Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.5.
4.1. Installer and image creation
RHEL for Edge now supports a Simplified Installer
This enhancement enables Image Builder to build the RHEL for Edge Simplified Installer (edge-simplified-installer
) and RHEL for Edge Raw Images (edge-raw-image
).
RHEL for Edge Simplified Installer enables you to specify a new blueprint option, installation_device
and thus, perform an unattended installation to a device. To create the raw image, you must provide an existing OSTree commit. It results in a raw image with the existing commit deployed in it. The installer will use this raw image to the specified installation device.
Additionally, you can also use Image Builder to build RHEL for Edge Raw Images. These are compressed raw images that contain a partition layout with an existing deployed OSTree commit in it. You can install the RHEL for Edge Raw Images to flash on a hard drive or booted in a virtual machine.
Warnings for deprecated kernel boot arguments
Anaconda boot arguments without the inst.
prefix (for example, ks
, stage2
, repo
and so on) are deprecated starting RHEL7. These arguments will be removed in the next major RHEL release.
With this release, appropriate warning messages are displayed when the boot arguments are used without the inst
prefix. The warning messages are displayed in dracut
when booting the installation and also when the installation program is started on a terminal.
Following is a sample warning message that is displayed on a terminal:
Deprecated boot argument ks
must be used with the inst.
prefix. Please use inst.ks
instead. Anaconda boot arguments without inst.
prefix have been deprecated and will be removed in a future major release.
Following is a sample warning message that is displayed in dracut
:
ks
has been deprecated. All usage of Anaconda boot arguments without the inst.
prefix have been deprecated and will be removed in a future major release. Please use inst.ks
instead.
Red Hat Connector is now fully supported
You can connect the system using Red Hat Connector (rhc
). Red Hat Connector consists of a command-line interface and a daemon that allow users to execute Insights remediation playbook directly on their host within the web user interface of Insights (console.redhat.com). Red Hat Connector was available as a Technology Preview in RHEL 8.4 and as of RHEL 8.5, it is fully supported.
Ability to override official repositories available
By default, the osbuild-composer
backend has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories
directory. Consequently, it does not inherit the system repositories located in the /etc/yum.repos.d/
directory. You can now override the official repositories. To do that, define overrides in the /etc/osbuild-composer/repositories
and, as a result, the files located there take precedence over those in the /usr
directory.
Image Builder now supports filesystem configuration
With this enhancement, you can specify custom filesystem configuration in your blueprints and you can create images with the desired disk layout. As a result, by having non-default layouts, you can benefit from security benchmarks, consistency with existing setups, performance, and protection against out-of-disk errors.
To customize the filesystem configuration in your blueprint, set the following customization:
[[customizations.filesystem]] mountpoint = "MOUNTPOINT" size = MINIMUM-PARTITION-SIZE
Image Builder now supports creating bootable installer images
With this enhancement, you can use Image Builder to create bootable ISO images that consist of a tarball
file, which contains a root file system. As a result, you can use the bootable ISO image to install the tarball
file system to a bare metal system.
4.2. RHEL for Edge
Greenboot services now enabled by default
Previously, the greenboot services were not present in the default presets so, when the greenboot package was installed, users had to manually enable these greenboot services. With this update, the greenboot services are now present in the default presets configuration and users are no longer required to manually enable it.
4.3. Software management
RPM now has read-only support for the sqlite
database backend
The ability to query an RPM database based on sqlite
may be desired when inspecting other root directories, such as containers.This update adds read-only support for the RPM sqlite
database backend. As a result, it is now possible to query packages installed in a UBI 9 or Fedora container from the host RHEL 8. To do that with Podman:
-
Mount the container’s file system with the
podman mount
command. -
Run the
rpm -qa
command with the--root
option pointing to the mounted location.
Note that RPM on RHEL 8 still uses the BerkeleyDB database (bdb
) backend.
libmodulemd
rebased to version 2.12.1
The libmodulemd
packages have been rebased to version 2.12.1. Notable changes include:
-
Added support for version 1 of the
modulemd-obsoletes
document type, which provides information about a stream obsoleting another one, or a stream reaching its end of life. -
Added support for version 3 of the
modulemd-packager
document type, which provides a packager description of a module stream content for a module build system. -
Added support for the
static_context
attribute of the version 2modulemd
document type. With that, a module context is now defined by a packager instead of being generated by a module build system. - Now, a module stream value is always serialized as a quoted string.
libmodulemd
rebased to version 2.13.0
The libmodulemd
packages have been rebased to version 2.13.0, which provides the following notable changes over the previous version:
- Added support for delisting demodularized packages from a module.
-
Added support for validating
modulemd-packager-v3
documents with a new--type
option of themodulemd-validator
tool. - Fortified parsing integers.
-
Fixed various
modulemd-validator
issues.
sslverifystatus
has been added to dnf
configuration
With this update, when sslverifystatus
option is enabled, dnf
checks each server certificate revocation status using the Certificate Status Request TLS extension (OCSP stapling). As a result, when a revoked certificate is encountered, dnf
refuses to download from its server.
4.4. Shells and command-line tools
ReaR has been updated to version 2.6
Relax-and-Recover (ReaR) has been updated to version 2.6. Notable bug fixes and enhancements include:
-
Added support for
eMMC
devices. -
By default, all kernel modules are included in the rescue system. To include specific modules, set the
MODULES
array variable in the configuration file as:MODULES=( mod1 mod2 )
-
On the AMD and Intel 64-bit architectures and on IBM Power Systems, Little Endian, a new configuration variable
GRUB2_INSTALL_DEVICES
is introduced to control the location of the bootloader installation. See the description in/usr/share/rear/conf/default.conf
for more details. - Improved backup of multipath devices.
-
Files under
/media
,/run
,/mnt
,/tmp
are automatically excluded from backups as these directories are known to contain removable media or temporary files. See the description of the AUTOEXCLUDE_PATH variable in/usr/share/rear/conf/default.conf
. -
CLONE_ALL_USERS_GROUPS=true
is now the default. See the description in/usr/share/rear/conf/default.conf
for more details.
The modulemd-tools
package is now available
With this update, the modulemd-tools
package has been introduced which provides tools for parsing and generating modulemd
YAML files.
To install modulemd-tools
, use:
# yum install modulemd-tools
(BZ#1924850)
opencryptoki
rebased to version 3.16.0
opencryptoki
has been upgraded to version 3.16.0. Notable bug fixes and enhancements include:
-
Improved the
protected-key
option and support for theattribute-bound keys
in theEP11
core processor. -
Improved the import and export of secure key objects in the
cycle-count-accurate
(CCA) processor.
(BZ#1919223)
lsvpd
rebased to version 1.7.12
lsvpd
has been upgraded to version 1.7.12. Notable bug fixes and enhancements include:
-
Added the UUID property in
sysvpd
. -
Improved the
NVMe
firmware version. - Fixed PCI device manufacturer parsing logic.
-
Added
recommends clause
to thelsvpd
configuration file.
(BZ#1844428)
ppc64-diag
rebased to version 2.7.7
ppc64-diag
has been upgraded to version 2.7.7. Notable bug fixes and enhancements include:
- Improved unit test cases.
-
Added the UUID property in
sysvpd
. -
The
rtas_errd
service does not run in the Linux containers. -
The obsolete logging options are no longer available in the
systemd
service files.
(BZ#1779206)
The ipmi_power
and ipmi_boot
modules are available in the redhat.rhel_mgmt
Collection
This update provides support to the Intelligent Platform Management Interface (IPMI
) Ansible modules. IPMI
is a specification for a set of management interfaces to communicate with baseboard management controller (BMC) devices. The IPMI
modules - ipmi_power
and ipmi_boot
- are available in the redhat.rhel_mgmt
Collection, which you can obtain by installing the ansible-collection-redhat-rhel_mgmt
package.
(BZ#1843859)
udftools
2.3 are now added to RHEL
The udftools
packages provide user-space utilities for manipulating Universal Disk Format (UDF) file systems. With this enhancement, udftools
provides the following set of tools:
-
cdrwtool
- It performs actions like blank, format, quick setup, and write to the DVD-R/CD-R/CD-RW media. -
mkfs.udf
,mkudffs
- It creates a Universal Disk Format (UDF) filesystem. -
pktsetup
- It sets up and tears down the packet device. -
udfinfo
- It shows information about the Universal Disk Format (UDF) file system. -
udflabel
- It shows or changes the Universal Disk Format (UDF) file system label. -
wrudf
- It provides an interactive shell withcp
,rm
,mkdir
,rmdir
,ls
, andcd
operations on the existing Universal Disk Format (UDF) file system.
(BZ#1882531)
Tesseract
4.1.1 is now present in RHEL 8.5
Tesseract
is an open-source OCR (optical character reading) engine and has the following features:
-
Starting with
tesseract
version 4, character recognition is based on Long Short-Term Memory (LSTM) neural networks. - Supports UTF-8.
- Supports plain text, hOCR (HTML), PDF, and TSV output formats.
Errors when restoring LVM with thin pools do not happen anymore
With this enhancement, ReaR now detects when thin pools and other logical volume types with kernel metadata (for example, RAIDs and caches) are used in a volume group (VG) and switches to a mode where it recreates all the logical volumes (LVs) in the VG using lvcreate commands. Therefore, LVM with thin pools are restored without any errors.
This new method does not preserve all the LV properties, for example LVM UUIDs. A restore from the backup should be tested before using ReaR in a Production environment in order to determine whether the recreated storage layout matches the requirements.
Net-SNMP now detects RSA and ECC certificates
Previously, Net-Simple Network Management Protocol (Net-SNMP) detected only Rivest, Shamir, Adleman (RSA) certificates. This enhancement adds support for Elliptic Curve Cryptography (ECC). As a result, Net-SNMP now detects RSA and ECC certificates.
FCoE option is changed to rd.fcoe
Previously, the man page for dracut.cmdline
documented rd.nofcoe=0
as the command to turn off Fibre Channel over Ethernet (FCoE).
With this update, the command is changed to rd.fcoe
. To disable FCoE, run the command rd.fcoe=0
.
For further information on FCoE see, Configuring Fibre Channel over Ethernet
4.5. Infrastructure services
linuxptp
rebased to version 3.1
The linuxptp
package has been updated to version 3.1. Notable bug fixes and enhancements include:
-
Added
ts2phc
program for synchronization of Precision Time Protocol (PTP) hardware clock to Pulse Per Second (PPS) signal. - Added support for the automotive profile.
- Added support for client event monitoring.
chrony
rebased to version 4.1
chrony
has been updated to version 4.1. Notable bug fixes and enhancements include:
- Added support for Network Time Security (NTS) authentication. For more information, see Overview of Network Time Security (NTS) in chrony.
-
By default, the Authenticated Network Time Protocol (NTP) sources are trusted over non-authenticated NTP sources. Add the
autselectmode ignore
argument in thechrony.conf
file to restore the original behavior. -
The support for authentication with
RIPEMD
keys -RMD128
,RMD160
,RMD256
,RMD320
is no longer available. -
The support for long non-standard MACs in NTPv4 packets is no longer available. If you are using
chrony 2.x
,non-MD5/SHA1
keys, you need to configurechrony
with theversion 3
option.
PowerTop rebased to version 2.14
PowerTop
has been upgraded to version 2.14. This is an update adding Alder Lake, Sapphire Rapids, and Rocket Lake platforms support.
(BZ#1834722)
TuneD now moves unnecessary IRQs to housekeeping CPUs
Network device drivers like i40e
, iavf
, mlx5
, evaluate the online CPUs to determine the number of queues and hence the MSIX
vectors to be created.
In low-latency environments with a large number of isolated and very few housekeeping CPUs, when TuneD tries to move these device IRQs to the housekeeping CPUs it fails due to the per CPU vector limit.
With this enhancement, TuneD explicitly adjusts the numbers of network device channels (and hence MSIX vectors) as per the housekeeping CPUs. Therefore, all the device IRQs can now be moved on the housekeeping CPUs to achieve low latency.
(BZ#1951992)
4.6. Security
libreswan
rebased to 4.4
The libreswan
packages have been upgraded to upstream version 4.4, which introduces many enhancements and bug fixes. Most notably:
The IKEv2 protocol:
-
Introduced fixes for TCP encapsulation in
Transport Mode
and host-to-host connections. -
Added the
--globalstatus
option to theipsec whack
command for displaying redirect statistics. -
The
vhost
andvnet
values in theipsec.conf
configuration file are no longer allowed for IKEv2 connections.
-
Introduced fixes for TCP encapsulation in
The
pluto
IKE daemon:- Introduced fixes for host-to-host connections that use non-standard IKE ports.
-
Added peer ID (
IKEv2 IDr
orIKEv1 Aggr
) to select the best initial connection. -
Disabled the
interface-ip=
option because Libreswan does not provide the corresponding functionality yet. -
Fixed the
PLUTO_PEER_CLIENT
variable in theipsec__updown
script for NAT inTransport Mode
. -
Set the
PLUTO_CONNECTION_TYPE
variable totransport
ortunnel
. - Non-templated wildcard ID connections can now match.
(BZ#1958968)
GnuTLS rebased to 3.6.16
The gnutls
packages have been updated to version 3.6.16. Notable bug fixes and enhancements include:
-
The
gnutls_x509_crt_export2()
function now returns 0 instead of the size of the internal base64 blob in case of success. This aligns with the documentation in thegnutls_x509_crt_export2(3)
man page. -
Certificate verification failures due to the Online Certificate Status Protocol (OCSP) must-stapling not being followed are now correctly marked with the
GNUTLS_CERT_INVALID
flag. -
Previously, even when TLS 1.2 was explicitly disabled through the
-VERS-TLS1.2
option, the server still offered TLS 1.2 if TLS 1.3 was enabled. The version negotiation has been fixed, and TLS 1.2 can now be correctly disabled.
(BZ#1956783)
socat
rebased to 1.7.4
The socat
packages have been upgraded from version 1.7.3 to 1.7.4, which provides many bug fixes and improvements. Most notably:
-
GOPEN
andUNIX-CLIENT
addresses now supportSEQPACKET
sockets. -
The generic
setsockopt-int
and related options are, in the case of listening or accepting addresses, applied to the connected sockets. To enable setting options on a listening socket, thesetsockopt-listen
option is now available. -
Added the
-r
and-R
options for a raw dump of transferred data to a file. -
Added the
ip-transparent
option and theIP_TRANSPARENT
socket option. -
OPENSSL-CONNECT
now automatically uses the SNI feature and theopenssl-no-sni
option turns SNI off. Theopenssl-snihost
option overrides the value of theopenssl-commonname
option or the server name. -
Added the
accept-timeout
andlisten-timeout
options. -
Added the
ip-add-source-membership
option. -
UDP-DATAGRAM
address now does not check peer port of replies as it did in 1.7.3. Use thesourceport
optioon if your scenario requires the previous behavior. -
New
proxy-authorization-file
option readsPROXY-CONNECT
credentials from a file and enables to hide this data from the process table. -
Added
AF_VSOCK
support forVSOCK-CONNECT
andVSOCK-LISTEN
addresses.
crypto-policies
rebased to 20210617
The crypto-policies
packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably:
You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries, or services. For a complete list of available scopes and details on the new syntax, see the
crypto-policies(7)
man page. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both thelibssh
library and the OpenSSH suite:cipher@SSH = AES-256-CBC+
Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using
libssh
:cipher@libssh = -*-CBC
Note that future updates can introduce new algorithms matched by the current wildcards.
crypto-policies
now support AES-192 ciphers in custom policies
The system-wide cryptographic policies now support the following values for the cipher
option in custom policies and subpolicies: AES-192-GCM
, AES-192-CCM
, AES-192-CTR
, and AES-192-CBC
. As a result, you can enable the AES-192-GCM
and AES-192-CBC
ciphers for the Libreswan application and the AES-192-CTR
and AES-192-CBC
ciphers for the libssh
library and the OpenSSH suite through crypto-policies
.
(BZ#1876846)
CBC ciphers disabled in the FUTURE
cryptographic policy
This update of the crypto-policies
packages disables ciphers that use cipher block chaining (CBC) mode in the FUTURE
policy. The settings in FUTURE
should withstand near-term future attacks, and this change reflects the current progress. As a result, system components respecting crypto-policies
cannot use CBC mode when the FUTURE
policy is active.
(BZ#1933016)
Adding new kernel AVC tracepoint
With this enhancement, a new avc:selinux_audited
kernel tracepoint is added that triggers when an SELinux denial is to be audited. This feature allows for more convenient low-level debugging of SELinux denials. The new tracepoint is available for tools such as perf
.
(BZ#1954024)
New ACSC ISM profile in the SCAP Security Guide
The scap-security-guide
packages now provide the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) compliance profile and a corresponding Kickstart file. With this enhancement, you can install a system that conforms with this security baseline and use the OpenSCAP suite for checking security compliance and remediation using the risk-based approach for security controls defined by ACSC.
(BZ#1955373)
SCAP Security Guide rebased to 0.1.57
The scap-security-guide
packages have been rebased to upstream version 0.1.57, which provides several bug fixes and improvements. Most notably:
- The Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) profile has been introduced. The profile extends the Essential Eight profile and adds more security controls defined in the ISM.
- The Center for Internet Security (CIS) profile has been restructured into four different profiles respecting levels of hardening and system type (server and workstation) as defined in the official CIS benchmarks.
- The Security Technical Implementation Guide (STIG) security profile has been updated, and implements rules from the recently-released version V1R3.
-
The Security Technical Implementation Guide with GUI (STIG with GUI) security profile has been introduced. The profile derives from the STIG profile and is compatible with RHEL installations that select the
Server with GUI
package selection. - The ANSSI High level profile, which is based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. This contains a profile implementing rules of High hardening levels.
OpenSCAP rebased to 1.3.5
The OpenSCAP packages have been rebased to upstream version 1.3.5. Notable fixes and enhancements include:
-
Enabled Schematron-based validation by default for the
validate
command ofoval
andxccdf
modules. - Added SCAP 1.3 source data stream Schematron.
- Added XML signature validation.
-
Allowed clamping
mtime
toSOURCE_DATE_EPOCH
. -
Added
severity
androle
attributes. -
Support for
requires
andconflicts
elements of the Rule and Group (XCCDF). - Kubernetes remediation in the HTML report.
-
Handling
gpfs
,proc
andsysfs
file systems as non-local. -
Fixed handling of common options styled as
--arg=val
. -
Fixed behavior of the
StateType
operator. -
Namespace ignored in XPath expressions (
xmlfilecontent
) to allow for incomplete XPath queries. - Fixed a problem that led to a warning about the presence of obtrusive data.
-
Fixed multiple segfaults and a broken test in the
--stig-viewer
feature. -
Fixed the
TestResult/benchmark/@href
attribute. - Fixed many memory management issues.
- Fixed many memory leaks.
Validation of digitally signed SCAP source data streams
To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP now validates digital signatures of digitally signed SCAP source data streams. As a result, OpenSCAP validates the digital signature when evaluating a digitally signed SCAP source data stream. The signature validation is performed automatically while loading the file. Data streams with invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the XML Security Library with the OpenSSL cryptography library to validate the digital signature.
You can skip the signature validation by adding the --skip-signature-validation
option to the oscap xccdf eval
command.
OpenSCAP does not address the trustworthiness of certificates or public keys that are part of the KeyInfo
signature element and that are used to verify the signature. You should verify such keys by yourselves to prevent evaluation of data streams that have been modified and signed by bad actors.
New DISA STIG profile compatible with Server with GUI installations
A new profile, DISA STIG with GUI
, has been added to the SCAP Security Guide. This profile is derived from the DISA STIG
profile and is compatible with RHEL installations that selected the Server with GUI
package group. The previously existing stig
profile was not compatible with Server with GUI
because DISA STIG demands uninstalling any Graphical User Interface. However, this can be overridden if properly documented by a Security Officer during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI
aligned with the DISA STIG profile.
STIG security profile updated to version V1R3
The DISA STIG for Red Hat Enterprise Linux 8
profile in the SCAP Security Guide has been updated to align with the latest version V1R3
. The profile is now also more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA).
This second iteration brings approximately 90% of coverage with regards to the STIG. You should use only the current version of this profile because older versions are no longer valid.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
Three new CIS profiles in SCAP Security Guide
Three new compliance profiles aligned with the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark have been introduced to the SCAP Security Guide. The CIS RHEL 8 Benchmark provides different configuration recommendations for "Server" and "Workstation" deployments, and defines two levels of configuration, "level 1" and "level 2" for each deployment. The CIS profile previously shipped in RHEL8 represented only the "Server Level 2". The three new profiles complete the scope of the CIS RHEL8 Benchmark profiles, and you can now more easily evaluate your system against CIS recommendations.
All currently available CIS RHEL 8 profiles are:
Workstation Level 1 |
|
Workstation Level 2 |
|
Server Level 1 |
|
Server Level 2 |
|
Performance of remediations for Audit improved by grouping similar system calls
Previously, Audit remediations generated an individual rule for each system call audited by the profile. This led to large numbers of audit rules, which degraded performance. With this enhancement, remediations for Audit can group rules for similar system calls with identical fields together into a single rule, which improves performance.
Examples of system calls grouped together:
-a always, exit -F arch=b32 -S chown, fchown, fchownat, lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always, exit -F arch=b32 -S unlink, unlinkat, rename, renameat, rmdir -F auid>=1000 -F auid!=unset -F key=delete
-a always, exit -F arch=b32 -S chown, fchown, fchownat, lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always, exit -F arch=b32 -S unlink, unlinkat, rename, renameat -F auid>=1000 -F auid!=unset -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Added profile for ANSSI-BP-028 High level
The ANSSI High level profile, based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. This completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels in the SCAP Security Guide. With the new profile, you can harden the system to the recommendations from ANSSI for GNU/Linux Systems at the High hardening level. As a result, you can configure and automate compliance of your RHEL 8 systems to the strictest hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.
OpenSSL added for encrypting Rsyslog TCP and RELP traffic
The OpenSSL network stream driver has been added to Rsyslog. This driver implements TLS-protected transport using the OpenSSL library. This provides additional functionality compared to the stream driver using the GnuTLS library. As a result, you can now use either OpenSSL or GnuTLS as an Rsyslog network stream driver.
Rsyslog rebased to 8.2102.0-5
The rsyslog
packages have been rebased to upstream version 8.2102.0-5, which provides the following notable changes over the previous version:
-
Added the
exists()
script function to check whether a variable exists or not, for example$!path!var
. -
Added support for setting OpenSSL configuration commands with a new configuration parameter
tls.tlscfgcmd
for theomrelp
andimrelp
modules. Added new rate-limit options to the
omfwd
module for rate-limiting syslog messages sent to the remote server:-
ratelimit.interval
specifies the rate-limiting interval in seconds. -
ratelimit.burst
specifies the rate-limiting burst in the number of messages.
-
-
Rewritten the
immark
module with various improvements. -
Added the
max sessions
config parameter to theimptcp
module. The maximum is measured per instance, not globally across all instances. -
Added the
rsyslog-openssl
subpackage; this network stream driver implements TLS-protected transport using the OpenSSL library. -
Added per-minute rate limiting to the
imfile
module with theMaxBytesPerMinute
andMaxLinesPerMinute
options. These options accept integer values and limit the number of bytes or lines that may be sent in a minute. -
Added support to the
imtcp
andomfwd
module to configure a maximum depth for the certificate chain verification with thestreamdriver.TlsVerifyDepth
option.
4.7. Networking
Support for pause parameter of ethtool
in NetworkManager
Non auto-pause parameters need to be set explicitly on a specific network interface in certain cases. Previously, NetworkManager could not pause the control flow parameters of ethtool
in nmstate
. To disable the auto negotiation of the pause parameter and enable RX/TX pause support explicitly, use the following command:
# nmcli connection modify enp1s0 ethtool.pause-autoneg no ethtool.pause-rx true ethtool.pause-tx true
New property in NetworkManager for setting physical and virtual interfaces in promiscuous mode
With this update the 802-3-ethernet.accept-all-mac-addresses
property has been added to NetworkManager for setting physical and virtual interfaces in the accept all MAC addresses
mode. With this update, the kernel can accept network packages targeting current interfaces’ MAC address in the accept all MAC addresses
mode. To enable accept all MAC addresses
mode on eth1
, use the following command:
$ sudo nmcli c add type ethernet ifname eth1 connection.id eth1 802-3-ethernet.accept-all-mac-addresses true
NetworkManager rebased to version 1.32.10
The NetworkManager
packages have been upgraded to upstream version 1.32.10, which provides a number of enhancements and bug fixes over the previous version.
For further information about notable changes, read the upstream release notes for this version.
NetworkManager now supports nftables
as firewall back end
This enhancement adds support for the nftables
firewall framework to NetworkManager. To switch the default back end from iptables
to nftables
:
Create the
/etc/NetworkManager/conf.d/99-firewall-backend.conf
file with the following content:[main] firewall-backend=nftables
Reload the
NetworkManager
service.# systemctl reload NetworkManager
(BZ#1548825)
firewalld rebased to version 0.9.3
The firewalld
packages have been upgraded to upstream version 0.9.3, which provides a number of enhancements and bug fixes over the previous version.
For further details, see the upstream release notes:
The firewalld
policy objects feature is now available
Previously, you could not use firewalld
to filter traffic flowing between virtual machines, containers, and zones. With this update, the firewalld
policy objects feature has been introduced, which provides forward and output filtering in firewalld
.
(BZ#1492722)
Multipath TCP is now fully supported
Starting with RHEL 8.5, Multipath TCP (MPTCP) is fully supported. MPTCP improves resource usage within the network and resilience to network failure. For example, with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled can connect to an application running on the server and switch between Wi-Fi and cellular networks without interrupting the connection to the server.
RHEL 8.5 introduced additional features, such as:
- Multiple concurrent active substreams
- Active-backup support
- Improved stream performances
-
Better memory usage, with
receive
andsend
buffer auto-tuning - SYN cookie support
Note that either the applications running on the server must natively support MPTCP or administrators must load an eBPF
program into the kernel to dynamically change IPPROTO_TCP
to IPPROTO_MPTCP
.
For further details see, Getting started with Multipath TCP.
(JIRA:RHELPLAN-57712)
Alternative network interface naming is now available in RHEL
Alternative interface naming is the RHEL kernel configuration, which provides the following networking benefits:
- Network interface card (NIC) names can have arbitrary length.
- One NIC can have multiple names at the same time.
- Usage of alternative names as handles for commands.
(BZ#2164986)
4.8. Kernel
Kernel version in RHEL 8.5
Red Hat Enterprise Linux 8.5 is distributed with the kernel version 4.18.0-348.
EDAC for Intel Sapphire Rapids processors is now supported
This enhancement provides Error Detection And Correction (EDAC) device support for Intel Sapphire Rapids processors. EDAC mainly handles Error Code Correction (ECC) memory and detects and reports PCI bus parity errors.
(BZ#1837389)
The bpftrace
package rebased to version 0.12.1
The bpftrace
package has been upgraded to version 0.12.1, which provides multiple bug fixes and enhancements. Notable changes over previous versions include:
-
Added the new
builtin
path, which is a new reliable method to display the full path from a path structure. -
Added wildcard support for
kfunc
probes andtracepoint
categories.
vmcore capture works as expected after CPU hot-add or hot-removal operations
Previously, on IBM POWER systems, after every CPU or memory hot-plug or removal operation, the CPU data on the device tree became stale unless the kdump.service
is reloaded. To reload the latest CPU information, the kdump.service
parses through the device nodes to fetch the CPU information. However, some of the CPU nodes are already lost during its hot-removal. Consequently, a race condition between the kdump.service
reload and a CPU hot-removal
happens at the same time and this may cause the dump to fail. A subsequent crash might then not capture the vmcore
file.
This update eliminates the need to reload the kdump.service
after a CPU hot-plug and the vmcore
capture works as expected in the described scenario.
Note: This enhancement works as expected for firmware-assisted dumps (fadump
). In the case of standard kdump
, the kdump.service
reload takes place during the hot-plug
operation.
(BZ#1922951)
The kdumpctl command now supports the new kdumpctl estimate
utility
The kdumpctl
command now supports the kdumpctl estimate
utility. Based on the existing kdump
configuration, kdumpctl estimate
prints a suitable estimated value for kdump
memory allocation.
The minimum size of the crash kernel may vary depending on the hardware and machine specifications. Hence, previously, it was difficult to estimate an accurate crashkernel=
value.
With this update, the kdumpctl estimate
utility provides an estimated value. This value is a best effort recommended estimate and can serve as a good reference to configure a feasible crashkernel=
value.
(BZ#1879558)
IBM TSS 2.0 package rebased to 1.6.0
The IBM’s Trusted Computing Group (TCG) Software Stack (TSS) 2.0 binary package has been upgraded to 1.6.0. This update adds the IBM TSS 2.0 support on AMD64 and Intel 64 architecture.
It is a user space TSS for Trusted Platform Modules (TPM) 2.0 and implements the functionality equivalent to (but not API compatible with) the TCG TSS working group’s Enhanced System Application Interface (ESAPI), System Application Interface (SAPI), and TPM Command Transmission Interface (TCTI) API with a simpler interface.
It is a security middleware that allows applications and platforms to share and integrate the TPM into secure applications.
This rebase provides many bug fixes and enhancements over the previous version. The most notable changes include the following new attributes:
-
tsscertifyx509
: validates thex509
certificate -
tssgetcryptolibrary
: displays the current cryptographic library -
tssprintattr
: prints the TPM attributes as text -
tsspublicname
: calculates the public name of an entity -
tsssetcommandcodeauditstatus
: clears or sets code viaTPM2_SetCommandCodeAuditStatus
-
tsstpmcmd
: sends an in-band TPM simulator signal
(BZ#1822073)
The schedutil
CPU frequency governor is now available on RHEL 8
The schedutil
CPU governor uses CPU utilization data available on the CPU scheduler. schedutil
is a part of the CPU scheduler and it can access the scheduler’s internal data structures directly. schedutil
controls how the CPU would raise and lower its frequency in response to system load. You must manually select the schedutil
frequency governor as it is not enabled as default.
There is one policyX
directory per CPU. schedutil
is available in the policyX/scaling_governors
list of the existing CPUFreq
governors in the kernel and is attached to /sys/devices/system/cpu/cpufreq/policyx
policy. The policy file can be overwritten to change it.
Note that when using intel_pstate
scaling drivers, it might be necessary to configure the intel_pstate=passive
command line argument for intel_pstate
to become available and be listed by the governor. intel_pstate
is the default on Intel hardware with any modern CPU.
(BZ#1938339)
The rt-tests suite rebased to rt-tests-2.1 upstream version
The rt-tests
suite has been rebased to rt-tests-2.1
version, which provides multiple bug fixes and enhancements. The notable changes over the previous version include:
-
Fixes to various programs in the
rt-tests
suite. -
Fixes to make programs more uniform with the common set of options, for example, the
oslat
program’s option-t --runtime
option is renamed to-D
to specify the run duration to match the rest of the suite. -
Implements a new feature to output data in
json
format.
Intel® QuickAssist Technology Library (QATlib) was rebased to version 21.05
The qatlib
package has been rebased to version 21.05, which provides multiple bug fixes and enhancements. Notable changes include:
Adding support for several encryption algorithms:
- AES-CCM 192/256
- ChaCha20-Poly1305
- PKE 8K (RSA, DH, ModExp, ModInv)
- Fixing device enumeration on different nodes
-
Fixing
pci_vfio_set_command
for 32-bit builds
For more information about QATlib installation, check Ensuring that Intel® QuickAssist Technology stack is working correctly on RHEL 8.
(BZ#1920237)
4.9. File systems and storage
xfs_quota state
command now outputs all grace times when multiple quota types are specified
The xfs_quota state
command now outputs grace times for multiple quota types specified on the command line. Previously, only one was shown even if more than one of -g
, -p
, or -u
was specified.
(BZ#1949743)
-H
option added to the rpc.gssd
daemon and the set-home
option added to the /etc/nfs.conf
file
This patch adds the -H
option to rpc.gssd
and the set-home
option into /etc/nfs.conf
, but does not change the default behavior.
By default, rpc.gssd
sets $HOME
to /
to avoid possible deadlock that may happen when users' home directories are on an NFS share with Kerberos security. If either the -H
option is added to rpc.gssd
, or set-home=0
is added to /etc/nfs.conf
, rpc.gssd
does not set $HOME
to /
.
These options allow you to use Kerberos k5identity files in $HOME/.k5identity
and assumes NFS home directory is not on an NFS share with Kerberos security. These options are provided for use in only specific environments, such as the need for k5identity files. For more information see the k5identity
man page.
(BZ#1868087)
The storage
RHEL system role now supports LVM VDO volumes
Virtual Data Optimizer (VDO) helps to optimize usage of the storage volumes. With this enhancement, administrators can use the storage
system role to manage compression
and deduplication
on Logical Manager Volumes (LVM) VDO volumes.
4.10. High availability and clusters
Local mode version of pcs cluster setup
command is now fully supported
By default, the pcs cluster setup
command automatically synchronizes all configuration files to the cluster nodes. Since RHEL 8.3, the pcs cluster setup
command has provided the --corosync-conf
option as a Technology Preview. This feature is now fully supported in RHEL 8.5. Specifying this option switches the command to local
mode. In this mode, the pcs
command-line interface creates a corosync.conf
file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf
file in a script and handle that file by means of the script.
Ability to configure watchdog-only SBD for fencing on subset of cluster nodes
Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. That prevented using SBD in a cluster where some nodes support it but other nodes (often remote nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup using the new fence_watchdog
agent, which allows cluster configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other fencing types. A cluster may only have a single such device, and it must be named watchdog
.
New pcs
command to update SCSI fencing device without causing restart of all other resources
Updating a SCSI fencing device with the pcs stonith update
command causes a restart of all resources running on the same node where the stonith resource was running. The new pcs stonith update-scsi-devices
command allows you to update SCSI devices without causing a restart of other cluster resources.
New reduced output display option for pcs resource safe-disable
command
The pcs resource safe-disable
and pcs resource disable --safe
commands print a lengthy simulation result after an error report. You can now specify the --brief
option for those commands to print errors only. The error report now always contains resource IDs of affected resources.
pcs
now accepts Promoted
and Unpromoted
as role names
The pcs
command-line interface now accepts Promoted
and Unpromoted
anywhere roles are specified in Pacemaker configuration. These role names are the functional equivalent of the Master
and Slave
Pacemaker roles. Master
and Slave
remain the names for these roles in configuration displays and help text.
New pcs resource status display commands
The pcs resource status
and the pcs stonith status
commands now support the following options:
-
You can display the status of resources configured on a specific node with the
pcs resource status node=node_id
command and thepcs stonith status node=node_id
command. You can use these commands to display the status of resources on both cluster and remote nodes. -
You can display the status of a single resource with the
pcs resource status resource_id
and thepcs stonith status resource_id
commands. -
You can display the status of all resources with a specified tag with the
pcs resource status tag_id
and thepcs stonith status tag_id
commands.
(BZ#1290830, BZ#1285269)
New LVM volume group flag to control autoactivation
LVM volume groups now support a setautoactivation
flag which controls whether logical volumes that you create from a volume group will be automatically activated on startup. When creating a volume group that will be managed by Pacemaker in a cluster, set this flag to n
with the vgcreate --setautoactivation n
command for the volume group to prevent possible data corruption. If you have an existing volume group used in a Pacemaker cluster, set the flag with vgchange --setautoactivation n
.
4.11. Dynamic programming languages, web and database servers
The nodejs:16
module stream is now fully supported
The nodejs:16
module stream, previously available as a Technology preview, is fully supported with the release of the RHSA-2021:5171 advisory. The nodejs:16
module stream now provides Node.js 16.13.1
, which is a Long Term Support (LTS) version.
Node.js 16
included in RHEL 8.5 provides numerous new features and bug and security fixes over Node.js 14
available since RHEL 8.3.
Notable changes include:
-
The
V8
engine has been upgraded to version 9.4. -
The
npm
package manager has been upgraded to version 8.1.2. -
A new
Timers Promises
API provides an alternative set of timer functions that returnPromise
objects. -
Node.js
now provides a new experimentalWeb Streams
API. -
Node.js
now includesCorepack
, an experimental tool that enables you to use package managers configured in the given project without the need to manually install them. -
Node.js
now provides an experimental ECMAScript modules (ESM) loader hooks API, which consolidates ESM loader hooks.
To install the nodejs:16
module stream, use:
# yum module install nodejs:16
If you want to upgrade from the nodejs:14
stream, see Switching to a later stream.
(BZ#1953991, BZ#2027610)
A new module stream: ruby:3.0
RHEL 8.5 introduces Ruby 3.0.2
in a new ruby:3.0
module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.7
distributed with RHEL 8.3.
Notable enhancements include:
Concurrency and parallelism features:
-
Ractor
, an Actor-model abstraction that provides thread-safe parallel execution, is provided as an experimental feature. -
Fiber Scheduler
has been introduced as an experimental feature.Fiber Scheduler
intercepts blocking operations, which enables light-weight concurrency without changing existing code.
-
Static analysis features:
-
The
RBS
language has been introduced, which describes the structure ofRuby
programs. Therbs
gem has been added to parse type definitions written inRBS
. -
The
TypeProf
utility has been introduced, which is a type analysis tool forRuby
code.
-
The
-
Pattern matching with the
case/in
expression is no longer experimental. - One-line pattern matching, which is an experimental feature, has been redesigned.
- Find pattern has been added as an experimental feature.
The following performance improvements have been implemented:
-
Pasting long code to the
Interactive Ruby Shell (IRB)
is now significantly faster. -
The
measure
command has been added toIRB
for time measurement.
Other notable changes include:
- Keyword arguments have been separated from other arguments.
-
The default directory for user-installed gems is now
$HOME/.local/share/gem/
unless the$HOME/.gem/
directory is already present.
To install the ruby:3.0
module stream, use:
# yum module install ruby:3.0
If you want to upgrade from an earlier ruby
module stream, see Switching to a later stream.
Changes in the default separator for the Python urllib
parsing functions
To mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib
library, the default separator for the urllib.parse.parse_qsl
and urllib.parse.parse_qs
functions is being changed from both ampersand (&
) and semicolon (;
) to only an ampersand.
This change was implemented in Python 3.6 with the release of RHEL 8.4, and now is being backported to Python 3.8 and Python 2.7.
The change of the default separator is potentially backwards incompatible, therefore Red Hat provides a way to configure the behavior in Python packages where the default separator has been changed. In addition, the affected urllib
parsing functions issue a warning if they detect that a customer’s application has been affected by the change.
For more information, see the Mitigation of Web Cache Poisoning in the Python urllib library (CVE-2021-23336) Knowledgebase article.
Python 3.9 is unaffected and already includes the new default separator (&
), which can be changed only by passing the separator parameter when calling the urllib.parse.parse_qsl
and urllib.parse.parse_qs
functions in Python code.
(BZ#1935686, BZ#1931555, BZ#1969517)
The Python ipaddress
module no longer allows zeros in IPv4 addresses
To mitigate CVE-2021-29921, the Python ipaddress
module now rejects IPv4 addresses with leading zeros with an AddressValueError: Leading zeros are not permitted
error.
This change has been introduced in the python38
and python39
modules. Earlier Python versions distributed in RHEL are not affected by CVE-2021-29921.
Customers who rely on the previous behavior can pre-process their IPv4 address inputs to strip the leading zeros off. For example:
>>> def reformat_ip(address): return '.'.join(part.lstrip('0') if part != '0' else part for part in address.split('.')) >>> reformat_ip('0127.0.0.1') '127.0.0.1'
To strip the leading zeros off with an explicit loop for readability, use:
def reformat_ip(address): parts = [] for part in address.split('.'): if part != "0": part = part.lstrip('0') parts.append(part) return '.'.join(parts)
(BZ#1986007, BZ#1970504, BZ#1970505)
The php:7.4
module stream rebased to version 7.4.19
The PHP scripting language, provided by the php:7.4
module stream, has been upgraded from version 7.4.6 to version 7.4.19. This update provides multiple security and bug fixes.
(BZ#1944110)
A new package: pg_repack
A new pg_repack
package has been added to the postgresql:12
and postgresql:13
module streams. The pg_repack
package provides a PostgreSQL
extension that lets you remove bloat from tables and indexes, and optionally restore physical order of clustered indexes.
(BZ#1967193, BZ#1935889)
A new module stream: nginx:1.20
The nginx 1.20
web and proxy server is now available as the nginx:1.20
module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.18.
New features:
-
nginx
now supports client SSL certificate validation with Online Certificate Status Protocol (OCSP). -
nginx
now supports cache clearing based on the minimum amount of free space. This support is implemented as themin_free
parameter of theproxy_cache_path
directive. -
A new
ngx_stream_set_module
module has been added, which enables you to set a value for a variable.
Enhanced directives:
-
Multiple new directives are now available, such as
ssl_conf_command
andssl_reject_handshake
. -
The
proxy_cookie_flags
directive now supports variables.
Improved support for HTTP/2:
-
The
ngx_http_v2
module now includes thelingering_close
,lingering_time
,lingering_timeout
directives. -
Handling connections in HTTP/2 has been aligned with HTTP/1.x. From
nginx 1.20
, use thekeepalive_timeout
andkeepalive_requests
directives instead of the removedhttp2_recv_timeout
,http2_idle_timeout
, andhttp2_max_requests
directives.
To install the nginx:1.20
stream, use:
# yum module install nginx:1.20
If you want to upgrade from the nginx:1.20
stream, see Switching to a later stream.
(BZ#1945671)
The squid:4
module stream rebased to version 4.15
The Squid
proxy server, available in the squid:4
module stream, has been upgraded from version 4.11 to version 4.15. This update provides various bug and security fixes.
(BZ#1964384)
LVM system.devices
file feature now available in RHEL 8
RHEL 8.5 introduces the LVM system.devices
file feature. By creating a list of devices in the /etc/lvm/devices/system.devices
file, you can select specific devices for LVM to recognize and use, and prevent LVM from using unwanted devices.
To enable the system.devices
file feature, set use_devicesfile=1
in the lvm.conf
configuration file and add devices to the system.devices
file. LVM ignores any devices filter settings while the system.devices
file feature is enabled. To prevent warning messages, remove your filter settings from the lvm.conf
file.
For more information, see the lvmdevices(8)
man page.
(BZ#1922312)
quota
now supports HPE XFS
The quota
utilities now provide support for the HPE XFS file system. As a result, users of HPE XFS can monitor and and manage user and group disk usage through quota
utilities.
(BZ#1945408)
mutt
rebased to version 2.0.7
The Mutt
email client has been updated to version 2.0.7, which provides a number of enhancements and bug fixes.
Notable changes include:
-
Mutt
now provides support for theOAuth 2.0
authorization protocol using theXOAUTH2
mechanism. Mutt now also supports theOAUTHBEARER
authentication mechanism for the IMAP, POP, and SMTP protocols. The OAuth-based functionality is provided through external scripts. As a result, you can connectMutt
with various cloud email providers, such asGmail
using authentication tokens. For more information on how to set upMutt
with OAuth support, see How to set up Mutt with Gmail using OAuth2 authentication. -
Mutt
adds support for domain-literal email addresses, for example,user@[IPv6:fcXX:…]
. -
The new
$ssl_use_tlsv1_3
configuration variable allows TLS 1.3 connections if they are supported by the email server. This variable is enabled by default. -
The new
$imap_deflate
variable adds support for theCOMPRESS=DEFLATE
compression. The variable is disabled by default. -
The
$ssl_starttls
variable no longer controls aborting an unencrypted IMAPPREAUTH
connection. Use the$ssl_force_tls
variable instead if you rely on theSTARTTLS
process.
Note that even after an update to the new Mutt
version, the ssl_force_tls
configuration variable still defaults to no
to prevent RHEL users from encountering problems in their existing environments. In the upstream version of Mutt
, ssl_force_tls
is now enabled by default.
4.12. Compilers and development tools
Go Toolset rebased to version 1.16.7
Go Toolset has been upgraded to version 1.16.7. Notable changes include:
-
The
GO111MODULE
environment variable is now set toon
by default. To revert this setting, changeGO111MODULE
toauto
. - The Go linker now uses less resources and improves code robustness and maintainability. This applies to all supported architectures and operating systems.
-
With the new
embed
package you can access embedded files while compiling programs. -
All functions of the
io/ioutil
package have been moved to theio
andos
packages. While you can still useio/ioutil
, theio
andos
packages provide better definitions. - The Delve debugger has been rebased to 1.6.0 and now supports Go 1.16.7 Toolset.
For more information, see Using Go Toolset.
(BZ#1938071)
Rust Toolset rebased to version 1.54.0
Rust Toolset has been updated to version 1.54.0. Notable changes include:
-
The Rust standard library is now available for the
wasm32-unknown-unknown
target. With this enhancement, you can generate WebAssembly binaries, including newly stabilized intrinsics. -
Rust now includes the
IntoIterator
implementation for arrays. With this enhancement, you can use theIntoIterator
trait to iterate over arrays by value and pass arrays to methods. However,array.into_iter()
still iterates values by reference until the 2021 edition of Rust. -
The syntax for
or
patterns now allows nesting anywhere in the pattern. For example:Pattern(1|2)
instead ofPattern(1)|Pattern(2)
. - Unicode identifiers can now contain all valid identifier characters as defined in the Unicode Standard Annex #31.
- Methods and trait implementations have been stabilized.
- Incremental compilation is re-enabled by default.
For more information, see Using Rust Toolset.
(BZ#1945805)
LLVM Toolset rebased to version 12.0.1
LLVM Toolset has been upgraded to version 12.0.1. Notable changes include:
-
The new compiler flag
-march=x86-64-v[234]
has been added. -
The compiler flag
-fasynchronous-unwind-tables
of the Clang compiler is now the default on Linux AArch64/PowerPC. - The Clang compiler now supports the C++20 likelihood attributes [[likely]] and [[unlikely]].
-
The new function attribute
tune-cpu
has been added. It allows microarchitectural optimizations to be applied independently from thetarget-cpu
attribute or TargetMachine CPU. -
The new sanitizer
-fsanitize=unsigned-shift-base
has been added to the integer sanitizer-fsanitize=integer
to improve security. - Code generation on PowerPC targets has been optimized.
- The WebAssembly backend is now enabled in LLVM. With this enhancement, you can generate WebAssembly binaries with LLVM and Clang.
For more information, see Using LLVM Toolset.
(BZ#1927937)
CMake rebased to version 3.20.2
CMake has been rebased from 3.18.2 to 3.20.2. To use CMake on a project that requires the version 3.20.2 or less, use the command cmake_minimum_required(version 3.20.2).
Notable changes include:
-
C++23 compiler modes can now be specified by using the target properties
CXX_STANDARD
,CUDA_STANDARD
,OBJCXX_STANDARD
, or by using thecxx_std_23
meta-feature of the compile features function. - CUDA language support now allows the NVIDIA CUDA compiler to be a symbolic link.
-
The Intel oneAPI NextGen LLVM compilers are now supported with the
IntelLLVM
compiler ID . - CMake now facilitates cross compiling for Android by merging with the Android NDK’s toolchain file.
-
When running
cmake(1)
to generate a project build system, unknown command-line arguments starting with a hyphen are now rejected.
For further information on new features and deprecated functionalities, see the CMake Release Notes.
(BZ#1957947)
New GCC Toolset 11
GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream
repository.
The following components have been rebased since GCC Toolset 10:
- GCC to version 11.2
- GDB to version 10.2
- Valgrind to version 3.17.0
- SystemTap to version 4.5
- binutils to version 2.36
- elfutils to version 0.185
- dwz to version 0.14
- Annobin to version 9.85
For a complete list of components, see GCC Toolset 11.
To install GCC Toolset 11, run the following command as root:
# yum install gcc-toolset-11
To run a tool from GCC Toolset 11:
$ scl enable gcc-toolset-11 tool
To run a shell session where tool versions from GCC Toolset 11 override system versions of these tools:
$ scl enable gcc-toolset-11 bash
For more information, see Using GCC Toolset.
The GCC Toolset 11 components are also available in the two container images:
-
rhel8/gcc-toolset-11-toolchain
, which includes the GCC compiler, the GDB debugger, and themake
automation tool. -
rhel8/gcc-toolset-11-perftools
, which includes the performance monitoring tools, such as SystemTap and Valgrind.
To pull a container image, run the following command as root:
# podman pull registry.redhat.io/<image_name>
Note that only the GCC Toolset 11 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.
(BZ#1953094)
.NET updated to version 6.0
Red Hat Enterprise Linux 8.5 is distributed with .NET version 6.0. Notable improvements include:
- Support for 64-bit Arm (aarch64)
- Support for IBM Z and LinuxONE (s390x)
For more information, see Release Notes for .NET 6.0 RPM packages and Release Notes for .NET 6.0 containers.
GCC Toolset 11: GCC rebased to version 11.2
In GCC Toolset 11, the GCC package has been updated to version 11.2. Notable bug fixes and enhancements include:
General improvements
- GCC now defaults to the DWARF Version 5 debugging format.
- Column numbers shown in diagnostics represent real column numbers by default and respect multicolumn characters.
- The straight-line code vectorizer considers the whole function when vectorizing.
- A series of conditional expressions that compare the same variable can be transformed into a switch statement if each of them contains a comparison expression.
Interprocedural optimization improvements:
-
A new IPA-modref pass, controlled by the
-fipa-modref
option, tracks side effects of function calls and improves the precision of points-to analysis. -
The identical code folding pass, controlled by the
-fipa-icf
option, was significantly improved to increase the number of unified functions and reduce compile-time memory use.
-
A new IPA-modref pass, controlled by the
Link-time optimization improvements:
- Memory allocation during linking was improved to reduce peak memory use.
-
Using a new
GCC_EXTRA_DIAGNOSTIC_OUTPUT
environment variable in IDEs, you can request machine-readable “fix-it hints” without adjusting build flags. -
The static analyzer, run by the
-fanalyzer
option, is improved significantly with numerous bug fixes and enhancements provided.
Language-specific improvements
C family
- C and C++ compilers support non-rectangular loop nests in OpenMP constructs and the allocator routines of the OpenMP 5.0 specification.
Attributes:
-
The new
no_stack_protector
attribute marks functions that should not be instrumented with stack protection (-fstack-protector
). -
The improved
malloc
attribute can be used to identify allocator and deallocator API pairs.
-
The new
New warnings:
-
-Wsizeof-array-div
, enabled by the-Wall
option, warns about divisions of twosizeof
operators when the first one is applied to an array and the divisor does not equal the size of the array element. -
-Wstringop-overread
, enabled by default, warns about calls to string functions that try to read past the end of the arrays passed to them as arguments.
-
Enhanced warnings:
-
-Wfree-nonheap-object
detects more instances of calls to deallocation functions with pointers not returned from a dynamic memory allocation function. -
-Wmaybe-uninitialized
diagnoses the passing of pointers and references to uninitialized memory to functions that takeconst
-qualified arguments. -
-Wuninitialized
detects reads from uninitialized dynamically allocated memory.
-
C
Several new features from the upcoming C2X revision of the ISO C standard are supported with the
-std=c2x
and-std=gnu2x
options. For example:-
The
standard attribute is supported.
-
The
__has_c_attribute
preprocessor operator is supported. - Labels may appear before declarations and at the end of a compound statement.
-
The
C++
-
The default mode is changed to
-std=gnu++17
. -
The C++ library
libstdc++
has improved C++17 support now. Several new C++20 features are implemented. Note that C++20 support is experimental.
For more information about the features, see C++20 Language Features.
- The C++ front end has experimental support for some of the upcoming C++23 draft features.
New warnings:
-
-Wctad-maybe-unsupported
, disabled by default, warns about performing class template argument deduction on a type with no deduction guides. -
-Wrange-loop-construct
, enabled by-Wall
, warns when a range-based for loop is creating unnecessary and resource inefficient copies. -
-Wmismatched-new-delete
, enabled by-Wall
, warns about calls to operator delete with pointers returned from mismatched forms of operator new or from other mismatched allocation functions. -
-Wvexing-parse
, enabled by default, warns about the most vexing parse rule: the cases when a declaration looks like a variable definition, but the C++ language requires it to be interpreted as a function declaration.
-
Architecture-specific improvements
The 64-bit ARM architecture
-
The Armv8-R architecture is supported through the
-march=armv8-r
option. - GCC can autovectorize operations performing addition, subtraction, multiplication, and the accumulate and subtract variants on complex numbers.
AMD and Intel 64-bit architectures
- The following Intel CPUs are supported: Sapphire Rapids, Alder Lake, and Rocket Lake.
-
New ISA extension support for Intel AVX-VNNI is added. The
-mavxvnni
compiler switch controls the AVX-VNNI intrinsics. -
AMD CPUs based on the znver3 core are supported with the new
-march=znver3
option. -
Three microarchitecture levels defined in the x86-64 psABI supplement are supported with the new
-march=x86-64-v2
,-march=x86-64-v3
, and-march=x86-64-v4
options.
(BZ#1946782)
GCC Toolset 11: dwz
now supports DWARF 5
In GCC Toolset 11, the dwz
tool now supports the DWARF Version 5 debugging format.
(BZ#1948709)
GCC Toolset 11: GCC now supports the AIA user interrupts
In GCC Toolset 11, GCC now supports the Accelerator Interfacing Architecture (AIA) user interrupts.
(BZ#1927516)
GCC Toolset 11: Generic SVE tuning defaults improved
In GCC Toolset 11, generic SVE tuning defaults have been improved on the 64-bit ARM architecture.
(BZ#1979715)
SystemTap rebased to version 4.5
The SystemTap package has been updated to version 4.5. Notable bug fixes and enhancements include:
-
32-bit floating-point variables are automatically widened to double variables and, as a result, can be accessed directly as
$context
variables. -
enum
values can be accessed as$context
variables. -
The BPF uconversions tapset has been extended and includes more tapset functions to access values in user space, for example
user_long_error()
. - Concurrency control has been significantly improved to provide stable operation on large servers.
For further information, see the upstream SystemTap 4.5 release notes.
elfutils
rebased to version 0.185
The elfutils
package has been updated to version 0.185. Notable bug fixes and enhancements include:
-
The
eu-elflint
andeu-readelf
tools now recognize and show theSHF_GNU_RETAIN
andSHT_X86_64_UNWIND
flags on ELF sections. -
The
DEBUGINFOD_SONAME
macro has been added todebuginfod.h
. This macro can be used with thedlopen
function to load thelibdebuginfod.so
library dynamically from an application. -
A new function
debuginfod_set_verbose_fd
has been added to thedebuginfod-client
library. This function enhances thedebuginfod_find_*
queries functionality by redirecting the verbose output to a separate file. -
Setting the
DEBUGINFOD_VERBOSE
environment variable now shows more information about which servers thedebuginfod
client connects to and the HTTP responses of those servers. -
The
debuginfod
server provides a new thread-busy metric and more detailed error metrics to make it easier to inspect processes that run on thedebuginfod
server. -
The
libdw
library now transparently handles theDW_FORM_indirect
location value so that thedwarf_whatform
function returns the actual FORM of an attribute. -
To reduce network traffic, the
debuginfod-client
library stores negative results in a cache, and client objects can reuse an existing connection.
Valgrind rebased to version 3.17.0
The Valgrind package has been updated to version 3.17.0. Notable bug fixes and enhancements include:
- Valgrind can read the DWARF Version 5 debugging format.
-
Valgrind supports debugging queries to the
debuginfod
server. - The ARMv8.2 processor instructions are partially supported.
- The Power ISA v.3.1 instructions on POWER10 processors are partially supported.
- The IBM z14 processor instructions are supported.
-
Most IBM z15 instructions are supported. The Valgrind tool suite supports the miscellaneous-instruction-extensions facility 3 and the vector-enhancements facility 2 for the IBM z15 processor. As a result, Valgrind runs programs compiled with GCC
-march=z15
correctly and provides improved performance and debugging experience. -
The
--track-fds=yes option
respects-q
(--quiet
) and ignores the standard file descriptorsstdin
,stdout
, andstderr
by default. To track the standard file descriptors, use the--track-fds=all
option. -
The DHAT tool has two new modes of operation:
--mode=copy
and--mode=ad-hoc
.
Dyninst rebased to version 11.0.0
The Dyninst package has been updated to version 11.0.0. Notable bug fixes and enhancements include:
-
Support for the
debuginfod
server and for fetching separatedebuginfo
files. - Improved detection of indirect calls to procedure linkage table (PLT) stubs.
- Improved C++ name demangling.
- Fixed memory leaks during code emitting.
DAWR functionality improved in GDB on IBM POWER10
With this enhancement, new hardware watchpoint capabilities are now enabled for GDB on the IBM POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added.
(BZ#1854784)
GCC Toolset 11: GDB rebased to version 10.2
In GCC Toolset 11, the GDB package has been updated to version 10.2. Notable bug fixes and enhancements include:
New features
- Multithreaded symbol loading is enabled by default on architectures that support this feature. This change provides better performance for programs with many symbols.
- Text User Interface (TUI) windows can be arranged horizontally.
- GDB supports debugging multiple target connections simultaneously but this support is experimental and limited. For example, you can connect each inferior to a different remote server that runs on a different machine, or you can use one inferior to debug a local native process or a core dump or some other process.
New and improved commands
-
A new
tui new-layout name window weight [window weight…]
command creates a new text user interface (TUI) layout, you can also specify a layout name and displayed windows. -
The improved
alias [-a] [--] alias = command [default-args]
command can specify default arguments when creating a new alias. -
The
set exec-file-mismatch
andshow exec-file-mismatch
commands set and show a newexec-file-mismatch
option. When GDB attaches to a running process, this option controls how GDB reacts when it detects a mismatch between the current executable file loaded by GDB and the executable file used to start the process.
Python API
-
The
gdb.register_window_type
function implements new TUI windows in Python. -
You can now query dynamic types. Instances of the
gdb.Type
class can have a new boolean attributedynamic
and thegdb.Type.sizeof
attribute can have valueNone
for dynamic types. IfType.fields()
returns a field of a dynamic type, the value of itsbitpos
attribute can beNone
. -
A new
gdb.COMMAND_TUI
constant registers Python commands as members of the TUI help class of commands. -
A new
gdb.PendingFrame.architecture()
method retrieves the architecture of the pending frame. -
A new
gdb.Architecture.registers
method returns agdb.RegisterDescriptorIterator
object, an iterator that returnsgdb.RegisterDescriptor
objects. Such objects do not provide the value of a register but help understand which registers are available for an architecture. -
A new
gdb.Architecture.register_groups
method returns agdb.RegisterGroupIterator
object, an iterator that returnsgdb.RegisterGroup
objects. Such objects help understand which register groups are available for an architecture.
(BZ#1954332)
GCC Toolset 11: SystemTap rebased to version 4.5
In GCC Toolset 11, the SystemTap package has been updated to version 4.5. Notable bug fixes and enhancements include:
-
32-bit floating-point variables are now automatically widened to double variables and, as a result, can be accessed directly as
$context
variables. -
enum
values can now be accessed as$context
variables. -
The BPF uconversions tapset has been extended and now includes more tapset functions to access values in user space, for example
user_long_error()
. - Concurrency control has been significantly improved to provide stable operation on large servers.
For further information, see the upstream SystemTap 4.5 release notes.
GCC Toolset 11: elfutils
rebased to version 0.185
In GCC Toolset 11, the elfutils
package has been updated to version 0.185. Notable bug fixes and enhancements include:
-
The
eu-elflint
andeu-readelf
tools now recognize and show theSHF_GNU_RETAIN
andSHT_X86_64_UNWIND
flags on ELF sections. -
The
DEBUGINFOD_SONAME
macro has been added todebuginfod.h
. This macro can be used with thedlopen
function to load thelibdebuginfod.so
library dynamically from an application. -
A new function
debuginfod_set_verbose_fd
has been added to thedebuginfod-client
library. This function enhances thedebuginfod_find_*
queries functionality by redirecting the verbose output to a separate file. -
Setting the
DEBUGINFOD_VERBOSE
environment variable now shows more information about which servers thedebuginfod
client connects to and the HTTP responses of those servers. -
The
debuginfod
server provides a new thread-busy metric and more detailed error metrics to make it easier to inspect processes that run on thedebuginfod
server. -
The
libdw
library now transparently handles theDW_FORM_indirect
location value so that thedwarf_whatform
function returns the actual FORM of an attribute. -
The
debuginfod-client
library now stores negative results in a cache and client objects can reuse an existing connection. This way unnecessary network traffic when using the library is prevented.
GCC Toolset 11: Valgrind rebased to version 3.17.0
In GCC Toolset 11, the Valgrind package has been updated to version 3.17.0. Notable bug fixes and enhancements include:
- Valgrind can now read the DWARF Version 5 debugging format.
-
Valgrind now supports debugging queries to the
debuginfod
server. - Valgrind now partially supports the ARMv8.2 processor instructions.
- Valgrind now supports the IBM z14 processor instructions.
- Valgrind now partially supports the Power ISA v.3.1 instructions on POWER10 processors.
-
The
--track-fds=yes option
now respects-q
(--quiet
) and ignores the standard file descriptorsstdin
,stdout
, andstderr
by default. To track the standard file descriptors, use the--track-fds=all
option. -
The DHAT tool now has two new modes of operation:
--mode=copy
and--mode=ad-hoc
.
GCC Toolset 11: Dyninst rebased to version 11.0.0
In GCC Toolset 11, the Dyninst package has been updated to version 11.0.0. Notable bug fixes and enhancements include:
-
Support for the
debuginfod
server and for fetching separatedebuginfo
files. - Improved detection of indirect calls to procedure linkage table (PLT) stubs.
- Improved C++ name demangling.
- Fixed memory leaks during code emitting.
PAPI library support for Fujitsu A64FX added
PAPI library support for Fujitsu A64FX has been added. With this feature, developers can collect hardware statistics.
(BZ#1908126)
The PCP
package was rebased to 5.3.1
The Performance Co-Pilot (PCP) package has been rebased to version 5.3.1. This release includes bug fixes, enhancements, and new features. Notable changes include:
-
Scalability improvements, which now support centrally logged performance metrics for hundreds of hosts (
pmlogger
farms) and automatic monitoring with performance rules (pmie
farms). -
Resolved memory leaks in the
pmproxy
service and thelibpcp_web
API library, and added instrumentation and new metrics topmproxy
. -
A new
pcp-ss
tool for historical socket statistics. -
Improvements to the
pcp-htop
tool. - Extensions to the over-the-wire PCP protocol which now support higher resolution timestamps.
The grafana
package was rebased to version 7.5.9
The grafana
package has been rebased to version 7.5.9. Notable changes include:
- New time series panel (beta)
- New pie chart panel (beta)
- Alerting support for Loki
- Multiple new query transformations
For more information, see What’s New in Grafana v7.4, What’s New in Grafana v7.5.
The grafana-pcp
package was rebased to 3.1.0
The grafana-pcp
package has been rebased to version 3.1.0. Notable changes include:
- Performance Co-Pilot (PCP) Vector Checklist dashboards use a new time series panel, show units in graphs, and contain updated help texts.
-
Adding
pmproxy
URL andhostspec
variables to PCP Vector Host Overview and PCP Checklist dashboards. - All dashboards display datasource selection.
- Marking all included dashboards as readonly.
- Adding compatibility with Grafana 8.
grafana-container
rebased to version 7.5.9
The rhel8/grafana
container image provides Grafana. Notable changes include:
-
The
grafana
package is now updated to version 7.5.9. -
The
grafana-pcp
package is now updated to version 3.1.0. -
The container now supports the
GF_INSTALL_PLUGINS
environment variable to install custom Grafana plugins at container startup
The rebase updates the rhel8/grafana
image in the Red Hat Container Registry.
To pull this container image, execute the following command:
# podman pull registry.redhat.io/rhel8/grafana
pcp-container
rebased to version 5.3.1
The rhel8/pcp
container image provides Performance Co-Pilot. The pcp-container
package has been upgraded to version 5.3.1. Notable changes include:
-
The
pcp
package is now updated to version 5.3.1.
The rebase updates the rhel8/pcp
image in the Red Hat Container Registry.
To pull this container image, execute the following command:
# podman pull registry.redhat.io/rhel8/pcp
The new pcp-ss
PCP utility is now available
The pcp-ss
PCP utility reports socket statistics collected by the pmdasockets(1)
PMDA. The command is compatible with many of the ss
command line options and reporting formats. It also offers the advantages of local or remote monitoring in live mode and historical replay from a previously recorded PCP archive.
Power consumption metrics now available in PCP
The new pmda-denki
Performance Metrics Domain Agent (PMDA) reports metrics related to power consumption. Specifically, it reports:
- Consumption metrics based on Running Average Power Limit (RAPL) readings, available on recent Intel CPUs
- Consumption metrics based on battery discharge, available on systems which have a battery
(BZ#1629455)
4.13. Identity Management
IdM now supports new password policy options
With this update, Identity Management (IdM) supports additional libpwquality
library options:
--maxrepeat
- Specifies the maximum number of the same character in sequence.
--maxsequence
- Specifies the maximum length of monotonic character sequences (abcd).
--dictcheck
- Checks if the password is a dictionary word.
--usercheck
- Checks if the password contains the username.
Use the ipa pwpolicy-mod
command to apply these options. For example, to apply the user name check to all new passwords suggested by the users in the managers group:
*$ ipa pwpolicy-mod --usercheck=True managers*
If any of the new password policy options are set, then the minimum length of passwords is 6 characters regardless of the value of the --minlength
option. The new password policy settings are applied only to new passwords.
In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator will not be applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.
(JIRA:RHELPLAN-89566)
Improved the SSSD debug logging by adding a unique identifier tag for each request
As SSSD processes requests asynchronously, it is not easy to follow log entries for individual requests in the backend logs, as messages from different requests are added to the same log file. To improve the readability of debug logs, a unique request identifier is now added to log messages in the form of RID#<integer>
. This allows you to isolate logs pertaining to an individual request, and you can track requests from start to finish across log files from multiple SSSD components.
For example, the following sample output from an SSSD log file shows the unique identifiers RID#3 and RID#4 for two different requests:
(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_destructor] (0x0400): RID#3 Number of active DP request: 0 (2021-07-26 18:26:37): [be[testidm.com]] [dp_req_reply_std] (0x1000): RID#3 DP Request AccountDomain #3: Returning [Internal Error]: 3,1432158301,GetAccountDomain() not supported (2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 DP Request Account #4: REQ_TRACE: New request. sssd.nss CID #1 Flags [0x0001]. (2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 Number of active DP request: 1
(JIRA:RHELPLAN-92473)
IdM now supports the automember
and server
Ansible modules
With this update, the ansible-freeipa
package contains the ipaautomember
and ipaserver
modules:
-
Using the
ipaautomember
module, you can add, remove, and modify automember rules and conditions. As a result, future IdM users and hosts that meet the conditions will be assigned to IdM groups automatically. -
Using the
ipaserver
module, you can ensure various parameters of the presence or absence of a server in the IdM topology. You can also ensure that a replica is hidden or visible.
(JIRA:RHELPLAN-96640)
IdM performance baseline
With this update, a RHEL 8.5 IdM server with 4 CPUs and 8GB of RAM has been tested to successfully enroll 130 IdM clients simultaneously.
(JIRA:RHELPLAN-97145)
SSSD Kerberos cache performance has been improved
The System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service now includes the new operation KCM_GET_CRED_LIST
. This enhancement improves KCM performance by reducing the number of input and output operations while iterating through a credentials cache.
SSSD now logs backtraces by default
With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends them to log files when a failure occurs. By default, the following error levels trigger a backtrace:
- Level 0: fatal failures
- Level 1: critical failures
- Level 2: serious failures
You can modify this behavior for each SSSD process by setting the debug_level
option in the corresponding section of the sssd.conf
configuration file:
- If you set the debugging level to 0, only level 0 events trigger a backtrace.
- If you set the debugging level to 1, levels 0 and 1 trigger a backtrace.
- If you set the debugging level to 2 or higher, events at level 0 through 2 trigger a backtrace.
You can disable this feature per SSSD process by setting the debug_backtrace_enabled
option to false
in the corresponding section of sssd.conf
:
[sssd] debug_backtrace_enabled = true debug_level=0 ... [nss] debug_backtrace_enabled = false ... [domain/idm.example.com] debug_backtrace_enabled = true debug_level=2 ... ...
SSSD KCM now supports the auto-renewal of ticket granting tickets
With this enhancement, you can now configure the System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service to auto-renew ticket granting tickets (TGTs) stored in the KCM credential cache on an Identity Management (IdM) server. Renewals are only attempted when half of the ticket lifetime has been reached. To use auto-renewal, the key distribution center (KDC) on the IdM server must be configured to support renewable Kerberos tickets.
You can enable TGT auto-renewal by modifying the [kcm] section of the /etc/sssd/sssd.conf
file. For example, you can configure SSSD to check for renewable KCM-stored TGTs every 60 minutes and attempt auto-renewal if half of the ticket lifetime has been reached by adding the following options to the file:
[kcm] tgt_renewal = true krb5_renew_interval = 60m
Alternatively, you can configure SSSD to inherit krb5
options for renewals from an existing domain:
[kcm] tgt_renewal = true tgt_renewal_inherit = domain-name
For more information, see the Renewals
section of the sssd-kcm
man page.
samba rebased to version 4.14.4
The _samba_ packages have been upgraded to upstream version 4.14.4, which provides bug fixes and enhancements over the previous version:
- Publishing printers in Active Directory (AD) has increased reliability, and additional printer features have been added to the published information in AD. Also, Samba now supports Windows drivers for the ARM64 architecture.
-
The
ctdb isnotrecmaster
command has been removed. As an alternative, usectdb pnn
or thectdb recmaster
commands. -
The clustered trivial database (CTDB)
ctdb natgw master
andslave-only
parameters have been renamed toctdb natgw leader
andfollower-only
.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start Samba automatically updates its tdb
database files. Note that Red Hat does not support downgrading tdb
database files.
After updating Samba, verify the /etc/samba/smb.conf
file using the testparm
utility.
For further information about notable changes, read the upstream release notes before updating.
The dnaInterval
configuration attribute is now supported
With this update, Red Hat Directory Server supports setting the dnaInterval
attribute of the Distributed Numeric Assignment (DNA) plug-in in the cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
entry. The DNA plug-in generates unique values for specified attributes. In a replication environment, servers can share the same range. To avoid overlaps on different servers, you can set the dnaInterval
attribute to skip some values. For example, if the interval is 3
and the first number in the range is 1
, the next number used in the range is 4
, then 7
, then 10
.
For further details, see the dnaInterval parameter description.
Directory Server rebased to version 1.4.3.27
The 389-ds-base
packages have been upgraded to upstream version 1.4.3.27, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-24.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-23.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-22.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-21.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-20.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-19.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-18.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-3-17.html
Directory Server now supports temporary passwords
This enhancement enables administrators to configure temporary password rules in global and local password policies. With these rules, you can configure that, when an administrator resets the password of a user, the password is temporary and only valid for a specific time and for a defined number of attempts. Additionally, you can configure that the expiration time does not start directly when the administrator changes the password. As a result, Directory Server allows the user only to authenticate using the temporary password for a finite period of time or attempts. Once the user authenticates successfully, Directory Server allows this user only to change its password.
(BZ#1626633)
IdM KDC now issues Kerberos tickets with PAC information to increase security
With this update, to increase security, RHEL Identity Management (IdM) now issues Kerberos tickets with Privilege Attribute Certificate (PAC) information by default in new deployments. A PAC has rich information about a Kerberos principal, including its Security Identifier (SID), group memberships, and home directory information. As a result, Kerberos tickets are less susceptible to manipulation by malicious servers.
SIDs, which Microsoft Active Directory (AD) uses by default, are globally unique identifiers that are never reused. SIDs express multiple namespaces: each domain has a SID, which is a prefix in the SID of each object.
Starting with RHEL 8.5, when you install an IdM server or replica, the installation script generates SIDs for users and groups by default. This allows IdM to work with PAC data. If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you may not have generated SIDs for your IdM objects. For more information about generating SIDs for your IdM objects, see Enabling Security Identifiers (SIDs) in IdM.
By evaluating PAC information in Kerberos tickets, you can control resource access with much greater detail. For example, the Administrator
account in one domain has a uniquely different SID than the Administrator
account in any other domain. In an IdM environment with a trust to an AD domain, you can set access controls based on globally unique SIDs rather than simple user names or UIDs that might repeat in different locations, such as every Linux root
account having a UID of 0.
(Jira:RHELPLAN-159143)
Directory Server provides monitoring settings that can prevent database corruption caused by lock exhaustion
This update adds the nsslapd-db-locks-monitoring-enable
parameter to the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
entry. If it is enabled, which is the default, Directory Server aborts all of the searches if the number of active database locks is higher than the percentage threshold configured in nsslapd-db-locks-monitoring-threshold
. If an issue is encountered, the administrator can increase the number of database locks in the nsslapd-db-locks
parameter in the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
entry. This can prevent data corruption. Additionally, the administrator now can set a time interval in milliseconds that the thread sleeps between the checks.
For further details, see the parameter descriptions in the Red Hat Directory Server Configuration, Command, and File Reference.
Directory Server can exclude attributes and suffixes from the retro changelog database
This enhancement adds the nsslapd-exclude-attrs
and nsslapd-exclude-suffix
parameters to Directory Server. You can set these parameters in the cn=Retro Changelog Plugin,cn=plugins,cn=config
entry to exclude certain attributes or suffixes from the retro changelog database.
Directory Server supports the entryUUID
attribute
With this enhancement, Directory Server supports the entryUUID
attribute to be compliant with RFC 4530. For example, with support for entryUUID
, migrations from OpenLDAP are easier. By default, Directory Server adds the entryUUID
attribute only to new entries. To manually add it to existing entries, use the dsconf <instance_name> plugin entryuuid fixup
command.
(BZ#1944494)
Added a new message to help set up nsSSLPersonalitySSL
Previously, many times happened that RHDS instance failed to start if the TLS certificate nickname didn’t match the value of the configuration parameter nsSSLPersonalitySSL
. This mismatch happened when customer copy the NSS DB from a previous instance or export the certificate’s data but forget to set the nsSSLPersonalitySSL
value accordingly. With this update, you can see log an additional message which should help a user to set up nsSSLPersonalitySSL
correctly.
4.14. Desktop
You can now connect to network at the login screen
With this update, you can now connect to your network and configure certain network options at the GNOME Display Manager (GDM) login screen. As a result, you can log in as an enterprise user whose home directory is stored on a remote server.
The login screen supports the following network options:
- Wired network
- Wireless network, including networks protected by a password
- Virtual Private Network (VPN)
The login screen cannot open windows for additional network configuration. As a consequence, you cannot use the following network options at the login screen:
- Networks that open a captive portal
- Modem connections
- Wireless networks with enterprise WPA or WPA2 encryption that have not been preconfigured
The network options at the login screen are disabled by default. To enable the network settings, use the following procedure:
Create the
/etc/polkit-1/rules.d/org.gnome.gdm.rules
file with the following content:polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.NetworkManager.network-control" && subject.user == "gdm") { return polkit.Result.YES; } return polkit.Result.NOT_HANDLED; });
Restart GDM:
# systemctl restart gdm
WarningRestarting GDM terminates all your graphical user sessions.
- At the login screen, access the network settings in the menu on the right side of the top panel.
Displaying the system security classification at login
You can now configure the GNOME Display Manager (GDM) login screen to display an overlay banner that contains a predefined message. This is useful for deployments where the user is required to read the security classification of the system before logging in.
To enable the overlay banner and configure a security classification message, use the following procedure:
Install the
gnome-shell-extension-heads-up-display
package:# yum install gnome-shell-extension-heads-up-display
Create the
/etc/dconf/db/gdm.d/99-hud-message
file with the following content:[org/gnome/shell] enabled-extensions=['heads-up-display@gnome-shell-extensions.gcampax.github.com'] [org/gnome/shell/extensions/heads-up-display] message-heading="Security classification title" message-body="Security classification description"
Replace the following values with text that describes the security classification of your system:
- Security classification title
- A short heading that identifies the security classification.
- Security classification description
- A longer message that provides additional details, such as references to various guidelines.
Update the
dconf
database:# dconf update
- Reboot the system.
Flicker free boot is available
You can now enable flicker free boot on your system. When flicker free boot is enabled, it eliminates abrupt graphical transitions during the system boot process, and the display does not briefly turn off during boot.
To enable flicker free boot, use the following procedure:
Configure the boot loader menu to hide by default:
# grub2-editenv - set menu_auto_hide=1
Update the boot loader configuration:
On UEFI systems:
# grub2-mkconfig -o /etc/grub2-efi.cfg
On legacy BIOS systems:
# grub2-mkconfig -o /etc/grub2.cfg
- Reboot the system.
As a result, the boot loader menu does not display during system boot, and the boot process is graphically smooth.
To access the boot loader menu, repeatedly press Esc after turning on the system.
(JIRA:RHELPLAN-99148)
Updated support for emoji
This release updates support for Unicode emoji characters from version 11 to version 13 of the emoji standard. As a result, you can now use more emoji characters on RHEL.
The following packages that provide emoji functionality have been rebased:
Package | Previous version | Rebased to version |
---|---|---|
| 33.1.0 | 38 |
| 20180508 | 20200723 |
| 10.90.20180207 | 13.0 |
(JIRA:RHELPLAN-61867)
You can set a default desktop session for all users
With this update, you can now configure a default desktop session that is preselected for all users that have not logged in yet.
If a user logs in using a different session than the default, their selection persists to their next login.
To configure the default session, use the following procedure:
Copy the configuration file template:
# cp /usr/share/accountsservice/user-templates/standard \ /etc/accountsservice/user-templates/standard
-
Edit the new
/etc/accountsservice/user-templates/standard
file. On theSession=gnome
line, replacegnome
with the session that you want to set as the default. Optional: To configure an exception to the default session for a certain user, follow these steps:
Copy the template file to
/var/lib/AccountsService/users/user-name
:# cp /usr/share/accountsservice/user-templates/standard \ /var/lib/AccountsService/users/user-name
-
In the new file, replace variables such as
${USER}
and${ID}
with the user values. -
Edit the
Session
value.
(BZ#1812788)
4.15. Graphics infrastructures
Support for new GPUs
The following new GPUs are now supported.
Intel graphics:
Alder Lake-S (ADL-S)
Support for Alder Lake-S graphics is disabled by default. To enable it, add the following option to the kernel command line:
i915.force_probe=PCI_ID
Replace PCI_ID with either the PCI device ID of your Intel GPU, or with the
*
character to enable support for all alpha-quality hardware that uses thei915
driver.- Elkhart Lake (EHL)
- Comet Lake Refresh (CML-R) with the TGP Platform Controller Hub (PCH)
AMD graphics:
- Cezzane and Barcelo
- Sienna Cichlid
- Dimgrey Cavefish
(JIRA:RHELPLAN-99040, BZ#1784132, BZ#1784136, BZ#1838558)
The Wayland session is available with the proprietary NVIDIA driver
The proprietary NVIDIA driver now supports hardware accelerated OpenGL and Vulkan rendering in Xwayland. As a result, you can now enable the GNOME Wayland session with the proprietary NVIDIA driver. Previously, only the legacy X11 session was available with the driver. X11 remains as the default session to avoid a possible disruption when updating from a previous version of RHEL.
To enable Wayland with the NVIDIA proprietary driver, use the following procedure:
Enable Direct Rendering Manager (DRM) kernel modesetting by adding the following option to the kernel command line:
nvidia-drm.modeset=1
For details on enabling kernel options, see Configuring kernel command-line parameters.
Reboot the system.
The Wayland session is now available at the login screen.
- Optional: To avoid the loss of video allocations when suspending or hibernating the system, enable the power management option with the driver. For details, see Configuring Power Management Support.
For the limitations related to the use of DRM kernel modesetting in the proprietary NVIDIA driver, see Direct Rendering Manager Kernel Modesetting (DRM KMS).
(JIRA:RHELPLAN-99049)
Improvements to GPU support
The following new GPU features are now enabled:
- Panel Self Refresh (PSR) is now enabled for Intel Tiger Lake and later graphics, which improves power consumption.
- Intel Tiger Lake, Ice Lake, and later graphics can now use High Bit Rate 3 (HBR3) mode with the DisplayPort Multi-Stream Transport (DP-MST) transmission method. This enables support for certain display capabilities with docks.
- Modesetting is now enabled on NVIDIA Ampere GPUs. This includes the following models: GA102, GA104, and GA107, including hybrid graphics systems.
- Most laptops with Intel integrated graphics and an NVIDIA Ampere GPU can now output to external displays using either GPU.
(JIRA:RHELPLAN-99043)
Updated graphics drivers
The following graphics drivers have been updated:
-
amdgpu
-
ast
-
i915
-
mgag2000
-
nouveau
-
vmwgfx
-
vmwgfx
- The Mesa library
- Vulkan packages
(JIRA:RHELPLAN-99044)
Intel Tiger Lake graphics are fully supported
Intel Tiger Lake UP3 and UP4 Xe graphics, which were previously available as a Technology Preview, are now fully supported. Hardware acceleration is enabled by default on these GPUs.
(BZ#1783396)
4.16. Red Hat Enterprise Linux system roles
Users can configure the maximum root distance using the timesync_max_distance
parameter
With this update, the timesync
RHEL system role is able to configure the tos maxdist
of ntpd
and the maxdistance
parameter of the chronyd
service using the new timesync_max_distance
parameter. The timesync_max_distance
parameter configures the maximum root distance to accept measurements from Network Time Protocol (NTP) servers. The default value is 0, which keeps the provider-specific defaults.
Elasticsearch can now accept lists of servers
Previously, the server_host
parameter in Elasticsearch output for the Logging RHEL system role accepted only a string value for a single host. With this enhancement, it also accepts a list of strings to support multiple hosts. As a result, you can now configure multiple Elasticsearch hosts in one Elasticsearch output dictionary.
Network Time Security (NTS) option added to the timesync
RHEL system role
The nts
option was added to the timesync
RHEL system role to enable NTS on client servers. NTS is a new security mechanism specified for Network Time Protocol (NTP), which can secure synchronization of NTP clients without client-specific configuration and can scale to large numbers of clients. The NTS
option is supported only with the chrony
NTP provider in version 4.0 and later.
The SSHD RHEL system role now supports non-exclusive configuration snippets
With this feature, you can configure SSHD through different roles and playbooks without rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use the SSHD RHEL system role from a different role, if you need to configure only a small part of the configuration and not the entire configuration file.
The SELinux
role can now manage SELinux modules
The SElinux
RHEL system role has the ability to manage SELinux modules. With this update, users can provide their own custom modules from .pp
or .cil
files, which allows for a more flexible SELinux policy management.
Users can manage the chrony
interleaved mode, NTP filtering, and hardware timestamping
With this update, the timesync
RHEL system role enables you to configure the Network Time Protocol (NTP) interleaved mode, additional filtering of NTP measurements, and hardware timestamping. The chrony
package of version 4.0 adds support for these functionalities to achieve a highly accurate and stable synchronization of clocks in local networks.
-
To enable the NTP interleaved mode, make sure the server supports this feature, and set the
xleave
option toyes
for the server in thetimesync_ntp_servers
list. The default value isno
. -
To set the number of NTP measurements per clock update, set the
filter
option for the NTP server you are configuring. The default value is1
. -
To set the list of interfaces which should have hardware timestamping enabled for NTP, use the
timesync_ntp_hwts_interfaces
parameter. The special value["*"]
enables timestamping on all interfaces that support it. The default is[]
.
timesync
role enables customization settings for chrony
Previously, there was no way to provide customized chrony configuration using the timesync
role. This update adds the timesync_chrony_custom_settings
parameter, which enables users to to provide customized settings for chrony, such as:
timesync_chrony_custom_settings: - "logdir /var/log/chrony" - "log measurements statistics tracking"
timesync
role supports hybrid end-to-end delay mechanisms
With this enhancement, you can use the new hybrid_e2e option
in timesync_ptp_domains
to enable hybrid end-to-end delay mechanisms in the timesync
role. The hybrid end-to-end delay mechanism uses unicast delay requests, which are useful to reduce multicast traffic in large networks.
ethtool
now supports reducing the packet loss rate and latency
Tx or Rx buffers are memory spaces allocated by a network adapter to handle traffic bursts. Properly managing the size of these buffers is critical to reduce the packet loss rate and achieve acceptable network latency.
The ethtool
utility now reduces the packet loss rate or latency by configuring the ring
option of the specified network device.
The list of supported ring
parameters is:
-
rx
- Changes the number of ring entries for the Rx ring. -
rx-jumbo
- Changes the number of ring entries for the Rx Jumbo ring. -
rx-mini
- Changes the number of ring entries for the Rx Mini ring. -
tx
- Changes the number of ring entries for the Tx ring.
New ipv6_disabled
parameter is now available
With this update, you can now use the ipv6_disabled
parameter to disable ipv6 when configuring addresses.
RHEL system roles now support VPN management
Previously, it was difficult to set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more easily across large numbers of hosts. As a result, you have a consistent and stable configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles project.
The storage
RHEL system role now supports filesystem
relabel
Previously, the storage
role did not support relabelling. This update fixes the issue, providing support to relabel the filesystem
label. To do this, set a new label string to the fs_label
parameter in storage_volumes
.
Support for volume sizes expressed as a percentage is available in the storage
system role
This enhancement adds support to the storage
RHEL system role to express LVM volume sizes as a percentage of the pool’s total size. You can specify the size of LVM volumes as a percentage of the pool/VG size, for example: 50%
in addition to the human-readable size of the file system, for example, 10g
, 50 GiB
.
New Ansible Role for Microsoft SQL Server Management
The new microsoft.sql.server
role is designed to help IT and database administrators automate processes involved with setup, configuration, and performance tuning of SQL Server on Red Hat Enterprise Linux.
RHEL system roles do not support Ansible 2.8
With this update, support for Ansible 2.8 is no longer supported because the version is past the end of the product life cycle. The RHEL system roles support Ansible 2.9.
The postfix
role of RHEL system roles is fully supported
Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.
The rhel-system-roles
packages are distributed through the AppStream repository.
As of RHEL 8.5, the postfix
role is fully supported.
For more information, see the Knowledgebase article about RHEL system roles.
4.17. Virtualization
Enhancements to managing virtual machines in the web console
The Virtual Machines (VM) section of the RHEL 8 web console has been redesigned for a better user experience. In addition, the following changes and features have also been introduced:
- A single page now includes all the relevant VM information, such as VM status, disks, networks, or console information.
- You can now live migrate a VM using the web console
- The web console now allows editing the MAC address of a VM’s network interface
- You can use the web console to view a list of host devices attached to a VM
(JIRA:RHELPLAN-79074)
zPCI device assignment
It is now possible to attach zPCI devices as mediated devices to virtual machines (VMs) hosted on RHEL 8 running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.
(JIRA:RHELPLAN-59528)
4.18. Supportability
sos
rebased to version 4.1
The sos
package has been upgraded to version 4.1, which provides multiple bug fixes and enhancements. Notable enhancements include:
-
Red Hat Update Infrastructure (
RHUI
) plugin is now natively implemented in thesos
package. With therhui-debug.py
python binary,sos
can collect reports fromRHUI
including, for example, the main configuration file, therhui-manager
log file, or the installation configuration. -
sos
introduces the--cmd-timeout
global option that sets manually a timeout for a command execution. The default value (-1) defers to the general command timeout, which is 300 seconds.
4.19. Containers
Default container image signature verification is now available
Previously, the policy YAML files for the Red Hat Container Registries had to be manually created in the /etc/containers/registries.d/
directory. Now, the registry.access.redhat.com.yaml
and registry.redhat.io.yaml
files are included in the containers-common
package. You can now use the podman image trust
command to verify the container image signatures on RHEL.
(JIRA:RHELPLAN-75166)
The container-tools:rhel8
module has been updated
The container-tools:rhel8
module, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.
(JIRA:RHELPLAN-76515)
The containers-common
package is now available
The containers-common
package has been added to the container-tools:rhel8
module. The containers-common
package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.
(JIRA:RHELPLAN-77542)
Native overlay file system support in the kernel is now available
The overlay file system support is now available from kernel 5.11. The non-root users will have native overlay performance even when running rootless (as a user). Thus, this enhancement provides better performance to non-root users who wish to use overlayfs without the need for bind mounting.
(JIRA:RHELPLAN-77241)
A podman
container image is now available
The registry.redhat.io/rhel8/podman
container image, previously available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman
container image is a containerized implementation of the podman
package. The podman
tool manages containers and images, volumes mounted into those containers, and pods made of groups of containers.
(JIRA:RHELPLAN-57941)
Universal Base Images are now available on Docker Hub
Previously, Universal Base Images were only available from the Red Hat container catalog. Now, Universal Base Images are also available from Docker Hub.
For more information, see Red Hat Brings Red Hat Universal Base Image to Docker Hub.
(JIRA:RHELPLAN-85064)
CNI plugins in Podman are now available
CNI plugins are now available to use in Podman rootless mode. The rootless networking commands now work without any other requirement on the system.
Podman has been updated to version 3.3.1
The Podman utility has been updated to version 3.3.1. Notable enhancements include:
-
Podman now supports restarting containers created with the
--restart
option after the system is rebooted. -
The
podman container checkpoint
andpodman container restore
commands now support checkpointing and restoring containers that are in pods and restoring those containers into pods. Further, thepodman container restore
command now supports the--publish
option to change ports forwarded to a container restored from an exported checkpoint.
(JIRA:RHELPLAN-87877)
The crun
OCI runtime is now available
The crun
OCI runtime is now available for the container-tools:rhel8
module. The crun
container runtime supports an annotation that enables the container to access the rootless user’s additional groups. This is useful for container operations when volume mounting in a directory where setgid is set, or where the user only has group access.
(JIRA:RHELPLAN-75164)
The podman
UBI image is now available
The registry.access.redhat.com/ubi8/podman is now available as a part of UBI.
(JIRA:RHELPLAN-77489)
The container-tools:rhel8
module has been updated
The container-tools:rhel8
module, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.
For more details, see the RHEA-2022:0352.
The ubi8/nodejs-16
and ubi8/nodejs-16-minimal
container images are now fully supported
The ubi8/nodejs-16
and ubi8/nodejs-16-minimal
container images, previously available as a Technology Preview, are fully supported with the release of the RHBA-2021:5260 advisory. These container images include Node.js 16.13
, which is a Long Term Support (LTS) version.