Chapter 4. New features

RHEL for Edge now supports a Simplified Installer

This enhancement enables Image Builder to build the RHEL for Edge Simplified Installer (edge-simplified-installer) and RHEL for Edge Raw Images (edge-raw-image).

Warnings for deprecated kernel boot arguments

Anaconda boot arguments without the inst. prefix (for example, ks, stage2, repo and so on) are deprecated starting RHEL7. These arguments will be removed in the next major RHEL release.

Red Hat Connector is now fully supported

You can connect the system using Red Hat Connector (rhc). Red Hat Connector consists of a command-line interface and a daemon that allow users to execute Insights remediation playbook directly on their host within the web user interface of Insights (console.redhat.com). Red Hat Connector was available as a Technology Preview in RHEL 8.4 and as of RHEL 8.5, it is fully supported.

Ability to override official repositories available

By default, the osbuild-composer backend has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories directory. Consequently, it does not inherit the system repositories located in the /etc/yum.repos.d/ directory. You can now override the official repositories. To do that, define overrides in the /etc/osbuild-composer/repositories and, as a result, the files located there take precedence over those in the /usr directory.

Image Builder now supports filesystem configuration

With this enhancement, you can specify custom filesystem configuration in your blueprints and you can create images with the desired disk layout. As a result, by having non-default layouts, you can benefit from security benchmarks, consistency with existing setups, performance, and protection against out-of-disk errors.

Image Builder now supports creating bootable installer images

With this enhancement, you can use Image Builder to create bootable ISO images that consist of a tarball file, which contains a root file system. As a result, you can use the bootable ISO image to install the tarball file system to a bare metal system.

Greenboot services now enabled by default

Previously, the greenboot services were not present in the default presets so, when the greenboot package was installed, users had to manually enable these greenboot services. With this update, the greenboot services are now present in the default presets configuration and users are no longer required to manually enable it.

RPM now has read-only support for the sqlite database backend

The ability to query an RPM database based on sqlite may be desired when inspecting other root directories, such as containers.This update adds read-only support for the RPM sqlite database backend. As a result, it is now possible to query packages installed in a UBI 9 or Fedora container from the host RHEL 8. To do that with Podman:

libmodulemd rebased to version 2.12.1

The libmodulemd packages have been rebased to version 2.12.1. Notable changes include:

libmodulemd rebased to version 2.13.0

The libmodulemd packages have been rebased to version 2.13.0, which provides the following notable changes over the previous version:

sslverifystatus has been added to dnf configuration

With this update, when sslverifystatus option is enabled, dnf checks each server certificate revocation status using the Certificate Status Request TLS extension (OCSP stapling). As a result, when a revoked certificate is encountered, dnf refuses to download from its server.

ReaR has been updated to version 2.6

Relax-and-Recover (ReaR) has been updated to version 2.6. Notable bug fixes and enhancements include:

The modulemd-tools package is now available

With this update, the modulemd-tools package has been introduced which provides tools for parsing and generating modulemd YAML files.

opencryptoki rebased to version 3.16.0

opencryptoki has been upgraded to version 3.16.0. Notable bug fixes and enhancements include:

lsvpd rebased to version 1.7.12

lsvpd has been upgraded to version 1.7.12. Notable bug fixes and enhancements include:

ppc64-diag rebased to version 2.7.7

ppc64-diag has been upgraded to version 2.7.7. Notable bug fixes and enhancements include:

The ipmi_power and ipmi_boot modules are available in the redhat.rhel_mgmt Collection

This update provides support to the Intelligent Platform Management Interface (IPMI) Ansible modules. IPMI is a specification for a set of management interfaces to communicate with baseboard management controller (BMC) devices. The IPMI modules - ipmi_power and ipmi_boot - are available in the redhat.rhel_mgmt Collection, which you can obtain by installing the ansible-collection-redhat-rhel_mgmt package.

udftools 2.3 are now added to RHEL

The udftools packages provide user-space utilities for manipulating Universal Disk Format (UDF) file systems. With this enhancement, udftools provides the following set of tools:

Tesseract 4.1.1 is now present in RHEL 8.5

Tesseract is an open-source OCR (optical character reading) engine and has the following features:

Errors when restoring LVM with thin pools do not happen anymore

With this enhancement, ReaR now detects when thin pools and other logical volume types with kernel metadata (for example, RAIDs and caches) are used in a volume group (VG) and switches to a mode where it recreates all the logical volumes (LVs) in the VG using lvcreate commands. Therefore, LVM with thin pools are restored without any errors.

Net-SNMP now detects RSA and ECC certificates

Previously, Net-Simple Network Management Protocol (Net-SNMP) detected only Rivest, Shamir, Adleman (RSA) certificates. This enhancement adds support for Elliptic Curve Cryptography (ECC). As a result, Net-SNMP now detects RSA and ECC certificates.

FCoE option is changed to rd.fcoe

Previously, the man page for dracut.cmdline documented rd.nofcoe=0 as the command to turn off Fibre Channel over Ethernet (FCoE).

linuxptp rebased to version 3.1

The linuxptp package has been updated to version 3.1. Notable bug fixes and enhancements include:

chrony rebased to version 4.1

chrony has been updated to version 4.1. Notable bug fixes and enhancements include:

PowerTop rebased to version 2.14

PowerTop has been upgraded to version 2.14. This is an update adding Alder Lake, Sapphire Rapids, and Rocket Lake platforms support.

TuneD now moves unnecessary IRQs to housekeeping CPUs

Network device drivers like i40e, iavf, mlx5, evaluate the online CPUs to determine the number of queues and hence the MSIX vectors to be created.

libreswan rebased to 4.4

The libreswan packages have been upgraded to upstream version 4.4, which introduces many enhancements and bug fixes. Most notably:

GnuTLS rebased to 3.6.16

The gnutls packages have been updated to version 3.6.16. Notable bug fixes and enhancements include:

socat rebased to 1.7.4

The socat packages have been upgraded from version 1.7.3 to 1.7.4, which provides many bug fixes and improvements. Most notably:

crypto-policies rebased to 20210617

The crypto-policies packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably:

crypto-policies now support AES-192 ciphers in custom policies

The system-wide cryptographic policies now support the following values for the cipher option in custom policies and subpolicies: AES-192-GCM, AES-192-CCM, AES-192-CTR, and AES-192-CBC. As a result, you can enable the AES-192-GCM and AES-192-CBC ciphers for the Libreswan application and the AES-192-CTR and AES-192-CBC ciphers for the libssh library and the OpenSSH suite through crypto-policies.

CBC ciphers disabled in the FUTURE cryptographic policy

This update of the crypto-policies packages disables ciphers that use cipher block chaining (CBC) mode in the FUTURE policy. The settings in FUTURE should withstand near-term future attacks, and this change reflects the current progress. As a result, system components respecting crypto-policies cannot use CBC mode when the FUTURE policy is active.

Adding new kernel AVC tracepoint

With this enhancement, a new avc:selinux_audited kernel tracepoint is added that triggers when an SELinux denial is to be audited. This feature allows for more convenient low-level debugging of SELinux denials. The new tracepoint is available for tools such as perf.

New ACSC ISM profile in the SCAP Security Guide

The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) compliance profile and a corresponding Kickstart file. With this enhancement, you can install a system that conforms with this security baseline and use the OpenSCAP suite for checking security compliance and remediation using the risk-based approach for security controls defined by ACSC.

SCAP Security Guide rebased to 0.1.57

The scap-security-guide packages have been rebased to upstream version 0.1.57, which provides several bug fixes and improvements. Most notably:

OpenSCAP rebased to 1.3.5

The OpenSCAP packages have been rebased to upstream version 1.3.5. Notable fixes and enhancements include:

Validation of digitally signed SCAP source data streams

To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP now validates digital signatures of digitally signed SCAP source data streams. As a result, OpenSCAP validates the digital signature when evaluating a digitally signed SCAP source data stream. The signature validation is performed automatically while loading the file. Data streams with invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the XML Security Library with the OpenSSL cryptography library to validate the digital signature.

New DISA STIG profile compatible with Server with GUI installations

A new profile, DISA STIG with GUI, has been added to the SCAP Security Guide. This profile is derived from the DISA STIG profile and is compatible with RHEL installations that selected the Server with GUI package group. The previously existing stig profile was not compatible with Server with GUI because DISA STIG demands uninstalling any Graphical User Interface. However, this can be overridden if properly documented by a Security Officer during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI aligned with the DISA STIG profile.

STIG security profile updated to version V1R3

The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP Security Guide has been updated to align with the latest version V1R3. The profile is now also more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA).

Three new CIS profiles in SCAP Security Guide

Three new compliance profiles aligned with the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark have been introduced to the SCAP Security Guide. The CIS RHEL 8 Benchmark provides different configuration recommendations for "Server" and "Workstation" deployments, and defines two levels of configuration, "level 1" and "level 2" for each deployment. The CIS profile previously shipped in RHEL8 represented only the "Server Level 2". The three new profiles complete the scope of the CIS RHEL8 Benchmark profiles, and you can now more easily evaluate your system against CIS recommendations.

Performance of remediations for Audit improved by grouping similar system calls

Previously, Audit remediations generated an individual rule for each system call audited by the profile. This led to large numbers of audit rules, which degraded performance. With this enhancement, remediations for Audit can group rules for similar system calls with identical fields together into a single rule, which improves performance.

Added profile for ANSSI-BP-028 High level

The ANSSI High level profile, based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. This completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels in the SCAP Security Guide. With the new profile, you can harden the system to the recommendations from ANSSI for GNU/Linux Systems at the High hardening level. As a result, you can configure and automate compliance of your RHEL 8 systems to the strictest hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.

OpenSSL added for encrypting Rsyslog TCP and RELP traffic

The OpenSSL network stream driver has been added to Rsyslog. This driver implements TLS-protected transport using the OpenSSL library. This provides additional functionality compared to the stream driver using the GnuTLS library. As a result, you can now use either OpenSSL or GnuTLS as an Rsyslog network stream driver.

Rsyslog rebased to 8.2102.0-5

The rsyslog packages have been rebased to upstream version 8.2102.0-5, which provides the following notable changes over the previous version:

Support for pause parameter of ethtool in NetworkManager

Non auto-pause parameters need to be set explicitly on a specific network interface in certain cases. Previously, NetworkManager could not pause the control flow parameters of ethtool in nmstate. To disable the auto negotiation of the pause parameter and enable RX/TX pause support explicitly, use the following command:

New property in NetworkManager for setting physical and virtual interfaces in promiscuous mode

With this update the 802-3-ethernet.accept-all-mac-addresses property has been added to NetworkManager for setting physical and virtual interfaces in the accept all MAC addresses mode. With this update, the kernel can accept network packages targeting current interfaces’ MAC address in the accept all MAC addresses mode. To enable accept all MAC addresses mode on eth1, use the following command:

NetworkManager rebased to version 1.32.10

The NetworkManager packages have been upgraded to upstream version 1.32.10, which provides a number of enhancements and bug fixes over the previous version.

NetworkManager now supports nftables as firewall back end

This enhancement adds support for the nftables firewall framework to NetworkManager. To switch the default back end from iptables to nftables:

firewalld rebased to version 0.9.3

The firewalld packages have been upgraded to upstream version 0.9.3, which provides a number of enhancements and bug fixes over the previous version.

The firewalld policy objects feature is now available

Previously, you could not use firewalld to filter traffic flowing between virtual machines, containers, and zones. With this update, the firewalld policy objects feature has been introduced, which provides forward and output filtering in firewalld.

Multipath TCP is now fully supported

Starting with RHEL 8.5, Multipath TCP (MPTCP) is fully supported. MPTCP improves resource usage within the network and resilience to network failure. For example, with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled can connect to an application running on the server and switch between Wi-Fi and cellular networks without interrupting the connection to the server.

Alternative network interface naming is now available in RHEL

Alternative interface naming is the RHEL kernel configuration, which provides the following networking benefits:

Kernel version in RHEL 8.5

Red Hat Enterprise Linux 8.5 is distributed with the kernel version 4.18.0-348.

EDAC for Intel Sapphire Rapids processors is now supported

This enhancement provides Error Detection And Correction (EDAC) device support for Intel Sapphire Rapids processors. EDAC mainly handles Error Code Correction (ECC) memory and detects and reports PCI bus parity errors.

The bpftrace package rebased to version 0.12.1

The bpftrace package has been upgraded to version 0.12.1, which provides multiple bug fixes and enhancements. Notable changes over previous versions include:

vmcore capture works as expected after CPU hot-add or hot-removal operations

Previously, on IBM POWER systems, after every CPU or memory hot-plug or removal operation, the CPU data on the device tree became stale unless the kdump.service is reloaded. To reload the latest CPU information, the kdump.service parses through the device nodes to fetch the CPU information. However, some of the CPU nodes are already lost during its hot-removal. Consequently, a race condition between the kdump.service reload and a CPU hot-removal happens at the same time and this may cause the dump to fail. A subsequent crash might then not capture the vmcore file.

The kdumpctl command now supports the new kdumpctl estimate utility

The kdumpctl command now supports the kdumpctl estimate utility. Based on the existing kdump configuration, kdumpctl estimate prints a suitable estimated value for kdump memory allocation.

IBM TSS 2.0 package rebased to 1.6.0

The IBM’s Trusted Computing Group (TCG) Software Stack (TSS) 2.0 binary package has been upgraded to 1.6.0. This update adds the IBM TSS 2.0 support on AMD64 and Intel 64 architecture.

The schedutil CPU frequency governor is now available on RHEL 8

The schedutil CPU governor uses CPU utilization data available on the CPU scheduler. schedutil is a part of the CPU scheduler and it can access the scheduler’s internal data structures directly. schedutil controls how the CPU would raise and lower its frequency in response to system load. You must manually select the schedutil frequency governor as it is not enabled as default.

The rt-tests suite rebased to rt-tests-2.1 upstream version

The rt-tests suite has been rebased to rt-tests-2.1 version, which provides multiple bug fixes and enhancements. The notable changes over the previous version include:

Intel® QuickAssist Technology Library (QATlib) was rebased to version 21.05

The qatlib package has been rebased to version 21.05, which provides multiple bug fixes and enhancements. Notable changes include:

xfs_quota state command now outputs all grace times when multiple quota types are specified

The xfs_quota state command now outputs grace times for multiple quota types specified on the command line. Previously, only one was shown even if more than one of -g, -p, or -u was specified.

-H option added to the rpc.gssd daemon and the set-home option added to the /etc/nfs.conf file

This patch adds the -H option to rpc.gssd and the set-home option into /etc/nfs.conf, but does not change the default behavior.

The storage RHEL system role now supports LVM VDO volumes

Virtual Data Optimizer (VDO) helps to optimize usage of the storage volumes. With this enhancement, administrators can use the storage system role to manage compression and deduplication on Logical Manager Volumes (LVM) VDO volumes.

Local mode version of pcs cluster setup command is now fully supported

By default, the pcs cluster setup command automatically synchronizes all configuration files to the cluster nodes. Since RHEL 8.3, the pcs cluster setup command has provided the --corosync-conf option as a Technology Preview. This feature is now fully supported in RHEL 8.5. Specifying this option switches the command to local mode. In this mode, the pcs command-line interface creates a corosync.conf file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf file in a script and handle that file by means of the script.

Ability to configure watchdog-only SBD for fencing on subset of cluster nodes

Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. That prevented using SBD in a cluster where some nodes support it but other nodes (often remote nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup using the new fence_watchdog agent, which allows cluster configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other fencing types. A cluster may only have a single such device, and it must be named watchdog.

New pcs command to update SCSI fencing device without causing restart of all other resources

Updating a SCSI fencing device with the pcs stonith update command causes a restart of all resources running on the same node where the stonith resource was running. The new pcs stonith update-scsi-devices command allows you to update SCSI devices without causing a restart of other cluster resources.

New reduced output display option for pcs resource safe-disable command

The pcs resource safe-disable and pcs resource disable --safe commands print a lengthy simulation result after an error report. You can now specify the --brief option for those commands to print errors only. The error report now always contains resource IDs of affected resources.

pcs now accepts Promoted and Unpromoted as role names

The pcs command-line interface now accepts Promoted and Unpromoted anywhere roles are specified in Pacemaker configuration. These role names are the functional equivalent of the Master and Slave Pacemaker roles. Master and Slave remain the names for these roles in configuration displays and help text.

New pcs resource status display commands

The pcs resource status and the pcs stonith status commands now support the following options:

New LVM volume group flag to control autoactivation

LVM volume groups now support a setautoactivation flag which controls whether logical volumes that you create from a volume group will be automatically activated on startup. When creating a volume group that will be managed by Pacemaker in a cluster, set this flag to n with the vgcreate --setautoactivation n command for the volume group to prevent possible data corruption. If you have an existing volume group used in a Pacemaker cluster, set the flag with vgchange --setautoactivation n.

The nodejs:16 module stream is now fully supported

The nodejs:16 module stream, previously available as a Technology preview, is fully supported with the release of the RHSA-2021:5171 advisory. The nodejs:16 module stream now provides Node.js 16.13.1, which is a Long Term Support (LTS) version.

A new module stream: ruby:3.0

RHEL 8.5 introduces Ruby 3.0.2 in a new ruby:3.0 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.7 distributed with RHEL 8.3.

Changes in the default separator for the Python urllib parsing functions

To mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib library, the default separator for the urllib.parse.parse_qsl and urllib.parse.parse_qs functions is being changed from both ampersand (&) and semicolon (;) to only an ampersand.

The Python ipaddress module no longer allows zeros in IPv4 addresses

To mitigate CVE-2021-29921, the Python ipaddress module now rejects IPv4 addresses with leading zeros with an AddressValueError: Leading zeros are not permitted error.

The php:7.4 module stream rebased to version 7.4.19

The PHP scripting language, provided by the php:7.4 module stream, has been upgraded from version 7.4.6 to version 7.4.19. This update provides multiple security and bug fixes.

A new package: pg_repack

A new pg_repack package has been added to the postgresql:12 and postgresql:13 module streams. The pg_repack package provides a PostgreSQL extension that lets you remove bloat from tables and indexes, and optionally restore physical order of clustered indexes.

A new module stream: nginx:1.20

The nginx 1.20 web and proxy server is now available as the nginx:1.20 module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.18.

The squid:4 module stream rebased to version 4.15

The Squid proxy server, available in the squid:4 module stream, has been upgraded from version 4.11 to version 4.15. This update provides various bug and security fixes.

LVM system.devices file feature now available in RHEL 8

RHEL 8.5 introduces the LVM system.devices file feature. By creating a list of devices in the /etc/lvm/devices/system.devices file, you can select specific devices for LVM to recognize and use, and prevent LVM from using unwanted devices.

quota now supports HPE XFS

The quota utilities now provide support for the HPE XFS file system. As a result, users of HPE XFS can monitor and and manage user and group disk usage through quota utilities.

mutt rebased to version 2.0.7

The Mutt email client has been updated to version 2.0.7, which provides a number of enhancements and bug fixes.

Go Toolset rebased to version 1.16.7

Go Toolset has been upgraded to version 1.16.7. Notable changes include:

Rust Toolset rebased to version 1.54.0

Rust Toolset has been updated to version 1.54.0. Notable changes include:

LLVM Toolset rebased to version 12.0.1

LLVM Toolset has been upgraded to version 12.0.1. Notable changes include:

CMake rebased to version 3.20.2

CMake has been rebased from 3.18.2 to 3.20.2. To use CMake on a project that requires the version 3.20.2 or less, use the command cmake_minimum_required(version 3.20.2).

New GCC Toolset 11

GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

.NET updated to version 6.0

Red Hat Enterprise Linux 8.5 is distributed with .NET version 6.0. Notable improvements include:

GCC Toolset 11: GCC rebased to version 11.2

In GCC Toolset 11, the GCC package has been updated to version 11.2. Notable bug fixes and enhancements include:

GCC Toolset 11: dwz now supports DWARF 5

In GCC Toolset 11, the dwz tool now supports the DWARF Version 5 debugging format.

GCC Toolset 11: GCC now supports the AIA user interrupts

In GCC Toolset 11, GCC now supports the Accelerator Interfacing Architecture (AIA) user interrupts.

GCC Toolset 11: Generic SVE tuning defaults improved

In GCC Toolset 11, generic SVE tuning defaults have been improved on the 64-bit ARM architecture.

SystemTap rebased to version 4.5

The SystemTap package has been updated to version 4.5. Notable bug fixes and enhancements include:

elfutils rebased to version 0.185

The elfutils package has been updated to version 0.185. Notable bug fixes and enhancements include:

Valgrind rebased to version 3.17.0

The Valgrind package has been updated to version 3.17.0. Notable bug fixes and enhancements include:

Dyninst rebased to version 11.0.0

The Dyninst package has been updated to version 11.0.0. Notable bug fixes and enhancements include:

DAWR functionality improved in GDB on IBM POWER10

With this enhancement, new hardware watchpoint capabilities are now enabled for GDB on the IBM POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added.

GCC Toolset 11: GDB rebased to version 10.2

In GCC Toolset 11, the GDB package has been updated to version 10.2. Notable bug fixes and enhancements include:

GCC Toolset 11: SystemTap rebased to version 4.5

In GCC Toolset 11, the SystemTap package has been updated to version 4.5. Notable bug fixes and enhancements include:

GCC Toolset 11: elfutils rebased to version 0.185

In GCC Toolset 11, the elfutils package has been updated to version 0.185. Notable bug fixes and enhancements include:

GCC Toolset 11: Valgrind rebased to version 3.17.0

In GCC Toolset 11, the Valgrind package has been updated to version 3.17.0. Notable bug fixes and enhancements include:

GCC Toolset 11: Dyninst rebased to version 11.0.0

In GCC Toolset 11, the Dyninst package has been updated to version 11.0.0. Notable bug fixes and enhancements include:

PAPI library support for Fujitsu A64FX added

PAPI library support for Fujitsu A64FX has been added. With this feature, developers can collect hardware statistics.

The PCP package was rebased to 5.3.1

The Performance Co-Pilot (PCP) package has been rebased to version 5.3.1. This release includes bug fixes, enhancements, and new features. Notable changes include:

The grafana package was rebased to version 7.5.9

The grafana package has been rebased to version 7.5.9. Notable changes include:

The grafana-pcp package was rebased to 3.1.0

The grafana-pcp package has been rebased to version 3.1.0. Notable changes include:

grafana-container rebased to version 7.5.9

The rhel8/grafana container image provides Grafana. Notable changes include:

pcp-container rebased to version 5.3.1

The rhel8/pcp container image provides Performance Co-Pilot. The pcp-container package has been upgraded to version 5.3.1. Notable changes include:

The new pcp-ss PCP utility is now available

The pcp-ss PCP utility reports socket statistics collected by the pmdasockets(1) PMDA. The command is compatible with many of the ss command line options and reporting formats. It also offers the advantages of local or remote monitoring in live mode and historical replay from a previously recorded PCP archive.

Power consumption metrics now available in PCP

The new pmda-denki Performance Metrics Domain Agent (PMDA) reports metrics related to power consumption. Specifically, it reports:

IdM now supports new password policy options

With this update, Identity Management (IdM) supports additional libpwquality library options:

Improved the SSSD debug logging by adding a unique identifier tag for each request

As SSSD processes requests asynchronously, it is not easy to follow log entries for individual requests in the backend logs, as messages from different requests are added to the same log file. To improve the readability of debug logs, a unique request identifier is now added to log messages in the form of RID#<integer>. This allows you to isolate logs pertaining to an individual request, and you can track requests from start to finish across log files from multiple SSSD components.

IdM now supports the automember and server Ansible modules

With this update, the ansible-freeipa package contains the ipaautomember and ipaserver modules:

IdM performance baseline

With this update, a RHEL 8.5 IdM server with 4 CPUs and 8GB of RAM has been tested to successfully enroll 130 IdM clients simultaneously.

SSSD Kerberos cache performance has been improved

The System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service now includes the new operation KCM_GET_CRED_LIST. This enhancement improves KCM performance by reducing the number of input and output operations while iterating through a credentials cache.

SSSD now logs backtraces by default

With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends them to log files when a failure occurs. By default, the following error levels trigger a backtrace:

SSSD KCM now supports the auto-renewal of ticket granting tickets

With this enhancement, you can now configure the System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service to auto-renew ticket granting tickets (TGTs) stored in the KCM credential cache on an Identity Management (IdM) server. Renewals are only attempted when half of the ticket lifetime has been reached. To use auto-renewal, the key distribution center (KDC) on the IdM server must be configured to support renewable Kerberos tickets.

samba rebased to version 4.14.4

The _samba_ packages have been upgraded to upstream version 4.14.4, which provides bug fixes and enhancements over the previous version:

The _samba_ packages have been upgraded to upstream version 4.14.4, which provides bug fixes and enhancements over the previous version:

The dnaInterval configuration attribute is now supported

With this update, Red Hat Directory Server supports setting the dnaInterval attribute of the Distributed Numeric Assignment (DNA) plug-in in the cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config entry. The DNA plug-in generates unique values for specified attributes. In a replication environment, servers can share the same range. To avoid overlaps on different servers, you can set the dnaInterval attribute to skip some values. For example, if the interval is 3 and the first number in the range is 1, the next number used in the range is 4, then 7, then 10.

Directory Server rebased to version 1.4.3.27

The 389-ds-base packages have been upgraded to upstream version 1.4.3.27, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Directory Server now supports temporary passwords

This enhancement enables administrators to configure temporary password rules in global and local password policies. With these rules, you can configure that, when an administrator resets the password of a user, the password is temporary and only valid for a specific time and for a defined number of attempts. Additionally, you can configure that the expiration time does not start directly when the administrator changes the password. As a result, Directory Server allows the user only to authenticate using the temporary password for a finite period of time or attempts. Once the user authenticates successfully, Directory Server allows this user only to change its password.

IdM KDC now issues Kerberos tickets with PAC information to increase security

With this update, to increase security, RHEL Identity Management (IdM) now issues Kerberos tickets with Privilege Attribute Certificate (PAC) information by default in new deployments. A PAC has rich information about a Kerberos principal, including its Security Identifier (SID), group memberships, and home directory information. As a result, Kerberos tickets are less susceptible to manipulation by malicious servers.

Directory Server provides monitoring settings that can prevent database corruption caused by lock exhaustion

This update adds the nsslapd-db-locks-monitoring-enable parameter to the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry. If it is enabled, which is the default, Directory Server aborts all of the searches if the number of active database locks is higher than the percentage threshold configured in nsslapd-db-locks-monitoring-threshold. If an issue is encountered, the administrator can increase the number of database locks in the nsslapd-db-locks parameter in the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry. This can prevent data corruption. Additionally, the administrator now can set a time interval in milliseconds that the thread sleeps between the checks.

Directory Server can exclude attributes and suffixes from the retro changelog database

This enhancement adds the nsslapd-exclude-attrs and nsslapd-exclude-suffix parameters to Directory Server. You can set these parameters in the cn=Retro Changelog Plugin,cn=plugins,cn=config entry to exclude certain attributes or suffixes from the retro changelog database.

Directory Server supports the entryUUID attribute

With this enhancement, Directory Server supports the entryUUID attribute to be compliant with RFC 4530. For example, with support for entryUUID, migrations from OpenLDAP are easier. By default, Directory Server adds the entryUUID attribute only to new entries. To manually add it to existing entries, use the dsconf <instance_name> plugin entryuuid fixup command.

Added a new message to help set up nsSSLPersonalitySSL

Previously, many times happened that RHDS instance failed to start if the TLS certificate nickname didn’t match the value of the configuration parameter nsSSLPersonalitySSL. This mismatch happened when customer copy the NSS DB from a previous instance or export the certificate’s data but forget to set the nsSSLPersonalitySSL value accordingly. With this update, you can see log an additional message which should help a user to set up nsSSLPersonalitySSL correctly.

You can now connect to network at the login screen

With this update, you can now connect to your network and configure certain network options at the GNOME Display Manager (GDM) login screen. As a result, you can log in as an enterprise user whose home directory is stored on a remote server.

Displaying the system security classification at login

You can now configure the GNOME Display Manager (GDM) login screen to display an overlay banner that contains a predefined message. This is useful for deployments where the user is required to read the security classification of the system before logging in.

Flicker free boot is available

You can now enable flicker free boot on your system. When flicker free boot is enabled, it eliminates abrupt graphical transitions during the system boot process, and the display does not briefly turn off during boot.

Updated support for emoji

This release updates support for Unicode emoji characters from version 11 to version 13 of the emoji standard. As a result, you can now use more emoji characters on RHEL.

You can set a default desktop session for all users

With this update, you can now configure a default desktop session that is preselected for all users that have not logged in yet.

Support for new GPUs

The following new GPUs are now supported.

The Wayland session is available with the proprietary NVIDIA driver

The proprietary NVIDIA driver now supports hardware accelerated OpenGL and Vulkan rendering in Xwayland. As a result, you can now enable the GNOME Wayland session with the proprietary NVIDIA driver. Previously, only the legacy X11 session was available with the driver. X11 remains as the default session to avoid a possible disruption when updating from a previous version of RHEL.

Improvements to GPU support

The following new GPU features are now enabled:

Updated graphics drivers

The following graphics drivers have been updated:

Intel Tiger Lake graphics are fully supported

Intel Tiger Lake UP3 and UP4 Xe graphics, which were previously available as a Technology Preview, are now fully supported. Hardware acceleration is enabled by default on these GPUs.

Users can configure the maximum root distance using the timesync_max_distance parameter

With this update, the timesync RHEL system role is able to configure the tos maxdist of ntpd and the maxdistance parameter of the chronyd service using the new timesync_max_distance parameter. The timesync_max_distance parameter configures the maximum root distance to accept measurements from Network Time Protocol (NTP) servers. The default value is 0, which keeps the provider-specific defaults.

Elasticsearch can now accept lists of servers

Previously, the server_host parameter in Elasticsearch output for the Logging RHEL system role accepted only a string value for a single host. With this enhancement, it also accepts a list of strings to support multiple hosts. As a result, you can now configure multiple Elasticsearch hosts in one Elasticsearch output dictionary.

Network Time Security (NTS) option added to the timesync RHEL system role

The nts option was added to the timesync RHEL system role to enable NTS on client servers. NTS is a new security mechanism specified for Network Time Protocol (NTP), which can secure synchronization of NTP clients without client-specific configuration and can scale to large numbers of clients. The NTS option is supported only with the chrony NTP provider in version 4.0 and later.

The SSHD RHEL system role now supports non-exclusive configuration snippets

With this feature, you can configure SSHD through different roles and playbooks without rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use the SSHD RHEL system role from a different role, if you need to configure only a small part of the configuration and not the entire configuration file.

The SELinux role can now manage SELinux modules

The SElinux RHEL system role has the ability to manage SELinux modules. With this update, users can provide their own custom modules from .pp or .cil files, which allows for a more flexible SELinux policy management.

Users can manage the chrony interleaved mode, NTP filtering, and hardware timestamping

With this update, the timesync RHEL system role enables you to configure the Network Time Protocol (NTP) interleaved mode, additional filtering of NTP measurements, and hardware timestamping. The chrony package of version 4.0 adds support for these functionalities to achieve a highly accurate and stable synchronization of clocks in local networks.

timesync role enables customization settings for chrony

Previously, there was no way to provide customized chrony configuration using the timesync role. This update adds the timesync_chrony_custom_settings parameter, which enables users to to provide customized settings for chrony, such as:

timesync role supports hybrid end-to-end delay mechanisms

With this enhancement, you can use the new hybrid_e2e option in timesync_ptp_domains to enable hybrid end-to-end delay mechanisms in the timesync role. The hybrid end-to-end delay mechanism uses unicast delay requests, which are useful to reduce multicast traffic in large networks.

ethtool now supports reducing the packet loss rate and latency

Tx or Rx buffers are memory spaces allocated by a network adapter to handle traffic bursts. Properly managing the size of these buffers is critical to reduce the packet loss rate and achieve acceptable network latency.

New ipv6_disabled parameter is now available

With this update, you can now use the ipv6_disabled parameter to disable ipv6 when configuring addresses.

RHEL system roles now support VPN management

Previously, it was difficult to set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more easily across large numbers of hosts. As a result, you have a consistent and stable configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles project.

The storage RHEL system role now supports filesystem relabel

Previously, the storage role did not support relabelling. This update fixes the issue, providing support to relabel the filesystem label. To do this, set a new label string to the fs_label parameter in storage_volumes.

Support for volume sizes expressed as a percentage is available in the storage system role

This enhancement adds support to the storage RHEL system role to express LVM volume sizes as a percentage of the pool’s total size. You can specify the size of LVM volumes as a percentage of the pool/VG size, for example: 50% in addition to the human-readable size of the file system, for example, 10g, 50 GiB.

New Ansible Role for Microsoft SQL Server Management

The new microsoft.sql.server role is designed to help IT and database administrators automate processes involved with setup, configuration, and performance tuning of SQL Server on Red Hat Enterprise Linux.

RHEL system roles do not support Ansible 2.8

With this update, support for Ansible 2.8 is no longer supported because the version is past the end of the product life cycle. The RHEL system roles support Ansible 2.9.

The postfix role of RHEL system roles is fully supported

Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusion of Ansible Roles. This interface enables managing system configurations across multiple versions of Red Hat Enterprise Linux, as well as adopting new major releases.

Enhancements to managing virtual machines in the web console

The Virtual Machines (VM) section of the RHEL 8 web console has been redesigned for a better user experience. In addition, the following changes and features have also been introduced:

zPCI device assignment

It is now possible to attach zPCI devices as mediated devices to virtual machines (VMs) hosted on RHEL 8 running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.

sos rebased to version 4.1

The sos package has been upgraded to version 4.1, which provides multiple bug fixes and enhancements. Notable enhancements include:

Default container image signature verification is now available

Previously, the policy YAML files for the Red Hat Container Registries had to be manually created in the /etc/containers/registries.d/ directory. Now, the registry.access.redhat.com.yaml and registry.redhat.io.yaml files are included in the containers-common package. You can now use the podman image trust command to verify the container image signatures on RHEL.

The container-tools:rhel8 module has been updated

The container-tools:rhel8 module, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.

The containers-common package is now available

The containers-common package has been added to the container-tools:rhel8 module. The containers-common package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.

Native overlay file system support in the kernel is now available

The overlay file system support is now available from kernel 5.11. The non-root users will have native overlay performance even when running rootless (as a user). Thus, this enhancement provides better performance to non-root users who wish to use overlayfs without the need for bind mounting.

A podman container image is now available

The registry.redhat.io/rhel8/podman container image, previously available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman container image is a containerized implementation of the podman package. The podman tool manages containers and images, volumes mounted into those containers, and pods made of groups of containers.

Universal Base Images are now available on Docker Hub

Previously, Universal Base Images were only available from the Red Hat container catalog. Now, Universal Base Images are also available from Docker Hub.

CNI plugins in Podman are now available

CNI plugins are now available to use in Podman rootless mode. The rootless networking commands now work without any other requirement on the system.

Podman has been updated to version 3.3.1

The Podman utility has been updated to version 3.3.1. Notable enhancements include:

The crun OCI runtime is now available

The crun OCI runtime is now available for the container-tools:rhel8 module. The crun container runtime supports an annotation that enables the container to access the rootless user’s additional groups. This is useful for container operations when volume mounting in a directory where setgid is set, or where the user only has group access.

The podman UBI image is now available

The registry.access.redhat.com/ubi8/podman is now available as a part of UBI.

The container-tools:rhel8 module has been updated

The container-tools:rhel8 module, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.

The ubi8/nodejs-16 and ubi8/nodejs-16-minimal container images are now fully supported

The ubi8/nodejs-16 and ubi8/nodejs-16-minimal container images, previously available as a Technology Preview, are fully supported with the release of the RHBA-2021:5260 advisory. These container images include Node.js 16.13, which is a Long Term Support (LTS) version.