Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.4.

4.1. Installer and image creation

Anaconda replaces the original boot device NVRAM variable list with new values

Previously, booting from NVRAM could lead to boot system failure due to the entries with the incorrect values in the boot device list.

With this update the problem is fixed, but the previous list of devices is cleared when updating the boot device NVRAM variable.

(BZ#1854307)

Graphical installation of KVM virtual machines on IBM Z is now available

When using the KVM hypervisor on IBM Z hardware, you can now use the graphical installation when creating virtual machines (VMs).

Now, when a user executes the installation in KVM, and QEMU provides a virtio-gpu driver, the installer automatically starts the graphical console. The user can switch to text or VNC mode by appending the inst.text or inst.vnc boot parameters in the VM’s kernel command line.

(BZ#1609325)

Warnings for deprecated kernel boot arguments

Anaconda boot arguments without the inst. prefix (for example, ks, stage2, repo and so on) are deprecated starting RHEL7. These arguments will be removed in the next major RHEL release.

With this release, appropriate warning messages are displayed when the boot arguments are used without the inst prefix. The warning messages are displayed in dracut when booting the installation and also when the installation program is started on a terminal.

Following is a sample warning message that is displayed on a terminal:

Deprecated boot argument %s must be used with the inst. prefix. Please use inst.%s instead. Anaconda boot arguments without inst. prefix have been deprecated and will be removed in a future major release.

Following is a sample warning message that is displayed in dracut:

$1 has been deprecated. All usage of Anaconda boot arguments without the inst. prefix have been deprecated and will be removed in a future major release. Please use $2 instead.

(BZ#1897657)

4.2. RHEL for Edge

Support to specify the kernel name as customization for RHEL for Edge image types

When creating OSTree commits for RHEL for Edge images, only one kernel package can be installed at a time, otherwise the commit creation fails in rpm-ostree. This prevents RHEL for Edge from adding alternative kernels, in particular, the real-time kernel (kernel-rt). With this enhancement, when creating a blueprint for RHEL for Edge image using the CLI, you can define the name of the kernel to be used in an image, by setting the customizations.kernel.name key. If you do not specify any kernel name, the image include the default kernel package.

(BZ#1960043)

4.3. Software management

New fill_sack_from_repos_in_cache function is now supported in DNF API

With this update, the new DNF API fill_sack_from_repos_in_cache function has been introduced which allows to load repositories only from the cached solv, solvx files, and the repomd.xml file. As a result, if the user manages dnf cache, it is possible to save resources without having duplicate information (xml and solv), and without processing xml into solv.

(BZ#1865803)

createrepo_c now automatically adds modular metadata to repositories

Previously, running the createrepo_c command on RHEL8 packages to create a new repository did not include modular repodata in this repository. Consequently, it caused various problems with repositories. With this update, createrepo_c:

scans for modular metadata
merges the found module YAML files into a single modular document modules.yaml
automatically adds this document to the repository.

As a result, adding modular metadata to repositories is now automatic and no longer has to be done as a separate step using the modifyrepo_c command.

(BZ#1795936)

The ability to mirror a transaction between systems within DNF is now supported

With this update, the user can store and replay a transaction within DNF.

To store a transaction from DNF history into a JSON file, run the dnf history store command.
To replay the transaction later on the same machine, or on a different one, run the dnf history replay command.

Comps groups operations storing and replaying is supported. Module operations are not yet supported, and consequently, are not stored or replayed.

(BZ#1807446)

createrepo_c rebased to version 0.16.2

The createrepo_c packages have been rebased to version 0.16.2 which provides the following notable changes over the previous version:

Added module metadata support for createrepo_c.
Fixed various memory leaks

(BZ#1894361)

The protect_running_kernel configuration option is now available.

With this update, the protect_running_kernel configuration option for the dnf and microdnf commands has been introduced. This option controls whether the package corresponding to the running version of the kernel is protected from removal. As a result, the user can now disable protection of the running kernel.

(BZ#1698145)

4.4. Shells and command-line tools

OpenIPMI rebased to version 2.0.29

The OpenIPMI packages have been upgraded to version 2.0.29. Notable changes over the previous version include:

Fixed memory leak, variable binding, and missing error messages.
Added support for IPMB.
Added support for registration of individual group extension in the lanserv.

(BZ#1796588)

freeipmi rebased to version 1.6.6

The freeipmi packages have been upgraded to version 1.6.6. Notable changes over the previous version include:

Fixed memory leaks and typos in the source code.
Implemented workarounds for the following known issues:
- unexpected completion code.
- Dell Poweredge FC830.
- out of order packets with lan/rmcpplus ipmb.
Added support for new Dell, Intel, and Gigabyte devices.
Added support for the interpretation of system information and events.

(BZ#1861627)

opal-prd rebased to version 6.6.3

The opal-prd package has been rebased to version 6.6.3. Notable changes include:

Added an offline worker process handle page for opal-prd daemon.
Fixed the bug for opal-gard on POWER9P so that the system can identify the chip targets for gard records.
Fixed false negatives in wait_for_all_occ_init() of occ command.
Fixed OCAPI_MEM BAR values in hw/phys-map.
Fixed warnings for Inconsistent MSAREA in hdata/memory.c.
For sensors in occ:
- Fixed sensor values zero bug.
- Fixed the GPU detection code.
Skipped sysdump retrieval in MPIPL boot.
Fixed IPMI double-free in the Mihawk platform.
Updated non-MPIPL scenario in fsp/dump.
For hw/phb4:
- Verified AER support before initialising AER regs.
- Enabled error reporting.
Added new smp-cable-connector VPD keyword in hdata.

(BZ#1844427)

opencryptoki rebased to version 3.15.1

The opencryptoki packages have been rebased to version 3.15.1. Notable changes include:

Fixed segfault in C_SetPin.
Fixed usage of EVP_CipherUpdate and EVP_CipherFinal.
Added utility to migrate the token repository to FIPS compliant encryption.
For pkcstok_migrate tool:
- Fixed NVTOK.DAT conversion on Little Endian platforms.
- Fixed private and public token object conversion on Little Endian platforms.
Fixed storing of public token objects in the new data format.
Fixed the parameter checking mechanism in dh_pkcs_derive.
Corrected soft token model name.
Replaced deprecated OpenSSL interfaces in mech_ec.c file and in ICA, TPM, and Soft tokens.
Replaced deprecated OpenSSL AES/3DES interfaces in sw_crypt.c file.
Added support for ECC mechanism in Soft token.
Added IBM specific SHA3 HMAC and SHA512/224/256 HMAC mechanisms in the Soft token.
Added support for key wrapping with CKM_RSA_PKCS in CCA.
For EP11 crypto stack:
- Fixed ep11_get_keytype to recognize CKM_DES2_KEY_GEN.
- Fixed error trace in token_specific_rng.
- Enabled specific FW version and API in HSM simulation.
Fixed Endian bug in X9.63 KDF.
Added an error message for handling p11sak remove-key command.
Fixed compiling issues with C++.
Fixed the problem with C_Get/SetOperationState and digest contexts.
Fixed pkcscca migration fails with usr/sb2.

(BZ#1847433)

powerpc-utils rebased to version 1.3.8

The powerpc-utils packages have been rebased to version 1.3.8. Notable changes include:

Commands that do not depend on Perl are now moved to the core subpackage.
Added support for Linux Hybrid Network Virtualization.
Updated safe bootlist.
Added vcpustat utility.
Added support for cpu-hotplug in lparstat command.
Added switch to print Scaled metrics in lparstat command.
Added helper function to calculate the delta, scaled timebase, and to derive PURR/SPURR values.
For ofpathname utility:
- Improved the speed for l2of_scsi().
- Fixed the udevadm location.
- Added partition to support l2od_ide() and l2of_scsi().
- Added support for the plug ID of a SCSI/SATA host.
Fixed the segfault condition on the unsupported connector type.
Added tools to support migration of SR_IOV to a hybrid virtual network.
Fixed the format-overflow warnings.
Fixed the bash command substitution warning using the lsdevinfo utility.
Fixed boot-time bonding interface cleanup.

(BZ#1853297)

New kernel cmdline option now generates network device name

The net_id built-in from systemd-udevd service gains a new kernel cmdline option net.naming-scheme=SCHEME_VERSION. Based on the value of the SCHEME_VERSION, a user can select a version of the algorithm that will generate the network device name.

For example, to use the features of net_id built-in in RHEL 8.4, set the value of the SCHEME_VERSION to rhel-8.4.

Similarly, you can set the value of the SCHEME_VERSION to any other minor release that includes the required change or fix.

(BZ#1827462)

4.5. Infrastructure services

Difference in default postfix-3.5.8 behavior

For better RHEL-8 backward compatibility, the behavior of the postfix-3.5.8 update differs from the default upstream postfix-3.5.8 behavior. For the default upstream postfix-3.5.8 behavior, run the following commands:

# postconf info_log_address_format=external

# postconf smtpd_discard_ehlo_keywords=

# postconf rhel_ipv6_normalize=yes

For details, see the /usr/share/doc/postfix/README-RedHat.txt file. If the incompatible functionalities are not used or RHEL-8 backward compatibility is the priority, no steps are necessary.

(BZ#1688389)

BIND rebased to version 9.11.26

The bind packages have been updated to version 9.11.26. Notable changes include:

Changed the default EDNS buffer size from 4096 to 1232 bytes. This change will prevent the loss of fragmented packets in some networks.
Increased the default value of max-recursion-queries from 75 to 100. Related to CVE-2020-8616.
Fixed the problem of reused dead nodes in lib/dns/rbtdb.c file in named.
Fixed the crashing problem in the named service when cleaning the reused dead nodes in the lib/dns/rbtdb.c file.
Fixed the problem of configured multiple forwarders sometimes occurring in the named service.
Fixed the problem of the named service of assigning incorrect signed zones with no DS record at the parent as bogus.
Fixed the missing DNS cookie response over UDP.

(BZ#1882040)

unbound configuration now provides enhanced logging output

With this enhancement, the following three options have been added to the unbound configuration:

log-servfail enables log lines that explain the reason for the SERVFAIL error code to clients.
log-local-actions enables logging of all local zone actions.
log-tag-queryreply enables tagging of log queries and log replies in the log file.

(BZ#1850460)

Multiple vulnerabilities fixed with ghostscript-9.27

The ghostscript-9.27 release contains security fixes for the following vulnerabilities:

(BZ#1874523)

Tuned rebased to version 2.15-1.

Notable changes include:

Added service plugin for Linux services control.
Improved scheduler plugin.

(BZ#1874052)

DNSTAP now records incoming detailed queries.

DNSTAP provides an advanced way to monitor and log details of incoming name queries. It also records sent answers from the named service. Classic query logging of the named service has a negative impact on the performance of the named service.

As a result, DNSTAP offers a way to perform continuous logging of detailed incoming queries without impacting the performance penalty. The new dnstap-read utility allows you to analyze the queries running on a different system.

(BZ#1854148)

SpamAssassin rebased to version 3.4.4

The SpamAssassin package has been upgraded to version 3.4.4. Notable changes include:

OLEVBMacro plugin has been added.
New functions check_rbl_ns, check_rbl_rcvd, check_hashbl_bodyre, and check_hashbl_uris have been added.

(BZ#1822388)

Key algorithm can be changed using the OMAPI shell

With this enhancement, users can now change the key algorithm. The key algorithm that was hardcoded as HMAC-MD5 is not considered secure anymore. As a result, users can use the omshell command to change the key algorithm.

(BZ#1883999)

Sendmail now supports TLSFallbacktoClear configuration

With this enhancement, if the outgoing TLS connection fails, the sendmail client will fall back to the plaintext. This overcomes the TLS compatibility problems with the other parties. Red Hat ships sendmail with the TLSFallbacktoClear option disabled by default.

(BZ#1868041)

tcpdump now allows viewing RDMA capable devices

This enhancement enables support for capturing RDMA traffic with tcpdump. It allows users to capture and analyze offloaded RDMA traffic with the tcpdump tool. As a result, users can use tcpdump to view RDMA capable devices, capture RoCE and VMA traffic, and analyze its content.

(BZ#1743650)

4.6. Security

libreswan rebased to 4.3

The libreswan packages have been upgraded to version 4.3. Notable changes over the previous version include:

IKE and ESP over TCP support (RFC 8229)
IKEv2 Labeled IPsec support
IKEv2 leftikeport/rightikeport support
Experimental support for Intermediate Exchange
Extended Redirect support for loadbalancing
Default IKE lifetime changed from 1 h to 8 h for increased interoperability
:RSA sections in the ipsec.secrets file are no longer required
Fixed Windows 10 rekeying
Fixed sending certificate for ECDSA authentication
Fixes for MOBIKE and NAT-T

(BZ#1891128)

IPsec VPN now supports TCP transport

This update of the libreswan packages adds support for IPsec-based VPNs over TCP encapsulation as described in RFC 8229. The addition helps establish IPsec VPNs on networks that prevent traffic using Encapsulating Security Payload (ESP) and UDP. As a result, administrators can configure VPN servers and clients to use TCP either as a fallback or as the main VPN transport protocol.

(BZ#1372050)

Libreswan now supports IKEv2 for Labeled IPsec

The Libreswan Internet Key Exchange (IKE) implementation now includes Internet Key Exchange version 2 (IKEv2) support of Security Labels for IPsec. With this update, systems that use security labels with IKEv1 can be upgraded to IKEv2.

(BZ#1025061)

libpwquality rebased to 1.4.4

The libpwquality package has been rebased to version 1.4.4. This release includes multiple bug fixes and translation updates. Most notably, the following setting options have been added to the pwquality.conf file:

retry
enforce_for_root
local_users_only

(BZ#1537240)

p11-kit rebased to 0.23.19

The p11-kit packages have been upgraded from version 0.23.14 to version 0.23.19. The new version fixes several bugs and provides various enhancements, notably:

Fixed CVE-2020-29361, CVE-2020-29362, CVE-2020-29363 security issues.
p11-kit now supports building through the meson build system.

(BZ#1887853)

pyOpenSSL rebased to 19.0.0

The pyOpenSSL packages have been rebased to upstream version 19.0.0. This version provides bug fixes and enhancements, most notably:

Improved TLS 1.3 support with openssl version 1.1.1.
No longer raising an error when trying to add a duplicate certificate with X509Store.add_cert
Improved handling of X509 certificates containing NUL bytes in components

(BZ#1629914)

SCAP Security Guide rebased to 0.1.54

The scap-security-guide packages have been rebased to upstream version 0.1.54, which provides several bug fixes and improvements. Most notably:

The Operating System Protection Profile (OSPP) has been updated in accordance with the Protection Profile for General Purpose Operating Systems for Red Hat Enterprise Linux 8.4.
The ANSSI family of profiles based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. The content contains profiles implementing rules of the Minimum, Intermediary and Enhanced hardening levels.
The Security Technical Implementation Guide (STIG) security profile has been updated, and it implements rules from the recently-released version V1R1.

(BZ#1889344)

OpenSCAP rebased to 1.3.4

The OpenSCAP packages have been rebased to upstream version 1.3.4. Notable fixes and enhancements include:

Fixed certain memory issues that were causing systems with large amounts of files to run out of memory.
OpenSCAP now treats GPFS as a remote file system.
Proper handling of OVALs with circular dependencies between definitions.
Improved yamlfilecontent: updated yaml-filter, extended the schema and probe to be able to work with a set of values in maps.
Fixed numerous warnings (GCC and Clang).
Numerous memory management fixes.
Numerous memory leak fixes.
Platform elements in XCCDF files are now properly resolved in accordance with the XCCDF specification.
Improved compatibility with uClibc.
Local and remote file system detection methods improved.
Fixed dpkginfo probe to use pkgCacheFile instead of manually opening the cache.
OpenSCAP scan report is now a valid HTML5 document.
Fixed unwanted recursion in the file probe.

(BZ#1887794)

The RHEL 8 STIG security profile updated to version V1R1

With the release of the RHBA-2021:1886 advisory, the DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R1. The profile is now also more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA). This first iteration brings approximately 60% of coverage with regards to the STIG.

You should use only the current version of this profile because the draft profile is no longer valid.

Warning

Automatic remediation might render the system non-functional. Run the remediation in a test environment first.

(BZ#1918742)

New DISA STIG profile compatible with Server with GUI installations

A new profile, DISA STIG with GUI, has been added to the SCAP Security Guide with the release of the RHBA-2021:4098 advisory. This profile is derived from the DISA STIG profile and is compatible with RHEL installations that selected the Server with GUI package group. The previously existing stig profile was not compatible with Server with GUI because DISA STIG demands uninstalling any Graphical User Interface. However, this can be overridden if properly documented by a Security Officer during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI aligned with the DISA STIG profile.

(BZ#2005431)

Profiles for ANSSI-BP-028 Minimal, Intermediary and Enhanced levels are now available in SCAP Security Guide

With the new profiles, you can harden the system to the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the Minimal, Intermediary and Enhanced hardening levels. As a result, you can configure and automate compliance of your RHEL 8 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.

(BZ#1778188)

scap-workbench can now scan remote systems using sudo privileges

The scap-workbench GUI tool now supports scanning remote systems using passwordless sudo access. This feature reduces the security risk imposed by supplying root’s credentials.

Be cautious when using scap-workbench with passwordless sudo access and the remediate option. Red Hat recommends dedicating a well-secured user account just for the OpenSCAP scanner.

(BZ#1877522)

rhel8-tang container image is now available

With this release, the rhel8/rhel8-tang container image is available in the registry.redhat.io catalog. The container image provides Tang-server decryption capabilities for Clevis clients that run either in OpenShift Container Platform (OCP) clusters or in separate virtual machines.

(BZ#1913310)

Clevis rebased to version 15

The clevis packages have been rebased to upstream version 15. This version provides many bug fixes and enhancements over the previous version, most notably:

Clevis now produces a generic initramfs and no longer automatically adds the rd.neednet=1 parameter to the kernel command line.
Clevis now properly handles incorrect configurations that use the sss pin, and the clevis encrypt sss sub-command returns outputs that indicate the error cause.

(BZ#1887836)

Clevis no longer automatically adds rd.neednet=1

Clevis now correctly produces a generic initrd (initial ramdisk) without host-specific configuration options by default. As a result, Clevis no longer automatically adds the rd.neednet=1 parameter to the kernel command line.

If your configuration uses the previous functionality, you can either enter the dracut command with the --hostonly-cmdline argument or create the clevis.conf file in the /etc/dracut.conf.d and add the hostonly_cmdline=yes option to the file. A Tang binding must be present during the initrd build process.

(BZ#1853651)

New package: rsyslog-udpspoof

The rsyslog-udpspoof subpackage has been added back to RHEL 8. This module is similar to the regular UDP forwarder, but permits relaying syslog between different network segments while maintaining the source IP in the syslog packets.

(BZ#1869874)

fapolicyd rebased to 1.0.2

The fapolicyd packages have been rebased to upstream version 1.0.2. This version provides many bug fixes and enhancements over the previous version, most notably:

Added the integrity configuration option for enabling integrity checks through:
- Comparing file sizes
- Comparing SHA-256 hashes
- Integrity Measurement Architecture (IMA) subsystem
The fapolicyd RPM plugin now registers any system update that is handled by either the YUM package manager or the RPM Package Manager.
Rules now can contain GID in subjects.
You can now include rule numbers in debug and syslog messages.

(BZ#1887451)

New RPM plugin notifies fapolicyd about changes during RPM transactions

This update of the rpm packages introduces a new RPM plugin that integrates the fapolicyd framework with the RPM database. The plugin notifies fapolicyd about installed and changed files during an RPM transaction. As a result, fapolicyd now supports integrity checking.

Note that the RPM plugin replaces the YUM plugin because its functionality is not limited to YUM transactions but covers also changes by RPM.

(BZ#1923167)

4.7. Networking

The PTP capabilities output format of the ethtool utility has changed

Starting with RHEL 8.4, the ethtool utility uses the netlink interface instead of the ioctl() system call to communicate with the kernel. Consequently, when you use the ethtool -T <network_controller> command, the format of Precision Time Protocol (PTP) values changes.

Previously, with the ioctl() interface, ethtool translated the capability bit names by using an ethtool-internal string table and, the ethtool -T <network_controller> command displayed, for example:

Time stamping parameters for <network_controller>:
Capabilities:
hardware-transmit (SOF_TIMESTAMPING_TX_HARDWARE)
software-transmit (SOF_TIMESTAMPING_TX_SOFTWARE)
...

With the netlink interface, ethtool receives the strings from the kernel. These strings do not include the internal SOF_TIMESTAMPING_* names. Therefore, ethtool -T <network_controller> now displays, for example:

Time stamping parameters for <network_controller>:
Capabilities:
hardware-transmit
software-transmit
...

If you use the PTP capabilities output of ethtool in scripts or applications, update them accordingly.

(JIRA:RHELDOCS-18188)

XDP is conditionally supported

Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions apply:

You load the XDP program on an AMD or Intel 64-bit architecture
You use the libxdp library to load the program into the kernel
The XDP program does not use the XDP hardware offloading

In RHEL 8.4, XDP_TX and XDP_REDIRECT return codes are now supported in XDP programs.

For details about unsupported XDP features, see XDP features that are available as Technology Preview

(BZ#1952421)

NetworkManager rebased to version 1.30.0

The NetworkManager packages have been upgraded to upstream version 1.30.0, which provides a number of enhancements and bug fixes over the previous version:

The ipv4.dhcp-reject-servers connection property has been added to define from which DHCP server IDs NetworkManager should reject lease offers.
The ipv4.dhcp-vendor-class-identifier connection property has been added to send a custom Vendor Class Identifier DHCP option value.
The active_slave bond option has been deprecated. Instead, set the primary option in the controller connection.
The nm-initrd-generator utility now supports MAC addresses to indicate interfaces.
The nm-initrd-generator utility generator now supports creating InfiniBand connections.
The timeout of the NetworkManager-wait-online service has been increased to 60 seconds.
The ipv4.dhcp-client-id=ipv6-duid connection property has been added to be compliant to RFC4361.
Additional ethtool offload features have been added.
Support for the WPA3 Enterprise Suite-B 192-bit mode has been added.
Support for virtual Ethernet (veth) devices has been added.

For further information about notable changes, read the upstream release notes:

(BZ#1878783)

The iproute2 utility introduces traffic control actions to add MPLS headers before Ethernet header

With this enhancement, the iproute2 utility offers three new traffic control (tc) actions:

mac_push - The act_mpls module provides this action to add MPLS labels before the original Ethernet header.
push_eth - The act_vlan module provides this action to build an Ethernet header at the beginning of the packet.
pop_eth - The act_vlan module provides this action to drop the outer Ethernet header.

These tc actions help in implementing layer 2 virtual private network (L2VPN) by adding multiprotocol label switching (MPLS) labels before Ethernet headers. You can use these actions while adding tc filters to the network interfaces.

Red Hat provides these actions as unsupported Technology Preview, because MPLS itself is a Technology Preview feature.

For more information about these actions and their parameters, refer to the tc-mpls(8) and tc-vlan(8) man pages.

(BZ#1861261)

The nmstate API is now fully supported

Nmstate, which was previously a Technology Preview, is a network API for hosts and fully supported in RHEL 8.4. The nmstate packages provide a library and the nmstatectl command-line utility to manage host network settings in a declarative manner. The networking state is described by a predefined schema. Reporting of the current state and changes to the desired state both conform to the schema.

For further details, see the /usr/share/doc/nmstate/README.md file and the sections about nmstatectl in the Configuring and managing networking documentation.

(BZ#1674456)

New package: rshim

The rhsim package provides the Mellanox BlueField rshim user-space driver, which enables accessing the rshim resources on the BlueField SmartNIC target from the external host machine. The current version of the rshim user-space driver implements device files for boot image push and virtual console access. In addition, it creates a virtual network interface to connect to the BlueField target and provides a way to access internal rshim registers.

Note that in order for the virtual console or virtual network interface to be operational, the target must be running a tmfifo driver.

(BZ#1744737)

iptraf-ng rebased to 1.2.1

The iptraf-ng packages have been rebased to upstream version 1.2.1, which provides several bug fixes and improvements. Most notably:

The iptraf-ng application no longer causes 100% CPU usage when showing the detailed statistics of a deleted interface.
The unsafe handling arguments of printf() functions have been fixed.
Partial support for IP over InfiniBand (IPoIB) interface has been added. Because the kernel does not provide the source address on the interface, you cannot use this feature in the LAN station monitor mode.
Packet capturing abstraction has been added to allow iptraf-ng to capture packets at multi-gigabit speed.
You can now scroll using the Home, End, Page up, and Page down keyboard keys.
The application now shows the dropped packet count.

(BZ#1906097)

4.8. Kernel

Kernel version in RHEL 8.4

Red Hat Enterprise Linux 8.4 is distributed with the kernel version 4.18.0-305.

(BZ#1839151)

Extended Berkeley Packet Filter for RHEL 8.4

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.

Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.4, the following eBPF components are supported:

The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
The BCC library which allows the development of tools similar to those provided in the BCC tools package.
The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions.
The libbpf package, which is crucial for bpf related applications like bpftrace and bpf/xdp development.
The xdp-tools package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, the xdp-filter example program for packet filtering, and the xdpdump utility for capturing packets from a network interface with XDP enabled.

Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.

The following notable eBPF components are currently available as Technology Preview:

The bpftrace tracing language
The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space

For more information regarding the Technology Preview components, see Technology Previews.

(BZ#1780124)

New package: kmod-redhat-oracleasm

This update adds the new kmod-redhat-oracleasm package, which provides the kernel module part of the ASMLib utility. Oracle Automated Storage Management (ASM) is a data volume manager for Oracle databases. ASMLib is an optional utility that can be used on Linux systems to manage Oracle ASM devices.

(BZ#1827015)

The xmon program changes to support Secure Boot and kernel_lock resilience against attacks

If the Secure Boot mechanism is disabled, you can set the xmon program into read-write mode (xmon=rw) on the kernel command-line. However, if you specify xmon=rw and boot into Secure Boot mode, the kernel_lockdown feature overrides xmon=rw and changes it to read-only mode. The additional behavior of xmon depending on Secure Boot enablement is listed below:

Secure Boot is on:

xmon=ro (default)
A stack trace is printed
Memory read works
Memory write is blocked

Secure Boot is off:

Possibility to set xmon=rw
A stack trace is always printed
Memory read always works
Memory write is permitted only if xmon=rw

These changes to xmon behavior aim to support the Secure Boot and kernel_lock resilience against attackers with root permissions.

For information how to configure kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.

(BZ#1952161)

Cornelis Omni-Path Architecture (OPA) Host Software

Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.4. OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For instructions on installing Omni-Path Architecture, see: Cornelis Omni-Path Fabric Software Release Notes file.

(BZ#1960412)

SLAB cache merging disabled by default

The CONFIG_SLAB_MERGE_DEFAULT kernel configuration option has been disabled, and now SLAB caches are not merged by default. This change aims to enhance the allocator’s reliability and traceability of cache usage. If the previous slab-cache merging behavior was desirable, the user can re-enable it by adding the slub_merge parameter to the kernel command-line. For more information on how to set the kernel command-line parameters, see the Configuring kernel command-line parameters on Customer Portal.

(BZ#1871214)

The ima-evm-utils package rebased to version 1.3.2

The ima-evm-utils package has been upgraded to version 1.3.2, which provides multiple bug fixes and enhancements. Notable changes include:

Added support for handling the Trusted Platform Module (TPM2) multi-banks feature
Extended the boot aggregate value to Platform Configuration Registers (PCRs) 8 and 9
Preloaded OpenSSL engine through a CLI parameter
Added support for Intel Task State Segment (TSS2) PCR reading
Added support for the original Integrity Measurement Architecture (IMA) template

Both the libimaevm.so.0 and libimaevm.so.2 libraries are part of ima-evm-utils. Users of libimaevm.so.0 will not be affected, when their more recent applications use libimaevm.so.2.

(BZ#1868683)

Levelling IMA and EVM features across supported CPU architectures

All CPU architectures, except ARM, have a similar level of feature support for Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) technologies. The enabled functionalities are different for each CPU architecture. The following are the most significant changes for each supported CPU architecture:

IBM Z: IMA appraise and trusted keyring enablement.
AMD64 and Intel 64: specific architecture policy in secure boot state.
IBM Power System (little-endian): specific architecture policy in secure and trusted boot state.
SHA-256 as default hash algorithm for all supported architectures.
For all architectures, the measurement template has changed to IMA-SIG The template includes the signature bits when present. Its format is d-ng|n-ng|sig.

The goal of this update is to decrease the level of feature difference in IMA and EVM, so that userspace applications can behave equally across all supported CPU architectures.

(BZ#1869758)

Proactive compaction is now included in RHEL 8 as disabled-by-default

With ongoing workload activity, system memory becomes fragmented. The fragmentation can result in capacity and performance problems. In some cases, program errors are also possible. Thereby, the kernel relies on a reactive mechanism called memory compaction. The original design of the mechanism is conservative, and the compaction activity is initiated on demand of allocation request. However, reactive behavior tends to increase the allocation latency if the system memory is already heavily fragmented. Proactive compaction improves the design by regularly initiating memory compaction work before a request for allocation is made. This enhancement increases the chances that memory allocation requests find the physically contiguous blocks of memory without the need of memory compaction producing those on-demand. As a result, latency for specific memory allocation requests is lowered.

Warning

Proactive compaction can result in increased compaction activity. This might have serious, system-wide impact, because memory pages that belong to different processes are moved and remapped. Therefore, enabling proactive compaction requires utmost care to avoid latency spikes in applications.

(BZ#1848427)

EDAC support has been added in RHEL 8

With this update, RHEL 8 supports the Error Detection and Correction (EDAC) kernel module set in 8th and 9th generation Intel Core Processors (CoffeeLake). The EDAC kernel module mainly handles Error Code Correction (ECC) memory and detect and report PCI bus parity errors.

(BZ#1847567)

A new package: kpatch-dnf

The kpatch-dnf package provides a DNF plugin, which makes it possible to subscribe a RHEL system to kernel live patch updates. The subscription will affect all kernels currently installed on the system, including kernels that will be installed in the future. For more details about kpatch-dnf, see the dnf-kpatch(8) manual page or the Managing, monitoring, and updating the kernel documentation.

(BZ#1798711)

A new cgroups controller implementation for slab memory

A new implementation of slab memory controller for the control groups technology is now available in RHEL 8. Currently, a single memory slab can contain objects owned by different memory control group. The slab memory controller brings improvement in slab utilization (up to 45%) and enables to shift the memory accounting from the page level to the object level. Also, this change eliminates each set of duplicated per-CPU and per-node slab caches for each memory control group and establishes one common set of per-CPU and per-node slab caches for all memory control groups. As a result, you can achieve a significant drop in the total kernel memory footprint and observe positive effects on memory fragmentation.

Note that the new and more precise memory accounting requires more CPU time. However, the difference seems to be negligible in practice.

(BZ#1877019)

Time namespace has been added in RHEL 8

The time namespace enables the system monotonic and boot-time clocks to work with per-namespace offsets on AMD64, Intel 64, and the 64-bit ARM architectures. This feature is suited for changing the date and time inside Linux containers and for in-container adjustments of clocks after restoration from a checkpoint. As a result, users can now independently set time for each individual container.

(BZ#1548297)

New feature: Free memory page returning

With this update, the RHEL 8 host kernel is able to return memory pages that are not used by its virtual machines (VMs) back to the hypervisor. This improves the stability and resource efficiency of the host. Note that for memory page returning to work, it must be configured in the VM, and the VM must also use the virtio_balloon device.

(BZ#1839055)

Supports changing the sorting order in perf top

With this update, perf top can now sort samples by arbitrary event column in case multiple events in a group are sampled, instead of sorting by the first column. As a result, pressing a number key sorts the table by the matching data column.

Note

The column numbering starts from 0.

Using the --group-sort-idx command line option, it is possible to sort by the column number.

(BZ#1851933)

The kabi_whitelist package has been renamed to kabi_stablelist

In accordance with Red Hat commitment to replacing problematic language, we renamed the kabi_whitelist package to kabi_stablelist in the RHEL 8.4 release.

(BZ#1867910, BZ#1886901)

bpf rebased to version 5.9

The bpf kernel technology in RHEL 8 has been brought up-to-date with its upstream counterpart from the kernel v5.9.

The update provides multiple bug fixes and enhancements. Notable changes include:

Added Berkeley Packet Filter (BPF) iterator for map elements and to iterate all BPF programs for efficient in-kernel inspection.
Programs in the same control group (cgroup) can share the cgroup local storage map.
BPF programs can run on socket lookup.
The SO_KEEPALIVE and related options are available to the bpf_setsockopt() helper.

Note that some BPF programs may need changes to their source code.

(BZ#1874005)

The bcc package rebased to version 0.16.0

The bcc package has been upgraded to version 0.16.0, which provides multiple bug fixes and enhancements. Notable changes include:

Added utilities klockstat and funcinterval
Fixes in various parts of the tcpconnect manual page
Fix to make the tcptracer tool output show SPORT and DPORT columns for IPv6 addresses
Fix broken dependencies

(BZ#1879411)

bpftrace rebased to version 0.11.0

The bpftrace package has been upgraded to version 0.11.0, which provides multiple bug fixes and enhancements. Notable changes include:

Added utilities threadsnoop, tcpsynbl, tcplife, swapin, setuids, and naptime
Fixed failures to run of the tcpdrop.bt and syncsnoop.bt tools
Fixed a failure to load the Berkeley Packet Filter (BPF) program on IBM Z architectures
Fixed a symbol lookup error

(BZ#1879413)

libbpf rebased to version 0.2.0.1

The libbpf package has been upgraded to version 0.2.0.1, which provides multiple bug fixes and enhancements. Notable changes include:

Added support for accessing Berkeley Packet Filter (BPF) map fields in the bpf_map struct from programs that have BPF Type Format (BTF) struct access
Added BPF ring buffer
Added bpf iterator infrastructure
Improved bpf_link observability

(BZ#1919345)

perf now supports adding or removing tracepoints from a running collector without having to stop or restart perf

Previously, to add or remove tracepoints from an instance of perf record, the perf process had to be stopped. As a consequence, performance data that occurred during the time the process was stopped was not collected and, therefore, lost. With this update, you can dynamically enable and disable tracepoints being collected by perf record via the control pipe interface without having to stop the perf record process.

(BZ#1844111)

The perf tool now supports recording and displaying absolute timestamps for trace data

With this update, perf script can now record and display trace data with absolute timestamps.

Note: To display trace data with absolute timestamps, the data must be recorded with the clock ID specified.

To record data with absolute timestamps, specify the clock ID:

# perf record -k CLOCK_MONOTONIC sleep 1

To display trace data recorded with the specified clock ID, execute the following command:

# perf script -F+tod

(BZ#1811839)

dwarves rebased to version 1.19.1

The dwarves package has been upgraded to version 1.19.1, which provides multiple bug fixes and enhancements. Notably, this update introduces a new way of checking functions from the DWARF debug data with related ftrace entries to ensure a subset of ftrace functions is generated.

(BZ#1903566)

perf now supports circular buffers that use specified events to trigger snapshots

With this update, you can create custom circular buffers that write data to a perf.data file when an event you specify is detected. As a result, perf record can run continuously in the system background without generating excess overhead by continuously writing data to a perf.data file, and only recording data you are interested in.

To create a custom circular buffer using the perf tool that records event specific snapshots, use the following command:

# perf record --overwrite -e _events_to_be_collected_ --switch-output-event _snapshot_trigger_event_

(BZ#1844086)

Kernel DRBG and Jitter entropy source are compliant to NIST SP 800-90A and NIST SP 800-90B

Kernel Deterministic Random Bit Generator (DRBG) and Jitter entropy source are now compliant to recommendation for random number generation using DRBG (NIST SP 800-90A) and recommendation for the entropy sources used for random bit generation (NIST SP 800-90B) specifications. As a result, applications in FIPS mode can use these sources as FIPS-compliant randomness and noise sources.

(BZ#1905088)

kdump now supports Virtual Local Area Network tagged team network interface

This update adds support to configure Virtual Local Area Network tagged team interface for kdump. As a result, this feature now enables kdump to use a Virtual Local Area Network tagged team interface to dump a vmcore file.

(BZ#1844941)

kernel-rt source tree has been updated to RHEL 8.4 tree

The kernel-rt source has been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.10-rt7. Both of these updates provide a number of bug fixes and enhancements.

(BZ#1858099, BZ#1858105)

The stalld package is now added to RHEL 8.4 distribution

This update adds the stalld package to RHEL 8.4.0. stalld is a daemon that monitors threads on a system running low latency applications. It checks for job threads that have been on a run-queue without being scheduled onto a CPU for a specified threshold.

When it detects a stalled thread, stalld temporarily changes the scheduling policy to SCHED_DEADLINE and assigns the thread a slice of CPU time to make forward progress. When the time slice completes or the thread blocks, the thread goes back to its original scheduling policy.

(BZ#1875037)

Support for CPU hotplug in the hv_24x7 and hv_gpci PMUs

With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a hv_gpci event counter is running on a CPU that gets disabled, the counting redirects to another CPU.

(BZ#1844416)

Metrics for POWERPC hv_24x7 nest events are now available

Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better understanding of the values obtained from perf counters and how effectively the CPU is able to process the workload.

(BZ#1780258)

hwloc rebased to version 2.2.0

The hwloc package has been upgraded to version 2.2.0, which provides the following change:

The hwloc functionality can report details on Nonvolatile Memory Express (NVMe) drives including total disk size and sector size.

(BZ#1841354)

The igc driver is now fully supported

The igc Intel 2.5G Ethernet Linux wired LAN driver was introduced in RHEL 8.1 as a Technology Preview. Starting with RHEL 8.4, it is fully supported on all architectures. The ethtool utility also supports igc wired LANs.

(BZ#1495358)

4.9. File systems and storage

RHEL installation now supports creating a swap partition of size 16 TiB

Previously, when installing RHEL, the installer created a swap partition of maximum 128 GB for automatic and manual partitioning.

With this update, for automatic partitioning, the installer continues to create a swap partition of maximum 128 GB, but in case of manual partitioning, you can now create a swap partition of 16 TiB.

(BZ#1656485)

Surprise removal of NVMe devices

With this enhancement, you can surprise remove NVMe devices from the Linux operating system without notifying the operating system beforehand. This will enhance the serviceability of NVMe devices because no additional steps are required to prepare the devices for orderly removal, which ensures the availability of servers by eliminating server downtime.

Note the following:

Surprise removal of NVMe devices requires kernel-4.18.0-193.13.2.el8_2.x86_64 version or later.
Additional requirements from the hardware platform or the software running on the platform might be necessary for successful surprise removal of NVMe devices.
Surprise removing an NVMe device that is critical to the system operation is not supported. For example, you cannot remove an NVMe device that contains the operating system or a swap partition.

(BZ#1634655)

Stratis filesystem symlink paths have changed

With this enhancement, Stratis filesystem symlink paths have changed from /stratis/<stratis-pool>/<filesystem-name> to /dev/stratis/<stratis-pool>/<filesystem-name>. Consequently, all existing Stratis symlinks must be migrated to utilize the new symlink paths.

Use the included stratis_migrate_symlinks.sh migration script or reboot your system to update the symlink paths. If you manually changed the systemd unit files or the /etc/fstab file to automatically mount Stratis filesystems, you must update them with the new symlink paths.

Note

If you do not update your configuration with the new Stratis symlink paths, or if you temporarily disable the automatic mounts, the boot process might not complete the next time you reboot or start your system.

(BZ#1798244)

Stratis now supports binding encrypted pools to a supplementary Clevis encryption policy

With this enhancement, you can now bind encrypted Stratis pools to Network Bound Disk Encryption (NBDE) using a Tang server, or to the Trusted Platform Module (TPM) 2.0. Binding an encrypted Stratis pool to NBDE or TPM 2.0 facilitates automatic unlocking of pools. As a result, you can access your Stratis pools without having to provide the kernel keyring description after each system reboot. Note that binding a Stratis pool to a supplementary Clevis encryption policy does not remove the primary kernel keyring encryption.

(BZ#1868100)

New mount options to control when DAX is enabled on XFS and ext4 file systems

This update introduces new mount options which, when combined with the FS_XFLAG_DAX inode flag, provide finer-grained control of the Direct Access (DAX) mode for files on XFS and ext4 file systems. In prior releases, DAX was enabled for the entire file system using the dax mount option. Now, the direct access mode can be enabled on a per-file basis.

The on-disk flag, FS_XFLAG_DAX, is used to selectively enable or disable DAX for a particular file or directory. The dax mount option dictates whether or not the flag is honored:

-o dax=inode - follow FS_XFLAG_DAX. This is the default when no dax option is specified.
-o dax=never - never enable DAX, ignore FS_XFLAG_DAX.
-o dax=always - always enable DAX, ignore FS_XFLAG_DAX.
-o dax - is a legacy option which is an alias for "dax=always". This may be removed in the future, so "-o dax=always" is preferred.

You can set FS_XFLAG_DAX flag by using the xfs_io utility’s chatter command:

# xfs_io -c "chattr +x" filename

(BZ#1838876, BZ#1838344)

SMB Direct is now supported

With this update, the SMB client now supports SMB Direct.

(BZ#1887940)

New API for mounting filesystems has been added

With this update, a new API for mounting filesystems based on an internal kernel structure called a filesystem context (struct fs_context) has been added into RHEL 8.4, allowing greater flexibility in communication of mount parameters between userspace, the VFS, and the file system. Along with this, there are following system calls for operating on the file system context:

fsopen() - creates a blank filesystem configuration context within the kernel for the filesystem named in the fsname parameter, adds it into creation mode, and attaches it to a file descriptor, which it then returns.
fsmount() - takes the file descriptor returned by fsopen() and creates a mount object for the file system root specified there.
fsconfig() - supplies parameters to and issues commands against a file system configuration context as set up by the fsopen(2) or fspick(2) system calls.
fspick() - creates a new file system configuration context within the kernel and attaches a pre-existing superblock to it so that it can be reconfigured.
move_mount() - moves a mount from one location to another; it can also be used to attach an unattached mount created by fsmount() or open_tree() with the OPEN_TREE_CLONE system call.
open_tree() - picks the mount object specified by the pathname and attaches it to a new file descriptor or clones it and attaches the clone to the file descriptor.

Note that the old API based on the mount() system call is still supported.

For additional information, see the Documentation/filesystems/mount_api.txt file in the kernel source tree.

(BZ#1622041)

Discrepancy in vfat file system mtime no longer occurs

With this update, the discrepancy in the vfat file system mtime between in-memory and on-disk write times is no longer present. This discrepancy was caused by a difference between in-memory and on-disk mtime metadata, which no longer occurs.

(BZ#1533270)

RHEL 8.4 now supports close_range() system call

With this update, the close_range() system call was backported to RHEL 8.4. This system call closes all file descriptors in a given range effectively, preventing timing problems which are present when closing a wide range of file descriptors sequentially if applications configure very large limits.

(BZ#1900674)

Support for user extended attributes through the NFSv4.2 protocol has been added

This update adds NFSV4.2 client-side and server-side support for user extended attributes (RFC 8276) and newly includes the following protocol extensions:

New operations:

- GETXATTR - get an extended attribute of a file
- SETXATTR - set an extended attribute of a file
- LISTXATTR - list extended attributes of a file
- REMOVEXATTR - remove an extended attribute of a file

New error codes:

- NFS4ERR-NOXATTR - xattr does not exist
- NFS4ERR_XATTR2BIG - xattr value is too big

New attribute:

- xattr_support - per-fs read-only attribute determines whether xattrs are supported. When set to True, the object’s file system supports extended attributes.

(BZ#1888214)

4.10. High availability and clusters

Noncritical resources in colocation constraints are now supported

With this enhancement, you can configure a colocation constraint such that if the dependent resource of the constraint reaches its migration threshold for failure, Pacemaker will leave that resource offline and keep the primary resource on its current node rather than attempting to move both resources to another node. To support this behavior, colocation constraints now have an influence option, which can be set to true or false, and resources have a critical meta-attribute, which can also be set to true or false. The value of the critical resource meta option determines the default value of the influence option for all colocation constraints involving the resource as a dependent resource.

When the influence colocation constraint option has a value of true Pacemaker will attempt to keep both the primary and dependent resource active. If the dependent resource reaches its migration threshold for failures, both resources will move to another node, if possible.

When the influence colocation option has a value of false, Pacemaker will avoid moving the primary resource as a result of the status of the dependent resource. In this case, if the dependent resource reaches its migration threshold for failures, it will stop if the primary resource is active and can remain on its current node.

By default, the value of the critical resource meta option is set to true, which in turn determines that the default value of the influence option is true. This preserves the previous behavior where Pacemaker attempted to keep both resources active.

(BZ#1371576)

New number data type supported by Pacemaker rules

PCS now supports a data type of number, which you can use when defining Pacemaker rules in any PCS command that accepts rules. Pacemaker rules implement number as a double-precision floating-point number and integer as a 64-bit integer.

(BZ#1869399)

Ability to specify a custom clone ID when creating a clone resource or promotable clone resource

When you create a clone resource or a promotable clone resource, the clone resource is named resource-id -clone by default. If that ID is already in use, PCS adds the suffix -integer, starting with an integer value of 1 and incrementing by one for each additional clone. You can now override this default by specifying a name for a clone resource ID or promotable clone resource ID with the clone-id option when creating a clone resource with the pcs resource create or the pcs resource clone command. For information on creating clone resources, see Creating cluster resources that are active on multiple nodes.

(BZ#1741056)

New command to display Corosync configuration

You can now print the contents of the corosync.conf file in several output formats with the new pcs cluster config [show] command. By default, the pcs cluster config command uses the text output format, which displays the Corosync configuration in a human-readable form, with the same structure and option names as the pcs cluster setup and pcs cluster config update commands.

(BZ#1667066)

New command to modify the Corosync configuration of an existing cluster

You can now modify the parameters of the corosync.conf file with the new pcs cluster config update command. You can use this command, for example, to increase the totem token to avoid fencing during temporary system unresponsiveness. For information on modifying the corosync.conf file, see Modifying the corosync.conf file with the pcs command.

(BZ#1667061)

Enabling and disabling Corosync traffic encryption in an existing cluster

Previously, you could configure Corosync traffic encryption only when creating a new cluster. With this update:

You can change the configuration of the Corosync crypto cipher and hash with the pcs cluster config update command.
You can change the Corosync authkey with the pcs cluster authkey corosync command.

(BZ#1457314)

New crypt resource agent for shared and encrypted GFS2 file systems

RHEL HA now supports a new crypt resource agent, which allows you to configure a LUKS encrypted block device that can be used to provide shared and encrypted GFS2 file systems. Using the crypt resource is currently supported only with GFS2 file systems. For information on configuring an encrypted GFS2 file system, see Configuring an encrypted GFS2 file system in a cluster.

(BZ#1471182)

4.11. Dynamic programming languages, web and database servers

A new module: python39

RHEL 8.4 introduces Python 3.9, provided by the new module python39 and the ubi8/python-39 container image.

Notable enhancements compared to Python 3.8 include:

The merge (|) and update (|=) operators have been added to the dict class.
Methods to remove prefixes and suffixes have been added to strings.
Type hinting generics have been added to certain standard types, such as list and dict.
The IANA Time Zone Database is now available through the new zoneinfo module.

Python 3.9 and packages built for it can be installed in parallel with Python 3.8 and Python 3.6 on the same system.

To install packages from the python39 module, use, for example:

# yum install python39
# yum install python39-pip

The python39:3.9 module stream will be enabled automatically.

To run the interpreter, use, for example:

$ python3.9
$ python3.9 -m pip --help

See Installing and using Python for more information.

Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. Similarly to Python 3.8, Python 3.9 will have a shorter life cycle; see Red Hat Enterprise Linux 8 Application Streams Life Cycle.

(BZ#1877430)

Changes in the default separator for the Python urllib parsing functions

To mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib library, the default separator for the urllib.parse.parse_qsl and urllib.parse.parse_qs functions is being changed from both ampersand (&) and semicolon (;) to only an ampersand.

This change has been implemented in Python 3.6 with the release of RHEL 8.4, and will be backported to Python 3.8 and Python 2.7 in the following minor release of RHEL 8.

The change of the default separator is potentially backwards incompatible, therefore Red Hat provides a way to configure the behavior in Python packages where the default separator has been changed. In addition, the affected urllib parsing functions issue a warning if they detect that a customer’s application has been affected by the change.

For more information, see the Mitigation of Web Cache Poisoning in the Python urllib library (CVE-2021-23336).

Python 3.9 is unaffected and already includes the new default separator (&), which can be changed only by passing the separator parameter when calling the urllib.parse.parse_qsl and urllib.parse.parse_qs functions in Python code.

(BZ#1935686, BZ#1928904)

A new module stream: swig:4.0

RHEL 8.4 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.0, available as a new module stream, swig:4.0.

Notable changes over the previously released SWIG 3.0 include:

The only supported Python versions are: 2.7 and 3.2 to 3.8.
The Python module has been improved: the generated code has been simplified and most optimizations are now enabled by default.
Support for Ruby 2.7 has been added.
PHP 7 is now the only supported PHP version; support for PHP 5 has been removed.
Performance has been significantly improved when running SWIG on large interface files.
Support for a command-line options file (also referred to as a response file) has been added.
Support for JavaScript Node.js versions 2 to 10 has been added.
Support for Octave versions 4.4 to 5.1 has been added.

To install the swig:4.0 module stream, use:

# yum module install swig:4.0

If you want to upgrade from the swig:3.0 stream, see Switching to a later stream.

For information about the length of support for the swig module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.

(BZ#1853639)

A new module stream: subversion:1.14

RHEL 8.4 introduces a new module stream, subversion:1.14. Subversion 1.14 is the most recent Long Term Support (LTS) release.

Notable changes since Subversion 1.10 distributed in RHEL 8.0 include:

Subversion 1.14 includes Python 3 bindings for automation and integration of Subversion into the customer’s build and release infrastructure.
A new svnadmin rev-size command enables users to determine the total size of a revision.
A new svnadmin build-repcache command enables administrators to populate the rep-cache database with missing entries.
A new experimental command has been added to provide an overview of the current working copy status.
Various improvements to the svn log, svn info, and svn list commands have been implemented. For example, svn list --human-readable now uses human-readable units for file sizes.
Significant improvements to svn status for large working copies have been made.

Compatibility information:

Subversion 1.10 clients and servers interoperate with Subversion 1.14 servers and clients. However, certain features might not be available unless both client and server are upgraded to the latest version.
Repositories created under Subversion 1.10 can be successfully loaded in Subversion 1.14.
Subversion 1.14 distributed in RHEL 8 enables users to cache passwords in plain text on the client side. This behaviour is the same as Subversion 1.10 but different from the upstream release of Subversion 1.14.
The experimental Shelving feature has been significantly changed, and it is incompatible with shelves created in Subversion 1.10. See the upstream documentation for details and upgrade instructions.
The interpretation of path-based authentication configurations with both global and repository-specific rules has changed in Subversion 1.14. See the upstream documentation for details on affected configurations.

To install the subversion:1:14 module stream, use:

# yum module install subversion:1.14

If you want to upgrade from the subversion:1.10 stream, see Switching to a later stream.

For information about the length of support for the subversion module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.

(BZ#1844947)

A new module stream: redis:6

Redis 6, an advanced key-value store, is now available as a new module stream, redis:6.

Notable changes over Redis 5 include:

Redis now supports SSL on all channels.
Redis now supports Access Control List (ACL), which defines user permissions for command calls and key pattern access.
Redis now supports a new RESP3 protocol, which returns more semantical replies.
Redis can now optionally use threads to handle I/O.
Redis now offers server-side support for client-side caching of key values.
The Redis active expire cycle has been improved to enable faster eviction of expired keys.

Redis 6 is compatible with Redis 5, with the exception of this backward incompatible change:

When a set key does not exist, the SPOP <count> command no longer returns null. In Redis 6, the command returns an empty set in this scenario, similar to a situation when it is called with a 0 argument.

To install the redis:6 module stream, use:

# yum module install redis:6

If you want to upgrade from the redis:5 stream, see Switching to a later stream.

For information about the length of support for the redis module streams, see the Red Hat Enterprise Linux 8 Application Streams Life Cycle.

(BZ#1862063)

A new module stream: postgresql:13

RHEL 8.4 introduces PostgreSQL 13, which provides a number of new features and enhancements over version 12. Notable changes include:

Performance improvements resulting from de-duplication of B-tree index entries
Improved performance for queries that use aggregates or partitioned tables
Improved query planning when using extended statistics
Parallelized vacuuming of indexes
Incremental sorting

Note that support for Just-In-Time (JIT) compilation, available in upstream since PostgreSQL 11, is not provided by the postgresql:13 module stream.

4.12. Compilers and development tools

The glibc library now supports glibc-hwcaps subdirectories for loading optimized shared library implementations

On certain architectures, hardware upgrades sometimes caused glibc to load libraries with baseline optimizations, rather than optimized libraries for the previous hardware generation. Additionally, when running on AMD CPUs, optimized libraries were not loaded at all.

With this enhancement, glibc supports locating optimized library implementations in the glibc-hwcaps subdirectories. The dynamic loader checks for library files in the sub-directories based on the CPU in use and its hardware capabilities. This feature is available on following architectures: IBM Power Systems (little endian), IBM Z, 64-bit AMD and Intel.

(BZ#1817513)

The glibc dynamic loader now activates selected audit modules at run time

Previously, the binutils link editor ld supported the --audit option to select audit modules for activation at run time, but the glibc dynamic loader ignored the request. With this update, the glib dynamic loader no longer ignores the request, and loads the indicated audit modules. As a result, it is possible to activate audit modules for specific programs without writing wrapper scripts or using similar mechanisms.

(BZ#1871385)

glibc now provides improved performance on IBM POWER9

This update introduces new implementations of the functions strlen, strcpy, stpcpy, and rawmemchr for IBM POWER9. As a result, these functions now execute faster on IBM POWER9 hardware which leads to performance gains.

(BZ#1871387)

Optimized performance of memcpy and memset on IBM Z

With this enhancement, the core library implementation for the memcpy and memset APIs were adjusted to accelerate both small (< 64KiB) and larger data copies on IBM Z processors. As a result, applications working with in-memory data now benefit from significantly improved performance across a wide variety of workloads.

(BZ#1871395)

GCC now supports the ARMv8.1 LSE atomic instructions

With this enhancement, the GCC compiler now supports Large System Extensions (LSE), atomic instructions added with the ARMv8.1 specification. These instructions provide better performance in multi-threaded applications than the ARMv8.0 Load-Exclusive and Store-Exclusive instructions.

(BZ#1821994)

GCC now emits vector alignment hints for certain IBM Z systems

This update enables the GCC compiler to emit vector load and store alignment hints for IBM z13 processors. To use this enhancement the assembler must support such hints. As a result, users now benefit from improved performance of certain vector operations.

(BZ#1850498)

Dyninst rebased to version 10.2.1

The Dyninst binary analysis and modification tool has been updated to version 10.2.1. Notable bug fixes and enhancements include:

Support for the elfutils debuginfod client library.
Improved parallel binary code analysis.
Improved analysis and instrumentation of large binaries.

(BZ#1892001)

elfutils rebased to version 0.182

The elfutils package has been updated to version 0.182. Notable bug fixes and enhancements include:

Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled for PAC on the 64-bit ARM architecture.
elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag.
debuginfod-client now supports kernel ELF images compressed with ZSTD.
debuginfod has a more efficient package traversal, tolerating various errors during scanning. The grooming process is more visible and interruptible, and provides more Prometheus metrics.

(BZ#1875318)

SystemTap rebased to version 4.4

The SystemTap instrumentation tool has been updated to version 4.4, which provides multiple bug fixes and enhancements. Notable changes include:

Performance and stability improvements to user-space probing.
Users can now access implicit thread local storage variables on these architectures: AMD64, Intel 64, IBM Z, the little-endian variant of IBM Power Systems.
Initial support for processing of floating point values.
Improved concurrency for scripts using global variables. The locks required to protect concurrent access to global variables have been optimized so that they span the smallest possible critical region.
New syntax for defining aliases with both a prologue and an epilogue.
New @probewrite predicate.
syscall arguments are writable again.

For further information about notable changes, read the upstream release notes before updating.

(BZ#1875341)

Valgrind now supports IBM z14 instructions

With this update, the Valgrind tool suite supports instructions for the IBM z14 processor. As a result, you can now use the Valgrind tools to debug programs using the z14 vector instructions and the miscellaneous z14 instruction set.

(BZ#1504123)

CMake rebased to version 3.18.2

The CMake build system has been upgraded from version 3.11.4 to version 3.18.2. It is available in RHEL 8.4 as the cmake-3.18.2-8.el8 package.

To use CMake on a project that requires the version 3.18.2 or less, use the command cmake_minimum_required(version x.y.z).

For further information on new features and deprecated functionalities, see the CMake Release Notes.

(BZ#1816874)

libmpc rebased to version 1.1.0

The libmpc package has been rebased to version 1.1.0, which provides several enhancements and bug fixes over the previous version. For details, see GNU MPC 1.1.0 release notes.

(BZ#1835193)

Updated GCC Toolset 10

GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced with RHEL 8.4 include:

The GCC compiler has been updated to the upstream version, which provides multiple bug fixes.
elfutils has been updated to version 0.182.
Dyninst has been updated to version 10.2.1.
SystemTap has been updated to version 4.4.

The following tools and versions are provided by GCC Toolset 10:

Tool	Version
GCC	10.2.1
GDB	9.2
Valgrind	3.16.0
SystemTap	4.4
Dyninst	10.2.1
binutils	2.35
elfutils	0.182
dwz	0.12
make	4.2.1
strace	5.7
ltrace	0.7.91
annobin	9.29

To install GCC Toolset 10, run the following command as root:

# yum install gcc-toolset-10

To run a tool from GCC Toolset 10:

$ scl enable gcc-toolset-10 tool

To run a shell session where tool versions from GCC Toolset 10 override system versions of these tools:

$ scl enable gcc-toolset-10 bash

For more information, see Using GCC Toolset.

The GCC Toolset 10 components are available in the two container images:

rhel8/gcc-toolset-10-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
rhel8/gcc-toolset-10-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.

To pull a container image, run the following command as root:

# podman pull registry.redhat.io/<image_name>

Note that only the GCC Toolset 10 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.

For details regarding the container images, see Using the GCC Toolset container images.

(BZ#1918055)

GCC Toolset 10: GCC now supports bfloat16

In GCC Toolset 10, the GCC compiler now supports the bfloat16 extension through ACLE Intrinsics. This enhancement provides high-performance computing.

(BZ#1656139)

GCC Toolset 10: GCC now supports ENQCMD and ENQCMDS instructions on Intel Sapphire Rapids processors

In GCC Toolset 10, the GNU Compiler Collection (GCC) now supports the ENQCMD and ENQCMDS instructions, which you can use to submit work descriptors to devices automatically. To apply this enhancement, run GCC with the -menqcmd option.

(BZ#1891998)

GCC Toolset 10: Dyninst rebased to version 10.2.1

In GCC Toolset 10, the Dyninst binary analysis and modification tool has been updated to version 10.2.1. Notable bug fixes and enhancements include:

Support for the elfutils debuginfod client library.
Improved parallel binary code analysis.
Improved analysis and instrumentation of large binaries.

(BZ#1892007)

GCC Toolset 10: elfutils rebased to version 0.182

In GCC Toolset 10, the elfutils package has been updated to version 0.182. Notable bug fixes and enhancements include:

Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled for PAC on the 64-bit ARM architecture.
elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag.
debuginfod-client now supports kernel ELF images compressed with ZSTD.
debuginfod has a more efficient package traversal, tolerating various errors during scanning. The grooming process is more visible and interruptible, and provides more Prometheus metrics.

(BZ#1879758)

Go Toolset rebased to version 1.15.7

Go Toolset has been upgraded to 1.15.7. Notable enhancements include:

Linking is now faster and requires less memory due to the newly implemented object file format and increased concurrency of internal phases. With this enhancement, internal linking is now the default. To disable this setting, use the compiler flag -ldflags=-linkmode=external.
Allocating small objects has been improved for high core counts, including worst-case latency.
Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are specified is now disabled by default. To enable it, add the value x509ignoreCN=0 to the GODEBUG environment variable.
GOPROXY now supports skipping proxies that return errors.
Go now includes the new package time/tzdata. It enables you to embed the timezone database into a program even if the timezone database is not available on your local system.

For more information on Go Toolset, go to Using Go Toolset.

(BZ#1870531)

Rust Toolset rebased to version 1.49.0

Rust Toolset has been updated to version 1.49.0. Notable changes include:

You can now use the path of a rustdoc page item to link to it in rustdoc.
The rust test framework now hides thread output. Output of failed tests still show in the terminal.
You can now use [T; N]: TryFrom<Vec<T>> to turn a vector into an array of any length.
You can now use slice::select_nth_unstable to perform ordered partitioning. This function is also available with the following variants:
- slice::select_nth_unstable_by provides a comparator function.
- slice::select_nth_unstable_by_key provides a key extraction function.
You can now use ManuallyDrop as the type of a union field. It is also possible to use impl Drop for Union to add the Drop trait to existing unions. This makes it possible to define unions where certain fields need to be dropped manually.
Container images for Rust Toolset have been deprecated and Rust Toolset has been added to the Universal Base Images (UBI) repositories.

For further information, see Using Rust Toolset.

(BZ#1896712)

LLVM Toolset rebased to version 11.0.0

LLVM Toolset has been upgraded to version 11.0.0. Notable changes include:

Support for the -fstack-clash-protection command-line option has been added to the AMD and Intel 64-bit architectures, IBM Power Systems, Little Endian, and IBM Z. This new compiler flag protects from stack-clash attacks by automatically checking each stack page.
The new compiler flag ffp-exception-behavior={ignore,maytrap,strict} enables the specification of floating-point exception behavior. The default setting is ignore.
The new compiler flag ffp-model={precise,strict,fast} allows the simplification of single purpose floating-point options. The default setting is precise.
The new compiler flag -fno-common is now enabled by default. With this enhancement, code written in C using tentative variable definitions in multiple translation units now triggers multiple-definition linker errors. To disable this setting, use the -fcommon flag.
Container images for LLVM Toolset have been deprecated and LLVM Toolset has been added to the Universal Base Images (UBI) repositories.

For more information, see Using LLVM Toolset.

(BZ#1892716)

pcp rebased to version 5.2.5

The pcp package has been upgraded to version 5.2.5. Notable changes include:

SQL Server metrics support via a secure connection.
eBPF/BCC netproc module with per-process network metrics.
pmdaperfevent(1) support for the hv_24x7 core-level and hv_gpci event metrics.
New Linux process accounting metrics, Linux ZFS metrics, Linux XFS metric, Linux kernel socket metrics, Linux multipath TCP metrics, Linux memory and ZRAM metrics, and S.M.A.R.T. metric support for NVM Express disks.
New pcp-htop(1) utility to visualize the system and process metrics.
New pmrepconf(1) utility to generate the pmrep/pcp2xxx configurations.
New pmiectl(1) utility for controlling the pmie services.
New pmlogctl(1) utility for controlling the pmlogger services.
New pmlogpaste(1) utility for writing log string metrics.
New pcp-atop(1) utility to process accounting statistics and per-process network statistics reporting.
New pmseries(1) utility to query functions, language extensions, and REST API.
New pmie(1) rules for detecting OOM kills and socket connection saturation.
Bug fixes in the pcp-atopsar(1), pcp-free(1), pcp-dstat(1), pmlogger(1), and pmchart(1) utilities.
REST API and C API support for per-context derived metrics.
Improved OpenMetrics metric metadata (units, semantics).
Rearranged installed /var file system layouts extensively.

(BZ#1854035)

Accessing remote hosts through a central pmproxy for the Vector data source in grafana-pcp

In some environments, the network policy does not allow connections from the dashboard viewer’s browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts.

(BZ#1845592)

grafana rebased to version 7.3.6

The grafana package has been upgraded to version 7.3.6. Notable changes include:

New panel editor and new data transformations feature
Improved time zone support
Default provisioning path now changed from the /usr/share/grafana/conf/provisioning to the /etc/grafana/provisioning directory. You can configure this setting in the /etc/grafana/grafana.ini configuration file.

For more information, see What’s New in Grafana v7.0, What’s New in Grafana v7.1, What’s New in Grafana v7.2, and What’s New in Grafana v7.3.

(BZ#1850471)

grafana-pcp rebased to version 3.0.2

The grafana-pcp package has been upgraded to version 3.0.2. Notable changes include:

Redis:
- Supports creating an alert in Grafana.
- Using the label_values(metric, label) in a Grafana variable query is deprecated due to performance reasons. The label_values(label) query is still supported.
Vector:
- Supports derived metrics, which allows the usage of arithmetic operators and statistical functions inside a query. For more information, see the pmRegisterDerived(3) man page.
- Configurable hostspec, where you can access remote Performance Metrics Collector Daemon (PMCDs) through a central pmproxy.
- Automatically configures the unit of the panel.
Dashboards:
- Detects potential performance issues and shows possible solutions with the checklist dashboards, using the Utilization Saturation and Errors (USE) method.
- New MS SQL server dashboard, eBPF/BCC dashboard, and container overview dashboard with the CGroups v2.
- All dashboards are now located in the Dashboards tab in the Datasource settings pages and are not imported automatically.

Upgrade notes:

Update the Grafana configuration file:

Edit the /etc/grafana/grafana.ini Grafana configuration file and make sure that the following option is set:
```
allow_loading_unsigned_plugins = pcp-redis-datasource
```
Restart the Grafana server:
```
# systemctl restart grafana-server
```

(BZ#1854093)

Active Directory authentication for accessing SQL Server metrics in PCP

With this update, a system administrator can configure pmdamssql(1) to connect securely to the SQL Server metrics using Active Directory (AD) authentication.

(BZ#1847808)

grafana-container rebased to version 7.3.6

The rhel8/grafana container image provides Grafana. Grafana is an open source utility with metrics dashboard, and graphic editor for Graphite, Elasticsearch, OpenTSDB, Prometheus, InfluxDB, and Performance Co-Pilot (PCP). The grafana-container package has been upgraded to version 7.3.6. Notable changes include:

The grafana package is now updated to version 7.3.6.
The grafana-pcp package is now updated to version 3.0.2.

The rebase updates the rhel8/grafana image in the Red Hat Container Registry.

To pull this container image, execute the following command:

# podman pull registry.redhat.io/rhel8/grafana

(BZ#1916154)

pcp-container rebased to version 5.2.5

The rhel8/pcp container image provides Performance Co-Pilot, which is a system performance analysis toolkit. The pcp-container package has been upgraded to version 5.2.5. Notable changes include:

The pcp package is now updated to version 5.2.5.
Introduced a new PCP_SERVICES environment variable, which specifies a comma-separated list of PCP services to start inside the container.

The rebase updates the rhel8/pcp image in the Red Hat Container Registry.

To pull this container image, execute the following command:

# podman pull registry.redhat.io/rhel8/pcp

(BZ#1916155)

JDK Mission Control rebased to version 8.0.0

The JDK Mission Control (JMC) profiler for HotSpot JVMs, provided by the jmc:rhel8 module stream, has been upgraded to version 8.0.0. Notable enhancements include:

The Treemap viewer has been added to the JOverflow plug-in for visualizing memory usage by classes.
The Threads graph has been enhanced with more filtering and zoom options.
JDK Mission Control now provides support for opening JDK Flight Recorder recordings compressed with the LZ4 algorithm.
New columns have been added to the Memory and TLAB views to help you identify areas of allocation pressure.
Graph view has been added to improve visualization of stack traces.
The Percentage column has been added to histogram tables.

JMC in RHEL 8 requires JDK version 8 or later to run. Target Java applications must run with at least OpenJDK version 8 so that JMC can access JDK Flight Recorder features.

The jmc:rhel8 module stream has two profiles:

The common profile, which installs the entire JMC application
The core profile, which installs only the core Java libraries (jmc-core)

To install the common profile of the jmc:rhel8 module stream, use:

# yum module install jmc:rhel8/common

Change the profile name to core to install only the jmc-core package.

(BZ#1919283)

4.13. Identity Management

Making Identity Management more inclusive

Red Hat is committed to using conscious language.

In Identity Management, planned terminology replacements include:

block list replaces blacklist
allow list replaces whitelist
secondary replaces slave
The word master is going to be replaced with more precise language, depending on the context:
- IdM server replaces IdM master
- CA renewal server replaces CA renewal master
- CRL publisher server replaces CRL master
- multi-supplier replaces multi-master

(JIRA:RHELPLAN-73418)

The dsidm utility supports renaming and moving entries

With this enhancement, you can use the dsidm utility to rename and move users, groups, POSIX groups, roles, and organizational units (OU) in Directory Server. For further details and examples, see the Renaming Users, Groups, POSIX Groups, and OUs section in the Directory Server Administration Guide.

(BZ#1859218)

Deleting Sub-CAs in IdM

With this enhancement, if you run the ipa ca-del command and have not disabled the Sub-CA, an error indicates the Sub-CA cannot be deleted and it must be disabled. First run the ipa ca-disable command to disable the Sub-CA and then delete it using the ipa ca-del command.

Note that you cannot disable or delete the IdM CA.

(JIRA:RHELPLAN-63081)

IdM now supports new Ansible management role and modules

RHEL 8.4 provides Ansible modules for automated management of role-based access control (RBAC) in Identity Management (IdM), an Ansible role for backing up and restoring IdM servers, and an Ansible module for location management:

You can use the ipapermission module to create, modify, and delete permissions and permission members in IdM RBAC.
You can use the ipaprivilege module to create, modify, and delete privileges and privilege members in IdM RBAC.
You can use the iparole module to create, modify, and delete roles and role members in IdM RBAC.
You can use the ipadelegation module to delegate permissions over users in IdM RBAC.
You can use the ipaselfservice module to create, modify, and delete self-service access rules in IdM.
You can use the ipabackup role to create, copy, and remove IdM server backups and restore an IdM server either locally or from the control node.
You can use the ipalocation module to ensure the presence or absence of the physical locations of hosts, such as their data center racks.

(JIRA:RHELPLAN-72660)

IdM in FIPS mode now supports a cross-forest trust with AD

With this enhancement, administrators can establish a cross-forest trust between an IdM domain with FIPS mode enabled and an Active Directory (AD) domain. Note that you cannot establish a trust using a shared secret while FIPS mode is enabled in IdM, see FIPS compliance.

(JIRA:RHELPLAN-58629)

AD users can now log in to IdM with UPN suffixes subordinate to known UPN suffixes

Previously, Active Directory (AD) users could not log into Identity Management (IdM) with a Universal Principal Name (UPN) (for example, sub1.ad-example.com) that is a subdomain of a known UPN suffix (for example, ad-example.com) because internal Samba processes filtered subdomains as duplicates of any Top Level Names (TLNs). This update validates UPNs by testing if they are subordinate to the known UPN suffixes. As a result, users can now log in using subordinate UPN suffixes in the described scenario.

(BZ#1891056)

IdM now supports new password policy options

With this update, Identity Management (IdM) supports additional libpwquality library options:

--maxrepeat: Specifies the maximum number of the same character in sequence.
--maxsequence: Specifies the maximum length of monotonic character sequences (abcd).
--dictcheck: Checks if the password is a dictionary word.
--usercheck: Checks if the password contains the username.

If any of the new password policy options are set, then the minimum length of passwords is 6 characters regardless of the value of the --minlength option. The new password policy settings are applied only to new passwords.

In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator will not be applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.

(BZ#1340463)

Improved Active Directory site discovery process

The SSSD service now discovers Active Directory sites in parallel over connection-less LDAP (CLDAP) to multiple domain controllers to speed up site discovery in situations where some domain controllers are unreachable. Previously, site discovery was performed sequentially and, in situations where domain controllers were unreachable, a timeout eventually occurred and SSSD went offline.

(BZ#1819012)

The default value of nsslapd-nagle has been turned off to increase the throughput

Previously, the nsslapd-nagle parameter in the cn=config entry was enabled by default. As a consequence, Directory Server performed a high number of setsocketopt system calls which slowed down the server. This update changes the default value of nsslapd-nagle to off. As a result, Directory Server performs a lower number of setsocketopt system calls and can handle a higher number of operations per second.

(BZ#1996076)

Enabling or disabling SSSD domains within the [domain] section of the sssd.conf file

With this update, you can now enable or disable an SSSD domain by modifying its respective [domain] section in the sssd.conf file.

Previously, if your SSSD configuration contained a standalone domain, you still had to modify the domains option in the [sssd] section of the sssd.conf file. This update allows you to set the enabled= option in the domain configuration to true or false.

Setting the enabled option to true enables a domain, even if it is not listed under the domains option in the [sssd] section of the sssd.conf file.
Setting the enabled option to false disables a domain, even if it is listed under the domains option in the [sssd] section of the sssd.conf file.
If the enabled option is not set, the configuration in the domains option in the [sssd] section of the sssd.conf is used.

(BZ#1884196)

Added an option to manually control the maximum offline timeout

The offline_timeout period determines the time incrementation between attempts by SSSD to go back online. Previously, the maximum possible value for this interval was hardcoded to 3600 seconds, which was adequate for general usage but resulted in issues in fast or slow changing environments.

This update adds the offline_timeout_max option to manually control the maximum length of each interval, allowing you more flexibility to track the server behavior in SSSD.

Note that you should set this value in correlation to the offline_timeout parameter value. A value of 0 disables the incrementing behavior.

(BZ#1884213)

Support for exclude_users and exclude_groups with scope=all in SSSD session recording configuration

Red Hat Enterprise 8.4 now provides new SSSD options for defining session recording for large lists of groups or users:

exclude_users
A comma-separated list of users to be excluded from recording, only applicable with the scope=all configuration option.
exclude_groups
A comma-separated list of groups, members of which should be excluded from recording. Only applicable with the scope=all configuration option.

For more information, refer to the sssd-session-recording man page.

(BZ#1784459)

samba rebased to version 4.13.2

The samba packages have been upgraded to upstream version 4.13.2, which provides a number of bug fixes and enhancements over the previous version:

To avoid a security issue that allows unauthenticated users to take over a domain using the netlogon protocol, ensure that your Samba servers use the default value (yes) of the server schannel parameter. To verify, use the testparm -v | grep 'server schannel' command. For further details, see CVE-2020-1472.
The Samba "wide links" feature has been converted to a VFS module.
Running Samba as a PDC or BDC is deprecated.
You can now use Samba on RHEL with FIPS mode enabled. Due to the restrictions of the FIPS mode:
- You cannot use NT LAN Manager (NTLM) authentication because the RC4 cipher is blocked.
- By default in FIPS mode, Samba client utilities use Kerberos authentication with AES ciphers.
- You can use Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers. Note that Red Hat continues supporting the primary domain controller (PDC) functionality IdM uses in the background.
The following parameters for less-secure authentication methods, which are only usable over the server message block version 1 (SMB1) protocol, are now deprecated:
- client plaintext auth
- client NTLMv2 auth
- client lanman auth
- client use spnego
An issue with the GlusterFS write-behind performance translator, when used with Samba, has been fixed to avoid data corruption.
The minimum runtime support is now Python 3.6.
The deprecated ldap ssl ads parameter has been removed.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating.

(BZ#1878109)

New GSSAPI PAM module for passwordless sudo authentication with SSSD

With the new pam_sss_gss.so Pluggable Authentication Module (PAM), you can configure the System Security Services Daemon (SSSD) to authenticate users to PAM-aware services with the Generic Security Service Application Programming Interface (GSSAPI).

For example, you can use this module for passwordless sudo authentication with a Kerberos ticket. For additional security in an IdM environment, you can configure SSSD to grant access only to users with specific authentication indicators in their tickets, such as users that have authenticated with a smart card or a one-time password.

For additional information, see Granting sudo access to an IdM user on an IdM client.

(BZ#1893698)

Directory Server rebased to version 1.4.3.16

The 389-ds-base packages have been upgraded to upstream version 1.4.3.16, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

(BZ#1862529)

Directory Server now logs the work and operation time in RESULT entries

With this update, Directory Server now logs two additional time values in RESULT entries in the /var/log/dirsrv/slapd-<instance_name>/access file:

The wtime value indicates how long it took for an operation to move from the work queue to a worker thread.
The optime value shows the time the actual operation took to be completed once a worker thread started the operation.

The new values provide additional information about how the Directory Server handles load and processes operations.

For further details, see the Access Log Reference section in the Red Hat Directory Server Configuration, Command, and File Reference.

(BZ#1850275)

Directory Server can now reject internal unindexed searches

This enhancement adds the nsslapd-require-internalop-index parameter to the cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry to reject internal unindexed searches. When a plug-in modifies data, it has a write lock on the database. On large databases, if a plug-in then executes an unindexed search, the plug-in sometimes uses all database locks, which corrupts the database or causes the server to become unresponsive. To avoid this problem, you can now reject internal unindexed searches by enabling the nsslapd-require-internalop-index parameter.

(BZ#1851975)

4.14. Desktop

You can configure the unresponsive application timeout in GNOME

GNOME periodically sends a signal to every application to detect if the application is unresponsive. When GNOME detects an unresponsive application, it displays a dialog over the application window that asks if you want to stop the application or wait.

Certain applications cannot respond to the signal in time. As a consequence, GNOME displays the dialog even when the application is working properly.

With this update, you can configure the time between the signals. The setting is stored in the org.gnome.mutter.check-alive-timeout GSettings key. To completely disable the unresponsive application detection, set the key to 0.

For details on configuring a GSettings key, see Working with GSettings keys on command line.

(BZ#1886034)

4.15. Graphics infrastructures

Intel Tiger Lake GPUs are now supported

This release adds support for the Intel Tiger Lake CPU microarchitecture with integrated graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:

Intel Core i7-1160G7
Intel Core i7-1185G7
Intel Core i7-1165G7
Intel Core i7-1165G7
Intel Core i7-1185G7E
Intel Core i7-1185GRE
Intel Core i7-11375H
Intel Core i7-11370H
Intel Core i7-1180G7
Intel Core i5-1130G7
Intel Core i5-1135G7
Intel Core i5-1135G7
Intel Core i5-1145G7E
Intel Core i5-1145GRE
Intel Core i5-11300H
Intel Core i5-1145G7
Intel Core i5-1140G7
Intel Core i3-1115G4
Intel Core i3-1115G4
Intel Core i3-1110G4
Intel Core i3-1115GRE
Intel Core i3-1115G4E
Intel Core i3-1125G4
Intel Core i3-1125G4
Intel Core i3-1120G4
Intel Pentium Gold 7505
Intel Celeron 6305
Intel Celeron 6305E

You no longer have to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable Tiger Lake GPU support.

(BZ#1882620)

Intel GPUs that use the 11th generation Core microprocessors are now supported

This release adds support for the 11th generation Core CPU architecture (formerly known as Rocket Lake) with Xe gen 12 integrated graphics, which is found in the following CPU models:

Intel Core i9-11900KF
Intel Core i9-11900K
Intel Core i9-11900
Intel Core i9-11900F
Intel Core i9-11900T
Intel Core i7-11700K
Intel Core i7-11700KF
Intel Core i7-11700T
Intel Core i7-11700
Intel Core i7-11700F
Intel Core i5-11500T
Intel Core i5-11600
Intel Core i5-11600K
Intel Core i5-11600KF
Intel Core i5-11500
Intel Core i5-11600T
Intel Core i5-11400
Intel Core i5-11400F
Intel Core i5-11400T

(BZ#1784246, BZ#1784247, BZ#1937558)

Nvidia Ampere is now supported

This release adds support for the Nvidia Ampere GPUs that use the GA102 or GA104 chipset. That includes the following GPU models:

GeForce RTX 3060 Ti
GeForce RTX 3070
GeForce RTX 3080
GeForce RTX 3090
RTX A4000
RTX A5000
RTX A6000
Nvidia A40

Note that the nouveau graphics driver does not yet support 3D acceleration with the Nvidia Ampere family.

(BZ#1916583)

Various updated graphics drivers

The following graphics drivers have been updated to the latest upstream version:

The Matrox mgag200 driver
The Aspeed ast driver

(JIRA:RHELPLAN-72994, BZ#1854354, BZ#1854367)

4.16. The web console

Software Updates page checks for required restarts

With this update, the Software Updates page in the RHEL web console checks if it is sufficient to only restart some services or running processes for updates to become effective after installation. In these cases this avoids having to reboot the machine.

(JIRA:RHELPLAN-59941)

Graphical performance analysis in the web console

With this update the system graphs page has been replaced with a new dedicated page for analyzing the performance of a machine. To view the performance metrics, click View details and history from the Overview page. It shows current metrics and historical events based on the Utilization Saturation, and Errors (USE) method.

(JIRA:RHELPLAN-59938)

Web console assists with SSH key setup

Previously, the web console allowed logging into remote hosts with your initial login password when Reuse my password for remote connections was selected during login. This option has been removed, and instead of that the web console now helps with setting up SSH keys for users that want automatic and password-less login to remote hosts.

Check Managing remote systems in the web console for more details.

(JIRA:RHELPLAN-59950)

4.17. Red Hat Enterprise Linux system roles

The RELP secure transport support added to the Logging role configuration

Reliable Event Logging Protocol, RELP, is a secure, reliable protocol to forward and receive log messages among rsyslog servers. With this enhancement, administrators can now benefit from the RELP, which is a useful protocol with high demands from rsyslog users, as rsyslog servers are capable of forwarding and receiving log messages over the RELP protocol.

(BZ#1889484)

SSH Client RHEL system role is now supported

Previously, there was no vendor-supported automation tooling to configure RHEL SSH in a consistent and stable manner for servers and clients. With this enhancement, you can use the RHEL system roles to configure SSH clients in a systematic and unified way, independently of the operating system version.

(BZ#1893712)

An alternative to the traditional RHEL system roles format: Ansible Collection

RHEL 8.4 introduces RHEL system roles in the Collection format, available as an option to the traditional RHEL system roles format.

This update introduces the concept of a fully qualified collection name (FQCN), that consists of a namespace and the collection name. For example, the Kernel role fully qualified name is: redhat.rhel_system_roles.kernel_settings

The combination of a namespace and a collection name guarantees that the objects are unique.
The combination of a namespace and a collection name ensures that the objects are shared across the Collections and namespaces without any conflicts.

Install the Collection using an RPM package. Ensure that you have the python3-jmespath installed on the host on which you execute the playbook:

# yum install rhel-system-roles

The RPM package includes the roles in both the legacy Ansible Roles format as well as the new Ansible Collection format. For example, to use the network role, perform the following steps:

Legacy format:

---
- hosts: all
  roles:
rhel-system-roles.network

Collection format:

---
- hosts: all
  roles:
redhat.rhel_system_roles.network

If you are using Automation Hub and want to install the system roles Collection hosted in Automation Hub, enter the following command:

$ ansible-galaxy collection install redhat.rhel_system_roles

Then you can use the roles in the Collection format, as previously described. This requires configuring your system with the ansible-galaxy command to use Automation Hub instead of Ansible Galaxy. See How to configure the ansible-galaxy client to use Automation Hub instead of Ansible Galaxy for more details.

(BZ#1893906)

Metrics role supports configuration and enablement of metrics collection for SQL server via PCP

The metrics RHEL system role now provides the ability to connect SQL Server, mssql with Performance Co-Pilot, pcp. SQL Server is a general purpose relational database from Microsoft. As it runs, SQL Server updates internal statistics about the operations it is performing. These statistics can be accessed using SQL queries but it is important for system and database administrators undertaking performance analysis tasks to be able to record, report, visualize these metrics. With this enhancement, users can use the metrics RHEL system role to automate connecting SQL server, mssql, with Performance Co-Pilot, pcp, which provides recording, reporting, and visualization functionality for mssql metrics.

(BZ#1893908)

exporting-metric-data-to-elasticsearch functionality available in the Metrics RHEL system role

Elasticsearch is a popular, powerful and scalable search engine. With this enhancement, by exporting metric values from the Metrics RHEL system role to the Elasticsearch, users are able to access metrics via Elasticsearch interfaces, including via graphical interfaces, REST APIs, between others. As a result, users are able to use these Elasticsearch interfaces to help diagnose performance problems and assist in other performance related tasks like capacity planning, benchmarking and so on.

(BZ#1895188)

Support for SSHD RHEL system role

Previously, there was no vendor-supported automation tooling to configure SSH RHEL system roles in a consistent and stable manner for servers and clients. With this enhancement, you can use the RHEL system roles to configure sshd servers in a systematic and unified way regardless of operating system version.

(BZ#1893696)

Crypto Policies RHEL system role is now supported

With this enhancement, RHEL 8 introduces a new feature for system-wide cryptographic policy management. By using RHEL system roles, you now can consistently and easily configure cryptographic policies on any number of RHEL 8 systems.

(BZ#1893699)

The Logging RHEL system role now supports rsyslog behavior

With this enhancement, rsyslog receives the message from Red Hat Virtualization and forwards the message to the elasticsearch.

(BZ#1889893)

The networking RHEL system role now supports the ethtool settings

With this enhancement, you can use the networking RHEL system role to configure ethtool coalesce settings of a NetworkManager connection. When using the interrupt coalescing procedure, the system collects network packets and generates a single interrupt for multiple packets. As a result, this increases the amount of data sent to the kernel with one hardware interrupt, which reduces the interrupt load, and maximizes the throughput.

(BZ#1893961)

4.18. Virtualization

IBM Z virtual machines can now run up to 248 CPUs

Previously, the number of CPUs that you could use in an IBM Z (s390x) virtual machine (VM), with DIAG318 enabled, was limited to 240. Now, using the Extended-Length SCCB, IBM Z VMs can run up to 248 CPUs.

(JIRA:RHELPLAN-44450)

HMAT is now supported on RHEL KVM

With this update, ACPI Heterogeneous Memory Attribute Table (HMAT) is now supported on RHEL KVM. The ACPI HMAT optimizes memory by providing information about memory attributes, such as memory side cache attributes as well as bandwidth and latency details related to the System Physical Address (SPA) Memory Ranges.

(JIRA:RHELPLAN-37817)

Virtual machines can now use features of Intel Atom P5000 Processors

The Snowridge CPU model name is now available for virtual machines (VMs). On hosts with Intel Atom P5000 processors, using Snowridge as the CPU type in the XML configuration of the VM exposes new features of these processors to the VM.

(JIRA:RHELPLAN-37579)

virtio-gpu devices now work better on virtual machines with Windows 10 and later

This update extends the virtio-win drivers to also provide custom drivers for virtio-gpu devices on selected Windows platforms. As a result, the virtio-gpu devices now have improved performance on virtual machines that use Windows 10 or later as their guest systems. In addition, the devices will also benefit from future enhancements to virtio-win.

(BZ#1861229)

Virtualization support for 3rd generation AMD EPYC processors

With this update, virtualization on RHEL 8 adds support for the 3rd generation AMD EPYC processors, also known as EPYC Milan. As a result, virtual machines hosted on RHEL 8 can now use the EPYC-Milan CPU model and utilise new features that the processors provide.

(BZ#1790620)

4.19. RHEL in cloud environments

Automatic registration for gold images for AWS

With this update, gold images of RHEL 8.4 and later for Amazon Web Services and Microsoft Azure can be configured by the user to automatically register to Red Hat Subscription Management (RHSM) and Red Hat Insights. This makes it faster and easier to configure a large number of virtual machines created from a gold image.

However, if you require consuming repositories provided by RHSM, ensure that the manage_repos option in /etc/rhsm/rhsm.conf is set to 1. For more information, please refer to Red Hat KnowledgeBase.

(BZ#1905398, BZ#1932804)

cloud-init is now supported on Power Systems Virtual Server in IBM Cloud

With this update, the cloud-init utility can be used to configure RHEL 8 virtual machines hosted on IBM Power Systems hosts and running in the IBM Cloud Virtual Server service.

(BZ#1886430)

4.20. Supportability

sos rebased to version 4.0

The sos package has been upgraded to version 4.0. This major version release includes a number of new features and changes.

Major changes include:

A new sos binary has replaced the former sosreport binary as the main entry point for the utility.
sos report is now used to generate sosreport tarballs. The sosreport binary is maintained as a redirection point and now invokes sos report.
The /etc/sos.conf file has been moved to /etc/sos/sos.conf, and its layout has changed as follows:
- The [general] section has been renamed to [global], and may be used to specify options that are available to all sos commands and sub-commands.
- The [tunables] section has been renamed to [plugin_options].
- Each sos component, report, collect, and clean, has its own dedicated section. For example, sos report loads options from global and from report.
sos is now a Python3-only utility. Python2 is no longer supported in any capacity.

sos collect

sos collect formally brings the sos-collector utility into the main sos project, and is used to collect sosreports from multiple nodes simultaneously. The sos-collector binary is maintained as a redirection point and invokes sos collect. The standalone sos-collector project will no longer be independently developed. Enhancements for sos collect include:

sos collect is now supported on all distributions that sos report supports, that is any distribution with a Policy defined.
The --insecure-sudo option has been renamed to --nopasswd-sudo.
The --threads option, used to connect simultaneously to the number of nodes, has been renamed to --jobs

sos clean

sos clean formally brings the functionality of the soscleaner utility into the main sos project. This subcommand performs further data obfuscation on reports, such as cleaning IP addresses, domain names, and user-provided keywords.

Note: When the --clean option is used with the sos report or sos collect command, sos clean is applied on a report being generated. Thus, it is not necessary to generate a report and only after then apply the cleaner function on it.

Key enhancements for sos clean include:

Support for IPv4 address obfuscation. Note that this will attempt to preserve topological relationships between discovered addresses.
Support for host name and domain name obfuscation.
Support for user-provided keyword obfuscations.
The --clean or --mask flag used with the sos report command obfuscates a report being generated. Alternatively, the following command obfuscates an already existing report:
```
[user@server1 ~]$ sudo sos (clean|mask) $archive
```
Using the former results in a single obfuscated report archive, while the latter results in two; an obfuscated archive and the un-obfuscated original.

For full information on the changes contained in this release, see sos-4.0.

(BZ#1966838)

4.21. Containers

Podman now supports volume plugins written for Docker

Podman now has support for Docker volume plugins. These volume plugins or drivers, written by vendors and community members, can be used by Podman to create and manage container volumes.

The podman volume create command now supports creation of the volume using a volume plugin with the given name. The volume plugins must be defined in the [engine.volume_plugins] section of the container.conf configuration file.

Example:

[engine.volume_plugins]
testvol = "/run/docker/plugins/testvol.sock"

where testvol is the name of the plugin and /run/docker/plugins/testvol.sock is the path to the plugin socket.

You can use the podman volume create --driver testvol to create a volume using a testvol plugin.

(BZ#1734854)

The ubi-micro container image is now available

The registry.redhat.io/ubi8/ubi-micro container image is the smallest base image that uses the package manager on the underlying host to install packages, typically using Buildah or multi-stage builds with Podman. Excluding package managers and all of its dependencies increases the level of security of the image.

(JIRA:RHELPLAN-56664)

Support to auto-update container images is available

With this enhancement, users can use the podman auto-update command to auto-update containers according to their auto-update policy. The containers have to be labeled with a specified "io.containers.autoupdate=image" label to check if the image has been updated. If it has, Podman pulls the new image and restarts the systemd unit executing the container. The podman auto-update command relies on systemd and requires a fully-specified image name to create a container.

(JIRA:RHELPLAN-56661)

Podman now supports secure short names

Short-name aliases for images can now be configured in the registries.conf file in the [aliases] table. The short-names modes are:

Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the users $HOME/.config/containers/short-name-aliases.conf file. If the user cannot be prompted (for example, stdin or stdout are not a TTY), Podman fails. Note that the short-name-aliases.conf file has precedence over registries.conf file if both specify the same alias.
Permissive: Similar to enforcing mode but it does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded.

Example:

unqualified-search-registries=[“registry.fedoraproject.org”, “quay.io”]

[aliases]

"fedora"="registry.fedoraproject.org/fedora"

(JIRA:RHELPLAN-39843)

container-tools:3.0 stable stream is now available

The container-tools:3.0 stable module stream, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and enhancements over the previous version.

For instructions how to upgrade from an earlier stream, see Switching to a later stream.

(JIRA:RHELPLAN-56782)