specialized-function-assist instruction NNPA.
  • IBM Power Systems, Little Endian

    • Added base enablement support for POWER11.

Jira:RHELDOCS-18598[1], Jira:RHEL-36225, Jira:RHEL-36518

GCC Toolset 14: annobin rebased to version 12.70

In GCC Toolset 14, annobin has been updated to version 12.70 with the release of the RHBA-2024:8863 advisory. The updated set of the annobin tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.

Jira:RHEL-30409[1]

GCC Toolset 13: GCC supports AMD Zen 5

With the release of the RHBA-2024:8829 advisory, the GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5 command-line option.

Jira:RHEL-36524[1]

LLVM Toolset updated to 18.1.8

LLVM Toolset has been updated to version 18.1.8 with the release of the RHBA-2024:8828 advisory.

Notable LLVM updates:

  • The constant expression variants of the following instructions have been removed: and, or, lshr, ashr, zext, sext, fptrunc, fpext, fptoui, fptosi, uitofp, sitofp.
  • The llvm.exp10 intrinsic has been added.
  • The code_model attribute for global variables has been added.
  • The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
  • LLVM tools have been improved.

Notable Clang enhancements:

  • C++20 feature support:

    • Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the -Xclang -fno-skip-odr-check-in-gmf option.
  • C++23 feature support:

    • A new diagnostic flag -Wc++23-lambda-attributes has been added to warn about the use of attributes on lambdas.
  • C++2c feature support:

    • Clang now allows using the _ character as a placeholder variable name multiple times in the same scope.
    • Attributes now expect unevaluated strings in attribute parameters that are string literals.
    • The deprecated arithmetic conversion on enumerations from C++26 has been removed.
    • The specification of template parameter initialization has been improved.
  • For a complete list of changes, see the upstream release notes for Clang.

ABI changes in Clang:

  • Following the SystemV ABI for x86_64, the __int128 arguments are no longer split between a register and a stack slot.
  • For more information, see the list of ABI changes in Clang.

Notable backwards incompatible changes:

  • A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
  • The GCC_INSTALL_PREFIX CMake variable (which sets the default --gcc-toolchain=) is deprecated and will be removed. Specify the --gcc-install-dir= or --gcc-triple= option in a configuration file instead.
  • The default extension name for precompiled headers (PCH) generation (-c -xc-header and -c -xc++-header) is now .pch instead of .gch.
  • When -include a.h probes the a.h.gch file, the include now ignores a.h.gch if it is not a Clang PCH file or a directory containing any Clang PCH file.
  • A bug that caused __has_cpp_attribute and __has_c_attribute to return incorrect values for certain C++-11-style attributes has been fixed.
  • A bug in finding a matching operator!= while adding a reversed operator== has been fixed.
  • The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
  • The -Wenum-constexpr-conversion warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release.
  • A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
  • It is no longer possible to import modules by using import <module>; Clang uses explicitly-built modules.
  • For more details, see the list of potentially breaking changes.

For more information, see the LLVM release notes and Clang release notes.

LVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-30907[1]

Rust Toolset rebased to version 1.79.0

Rust Toolset has been updated to version 1.79.0 with the release of the RHBA-2024:8827 advisory. Notable enhancements since the previously available version 1.75.0 include:

  • A new offset_of! macro
  • Support for C-string literals
  • Support for inline const expressions
  • Support for bounds in associated type position
  • Improved automatic temporary lifetime extension
  • Debug assertions for unsafe preconditions

Rust Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-30073[1]

Go Toolset rebased to version 1.22

Go Toolset has been updated to version 1.22 with the release of the RHSA-2024:8876 advisory.

Notable enhancements include:

  • Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
  • Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
  • The go get command no longer supports the legacy GOPATH mode. This change does not affect the go build and go test commands.
  • The vet tool has been updated to match the new behavior of the for loops.
  • CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
  • Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
  • A new math/rand/v2 package is available.
  • Go now provides enhanced HTTP routing patterns with support for methods and wildcards.

For more information, see the Go upstream release notes.

Go Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-46972[1]

elfutils rebased to version 0.190

The elfutils package has been updated to version 0.190. Notable improvements include:

  • The libelf library now supports relative relocation (RELR).
  • The libdw library now recognizes .debug_[ct]u_index sections.
  • The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option to show symbols through the dynamic segment without using ELF sections.
  • The eu-readelf utility can now show .gdb_index version 9.
  • A new eu-scrlines utility compiles a list of source files associated with a specified DWARF or ELF file.
  • A debuginfod server schema has changed for a 60% compression in file name representation (this requires reindexing).

Jira:RHEL-15924

valgrind updated to 3.22

The valgrind package has been updated to version 3.22. Notable improvements include:

  • valgrind memcheck now checks that the values given to the C functions memalign, posix_memalign, and aligned_alloc, and the C++17 aligned new operator are valid alignment values.
  • valgrind memcheck now supports mismatch detection for C++14 sized and C++17 aligned new and delete operators.
  • Added support for lazy reading of DWARF debugging information, resulting in faster startup when debuginfo packages are installed.

Jira:RHEL-15926

Clang resource directory moved

The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.

Jira:RHEL-9299

A new grafana-selinux package

Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.

Jira:RHEL-7503

Updated GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced in RHEL 8.10 include:

  • The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
  • binutils now support AMD CPUs based on the znver5 core through the -march=znver5 compiler switch.
  • annobin has been updated to version 12.32.
  • The annobin plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.

The following tools and versions are provided by GCC Toolset 13:

ToolVersion

GCC

13.2.1

GDB

12.1

binutils

2.40

dwz

0.14

annobin

12.32

To install GCC Toolset 13, run the following command as root:

# yum install gcc-toolset-13

To run a tool from GCC Toolset 13:

$ scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:

$ scl enable gcc-toolset-13 bash

For more information, see GCC Toolset 13 and Using GCC Toolset.

Jira:RHEL-25405[1]

LLVM Toolset rebased to version 17.0.6

LLVM Toolset has been updated to version 17.0.6.

Notable enhancements include:

  • The opaque pointers migration is now completed.
  • Removed support for the legacy pass manager in middle-end optimization.

Clang changes:

  • C++20 coroutines are no longer considered experimental.
  • Improved code generation for the std::move function and similar in unoptimized builds.

For more information, see the LLVM and Clang upstream release notes.

Jira:RHEL-9028

Rust Toolset rebased to version 1.75.0

Rust Toolset has been updated to version 1.75.0.

Notable enhancements include:

  • Constant evaluation time is now unlimited
  • Cleaner panic messages
  • Cargo registry authentication
  • async fn and opaque return types in traits

Jira:RHEL-12964

Go Toolset rebased to version 1.21.0

Go Toolset has been updated to version 1.21.0.

Notable enhancements include:

  • min, max, and clear built-ins have been added.
  • Official support for profile guided optimization has been added.
  • Package initialization order is now more precisely defined.
  • Type inferencing is improved.
  • Backwards compatibility support is improved.

For more information, see the Go upstream release notes.

Jira:RHEL-11872[1]

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

  • AMD Zen 4
  • 4th Generation Intel® Xeon® Scalable Processors

Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337

Ant rebased to version 1.10.9

The ant:1.10 module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.

Note

The updated ant:1.10 module stream provides only the ant and ant-lib packages. Remaining packages related to Ant are distributed in the javapackages-tools module in the unsupported CodeReady Linux Builder (CRB) repository and have not been updated.

Packages from the updated ant:1.10 module stream cannot be used in parallel with packages from the javapackages-tools module. If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10 module and disable it, enable the CRB repository, and install the javapackages-tools module.

Jira:RHEL-5365

New package: maven-openjdk21

The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.

Jira:RHEL-17126[1]

cmake rebased to version 3.26

The cmake package has been updated to version 3.26. Notable improvements include:

  • Added support for the C17 and C18 language standards.
  • cmake can now query the /etc/os-release file for operating system identification information.
  • Added support for the CUDA 20 and nvtx3 libraries.
  • Added support for the Python stable application binary interface.
  • Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.

Jira:RHEL-7396

4.11. Identity Management

Identity Management users can now use external identity providers to authenticate to IdM

With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.

If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.

Jira:RHELPLAN-123140[1]

ipa rebased to version 4.9.13

The ipa package has been updated from version 4.9.12 to 4.9.13. Notable changes include:

  • The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
  • The performance of the cert-find command has been improved dramatically for situations with a large number of certificates.
  • The ansible-freeipa package has been rebased from version 1.11 to 1.12.1.

For more information, see the upstream release notes.

Jira:RHEL-16936

Deleting expired KCM Kerberos tickets

Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.

Jira:SSSD-6216

Support for bcrypt password hashing algorithm for local users

With this update, you can enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm:

  1. Edit the /etc/authselect/system-auth and /etc/authselect/password-auth files by changing the pam_unix.so sha512 setting to pam_unix.so blowfish.
  2. Apply the changes:

    # authselect apply-changes
  3. Change the password for a user by using the passwd command.
  4. In the /etc/shadow file, verify that the hashing algorithm is set to $2b$, indicating that the bcrypt password hashing algorithm is now used.

Jira:SSSD-6790

The idp Ansible module allows associating IdM users with external IdPs

With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user. 

After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.

Jira:RHEL-16938

IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules

With this update, the ansible-freeipa package now contains the following modules:

idoverrideuser
Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
idoverridegroup
Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
idview
Allows you to organize user and group ID overrides and apply them to specific IdM hosts.

In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.

Jira:RHEL-16933

The delegation of DNS zone management enabled in ansible-freeipa

You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to set a per-zone access delegation permission.

Jira:RHEL-19133

The ansible-freeipa ipauser and ipagroup modules now support a new renamed state

With this update, you can use the renamed state in ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to change the group name of an existing IdM group.

Jira:RHEL-4963

The runasuser_group parameter is now available in ansible-freeipa ipasudorule

With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.

Jira:RHEL-19129

389-ds-base rebased to version 1.4.3.39

The 389-ds-base package has been updated to version 1.4.3.39.

Jira:RHEL-19028

The HAProxy protocol is now supported for the 389-ds-base package

Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:

[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4

Jira:RHEL-19240

samba rebased to version 4.19.4

The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:

  • Command-line options in the smbget utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See the smbget --help command and smbget(1) man page for further details about the new options.
  • If the winbind debug traceid option is enabled, the winbind service now logs, additionally, the following fields:

    • traceid: Tracks the records belonging to the same request.
    • depth: Tracks the request nesting level.
  • Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
  • The directory name cache size option was removed.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

Jira:RHEL-16483[1]

4.12. The web console

RHEL web console can now generate Ansible and shell scripts

In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.

Jira:RHELDOCS-17060[1]

Simplified managing storage and resizing partitions on Storage

The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.

Jira:RHELDOCS-17056[1]

4.13. Red Hat Enterprise Linux System Roles

The ad_integration RHEL system role now supports configuring dynamic DNS update options

With this update, the ad_integration RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:

  • When the identity provider comes online (always).
  • At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.

You can change these and other settings using the new variables in ad_integration. For example, you can set ad_dyndns_refresh_interval to 172800 to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory.

Jira:RHELDOCS-17372[1]

The metrics RHEL System Role now supports configuring PMIE webhooks

With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.

Jira:RHEL-18170

The bootloader RHEL system role

This update introduces the bootloader RHEL system role. You can use this feature for stable and consistent configuration of boot loaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.

Jira:RHEL-3241

The logging role supports general queue and general action parameters in output modules

Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.

Jira:RHEL-15440

Support for new ha_cluster System Role features

The ha_cluster System Role now supports the following features:

  • Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A Resilient Storage subscription is needed to access the repository.
  • Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
  • Configuration of node attributes.

For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.

Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090

New RHEL System Role for configuring fapolicyd

With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.

Jira:RHEL-16542

The network RHEL System role now supports new route types

With this enhancement, you can now use the following route types with the network RHEL System Role:

  • blackhole
  • prohibit
  • unreachable

Jira:RHEL-21491[1]

New rhc_insights.display_name option in the rhc role to set display names

You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.

Jira:RHEL-16965

The RHEL system roles now support LVM snapshot management

With this enhancement, you can use the new snapshot RHEL system roles to create, configure, and manage LVM snapshots.

Jira:RHEL-16553

The postgresql RHEL System Role now supports PostgreSQL 16

The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.

For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.

Jira:RHEL-18963

New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames

You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.

Jira:RHEL-16975

ForwardToSyslog flag is now supported in the journald system role

In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.

Jira:RHEL-21123

ratelimit_burst variable is only used if ratelimit_interval is set in logging system role

Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also required to set ratelimit_interval.

With this enhancement, if ratelimit_interval is not set, the role does not set ratelimit.burst. If you want to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst variables.

Jira:RHEL-19047

Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role

Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.

Jira:RHEL-15038

The ad_integration RHEL System Role now supports custom SSSD settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

Jira:RHEL-21134

The ad_integration RHEL System Role now supports custom SSSD domain configuration settings

Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.

Jira:RHEL-17667

New logging_preserve_fqdn variable for the logging RHEL System Role

Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.

Jira:RHEL-15933

Support for creation of volumes without creating a file system

With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.

Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.

Jira:RHEL-16213

The rhc system role now supports RHEL 7 systems

You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.

Using the rhc_insights.remediation parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.

Jira:RHEL-16977

New mssql_ha_prep_for_pacemaker variable

Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.

Jira:RHEL-19204

The sshd role now configures certificate-based SSH authentications

With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.

Jira:RHEL-5985

selinux role now supports configuring SELinux in disabled mode

With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.

Jira:RHEL-15871

selinux role now prints a message when specifying a non-existent module

With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.

Jira:RHEL-19044

4.14. Virtualization

RHEL now supports Multi-FD migration of virtual machines

With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.

It is recommended to use this feature on high-speed networks (20 Gbps and higher).

Jira:RHELDOCS-16970[1]

Secure Execution VMs on IBM Z now support cryptographic coprocessors

With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.

By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.

Jira:RHEL-11597[1]

You can now replace SPICE with VNC in the web console

With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).

Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration.

Jira:RHELDOCS-18289[1]

New virtualization features in the RHEL web console

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

  • Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the ~/.ssh/authorized_keys file of the designated non-root user on the newly created VM, which provides you with an immediate SSH access to the specified user account.
  • Select a pre-formatted block device type when creating a new storage pool. This is a more robust alternative to a physical disk device type, as it prevents unintentional reformatting of a raw disk device.

This update also changes some default behavior in the Virtual Machines page:

  • In the Add disk dialog, the Always attach option is now set by default.

Jira:RHELDOCS-18323[1]

4.15. RHEL in cloud environments

New cloud-init clean option for deleting generated configuration files

The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:

cloud-init clean --configs network

Jira:RHEL-7312[1]

RHEL instances on EC2 now support IPv6 IMDS connections

With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet.

Jira:RHEL-7278

4.16. Containers

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:

Notable changes in Podman v4.9:

  • You can now use Podman to load the modules on-demand by using the podman --module <your_module_name> command and to override the system and user configuration files.
  • A new podman farm command with a set of the create, set, remove, and update subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures.
  • A new podman-compose command has been added, which runs Compose workloads by using an external compose provider such as Docker compose.
  • The podman build command now supports the --layer-label and --cw options.
  • The podman generate systemd command is deprecated. Use Quadlet to run containers and pods under systemd.
  • The podman build command now supports Containerfiles with the HereDoc syntax.
  • The podman machine init and podman machine set commands now support a new --usb option. Use this option to allow USB passthrough for the QEMU provider.
  • The podman kube play command now supports a new --publish-all option. Use this option to expose all containerPorts on the host.

For more information about notable changes, see upstream release notes.

Jira:RHELPLAN-167794[1]

Podman now supports containers.conf modules

You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.

These modules are located in the following directories, or their subdirectories:

  • For rootless users: $HOME/.config/containers/containers.conf.modules
  • For root users: /etc/containers/containers.conf.modules, or /usr/share/containers/containers.conf.modules

You can load the modules on-demand with the podman --module <your_module_name> command to override the system and user configuration files. Working with modules involve the following facts:

  • You can specify modules multiple times by using the --module option.
  • If <your_module_name> is the absolute path, the configuration file will be loaded directly.
  • The relative paths are resolved relative to the three module directories mentioned previously.
  • Modules in $HOME override those in the /etc/ and /usr/share/ directories.

For more information, see the upstream documentation.

Jira:RHELPLAN-167830[1]

The Podman v4.9 RESTful API now displays data of progress

With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.

Jira:RHELPLAN-167822[1]

SQLite is now fully supported as a default database backend for Podman

With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.

If you have explicitly configured the database backend by using the database_backend option in the containers.conf file, then Podman will continue to use the specified backend.

Jira:RHELPLAN-168179[1]

Administrators can set up isolation for firewall rules by using nftables

You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.

Jira:RHELDOCS-16955[1]

Containerfile now supports multi-line instructions

You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.

For example, the original Containerfile can contain the following RUN directives:

RUN dnf update
RUN dnf -y install golang
RUN dnf -y install java

Instead of multiple RUN directives, you can use the HereDoc notation:

RUN <<EOF
dnf update
dnf -y install golang
dnf -y install java
EOF

Jira:RHELPLAN-168184[1]

Toolbx is now available

With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest image.

Jira:RHELDOCS-16241[1]

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.