Chapter 4. New features

download PDF

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.6.

4.1. Installer and image creation

Image Builder supports customized file system partition on LVM

With this enhancement, if you have more than one partition, you can create images with a customized file system partition on LVM and resize those partitions at runtime. For that, you can specify a customized filesystem configuration in your blueprint and then create images with the desired disk layout. The default filesystem layout remains unchanged - if you use plain images without file system customization, the root partition is resized by cloud-init.


4.2. RHEL for Edge

RHEL for Edge now supports Greenboot built-in health checks by default

With this update, RHEL for Edge Greenboot now includes built-in health checks with watchdog feature to ensure that the hardware does not hang or freeze while rebooting. With that, you can benefit from the following features:

  • It makes it simple for watchdogs hardware users to adopt the built-in health checks
  • A set of default health checks that provide value for built-in OS components
  • The watchdog is now present as default presets, which makes it easy to enable or disable this feature
  • Ability to create custom health checks based on the already available health checks.


RHEL 8 rebased to rpm-ostree v2022.2

RHEL 8 is distributed with the rpm-ostree version v2022.2, which provides multiple bug fixes and enhancements. Notable changes include:

  • Kernel arguments can now be updated in an idempotent way, by using the new --append-if-missing and --delete-if-present kargs flags.
  • The Count Me feature from YUM is now fully disabled by default in all repo queries and will only be triggered by the corresponding rpm-ostree-countme.timer and rpm-ostree-countme.service units. See countme.
  • The post-processing logic can now process the user.ima IMA extended attribute. When an xattr extended attribute is found, the system automatically translates it to security.ima in the final OSTree package content.
  • The treefile file has a new repo-packages field. You can use it to pin a set of packages to a specific repository.
  • Ability to use modularity on the compose and client side.
  • Container images are now used as a compose target and also as an upgrade source.


4.3. Subscription management

Merged system purpose commands under subscription-manager syspurpose

Previously, there were multiple subscription-manager modules (addons, role, service-level, and usage) for setting attributes related to system purpose. These modules have been moved under the new subscription-manager syspurpose module.

The original subscription-manager modules (addons, role, service-level, and usage) are now deprecated. Additionally, the package (python3-syspurpose) that provides the syspurpose command line tool has been deprecated in RHEL 8.6. All the capabilities of this package are covered by the new subscription-manager syspurpose module.

This update provides a consistent way to view, set, and update all system purpose attributes using a single command of subscription-manager; this replaces all the existing system purpose commands with their equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole becomes subscription-manager syspurpose role --set SystemRole and so on.

For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS section in the subscription-manager man page.


4.4. Software management

The modulesync command is now available to replace certain workflows in RHEL 8

In Red Hat Enterprise Linux 8, modular packages cannot be installed without modular metadata. Previously, you could use the yum command to download packages, and then use the createrepo_c command to redistribute those packages.

This enhancement introduces the modulesync command to ensure the presence of modular metadata, which ensures package installability. This command downloads rpm packages from modules and creates a repository with modular metadata in a working directory.


A new --path CLI option is added to RPM

With this update, you can query packages by a file that is currently not installed using a new --path CLI option. This option is similar to the existing --file option, but matches packages solely based on the provided path. Note that the file at that path does not need to exist on disk.

The --path CLI option can be useful when a user excludes all documentation files at install time by using the --nodocs option with yum. In this case, by using the --path option, you can display the owning package of such an excluded file, whereas the --file option will not display the package because the requested file does not exist.


4.5. Shells and command-line tools

The lsvpd package rebased to version 1.7.13

The lsvpd package has been rebased to version 1.7.13. Notable bug fixes and enhancements include:

  • Added support for SCSI location code.
  • Fixed length of absolute path getDevTreePath in sysfstreecollector.


The net-snmp-cert gencert tool now uses the SHA512 encryption algorithm instead of SHA1

In order to increase security, the net-snmp-cert gencert tool has been updated to generate certificates using SHA512 encryption algorithm by default.


The dnn and text modules are available in the opencv package

The dnn module containing Deep Neural Networks for image classification inference and the text module for scene text detection and recognition are now available in the opencv package.


The powerpc-utils package rebased to version 1.3.9

The powerpc-utils package has been upgraded to version 1.3.9. Notable bug fixes, and enhancements include:

  • Increased log size to 1MB in drmgr.
  • Fixed checking HCNID array size at boot time.
  • Implemented autoconnect-slaves on HNV connections in hcnmgr.
  • Improved the HNV bond list connections in hcnmgr.
  • Uses hexdump from util-linux instead of xxd from vim in hcnmgr.
  • The hcn-init.service starts together with NetworkManager.
  • Fixed OF to logical FC lookup for multipath in ofpathname.
  • Fixed OF to logical lookup with partitions in ofpathname.
  • Fixed bootlist for multipath devices with more than 5 paths.
  • Introduced lparnumascore command to detect the NUMA affinity score for the running LPAR.
  • Added the -x option in lpartstat to enhance security.
  • Fixed ofpathname race with udev rename in hcnmgr.
  • Fixed qrydev in HNV, and removed lsdevinfo.


The powerpc-utils package now supports vNIC as a backup device

The powerpc-utils package now supports Virtual Network Interface cards (vNIC) as a backup vdevice for Hybrid Network Virtualization (HNV).


The opencryptoki package rebased to version 3.17.0

The opencryptoki package has been rebased to version 3.17.0. Notable bug fixes and enhancements include:

  • The p11sak tool offers a new function of listing keys.
  • Added support for OpenSSL 3.0.
  • Added support for event notifications.
  • Added SW fallbacks in ICA tokens.
  • The WebSphere Application Server no longer fails to start with the hardware crypto adapter enabled.
  • The opencryptoki.module was removed, and the p11-kit list-modules command no longer causes error messages.


Certain network interfaces and IP addresses can be excluded when creating a rescue image

You can use the EXCLUDE_IP_ADDRESSES variable to ignore certain IP addresses, and the EXCLUDE_NETWORK_INTERFACES variable to ignore certain network interfaces when creating a rescue image.

On servers with floating addresses, you need to stop the ReaR rescue environment from configuring floating addresses that are moved to a fail-over server until the original server is recovered. Otherwise, a conflict with the fail-over server would occur and cause a consequent disruption of the services running on the fail-over server. To prevent conflicts, you can perform the following actions in the ReaR configuration file /etc/rear/local.conf:

  • exclude the IP addresses in the ReaR by providing the EXCLUDE_IP_ADDRESSES variable as a bash array of addresses. For example: EXCLUDE_IP_ADDRESSES=( ),
  • exclude the network interfaces in the ReaR by providing the EXCLUDE_NETWORK_INTERFACES variable as a bash array of interfaces. For example: EXCLUDE_NETWORK_INTERFACES=( eno1d1 ).


4.6. Infrastructure services

New bind9.16 package version 9.16.23 introduced

A new bind9.16 package version 9.16.23 has been introduced as an alternative to bind component version 9.11.36. Notable enhancements include:

  • Introduced new Key and Signing Policy feature in DNSSEC.
  • Introduced the QNAME minimisation to improve privacy.
  • Introduced the validate-except feature to Permanent.
  • Negative Trust Anchors to temporarily disable DNSSEC validation.
  • Refactored the response policy zones (RPZ).
  • Introduced new naming conventions for zone types: primary and secondary zone types are used as synonyms to master and slave.
  • Introduced a supplementary YAML output mode of dig, mdig, and delv commands.
  • The filter-aaaa functionality was moved into separate filter-a and filter-aaaa plugins.
  • Introduced a new zone type mirror support (RFC 8806).

Removed features:

  • The dnssec-enabled option has been removed, DNSSEC is enabled by default, and the dnssec-enabled keywords are no longer accepted.
  • The lwresd lightweight resolver daemon, and liblwres lightweight resolver library have been removed.


CUPS is available as a container image

The Common Unix Printing System (CUPS) is now available as a container image, and you can deploy it from the Red Hat Container Catalog.


The bind component rebased to version 9.11.36

The bind component has been updated to version 9.11.36. Notable bug fixes and enhancements include:

  • Improved the lame-ttl option to be more secure.
  • A multiple threads bug affecting RBTDB instances no longer results in assertion failure in free_rbtdb().
  • Updated implementation of the ZONEMD RR type to match RFC 8976.
  • The maximum supported number of NSEC3 iterations has been reduced to 150. Records with more iterations are treated as insecure.
  • An invalid direction field in a LOC record no longer results in a failure.


CUPS driverless printing is available in CUPS Web UI

CUPS driverless printing, based on the IPP Everywhere model, is available in the CUPS Web UI. In addition to the lpadmin command used in the CLI, you can create an IPP Everywhere queue in the CUPS Web UI to print to network printers without special software.


4.7. Security

The pcsc-lite packages rebased to 1.9.5

The pcsc-lite packages have been rebased to upstream version 1.9.5. This update provides new enhancements and bug fixes, most notably:

  • The pcscd daemon no longer automatically exits after inactivity when started manually.
  • The pcsc-spy utility now supports Python 3 and a new --thread option.
  • Performance of the SCardEndTransaction() function has been improved.
  • The poll() function replaced the select() function, which allows file descriptor numbers higher than FD_SETSIZE.
  • Many memory leaks and concurrency problems have been fixed.


Crypto policies support diffie-hellman-group14-sha256

You can now use the diffie-hellman-group14-sha256 key exchange (KEX) algorithm for the libssh library in RHEL system-wide cryptographic policies. This update also provides parity with OpenSSH, which also supports this KEX algorithm. With this update, libssh has diffie-hellman-group14-sha256 enabled by default, but you can disable it by using a custom crypto policy.


OpenSSH servers now support drop-in configuration files

The sshd_config file supports the Include directive, which means you can include configuration files in another directory. This makes it easier to apply system-specific configurations on OpenSSH servers by using automation tools such as Ansible Engine. It is also more consistent with the capabilities of the ssh_config file. In addition, drop-in configuration files also make it easier to organize different configuration files for different uses, such as filter incoming connections.


sshd_config:ClientAliveCountMax=0 disables connection termination

Setting the SSHD configuration option ClientAliveCountMax to 0 now disables connection termination. This aligns the behavior of this option with the upstream. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by the ClientAliveInterval option.


libssh rebased to 0.9.6

The libssh package has been rebased to upstream version 0.9.6. This version provides bug fixes and enhancements, most notably:

  • Support for multiple identity files. The files are processed from the bottom to the top as listed in the ~/.ssh/config file.
  • Parsing of sub-second times in SFTP is fixed.
  • A regression of the ssh_channel_poll_timeout() function returning SSH_AGAIN unexpectedly is now fixed.
  • A possible heap-buffer overflow after key re-exchange is fixed.
  • A handshake bug when AEAD cipher is matched but there is no HMAC overlap is fixed.
  • Several memory leaks on error paths are fixed.


Libreswan rebased to 4.5

Libreswan has been rebased to upstream version 4.5. This version provides many bug fixes and enhancements, most notably:

  • Support of Internet Key Exchange version 2 (IKEv2) for Labeled IPsec.
  • Support for childless initiation of Internet Key Exchange (IKE) Security Association (SA).


New option to verify SELinux module checksums

With the newly added --checksum option to the semodule command, you can verify the versions of installed SELinux policy modules.

Because Common Intermediate Language (CIL) does not store module name and module version in the module itself, there previously was no simple way to verify that the installed module is the same version as the module which was supposed to be installed.

With the new command semodule -l --checksum, you receive a SHA256 hash of the specified module and can compare it with the checksum of the original file, which is faster than reinstalling modules.

Example of use:

# semodule -l --checksum | grep localmodule
localmodule sha256:db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd

# /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd  -


OpenSCAP can read local files

OpenSCAP can now consume local files instead of remote SCAP source data stream components. Previously, you could not perform a complete evaluation of SCAP source data streams containing remote components on systems that have no internet access. On these systems, OpenSCAP could not evaluate some of the rules in these data streams because the remote components needed to be downloaded from the internet. With this update, you can download and copy the remote SCAP source data stream components to the target system before performing the OpenSCAP scan and provide them to OpenSCAP by using the --local-files option with the oscap command.


SSG now scans and remediates rules for home directories and interactive users

OVAL content to check and remediate all existing rules related to home directories used by interactive users was added to the SCAP Security Guide (SSG) suite. Many benchmarks require verification of properties and content usually found within home directories of interactive users. Because the existence and the number of interactive users in a system may vary, there was previously no robust solution to cover this gap using the OVAL language. This update adds OVAL checks and remediations that detect local interactive users in a system and their respective home directories. As a result, SSG can safely check and remediate all related benchmark requirements.


SCAP rules now have a warning message to configure Audit log buffer for large systems

The SCAP rule xccdf_org.ssgproject.content_rule_audit_basic_configuration now displays a performance warning that suggests users of large systems where the Audit log buffer configured by this rule might be too small and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With this enhancement, users of large systems can stay compliant and have their Audit log buffer set correctly.


SSG now supports the /etc/security/faillock.conf file

This enhancement adds support for the /etc/security/faillock.conf file in SCAP Security Guide (SSG). With this update, SSG can assess and remediate the /etc/security/faillock.conf file for definition of pam_faillock settings. The authselect tool is also used to enable the pam_faillock module while ensuring the integrity of pam files. As a result, the assessment and remediation of the pam_faillock module is aligned with the latest versions and best practices.


SCAP Security Guide rebased to 0.1.60

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.60. This version provides various enhancements and bug fixes, most notably:

  • Rules hardening the PAM stack now use authselect as the configuration tool.
  • Tailoring files that define profiles which represent the differences between DISA STIG automated SCAP content and SCAP automated content (delta tailoring) are now supported.
  • The rule xccdf_org.ssgproject.content_enable_fips_mode now checks only whether the FIPS mode has been enabled properly. It does not guarantee that system components have undergone FIPS certification.


DISA STIG profile supports Red Hat Virtualization 4.4

The DISA STIG for Red Hat Enterprise Linux 8 profile version V1R5 has been enhanced to support Red Hat Virtualization 4.4. This profile aligns with the RHEL 8 Security Technical Implementation Guide (STIG) manual benchmark provided by the Defense Information Systems Agency (DISA). However, some configurations are not applied on hosts where Red Hat Virtualization (RHV) is installed because they prevent Red Hat Virtualization from installing and working properly.

When the STIG profile is applied on a Red Hat Virtualization Host (RHVH), on a self-hosted install (RHELH), or on a host with RHV Manager installed, the following rules result in 'notapplicable':

  • package_gss_proxy_removed
  • package_krb5-workstation_removed
  • package_tuned_removed
  • sshd_disable_root_login
  • sudo_remove_nopasswd
  • sysctl_net_ipv4_ip_forward
  • xwindows_remove_packages

Automatic remediation might render the system non-functional. Run the remediation in a test environment first.


OpenSCAP rebased to 1.3.6

The OpenSCAP packages have been rebased to upstream version 1.3.6. This version provides various bug fixes and enhancements, most notably:

  • You can provide local copies of remote SCAP source data stream components by using the --local-files option.
  • OpenSCAP accepts multiple --rule arguments to select multiple rules on the command line.
  • OpenSCAP allows skipping evaluation of some rules using the --skip-rule option.
  • You can restrict memory consumed by OpenSCAP probes by using the OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable.
  • OpenSCAP now supports the OSBuild Blueprint as a remediation type.


clevis-systemd no longer depends on nc

With this enhancement, the clevis-systemd package no longer depends on the nc package. The dependency did not work correctly when used with Extra Packages for Enterprise Linux (EPEL).


audit rebased to 3.0.7

The audit packages have been upgraded to version 3.0.7 which introduces many enhancements and bug fixes. Most notably:

  • Added sudoers to Audit base rules.
  • Added the --eoe-timeout option to the ausearch command and its analogous eoe_timeout option to auditd.conf file that specifies the value for end of event timeout, which impacts how ausearch parses co-located events.
  • Introduced a fix for the 'audisp-remote' plugin that used 100% of CPU capacity when the remote location was not available.


Audit now provides options for specifying the end of the event timeout

With this release, the ausearch tool supports the --eoe-timeout option, and the auditd.conf file contains the end_of_event_timeout option. You can use these options to specify the end of the event timeout to avoid problems with parsing co-located events. The default value for the end of the event timeout is set to two seconds.


Adding sudoers to Audit base rules

With this enhancement, the /etc/sudoers and the etc/sudoers.d/ directories are added to Audit base rules such as the Payment Card Industry Data Security Standard (PCI DSS) and the Operating Systems Protection Profile (OSPP). This increases the security by monitoring configuration changes in privileged areas such as sudoers.


Rsyslog includes the mmfields module for higher-performance operations and CEF

Rsyslog now includes the rsyslog-mmfields subpackage which provides the mmfields module. This is an alternative to using the property replacer field extraction, but in contrast to the property replacer, all fields are extracted at once and stored inside the structured data part. As a result, you can use mmfields particularly for processing field-based log formats, for example Common Event Format (CEF), and if you need a large number of fields or reuse specific fields. In these cases, mmfields has better performance than existing Rsyslog features.


libcap rebased to version 2.48

The libcap packages have been upgraded to upstream version 2.48, which provides a number of bug fixes and enhancements over the previous version, most notably:

  • Helper library for POSIX semantic system calls (libpsx)
  • Support for overriding system call functions
  • IAB abstraction for capability sets
  • Additional capsh testing features


fapolicyd rebased to 1.1

The fapolicyd packages have been upgraded to the upstream version 1.1, which contains many improvements and bug fixes. Most notable changes include the following:

  • The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. See the new fagenrules(8) man page for more details.
  • In addition to the /etc/fapolicyd/ file for marking files outside of the RPM database as trusted, you can now use the new /etc/fapolicyd/trust.d directory, which supports separating a list of trusted files into more files. You can also add an entry for a file by using the fapolicyd-cli -f subcommand with the --trust-file directive to these files. See the fapolicyd-cli(1) and man pages for more information.
  • The fapolicyd trust database now supports white spaces in file names.
  • fapolicyd now stores the correct path to an executable file when it adds the file to the trust database.


libseccomp rebased to 2.5.2

The libseccomp packages have been rebased to upstream version 2.5.2. This version provides bug fixes and enhancements, most notably:

  • Updated the syscall table for Linux to version v5.14-rc7.
  • Added the get_notify_fd() function to the Python bindings to get the notification file descriptor.
  • Consolidated multiplexed syscall handling for all architectures into one location.
  • Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures.
  • Changed the meaning of the SECCOMP_IOCTL_NOTIF_ID_VALID operation within the kernel.
  • Changed the libseccomp file descriptor notification logic to support the kernel’s previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID.


4.8. Networking

CleanUpModulesOnExit firewalld global configuration option is now available

Previously, when restarting or otherwise shutting down firewalld, firewalld recursively unloaded kernel modules. As a result, other packages attempting to use these modules or dependent modules would fail. With this upgrade, users can set the CleanUpModulesOnExit option to no to stop firewalld from unloading these kernel modules.


Restoring large nftables sets requires less memory

With this enhancement, the nftables framework requires significantly less memory when you restore large sets. The algorithm which prepares the netlink message has been improved, and, as a result, restoring a set can use up to 40% less memory.


The nmstate API now supports OVS-DPDK

This enhancement adds the schema for the Open vSwitch (OVS) Data Plane Development Kit (DPDK) to the nmstate API. As a result, you can use nmstate to configure OVS devices with DPDK ports.


The nmstate API now supports VLAN and QoS ID in SR-IOV virtual functions

This update enhances the nmstate API with support for local area network (VLAN) and quality of service (QoS) in single root I/O virtualization (SR-IOV) virtual functions. As a result, you can use nmstate to configure these features.


NetworkManager rebased to version 1.36.0

The NetworkManager packages have been upgraded to upstream version 1.36.0, which provides a number of enhancements and bug fixes over the previous version:

  • The handling of layer 3 configurations has been reworked to improve the stability, performance, and memory usage.
  • NetworkManager now supports the rd.znet_ifnames kernel command line option on the IBM Z platform.
  • The blackhole, unreachable, and prohibit route types have been added.
  • NetworkManager now ignores routes managed by routing services.
  • The Wi-Fi Protected Access version 3 (WPA3) network security has been improved by enabling the hash-to-element (H2E) method when generating simultaneous authentication of equals (SAE) password elements.
  • The service now correctly handles replies from DHCP servers that send duplicate address or mask options.
  • You can now turn off MAC aging on bridges.
  • NetworkManager no longer listens for netlink events for traffic control objects, such as qdiscs and filters.
  • Network bonds now support setting a queue ID for bond ports.

For further information about notable changes, read the upstream release notes:


The hostapd package has been added to RHEL 8.6

With this release, RHEL provides the hostapd package. However, Red Hat supports hostapd only to set up a RHEL host as an 802.1X authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or authenticators in Wi-Fi networks, are not supported.

For details about configuring RHEL as an 802.1X authenticator with a FreeRADIUS back end, see Setting up an 802.1x network authentication service for LAN clients using hostapd with FreeRADIUS backend.


NetworkManager now supports setting the number of receiving queues (rx_queue) on OVS-DPDK interfaces

With this enhancement, you can use NetworkManager to configure the n_rxq setting of Open vSwitch (OVS) Data Plane Development Kit (DPDK) interfaces. Use the ovs-dpdk.n-rxq attribute in NetworkManager to set the number of receiving queues on OVS-DPDK interfaces.

For example, to configure 2 receiving queues in OVS interface named ovs-iface0, enter:

# nmcli connection modify ovs-iface0 ovs-dpdk.nrxq 2


The nftables framework now supports nft set elements with attached counters

Previously, in the netfilter framework, nftables set counters were not supported. The nftables framework is configurable by the nft tool. The kernel allows this tool to count the network packets from a given source address with a statement add @myset {ip saddr counter}. In this update, you can count packets that match a specific criteria with a dynamic set and elements with attached counters.


The nispor packages are now fully supported

The nispor packages, previously available as a Technology Preview, are now fully supported. This enhancement adds support for NetStateFilter to use the kernel filter on network routes and interfaces.

With this release, the nispor packages single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF), support new bonding options: lacp_active, arp_missed_max, and ns_ip6_target.


4.9. Kernel

Kernel version in RHEL 8.6

Red Hat Enterprise Linux 8.6 is distributed with the kernel version 4.18.0-372.

See also Important changes to external kernel parameters and Device Drivers.


Extended Berkeley Packet Filter for RHEL 8.6

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.

Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.6, the following eBPF components are supported:

  • The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
  • The BCC library which allows the development of tools similar to those provided in the BCC tools package.
  • The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
  • The bpftrace tracing language
  • The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions. For more information see, XDP is conditionally supported and Overview of networking eBPF features in RHEL.
  • The libbpf package, which is crucial for bpf related applications like bpftrace and bpf/xdp development.
  • The xdp-tools package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader utility for loading XDP programs, the xdp-filter example program for packet filtering, and the xdpdump utility for capturing packets from a network interface with XDP enabled.

Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.

The following notable eBPF components are currently available as Technology Preview:

  • The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space

For more information regarding the Technology Preview components, see eBPF available as a Technology Preview.


Red Hat, by default, enables eBPF in all RHEL versions for privileged users only

Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0.

However, note that:

  • Applying unprivileged_bpf_disabled=0 disqualifies your kernel from Red Hat support and opens your system to security risks.
  • Red Hat urges you to treat processes with the CAP_BPF capability as if the capability was equal to CAP_SYS_ADMIN.
  • Setting unprivileged_bpf_disabled=0 will not be sufficient to execute many BPF programs by unprivileged users as loading of most BPF program types requires additional capabilities (typically CAP_SYS_ADMIN or CAP_PERFMON).

For information on how to apply kernel command-line parameters, see Configuring kernel command-line parameters.


The osnoise and timerlat tracers were added in RHEL 8

The osnoise tracer measures operating system noise. That is, the interruptions of applications by the OS and hardware interrupts. It also provides a set of tracepoints to help find the source of the OS noise. The timerlat tracer measures the wakeup latencies and helps to identify the causes of such latencies of real-time (RT) threads. In RT computing, latency is absolutely crucial and even a minimal delay can be detrimental. The osnoise and timerlat tracers enable you to investigate and find causes of OS interference with applications and wakeup delay of RT threads.


The strace utility can now display mismatches between the actual SELinux contexts and the definitions extracted from the SELinux context database

An existing --secontext option of strace has been extended with the mismatch parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (!!), first the actual context, then the expected one. In the examples below, the full,mismatch parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary mismatch, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.

$ strace --secontext=full,mismatch -e statx stat /home/user/file
statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...

$ strace --secontext=mismatch -e statx stat /home/user/file
statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...

SELinux context mismatches often cause access control issues associated with SELinux. The mismatches printed in the system call traces can significantly expedite the checks of SELinux context correctness. The system call traces can also explain specific kernel behavior with respect to access control checks.

(BZ#2038992, BZ#2038810)

The --cyclictest-threshold option has been added to the rteval utility

With this enhancement, the --cyclictest-threshold=USEC option has been added to the rteval test suite. Using this option you can specify a threshold value. The rteval test run ends immediately if any latency measurements exceed this threshold value. When latency expectations are not met, the run aborts with a failure status.


4.10. File systems and storage

RHEL 8.6 is compatible with RHEL 9 XFS images

With this update, RHEL 8.6 is now able to use RHEL 9 XFS images. RHEL 9 XFS guest images must have bigtime and inode btree counters (inobtcount) on-disk capabilities allowed in order to mount the guest image with RHEL 8.6. Note that file systems created with bigtime and inobtcount features are not compatible with versions earlier than RHEL 8.6.

(BZ#2022903, BZ#2024201)

Options in Samba utilities have been renamed and removed for a consistent user experience

The Samba utilities have been improved to provide a consistent command-line interface. These improvements include renamed and removed options. Therefore, to avoid problems after the update, review your scripts that use Samba utilities, and update them, if necessary.

Samba 4.15 introduces the following changes to the Samba utilities:

  • Previously, Samba command-line utilities silently ignored unknown options. To prevent unexpected behavior, the utilities now consistently reject unknown options.
  • Several command-line options now have a corresponding smb.conf variable to control their default value. See the man pages of the utilities to identify if a command-line option has an smb.conf variable name.
  • By default, Samba utilities now log to standard error (stderr). Use the --debug-stdout option to change this behavior.
  • The --client-protection=off|sign|encrypt option has been added to the common parser.
  • The following options have been renamed in all utilities:

    • --kerberos to --use-kerberos=required|desired|off
    • --krb5-ccache to --use-krb5-ccache=CCACHE
    • --scope to --netbios-scope=SCOPE
    • --use-ccache to --use-winbind-ccache
  • The following options have been removed from all utilities:

    • -e and --encrypt
    • -C removed from --use-winbind-ccache
    • -i removed from --netbios-scope
    • -S and --signing
  • To avoid duplicate options, certain options have been removed or renamed from the following utilities:

    • ndrdump: -l is no longer available for --load-dso
    • net: -l is no longer available for --long
    • sharesec: -V is no longer available for --viewsddl
    • smbcquotas: --user has been renamed to --quota-user
    • nmbd: --log-stdout has been renamed to --debug-stdout
    • smbd: --log-stdout has been renamed to --debug-stdout
    • winbindd: --log-stdout has been renamed to --debug-stdout


Compiler barrier changed to static inline function compiler_barrier to avoid name conflict with function pointers

This enhancement provides additional features and a patch for a potential data corruption bug. The compiler barrier is now set to a static inline function compiler_barrier. No name conflict occurs with the hardware store barrier, when implementing hardware fencing for non-temporal memcpy variants, while using a function pointer. As a result, RHEL 8.6 now includes pmdk version 1.11.1.


4.11. High availability and clusters

The pcmk_delay_base parameter may now take different values for different nodes

When configuring a fence device, you now can specify different values for different nodes with the pcmk_delay_base parameter. This allows a single fence device to be used in a two-node cluster, with a different delay for each node. This helps prevent a situation where each node attempts to fence the other node at the same time. To specify different values for different nodes, you map the host names to the delay value for that node using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when fencing node1 and a 10-second delay when fencing node2.


Specifying automatic removal of location constraint following resource move

When you execute the pcs resource move command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. A new --autodelete option for the pcs resource move command, previously available as a Technology Preview, is now fully supported. When you specify this option, the location constraint that the command creates is automatically removed once the resource has been moved.


Detailed Pacemaker status display for internal errors

If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is not installed or there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.


Support for special characters inside pcmk_host_map values

The pcmk_host_map property now supports special characters inside pcmk_host_map values using a backslash (\) in front of the value. For example, you can specify pcmk_host_map="node3:plug\ 1" to include a space in the host alias.


pcs suppport for OCF Resource Agent API 1.1 standard

The pcs command-line interface now supports OCF 1.1 resource and STONITH agents. An OCF 1.1 agent’s metadata must comply with the OCF 1.1 schema. If an OCF 1.1 agent’s metadata does not comply with the OCF 1.1 schema, pcs considers the agent invalid and will not create or update a resource of the agent unless the --force option is specified. The pcsd Web UI and pcs commands for listing agents omit OCF 1.1 agents with invalid metadata from the listing.

An OCF agent that declares that it implements any OCF version other than 1.1, or does not declare a version at all, is validated against the OCF 1.0 schema. Validation issues are reported as warnings, but for those agents it is not necessary to specify the --force option when creating or updating a resource of the agent.


New fencing agent for OpenShift

The fence_kubevirt fencing agent is now available for use with RHEL High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt agent, see the fence_kubevirt(8) man page.


4.12. Dynamic programming languages, web and database servers

A new module stream: php:8.0

RHEL 8.6 adds PHP 8.0, which provides a number of bug fixes and enhancements over version 7.4

Notable enhancements include:

  • New named arguments are order-independent and self-documented, and enable you to specify only required parameters.
  • New attributes enable you to use structured metadata with PHP’s native syntax.
  • New union types enable you to use native union type declarations that are validated at runtime instead of PHPDoc annotations for a combination of types.
  • Internal functions now more consistently raise an Error exception instead of warnings if parameter validation fails.
  • The Just-In-Time compilation has improved the performance.
  • The Xdebug debugging and productivity extension for PHP has been updated to version 3. This version introduces major changes in functionality and configuration compared to Xdebug 2.

To install the php:8.0 module stream, use:

# yum module install php:8.0

If you want to upgrade from the php:7.4 stream, see Switching to a later stream.

For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.

(BZ#1978356, BZ#2027285)

A new module stream: perl:5.32

RHEL 8.6 introduces Perl 5.32, which provides a number of bug fixes and enhancements over Perl 5.30 distributed in RHEL 8.3.

Notable enhancement include:

  • Perl now supports unicode version 13.0.
  • The qr qoute-like operator has been enhanced.
  • The POSIX::mblen(), mbtowc, and wctomb functions now work on shift state locales and are thread-safe on C99 and above compilers when executed on a platform that has locale thread-safety; the length parameters are now optional.
  • The new experimental isa infix operator tests whether a given object is an instance of a given class or a class derived from it.
  • Alpha assertions are no longer experimental.
  • Script runs are no longer experimental.
  • Feature checks are now faster.
  • Perl can now dump compiled patterns before optimization.

To upgrade from an earlier perl module stream, see Switching to a later stream.


A new package: nginx-mod-devel

A new nginx-mod-devel package has been added to the nginx:1.20 module stream. The package provides all necessary files, including RPM macros and nginx source code, for building external dynamic modules for nginx.


MariaDB Galera now includes an upstream version of the garbd systemd service and a wrapper script

MariaDB 10.3 and MariaDB 10.5 in RHEL 8 include a Red Hat version of garbd systemd service and a wrapper script for the galera package in the /usr/lib/systemd/system/garbd.service and /usr/sbin/garbd-wrapper files, respectively.

In addition to the Red Hat version of these files, RHEL 8 now also provides an upstream version. The upstream files are located at /usr/share/doc/galera/garb-systemd and /usr/share/doc/galera/garbd.service.

RHEL 9 provides only the upstream version of these files, located at /usr/lib/systemd/system/garbd.service and /usr/sbin/garb-systemd.

(BZ#2042306, BZ#2042298, BZ#2050543, BZ#2050546)

4.13. Compilers and development tools

New command for capturing glibc optimization data

The new --list-diagnostics command captures data that influences glibc optimization decisions, such as IFUNC selection and glibc-hwcaps configuration, in a single machine-readable file.


glibc string functions are now optimized for Fujitsu A64FX

With this update, glibc string functions exhibit increased throughput and reduced latency on A64FX CPUs.


New UTF-8 locale en_US@ampm with 12-hour clock

With this update, you can now use a new UTF-8 locale en_US@ampm with a 12-hour clock. This new locale can be combined with other locales by using the LC_TIME environment variable.


New location for libffi's self-modifying code

With this update libffi's self-modifying code takes advantage of a feature in the RHEL 8 kernel to create a suitable file independent of any file system. As a result, libffi's self-modifying code no longer depends on making part of the filesystem insecure.


Updated GCC Toolset 11

GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

Notable changes introduced with RHEL 8.6 include:

  • The GCC compiler has been updated to version 11.2.1.
  • annobin has been updated to version 10.23.

The following tools and versions are provided by GCC Toolset 10:


























To install GCC Toolset 11, run the following command as root:

# yum install gcc-toolset-11

To run a tool from GCC Toolset 11:

$ scl enable gcc-toolset-11 tool

To run a shell session where tool versions from GCC Toolset 11 override system versions of these tools:

$ scl enable gcc-toolset-11 bash

For more information about usage, see Using GCC Toolset.

The GCC Toolset 11 components are available in the two container images:

  • rhel8/gcc-toolset-11-toolchain, which includes the GCC compiler, the GDB debugger, and the make automation tool.
  • rhel8/gcc-toolset-11-perftools, which includes the performance monitoring tools, such as SystemTap and Valgrind.

To pull a container image, run the following command as root:

# podman pull<image_name>

Note that only the GCC Toolset 11 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.

For details regarding the container images, see Using the GCC Toolset container images.


GDB disassembler now supports the new arch14 instructions

With this update, GDB is able to disassemble new arch14 instructions.


LLVM Toolset rebased to version 13.0.1

LLVM Toolset has been upgraded to version 13.0.1. Notable changes include:

  • Clang now supports guaranteed tail calls with statement attributes [[clang::musttail]] in C++ and __attribute__((musttail)) in C.
  • Clang now supports the -Wreserved-identifier warning, which warns developers when using reserved identifiers in their code.
  • Clang’s -Wshadow flag now also checks for shadowed structured bindings.
  • Clang’s -Wextra now also implies Wnull-pointer-subtraction.


Rust Toolset rebased to 1.58.1

The Rust Toolset has been rebased to version 1.58.1. Notable changes include:

  • The Rust compiler now supports the 2021 edition of the language, featuring disjoint capture in closure, IntoIterator for arrays, a new Cargo feature resolver, and more.
  • Added Cargo support for new custom profiles.
  • Cargo deduplicates compiler errors.
  • Added new open range patterns.
  • Added captured identifiers in format strings.

For further information, see:


Go Toolset rebased to version 1.17.7

Go Toolset has been upgraded to version 1.17.7. Notable changes include:

  • Added an option to convert slices to array pointers.
  • Added support for //go:build lines.
  • Improvements to function call performance on amd64.
  • Function arguments are formatted more clearly in stack traces.
  • Functions containing closures can be inlined.
  • Reduced resource consumption in x509 certificate parsing.


pcp rebased to 5.3.5

The pcp package has been rebased to version 5.3.5. Notable changes include:

  • Added new pmieconf(1) rules for CPU and disk saturation.
  • Improved stability and scalability of pmproxy(1) service.
  • Improved service latency and robustness of pmlogger(1) service.
  • Added new performance metrics related to electrical power.
  • Added new features in the pcp-htop(1) utility.
  • Added new features in the pcp-atop(1) utility.
  • Updated Nvidia GPU metrics.
  • Added new Linux kernel KVM and networking metrics.
  • Added a new MongoDB metrics agent.
  • Added a new sockets metrics agent and pcp-ss(1) utility.
  • Disabled pmcd(1) and pmproxy(1) Avahi service advertising by default.


The grafana package rebased to version 7.5.11

The grafana package has been rebased to version 7.5.11. Notable changes include:

  • Added a new prepare time series transformation for backward compatibility of panels that do not support the new data frame format.


grafana-pcp rebased to 3.2.0

The grafana-pcp package has been rebased to version 3.2.0. Notable changes include:

  • Added a new MS SQL server dashboard for PCP Redis.
  • Added visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard.
  • Fixed a bug where the metric() function of PCP Redis did not return all metric names.


js-d3-flame-graph rebased to 4.0.7

The js-d3-flame-graph package has been rebased to version 4.0.7. Notable changes include:

  • Added new blue and green color scheme.
  • Added functionality to display flame graph context.


Power consumption metrics now available in PCP

The new pmda-denki Performance Metrics Domain Agent (PMDA) reports metrics related to power consumption. Specifically, it reports:

  • Consumption metrics based on Running Average Power Limit (RAPL) readings, available on recent Intel CPUs
  • Consumption metrics based on battery discharge, available on systems which have a battery


A new module: log4j:2

A new log4j:2 module is now available in the AppStream repository. This module contains Apache Log4j 2, which is a Java logging utility and a library enabling you to output log statements to a variety of output targets.

Log4j 2 provides significant improvements over Log4j 1. Notably, Log4j 2 introduces enhancements to the Logback framework and fixes some inherent problems in the Logback architecture.

To install the log4j:2 module stream, use:

# yum module install log4j:2


4.14. Identity Management

ansible-freeipa is now available in the AppStream repository with all dependencies

Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are available in the rhel-9-for-x86_64-appstream-rpms repository.

ansible-freeipa in RHEL 8.6 and RHEL 9 contains all the modules that it contained in RHEL 8.


IdM now supports the automountlocation, automountmap, and automountkey Ansible modules

With this update, the ansible-freeipa package contains the ipaautomountlocation, ipaautomountmap, and ipaautomountkey modules. You can use these modules to configure directories to be mounted automatically for IdM users logged in to IdM clients in an IdM location. Note that currently, only direct maps are supported.


The support for managing subID ranges is available in the shadow-utils

Previously, shadow-utils configured the subID ranges automatically from the /etc/subuid and /etc/subgid files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with this update, an SSSD implementation of the shadow-utils plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in the containerized environment to facilitate rootless containers.

Note that in case the /etc/nsswitch.conf file is configured by the authselect tool, you must follow the procedures described in the authselect documentation. When it is not the case, you can modify the /etc/nsswitch.conf file manually.


An alternative to the traditional RHEL ansible-freeipa repository: Ansible Automation Hub

With this update, you can download ansible-freeipa modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository.

In AAH, ansible-freeipa roles and modules are distributed in the collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access the content on the AAH portal. You also need ansible version 2.9 or later.

The redhat.rhel_idm collection has the same content as the traditional ansible-freeipa package. However, the collection format uses a fully qualified collection name (FQCN) that consists of a namespace and the collection name. For example, the redhat.rhel_idm.ipadnsconfig module corresponds to the ipadnsconfig module in ansible-freeipa provided by a RHEL repository. The combination of a namespace and a collection name ensures that the objects are unique and can be shared without any conflicts.


ansible-freeipa modules can now be executed remotely on IdM clients

Previously, ansible-freeipa modules could only be executed on IdM servers. This required your Ansible administrator to have SSH access to your IdM server, causing a potential security threat. With this update, you can execute ansible-freeipa modules remotely on systems that are IdM clients. As a result, you can manage IdM configuration and entities in a more secure way.

To execute ansible-freeipa modules on an IdM client, choose one of the following options:

  • Set the hosts variable of the playbook to an IdM client host.
  • Add the ipa_context: client line to the playbook task that uses the ansible-freeipa module.

You can set the ipa_context variable to client on an IdM server, too. However, the server context usually provides better performance. If ipa_context is not set, ansible-freeipa checks if it is running on a server or a client, and sets the context accordingly. Note that executing an ansible-freeipa module with context set to server on an IdM client host raises an error of missing libraries.


The ipadnsconfig module now requires action: member to exclude a global forwarder

With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa ipadnsconfig module requires using the action: member option in addition to the state: absent option. If you only use state: absent in your playbook without also using action: member, the playbook fails. Consequently, to remove all global forwarders, you must specify all of them individually in the playbook. In contrast, the state: present option does not require action: member.


Identity Management now supports SHA384withRSA signing by default

With this update, the Certificate Authority (CA) in IdM supports the SHA-384 With RSA Encryption signing algorithm. SHA384withRSA is compliant with the Federal Information Processing Standard (FIPS).


SSSD default SSH hashing value is now consistent with the OpenSSH setting

The default value of ssh_hash_known_hosts has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default.

However, if you need to continue to hash host names, add ssh_hash_known_hosts = True to the [ssh] section of the /etc/sssd/sssd.conf configuration file.


samba rebased to version 4.15.5

The samba packages have been upgraded to upstream version 4.15.5, which provides bug fixes and enhancements over the previous version:

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.

After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.

For further information about notable changes, read the upstream release notes before updating.


Directory Server rebased to version

The 389-ds-base packages have been upgraded to upstream version 1.4.3, which provides a number of bug fixes and enhancements over the previous version:

  • A potential deadlock in replicas has been fixed.
  • The server no longer terminates unexpectedly when the dnaInterval is set to 0.
  • The performance of connection handling has been improved.
  • Improved performance of targetfilter in access control instructions (ACI).


Directory Server now stores memory-mapped files of databases on a tmpfs file system

In Directory Server, the nsslapd-db-home-directory parameter defines the location of memory-mapped files of databases. This enhancement changes the default value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/ to /dev/shm/. As a result, with the internal databases stored on a tmpfs file system, the performance of Directory Server increases.


4.15. Desktop

Security classification banners at login and in the desktop session

You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.

The classification banners can appear in the following contexts, depending on your configuration:

  • Within the running session
  • On the lock screen
  • On the login screen

The classification banners can take the form of either a notification that you can dismiss, or a permanent banner.

For more information, see Displaying the system security classification.


4.16. Graphics infrastructures

Intel Alder Lake-P GPUs are now supported

This release adds support for the Intel Alder Lake-P CPU microarchitecture with integrated graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:

  • Intel Core i7-1280P
  • Intel Core i7-1270P
  • Intel Core i7-1260P
  • Intel Core i5-1250P
  • Intel Core i5-1240P
  • Intel Core i3-1220P

Support for Alder Lake-P graphics is disabled by default. To enable it, add the following option to the kernel command line:


Replace PCI_ID with either the PCI device ID of your Intel GPU, or with the * character to enable support for all alpha-quality hardware that uses the i915 driver.


4.17. The web console

Smart card authentication for sudo and SSH from the web console

Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.


It is only possible to use one smart card to authenticate and gain sudo privileges. Using a separate smart card for sudo is not supported.


RHEL web console provides Insights registration by default

With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL system, the Connect this system to Red Hat Insights. check box is checked by default. If you do not want to connect to the Insights service, uncheck the box.


Cockpit now supports using an existing TLS certificate

With this enhancement, the certificate does not have strict file permission requirements any more (such as root:cockpit-ws 0640), and thus it can be shared with other services.


4.18. Red Hat Enterprise Linux System Roles

The Firewall RHEL System Role has been added in RHEL 8

The rhel-system-roles.firewall RHEL System Role was added to the rhel-system-roles package. As a result, administrators can automate their firewall settings for managed nodes.


Full Support for HA Cluster RHEL System Role

The High Availability Cluster (HA Cluster) role, previously available as a Technology Preview, is now fully supported. The following notable configurations are available:

  • Configuring fence devices, resources, resource groups, and resource clones including meta attributes and resource operations
  • Configuring resource location constraints, resource colocation constraints, resource order constraints, and resource ticket constraints
  • Configuring cluster properties
  • Configuring cluster nodes, custom cluster names and node names
  • Configuring multi-link clusters
  • Configuring whether clusters start automatically on boot

Running the role removes any configuration not supported by the role or not specified when running the role.

The HA Cluster System Role does not currently support SBD.


The Networking System Role now supports OWE

Opportunistic Wireless Encryption (OWE) is a mode of opportunistic security for Wi-Fi networks that provides encryption of the wireless medium but no authentication, such as public hot spots. OWE uses encryption between Wi-Fi clients and access points, protecting them from sniffing attacks. With this enhancement, the Networking RHEL System role supports OWE. As a result, administrators can now use the Networking System Role to configure connections to Wi-Fi networks which use OWE.


The Networking System Role now supports SAE

In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL System role supports SAE. As a result, administrators can now use the Networking System Role to configure connections to Wi-Fi networks, which use WPA-SAE.


The Cockpit RHEL System Role is now supported

With this enhancement, you can install and configure the web console in your system. Consequently, you can manage web console in an automated manner.


Add support for raid_level for LVM volumes

The Storage RHEL System Role can now specify the raid_level parameter for LVM volumes. As a result, LVM volumes can be grouped into RAIDs using the lvmraid feature.


The NBDE client System Role supports systems with static IP addresses

Previously, restarting a system with a static IP address and configured with the NBDE client System Role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE client System Role, and their IP addresses do not change after a reboot.


Support for cached volumes is available in the Storage System Role

Storage RHEL System Role can now create and manage cached LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD.


Support to add Elasticsearch username and password for authentication from rsyslog

This update adds the Elasticsearch username and password parameters to the logging System Role, to enable the rsyslog to authenticate to Elasticsearch using username and password.


Ansible Core support for the RHEL System Roles

As of RHEL 8.6 GA release, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must manually migrate their systems from Ansible Engine to Ansible Core.

For details on that, see Using Ansible in RHEL 8.6 and later.


The network RHEL System Role now supports both named and numeric routing tables in static routes.

This update adds support for both the named and numeric routing tables in static routes, which is a prerequisite for supporting the policy routing (for example, source routing). The users can define policy routing rules later to instruct the system which table to use to determine the correct route. As a result, after the user specifies the table attribute in the route, the system can add routes into the routing table.


The Certificate role consistently uses "Ansible_managed" comment in its hook scripts

With this enhancement, the Certificate role generates pre-scripts and post-scripts to support providers, to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable:

  • /etc/certmonger/pre-scripts/
  • /etc/certmonger/post-scripts/

The comment indicates that the script files should not be directly edited because the Certificate role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.


The Terminal session recording System Role uses the "Ansible managed" comment in its managed configuration files

The Terminal session recording role generates 2 configuration files:

  • /etc/sssd/conf.d/sssd-session-recording.conf
  • /etc/tlog/tlog-rec-session.conf

With this update, the Terminal session recording role inserts the Ansible managed comment into the configuration files, using the standard Ansible variable ansible_managed. The comment indicates that the configuration files should not be directly edited because the Terminal session recording role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.


Microsoft SQL System Role now supports customized repository for disconnected or Satellite subscriptions

Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from Microsoft SQL Role . This update fixes it, by enabling users to provide a customized URL to use for RPM key, client and server mssql repositories. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs.


The Microsoft SQL System Role consistently uses "Ansible_managed" comment in its managed configuration files

The mssql role generates the following configuration file:

  • /var/opt/mssql/mssql.conf

With this update, the Microsoft SQL role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the mssql role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.


Support to all bonding options added to the Networking System Role

This update provides support to all bonding options to the Networking RHEL System Role. Consequently, it enables you to flexibly control the network transmission over the bonded interface. As a result, you can control the network transmission over the bonded interface by specifying several options to that interface.


NetworkManager supports specifying a network card using its PCI address

Previously, during setting a connection profile, NetworkManager was only allowed to specify a network card using either its name or MAC address. In this case, the device name is not stable and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can specify a network card based on its PCI address in a connection profile.


A new option auto_gateway controls the default route behavior

Previously, the DEFROUTE parameter was not configurable with configuration files but only manually configurable by naming every route. This update adds a new auto_gateway option in the ip configuration section for connections, with which you can control the default route behavior. You can configure auto_gateway in the following ways:

  • If set to true, default gateway settings apply to a default route.
  • If set to false, the default route is removed.
  • If unspecified, the network role uses the default behavior of the selected network_provider.


The VPN role consistently uses Ansible_managed comment in its managed configuration files

The VPN role generates the following configuration file:

  • /etc/ipsec.d/mesh.conf
  • /etc/ipsec.d/policies/clear
  • /etc/ipsec.d/policies/private
  • /etc/ipsec.d/policies/private-or-clear

With this update, the VPN role inserts the Ansible managed comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the VPN role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.


New source parameter in the Firewall System Role

You can now use the source parameter of the Firewall System Role to add or remove sources in the firewall configuration.


The Networking System Role now uses the ‘Ansible managed’ comment in its managed configuration files

When using the initscripts provider, the Networking System Role now generates commented ifcfg files in the /etc/sysconfig/network-scripts directory. The Networking role inserts the Ansible managed comment using the Ansible standard ansible_managed variable. The comment declares that an ifcfg file is managed by Ansible, and indicates that the ifcfg file should not be edited directly as the Networking role will overwrite the file. The Ansible managed comment is added when the provider is initscripts. When using the Networking role with the nm (NetworkManager) provider, the ifcfg file is managed by NetworkManager and not by the Networking role.


The Firewall System Role now supports setting the firewall default zone

You can now set a default firewall zone in the Firewall System role. Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. Firewall rules for each zone are managed independently enabling the administrator to define complex firewall settings and apply them to the traffic. This feature allows setting the default zone used as the default zone to assign interfaces to, same as firewall-cmd --set-default-zone zone-name.


The Metrics System Role now generates files with the proper ansible_managed comment in the header

Previously, the Metrics role did not add an ansible_managed header comment to files generated by the role. With this fix, the Metrics role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the Metrics role.


The Postfix System Role now generates files with the proper ansible_managed comment in the header

Previously, the Postfix role did not add an ansible_managed header comment to files generated by the role. With this fix, the Postfix role adds the ansible_managed header comment to files it generates, and as a result, users can easily identify files generated by the Postfix role.


4.19. Virtualization

Mediated devices are now supported by virtualization CLIs on IBM Z

Using virt-install or virt-xml, you can now attach mediated devices to your virtual machines (VMs), such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 8 guide.


Virtualization support for Intel Atom P59 series processors

With this update, virtualization on RHEL 8 adds support for the Intel Atom P59 series processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 8 can now use the Snowridge CPU model and utilise new features that the processors provide.


ESXi hypervisor and SEV-ES is now fully supported

You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported.


Windows 11 and Windows Server 2022 guests are supported

RHEL 8 now supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM virtual machines.

(BZ#2036863, BZ#2004162)

4.20. RHEL in cloud environments

RHEL 8 virtual machines are now supported on certain ARM64 hosts on Azure

Virtual machines that use RHEL 8.6 or later as the guest operating system are now supported on Microsoft Azure hypervisors running on Ampere Altra ARM-based processors.


New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

Note that with this change, the default cloud-init configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.

Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the problem:

  1. Make sure the /etc/cloud/cloud.cfg file contains the following line:

    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
  2. Check whether /etc/ssh/ssh_host_* files exist in the instance.
  3. If the /etc/ssh/ssh_host_* files do not exist, use the following command to generate host keys:

    cloud-init single --name cc_ssh
  4. Restart the sshd service:

    systemctl restart sshd


cloud-init supports user data on Microsoft Azure

The --user-data option has been introduced for the cloud-init utility. Using this option, you can pass scripts and metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 8 virtual machine on Azure.


cloud-init supports the VMware GuestInfo datasource

With this update, the cloud-init utility is able to read the datasource for VMware guestinfo data. As a result, using cloud-init to set up RHEL 8 virtual machines on VMware vSphere is now more efficient and reliable.


4.21. Supportability

A new package: rig

RHEL 8 introduces the rig package, which provides the rig system monitoring and event handling utility.

The rig utility is designed to assist system administrators and support engineers in diagnostic data collection for issues that are seemingly random in their occurrence, or occur at inopportune times for human intervention.


sos report now offers an estimate mode run

This sos report update adds the --estimate-only option with which you can approximate the disk space required for collecting an sos report from a RHEL server. Running the sos report --estimate-only command:

  • executes a dry run of sos report
  • mimics all plugins consecutively and estimates their disk size.

Note that the final disk space estimation is very approximate. Therefore, it is recommended to double the estimated value.


Red Hat Support Tool now uses Hydra APIs

The Red Hat Support Tool has moved from the deprecated Strata APIs to the new Hydra APIs. This has no impact on functionality. However, if you have configured the firewall to allow only the Strata API /rs/ path explicitly, update it to /support/ to ensure the firewall works correctly.

In addition, due to this change, you can now download files greater than 5 GB when using the Red Hat Support Tool.


Red Hat Support Tool now supports Red Hat Secure FTP

When using Red Hat Support Tool, you can now upload files to the case by the Red Hat Secure FTP. Red Hat Secure FTP is a more secure replacement of the deprecated Dropbox utility that Red Hat Support Tool used to support in its earlier versions.


Red Hat Support Tool now supports S3 APIs

The Red Hat Support Tool now uses S3 APIs to upload files to the Red Hat Technical Support case. As a result, users can upload a file greater than 1 GB to the case directly.


4.22. Containers

container-tools:4.0 stable stream is now available

The container-tools:4.0 stable module stream, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and enhancements over the previous version.

For instructions on how to upgrade from an earlier stream, see Switching to a later stream.


The NFS storage is now available

You can now use the NFS file system as a backend storage for containers and images if your file system has xattr support.


The container-tools:rhel8 module has been updated

The container-tools:rhel8 module, which contains the Podman, Buildah, Skopeo, crun, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.

Notable changes include:

  • Due to the changes in the network stack, containers created by Podman v3 and earlier will not be usable in v4.0
  • The native overlay file system is usable as a rootless user
  • Support for NFS storage within a container
  • Downgrading to earlier versions of Podman is not supported unless all containers are destroyed and recreated

Podman tool has been upgraded to version 4.0, for further information about notable changes, see the upstream release notes.


Universal Base Images are now available on Docker Hub

Previously, Universal Base Images were only available from the Red Hat container catalog. With this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image.


A podman container image is now available

The container image, previously available as a Technology Preview, is now fully supported. The container image is a containerized implementation of the podman package. The podman tool manages containers and images, volumes mounted into those containers, and pods made of groups of containers.


Podman now supports auto-building and auto-running pods using a YAML file

The podman play kube command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.


Podman now has ability to source subUID and subGID ranges from IdM

The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid and /etc/subgid files onto every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf file and add sss to the services map line: services: files sss.

For more details, see Managing subID ranges manually in IdM documentation.


The openssl container image is now available

The openssl image provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.

The openssl container image is available in these repositories:



Netavark network stack is now available

The new network stack available starting with Podman 4.1.1-7 consists of two tools, the Netavark network setup tool and the Aardvark DNS server. The Netavark stack, previously available as a Technology Preview, is with the release of the RHBA-2022:7127 advisory fully supported.

This network stack has the following capabilities:

  • Configuration of container networks using the JSON configuration file
  • Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
  • Configuring firewall settings, such as network address translation (NAT) and port mapping rules
  • IPv4 and IPv6
  • Improved capability for containers in multiple networks
  • Container DNS resolution using the aardvark-dns project

You have to use the same version of Netavark stack and the Aardvark authoritative DNS server.


Podman now supports the --health-on-failure option

With the release of the RHBA-2022:7127 advisory. the podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.

The --health-on-failure option supports four actions:

  • none: Take no action, this is the default action.
  • kill: Kill the container.
  • restart: Restart the container.
  • stop: Stop the container.

Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider using the kill or stop action instead to make use of systemd’s restart policy.


Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.