Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.6.
4.1. Installer and image creation
Image Builder supports customized file system partition on LVM
With this enhancement, if you have more than one partition, you can create images with a customized file system partition on LVM and resize those partitions at runtime. For that, you can specify a customized filesystem configuration in your blueprint and then create images with the desired disk layout. The default filesystem layout remains unchanged - if you use plain images without file system customization, the root partition is resized by cloud-init
.
(JIRA:RHELPLAN-102505)
4.2. RHEL for Edge
RHEL for Edge now supports Greenboot
built-in health checks by default
With this update, RHEL for Edge Greenboot
now includes built-in health checks with watchdog
feature to ensure that the hardware does not hang or freeze while rebooting. With that, you can benefit from the following features:
-
It makes it simple for
watchdogs
hardware users to adopt the built-in health checks - A set of default health checks that provide value for built-in OS components
-
The
watchdog
is now present as default presets, which makes it easy to enable or disable this feature - Ability to create custom health checks based on the already available health checks.
RHEL 8 rebased to rpm-ostree
v2022.2
RHEL 8 is distributed with the rpm-ostree
version v2022.2, which provides multiple bug fixes and enhancements. Notable changes include:
-
Kernel arguments can now be updated in an idempotent way, by using the new
--append-if-missing
and--delete-if-present
kargs flags. -
The
Count Me
feature from YUM is now fully disabled by default in all repo queries and will only be triggered by the correspondingrpm-ostree-countme.timer
andrpm-ostree-countme.service
units. See countme. -
The post-processing logic can now process the
user.ima
IMA extended attribute. When anxattr
extended attribute is found, the system automatically translates it tosecurity.ima
in the finalOSTree
package content. -
The
treefile
file has a newrepo-packages
field. You can use it to pin a set of packages to a specific repository. - Ability to use modularity on the compose and client side.
- Container images are now used as a compose target and also as an upgrade source.
4.3. Subscription management
Merged system purpose commands under subscription-manager syspurpose
Previously, there were multiple subscription-manager modules (addons
, role
, service-level
, and usage
) for setting attributes related to system purpose. These modules have been moved under the new subscription-manager syspurpose
module.
The original subscription-manager modules (addons
, role
, service-level
, and usage
) are now deprecated. Additionally, the package (python3-syspurpose
) that provides the syspurpose
command line tool has been deprecated in RHEL 8.6. All the capabilities of this package are covered by the new subscription-manager syspurpose
module.
This update provides a consistent way to view, set, and update all system purpose attributes using a single command of subscription-manager; this replaces all the existing system purpose commands with their equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole
becomes subscription-manager syspurpose role --set SystemRole
and so on.
For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS
section in the subscription-manager
man page.
4.4. Software management
The modulesync
command is now available to replace certain workflows in RHEL 8
In Red Hat Enterprise Linux 8, modular packages cannot be installed without modular metadata. Previously, you could use the yum
command to download packages, and then use the createrepo_c
command to redistribute those packages.
This enhancement introduces the modulesync
command to ensure the presence of modular metadata, which ensures package installability. This command downloads rpm
packages from modules and creates a repository with modular metadata in a working directory.
A new --path
CLI option is added to RPM
With this update, you can query packages by a file that is currently not installed using a new --path
CLI option. This option is similar to the existing --file
option, but matches packages solely based on the provided path. Note that the file at that path does not need to exist on disk.
The --path
CLI option can be useful when a user excludes all documentation files at install time by using the --nodocs
option with yum
. In this case, by using the --path
option, you can display the owning package of such an excluded file, whereas the --file
option will not display the package because the requested file does not exist.
4.5. Shells and command-line tools
The lsvpd
package rebased to version 1.7.13
The lsvpd
package has been rebased to version 1.7.13. Notable bug fixes and enhancements include:
- Added support for SCSI location code.
-
Fixed length of absolute path
getDevTreePath
insysfstreecollector
.
(BZ#1993557)
The net-snmp-cert gencert
tool now uses the SHA512 encryption algorithm instead of SHA1
In order to increase security, the net-snmp-cert gencert
tool has been updated to generate certificates using SHA512 encryption algorithm by default.
The dnn
and text
modules are available in the opencv
package
The dnn
module containing Deep Neural Networks for image classification inference and the text
module for scene text detection and recognition are now available in the opencv
package.
The powerpc-utils
package rebased to version 1.3.9
The powerpc-utils
package has been upgraded to version 1.3.9. Notable bug fixes, and enhancements include:
-
Increased log size to 1MB in
drmgr
. -
Fixed checking
HCNID
array size at boot time. -
Implemented
autoconnect-slaves
on HNV connections inhcnmgr
. -
Improved the HNV bond list connections in
hcnmgr
. -
Uses
hexdump
fromutil-linux
instead ofxxd
fromvim
inhcnmgr
. -
The
hcn-init.service
starts together with NetworkManager. -
Fixed OF to logical FC lookup for multipath in
ofpathname
. -
Fixed OF to logical lookup with partitions in
ofpathname
. - Fixed bootlist for multipath devices with more than 5 paths.
-
Introduced
lparnumascore
command to detect the NUMA affinity score for the running LPAR. -
Added the
-x
option inlpartstat
to enhance security. -
Fixed
ofpathname
race withudev
rename inhcnmgr
. -
Fixed
qrydev
in HNV, and removedlsdevinfo
.
(BZ#2028690)
The powerpc-utils
package now supports vNIC as a backup device
The powerpc-utils
package now supports Virtual Network Interface cards (vNIC) as a backup vdevice
for Hybrid Network Virtualization (HNV).
(BZ#2022225)
The opencryptoki
package rebased to version 3.17.0
The opencryptoki
package has been rebased to version 3.17.0. Notable bug fixes and enhancements include:
-
The
p11sak
tool offers a new function of listing keys. -
Added support for
OpenSSL 3.0
. - Added support for event notifications.
- Added SW fallbacks in ICA tokens.
- The WebSphere Application Server no longer fails to start with the hardware crypto adapter enabled.
-
The
opencryptoki.module
was removed, and thep11-kit list-modules
command no longer causes error messages.
(BZ#1984993)
Certain network interfaces and IP addresses can be excluded when creating a rescue image
You can use the EXCLUDE_IP_ADDRESSES
variable to ignore certain IP addresses, and the EXCLUDE_NETWORK_INTERFACES
variable to ignore certain network interfaces when creating a rescue image.
On servers with floating addresses, you need to stop the ReaR rescue environment from configuring floating addresses that are moved to a fail-over server until the original server is recovered. Otherwise, a conflict with the fail-over server would occur and cause a consequent disruption of the services running on the fail-over server. To prevent conflicts, you can perform the following actions in the ReaR configuration file /etc/rear/local.conf
:
-
exclude the IP addresses in the ReaR by providing the
EXCLUDE_IP_ADDRESSES
variable as a bash array of addresses. For example:EXCLUDE_IP_ADDRESSES=( 192.0.2.27 192.0.2.10 )
, -
exclude the network interfaces in the ReaR by providing the
EXCLUDE_NETWORK_INTERFACES
variable as a bash array of interfaces. For example:EXCLUDE_NETWORK_INTERFACES=( eno1d1 )
.
4.6. Infrastructure services
New bind9.16
package version 9.16.23 introduced
A new bind9.16
package version 9.16.23 has been introduced as an alternative to bind
component version 9.11.36. Notable enhancements include:
- Introduced new Key and Signing Policy feature in DNSSEC.
- Introduced the QNAME minimisation to improve privacy.
-
Introduced the
validate-except
feature to Permanent. - Negative Trust Anchors to temporarily disable DNSSEC validation.
- Refactored the response policy zones (RPZ).
- Introduced new naming conventions for zone types: primary and secondary zone types are used as synonyms to master and slave.
-
Introduced a supplementary YAML output mode of
dig
,mdig
, anddelv
commands. -
The
filter-aaaa
functionality was moved into separatefilter-a
andfilter-aaaa
plugins. - Introduced a new zone type mirror support (RFC 8806).
Removed features:
-
The
dnssec-enabled
option has been removed, DNSSEC is enabled by default, and the dnssec-enabled keywords are no longer accepted. -
The
lwresd
lightweight resolver daemon, andliblwres
lightweight resolver library have been removed.
(BZ#1873486)
CUPS is available as a container image
The Common Unix Printing System (CUPS) is now available as a container image, and you can deploy it from the Red Hat Container Catalog.
(BZ#1913715)
The bind
component rebased to version 9.11.36
The bind
component has been updated to version 9.11.36. Notable bug fixes and enhancements include:
-
Improved the
lame-ttl
option to be more secure. -
A multiple threads bug affecting RBTDB instances no longer results in assertion failure in
free_rbtdb()
. - Updated implementation of the ZONEMD RR type to match RFC 8976.
- The maximum supported number of NSEC3 iterations has been reduced to 150. Records with more iterations are treated as insecure.
- An invalid direction field in a LOC record no longer results in a failure.
CUPS driverless printing is available in CUPS Web UI
CUPS driverless printing, based on the IPP Everywhere model, is available in the CUPS Web UI. In addition to the lpadmin
command used in the CLI, you can create an IPP Everywhere queue in the CUPS Web UI to print to network printers without special software.
4.7. Security
The pcsc-lite
packages rebased to 1.9.5
The pcsc-lite
packages have been rebased to upstream version 1.9.5. This update provides new enhancements and bug fixes, most notably:
-
The
pcscd
daemon no longer automatically exits after inactivity when started manually. -
The
pcsc-spy
utility now supports Python 3 and a new--thread
option. -
Performance of the
SCardEndTransaction()
function has been improved. -
The
poll()
function replaced theselect()
function, which allows file descriptor numbers higher thanFD_SETSIZE
. - Many memory leaks and concurrency problems have been fixed.
Crypto policies support diffie-hellman-group14-sha256
You can now use the diffie-hellman-group14-sha256
key exchange (KEX) algorithm for the libssh
library in RHEL system-wide cryptographic policies. This update also provides parity with OpenSSH, which also supports this KEX algorithm. With this update, libssh
has diffie-hellman-group14-sha256
enabled by default, but you can disable it by using a custom crypto policy.
OpenSSH servers now support drop-in configuration files
The sshd_config
file supports the Include
directive, which means you can include configuration files in another directory. This makes it easier to apply system-specific configurations on OpenSSH servers by using automation tools such as Ansible Engine. It is also more consistent with the capabilities of the ssh_config
file. In addition, drop-in configuration files also make it easier to organize different configuration files for different uses, such as filter incoming connections.
(BZ#1926103)
sshd_config:ClientAliveCountMax=0
disables connection termination
Setting the SSHD configuration option ClientAliveCountMax
to 0
now disables connection termination. This aligns the behavior of this option with the upstream. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by the ClientAliveInterval
option.
libssh
rebased to 0.9.6
The libssh
package has been rebased to upstream version 0.9.6. This version provides bug fixes and enhancements, most notably:
-
Support for multiple identity files. The files are processed from the bottom to the top as listed in the
~/.ssh/config
file. - Parsing of sub-second times in SFTP is fixed.
-
A regression of the
ssh_channel_poll_timeout()
function returningSSH_AGAIN
unexpectedly is now fixed. - A possible heap-buffer overflow after key re-exchange is fixed.
- A handshake bug when AEAD cipher is matched but there is no HMAC overlap is fixed.
- Several memory leaks on error paths are fixed.
Libreswan rebased to 4.5
Libreswan has been rebased to upstream version 4.5. This version provides many bug fixes and enhancements, most notably:
- Support of Internet Key Exchange version 2 (IKEv2) for Labeled IPsec.
- Support for childless initiation of Internet Key Exchange (IKE) Security Association (SA).
(BZ#2017352)
New option to verify SELinux module checksums
With the newly added --checksum
option to the semodule
command, you can verify the versions of installed SELinux policy modules.
Because Common Intermediate Language (CIL) does not store module name and module version in the module itself, there previously was no simple way to verify that the installed module is the same version as the module which was supposed to be installed.
With the new command semodule -l --checksum
, you receive a SHA256 hash of the specified module and can compare it with the checksum of the original file, which is faster than reinstalling modules.
Example of use:
# semodule -l --checksum | grep localmodule localmodule sha256:db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd # /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd -
OpenSCAP can read local files
OpenSCAP can now consume local files instead of remote SCAP source data stream components. Previously, you could not perform a complete evaluation of SCAP source data streams containing remote components on systems that have no internet access. On these systems, OpenSCAP could not evaluate some of the rules in these data streams because the remote components needed to be downloaded from the internet. With this update, you can download and copy the remote SCAP source data stream components to the target system before performing the OpenSCAP scan and provide them to OpenSCAP by using the --local-files
option with the oscap
command.
SSG now scans and remediates rules for home directories and interactive users
OVAL content to check and remediate all existing rules related to home directories used by interactive users was added to the SCAP Security Guide (SSG) suite. Many benchmarks require verification of properties and content usually found within home directories of interactive users. Because the existence and the number of interactive users in a system may vary, there was previously no robust solution to cover this gap using the OVAL language. This update adds OVAL checks and remediations that detect local interactive users in a system and their respective home directories. As a result, SSG can safely check and remediate all related benchmark requirements.
SCAP rules now have a warning message to configure Audit log buffer for large systems
The SCAP rule xccdf_org.ssgproject.content_rule_audit_basic_configuration
now displays a performance warning that suggests users of large systems where the Audit log buffer configured by this rule might be too small and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With this enhancement, users of large systems can stay compliant and have their Audit log buffer set correctly.
SSG now supports the /etc/security/faillock.conf
file
This enhancement adds support for the /etc/security/faillock.conf
file in SCAP Security Guide (SSG). With this update, SSG can assess and remediate the /etc/security/faillock.conf
file for definition of pam_faillock
settings. The authselect
tool is also used to enable the pam_faillock
module while ensuring the integrity of pam
files. As a result, the assessment and remediation of the pam_faillock
module is aligned with the latest versions and best practices.
SCAP Security Guide rebased to 0.1.60
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.60. This version provides various enhancements and bug fixes, most notably:
-
Rules hardening the PAM stack now use
authselect
as the configuration tool. - Tailoring files that define profiles which represent the differences between DISA STIG automated SCAP content and SCAP automated content (delta tailoring) are now supported.
-
The rule
xccdf_org.ssgproject.content_enable_fips_mode
now checks only whether the FIPS mode has been enabled properly. It does not guarantee that system components have undergone FIPS certification.
DISA STIG profile supports Red Hat Virtualization 4.4
The DISA STIG for Red Hat Enterprise Linux 8
profile version V1R5 has been enhanced to support Red Hat Virtualization 4.4. This profile aligns with the RHEL 8 Security Technical Implementation Guide (STIG) manual benchmark provided by the Defense Information Systems Agency (DISA). However, some configurations are not applied on hosts where Red Hat Virtualization (RHV) is installed because they prevent Red Hat Virtualization from installing and working properly.
When the STIG profile is applied on a Red Hat Virtualization Host (RHVH), on a self-hosted install (RHELH), or on a host with RHV Manager installed, the following rules result in 'notapplicable':
-
package_gss_proxy_removed
-
package_krb5-workstation_removed
-
package_tuned_removed
-
sshd_disable_root_login
-
sudo_remove_nopasswd
-
sysctl_net_ipv4_ip_forward
-
xwindows_remove_packages
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
OpenSCAP rebased to 1.3.6
The OpenSCAP packages have been rebased to upstream version 1.3.6. This version provides various bug fixes and enhancements, most notably:
-
You can provide local copies of remote SCAP source data stream components by using the
--local-files
option. -
OpenSCAP accepts multiple
--rule
arguments to select multiple rules on the command line. -
OpenSCAP allows skipping evaluation of some rules using the
--skip-rule
option. -
You can restrict memory consumed by OpenSCAP probes by using the
OSCAP_PROBE_MEMORY_USAGE_RATIO
environment variable. - OpenSCAP now supports the OSBuild Blueprint as a remediation type.
clevis-systemd
no longer depends on nc
With this enhancement, the clevis-systemd
package no longer depends on the nc
package. The dependency did not work correctly when used with Extra Packages for Enterprise Linux (EPEL).
audit
rebased to 3.0.7
The audit
packages have been upgraded to version 3.0.7 which introduces many enhancements and bug fixes. Most notably:
-
Added
sudoers
to Audit base rules. -
Added the
--eoe-timeout
option to theausearch
command and its analogouseoe_timeout
option toauditd.conf
file that specifies the value for end of event timeout, which impacts howausearch
parses co-located events. - Introduced a fix for the 'audisp-remote' plugin that used 100% of CPU capacity when the remote location was not available.
Audit now provides options for specifying the end of the event timeout
With this release, the ausearch
tool supports the --eoe-timeout
option, and the auditd.conf
file contains the end_of_event_timeout
option. You can use these options to specify the end of the event timeout to avoid problems with parsing co-located events. The default value for the end of the event timeout is set to two seconds.
Adding sudoers
to Audit base rules
With this enhancement, the /etc/sudoers
and the etc/sudoers.d/
directories are added to Audit base rules such as the Payment Card Industry Data Security Standard (PCI DSS) and the Operating Systems Protection Profile (OSPP). This increases the security by monitoring configuration changes in privileged areas such as sudoers
.
(BZ#1927884)
Rsyslog includes the mmfields
module for higher-performance operations and CEF
Rsyslog now includes the rsyslog-mmfields
subpackage which provides the mmfields
module. This is an alternative to using the property replacer field extraction, but in contrast to the property replacer, all fields are extracted at once and stored inside the structured data part. As a result, you can use mmfields
particularly for processing field-based log formats, for example Common Event Format (CEF), and if you need a large number of fields or reuse specific fields. In these cases, mmfields
has better performance than existing Rsyslog features.
libcap
rebased to version 2.48
The libcap
packages have been upgraded to upstream version 2.48, which provides a number of bug fixes and enhancements over the previous version, most notably:
-
Helper library for POSIX semantic system calls (
libpsx
) - Support for overriding system call functions
- IAB abstraction for capability sets
-
Additional
capsh
testing features
fapolicyd
rebased to 1.1
The fapolicyd
packages have been upgraded to the upstream version 1.1, which contains many improvements and bug fixes. Most notable changes include the following:
-
The
/etc/fapolicyd/rules.d/
directory for files containing allow and deny execution rules replaces the/etc/fapolicyd/fapolicyd.rules
file. Thefagenrules
script now merges all component rule files in this directory to the/etc/fapolicyd/compiled.rules
file. See the newfagenrules(8)
man page for more details. -
In addition to the
/etc/fapolicyd/fapolicyd.trust
file for marking files outside of the RPM database as trusted, you can now use the new/etc/fapolicyd/trust.d
directory, which supports separating a list of trusted files into more files. You can also add an entry for a file by using thefapolicyd-cli -f
subcommand with the--trust-file
directive to these files. See thefapolicyd-cli(1)
andfapolicyd.trust(13)
man pages for more information. -
The
fapolicyd
trust database now supports white spaces in file names. -
fapolicyd
now stores the correct path to an executable file when it adds the file to the trust database.
libseccomp
rebased to 2.5.2
The libseccomp
packages have been rebased to upstream version 2.5.2. This version provides bug fixes and enhancements, most notably:
-
Updated the syscall table for Linux to version
v5.14-rc7
. -
Added the
get_notify_fd()
function to the Python bindings to get the notification file descriptor. - Consolidated multiplexed syscall handling for all architectures into one location.
- Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures.
-
Changed the meaning of the
SECCOMP_IOCTL_NOTIF_ID_VALID
operation within the kernel. -
Changed the
libseccomp
file descriptor notification logic to support the kernel’s previous and new usage ofSECCOMP_IOCTL_NOTIF_ID_VALID
.
4.8. Networking
CleanUpModulesOnExit
firewalld
global configuration option is now available
Previously, when restarting or otherwise shutting down firewalld
, firewalld
recursively unloaded kernel modules. As a result, other packages attempting to use these modules or dependent modules would fail. With this upgrade, users can set the CleanUpModulesOnExit
option to no
to stop firewalld
from unloading these kernel modules.
(BZ#1980206)
Restoring large nftables
sets requires less memory
With this enhancement, the nftables
framework requires significantly less memory when you restore large sets. The algorithm which prepares the netlink
message has been improved, and, as a result, restoring a set can use up to 40% less memory.
The nmstate
API now supports OVS-DPDK
This enhancement adds the schema for the Open vSwitch (OVS) Data Plane Development Kit (DPDK) to the nmstate
API. As a result, you can use nmstate
to configure OVS devices with DPDK ports.
The nmstate
API now supports VLAN and QoS ID in SR-IOV virtual functions
This update enhances the nmstate
API with support for local area network (VLAN) and quality of service (QoS) in single root I/O virtualization (SR-IOV) virtual functions. As a result, you can use nmstate
to configure these features.
NetworkManager rebased to version 1.36.0
The NetworkManager
packages have been upgraded to upstream version 1.36.0, which provides a number of enhancements and bug fixes over the previous version:
- The handling of layer 3 configurations has been reworked to improve the stability, performance, and memory usage.
-
NetworkManager now supports the
rd.znet_ifnames
kernel command line option on the IBM Z platform. -
The
blackhole
,unreachable
, andprohibit
route types have been added. - NetworkManager now ignores routes managed by routing services.
- The Wi-Fi Protected Access version 3 (WPA3) network security has been improved by enabling the hash-to-element (H2E) method when generating simultaneous authentication of equals (SAE) password elements.
- The service now correctly handles replies from DHCP servers that send duplicate address or mask options.
- You can now turn off MAC aging on bridges.
-
NetworkManager no longer listens for
netlink
events for traffic control objects, such asqdiscs
andfilters
. - Network bonds now support setting a queue ID for bond ports.
For further information about notable changes, read the upstream release notes:
The hostapd
package has been added to RHEL 8.6
With this release, RHEL provides the hostapd
package. However, Red Hat supports hostapd
only to set up a RHEL host as an 802.1X authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or authenticators in Wi-Fi networks, are not supported.
For details about configuring RHEL as an 802.1X authenticator with a FreeRADIUS back end, see Setting up an 802.1x network authentication service for LAN clients using hostapd with FreeRADIUS backend.
(BZ#2016946)
NetworkManager now supports setting the number of receiving queues (rx_queue
) on OVS-DPDK interfaces
With this enhancement, you can use NetworkManager to configure the n_rxq
setting of Open vSwitch (OVS) Data Plane Development Kit (DPDK) interfaces. Use the ovs-dpdk.n-rxq
attribute in NetworkManager to set the number of receiving queues on OVS-DPDK interfaces.
For example, to configure 2 receiving queues in OVS interface named ovs-iface0
, enter:
# nmcli connection modify ovs-iface0 ovs-dpdk.nrxq 2
The nftables
framework now supports nft
set elements with attached counters
Previously, in the netfilter
framework, nftables
set counters were not supported. The nftables
framework is configurable by the nft
tool. The kernel allows this tool to count the network packets from a given source address with a statement add @myset {ip saddr counter}
. In this update, you can count packets that match a specific criteria with a dynamic set and elements with attached counters.
(BZ#1983635)
The nispor
packages are now fully supported
The nispor
packages, previously available as a Technology Preview, are now fully supported. This enhancement adds support for NetStateFilter
to use the kernel filter on network routes and interfaces.
With this release, the nispor
packages single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF), support new bonding options: lacp_active
, arp_missed_max
, and ns_ip6_target
.
(BZ#1848817)
4.9. Kernel
Kernel version in RHEL 8.6
Red Hat Enterprise Linux 8.6 is distributed with the kernel version 4.18.0-372.
See also Important changes to external kernel parameters and Device Drivers.
Extended Berkeley Packet Filter for RHEL 8.6
The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.
The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.
Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.6, the following eBPF components are supported:
- The BPF Compiler Collection (BCC) tools package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
- The BCC library which allows the development of tools similar to those provided in the BCC tools package.
- The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
-
The
bpftrace
tracing language - The eXpress Data Path (XDP) feature, which provides access to received packets before the kernel networking stack processes them, is supported under specific conditions. For more information see, XDP is conditionally supported and Overview of networking eBPF features in RHEL.
-
The
libbpf
package, which is crucial for bpf related applications likebpftrace
andbpf/xdp
development. -
The
xdp-tools
package, which contains userspace support utilities for the XDP feature, is now supported on the AMD and Intel 64-bit architectures. This includes thelibxdp
library, thexdp-loader
utility for loading XDP programs, thexdp-filter
example program for packet filtering, and thexdpdump
utility for capturing packets from a network interface with XDP enabled.
Note that all other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as Technology Preview:
-
The
AF_XDP
socket for connecting the eXpress Data Path (XDP) path to user space
For more information regarding the Technology Preview components, see eBPF available as a Technology Preview.
Red Hat, by default, enables eBPF in all RHEL versions for privileged users only
Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0
.
However, note that:
-
Applying
unprivileged_bpf_disabled=0
disqualifies your kernel from Red Hat support and opens your system to security risks. -
Red Hat urges you to treat processes with the
CAP_BPF
capability as if the capability was equal toCAP_SYS_ADMIN
. -
Setting
unprivileged_bpf_disabled=0
will not be sufficient to execute many BPF programs by unprivileged users as loading of most BPF program types requires additional capabilities (typicallyCAP_SYS_ADMIN
orCAP_PERFMON
).
For information on how to apply kernel command-line parameters, see Configuring kernel command-line parameters.
(BZ#2089409)
The osnoise
and timerlat
tracers were added in RHEL 8
The osnoise
tracer measures operating system noise. That is, the interruptions of applications by the OS and hardware interrupts. It also provides a set of tracepoints to help find the source of the OS noise. The timerlat
tracer measures the wakeup latencies and helps to identify the causes of such latencies of real-time (RT) threads. In RT computing, latency is absolutely crucial and even a minimal delay can be detrimental. The osnoise
and timerlat
tracers enable you to investigate and find causes of OS interference with applications and wakeup delay of RT threads.
(BZ#1979382)
The strace
utility can now display mismatches between the actual SELinux contexts and the definitions extracted from the SELinux context database
An existing --secontext
option of strace
has been extended with the mismatch
parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (!!
), first the actual context, then the expected one. In the examples below, the full,mismatch
parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary mismatch
, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.
[...] $ strace --secontext=full,mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ... $ strace --secontext=mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
SELinux context mismatches often cause access control issues associated with SELinux. The mismatches printed in the system call traces can significantly expedite the checks of SELinux context correctness. The system call traces can also explain specific kernel behavior with respect to access control checks.
The --cyclictest-threshold
option has been added to the rteval
utility
With this enhancement, the --cyclictest-threshold=USEC
option has been added to the rteval
test suite. Using this option you can specify a threshold value. The rteval
test run ends immediately if any latency measurements exceed this threshold value. When latency expectations are not met, the run aborts with a failure status.
4.10. File systems and storage
RHEL 8.6 is compatible with RHEL 9 XFS images
With this update, RHEL 8.6 is now able to use RHEL 9 XFS images. RHEL 9 XFS guest images must have bigtime
and inode btree counters (inobtcount
) on-disk capabilities allowed in order to mount the guest image with RHEL 8.6. Note that file systems created with bigtime
and inobtcount
features are not compatible with versions earlier than RHEL 8.6.
(BZ#2022903, BZ#2024201)
Options in Samba utilities have been renamed and removed for a consistent user experience
The Samba utilities have been improved to provide a consistent command-line interface. These improvements include renamed and removed options. Therefore, to avoid problems after the update, review your scripts that use Samba utilities, and update them, if necessary.
Samba 4.15 introduces the following changes to the Samba utilities:
- Previously, Samba command-line utilities silently ignored unknown options. To prevent unexpected behavior, the utilities now consistently reject unknown options.
-
Several command-line options now have a corresponding
smb.conf
variable to control their default value. See the man pages of the utilities to identify if a command-line option has ansmb.conf
variable name. -
By default, Samba utilities now log to standard error (
stderr
). Use the--debug-stdout
option to change this behavior. -
The
--client-protection=off|sign|encrypt
option has been added to the common parser. The following options have been renamed in all utilities:
-
--kerberos
to--use-kerberos=required|desired|off
-
--krb5-ccache
to--use-krb5-ccache=CCACHE
-
--scope
to--netbios-scope=SCOPE
-
--use-ccache
to--use-winbind-ccache
-
The following options have been removed from all utilities:
-
-e
and--encrypt
-
-C
removed from--use-winbind-ccache
-
-i
removed from--netbios-scope
-
-S
and--signing
-
To avoid duplicate options, certain options have been removed or renamed from the following utilities:
-
ndrdump
:-l
is no longer available for--load-dso
-
net
:-l
is no longer available for--long
-
sharesec
:-V
is no longer available for--viewsddl
-
smbcquotas
:--user
has been renamed to--quota-user
-
nmbd
:--log-stdout
has been renamed to--debug-stdout
-
smbd
:--log-stdout
has been renamed to--debug-stdout
-
winbindd
:--log-stdout
has been renamed to--debug-stdout
-
Compiler barrier changed to static inline function compiler_barrier
to avoid name conflict with function pointers
This enhancement provides additional features and a patch for a potential data corruption bug. The compiler barrier is now set to a static inline function compiler_barrier
. No name conflict occurs with the hardware store barrier, when implementing hardware fencing for non-temporal memcpy variants, while using a function pointer. As a result, RHEL 8.6 now includes pmdk
version 1.11.1.
(BZ#2009889)
4.11. High availability and clusters
The pcmk_delay_base
parameter may now take different values for different nodes
When configuring a fence device, you now can specify different values for different nodes with the pcmk_delay_base parameter
. This allows a single fence device to be used in a two-node cluster, with a different delay for each node. This helps prevent a situation where each node attempts to fence the other node at the same time. To specify different values for different nodes, you map the host names to the delay value for that node using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when fencing node1 and a 10-second delay when fencing node2.
Specifying automatic removal of location constraint following resource move
When you execute the pcs resource move
command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. A new --autodelete
option for the pcs resource move
command, previously available as a Technology Preview, is now fully supported. When you specify this option, the location constraint that the command creates is automatically removed once the resource has been moved.
(BZ#1990784)
Detailed Pacemaker status display for internal errors
If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is not installed or there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.
(BZ#1470834)
Support for special characters inside pcmk_host_map
values
The pcmk_host_map
property now supports special characters inside pcmk_host_map
values using a backslash (\) in front of the value. For example, you can specify pcmk_host_map="node3:plug\ 1"
to include a space in the host alias.
pcs
suppport for OCF Resource Agent API 1.1 standard
The pcs
command-line interface now supports OCF 1.1 resource and STONITH agents. An OCF 1.1 agent’s metadata must comply with the OCF 1.1 schema. If an OCF 1.1 agent’s metadata does not comply with the OCF 1.1 schema, pcs
considers the agent invalid and will not create or update a resource of the agent unless the --force
option is specified. The pcsd
Web UI and pcs
commands for listing agents omit OCF 1.1 agents with invalid metadata from the listing.
An OCF agent that declares that it implements any OCF version other than 1.1, or does not declare a version at all, is validated against the OCF 1.0 schema. Validation issues are reported as warnings, but for those agents it is not necessary to specify the --force
option when creating or updating a resource of the agent.
New fencing agent for OpenShift
The fence_kubevirt
fencing agent is now available for use with RHEL High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt
agent, see the fence_kubevirt
(8) man page.
4.12. Dynamic programming languages, web and database servers
A new module stream: php:8.0
RHEL 8.6 adds PHP 8.0
, which provides a number of bug fixes and enhancements over version 7.4
Notable enhancements include:
- New named arguments are order-independent and self-documented, and enable you to specify only required parameters.
- New attributes enable you to use structured metadata with PHP’s native syntax.
- New union types enable you to use native union type declarations that are validated at runtime instead of PHPDoc annotations for a combination of types.
- Internal functions now more consistently raise an Error exception instead of warnings if parameter validation fails.
- The Just-In-Time compilation has improved the performance.
-
The
Xdebug
debugging and productivity extension for PHP has been updated to version 3. This version introduces major changes in functionality and configuration compared toXdebug 2
.
To install the php:8.0
module stream, use:
# yum module install php:8.0
If you want to upgrade from the php:7.4
stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.
(BZ#1978356, BZ#2027285)
A new module stream: perl:5.32
RHEL 8.6 introduces Perl 5.32
, which provides a number of bug fixes and enhancements over Perl 5.30
distributed in RHEL 8.3.
Notable enhancement include:
-
Perl
now supports unicode version 13.0. -
The
qr
qoute-like operator has been enhanced. -
The
POSIX::mblen()
,mbtowc
, andwctomb
functions now work on shift state locales and are thread-safe on C99 and above compilers when executed on a platform that has locale thread-safety; the length parameters are now optional. -
The new experimental
isa
infix operator tests whether a given object is an instance of a given class or a class derived from it. - Alpha assertions are no longer experimental.
- Script runs are no longer experimental.
- Feature checks are now faster.
-
Perl
can now dump compiled patterns before optimization.
To upgrade from an earlier perl
module stream, see Switching to a later stream.
A new package: nginx-mod-devel
A new nginx-mod-devel
package has been added to the nginx:1.20
module stream. The package provides all necessary files, including RPM macros and nginx
source code, for building external dynamic modules for nginx
.
MariaDB Galera now includes an upstream version of the garbd
systemd service and a wrapper script
MariaDB 10.3 and MariaDB 10.5 in RHEL 8 include a Red Hat version of garbd
systemd service and a wrapper script for the galera
package in the /usr/lib/systemd/system/garbd.service
and /usr/sbin/garbd-wrapper
files, respectively.
In addition to the Red Hat version of these files, RHEL 8 now also provides an upstream version. The upstream files are located at /usr/share/doc/galera/garb-systemd
and /usr/share/doc/galera/garbd.service
.
RHEL 9 provides only the upstream version of these files, located at /usr/lib/systemd/system/garbd.service
and /usr/sbin/garb-systemd
.
4.13. Compilers and development tools
New command for capturing glibc
optimization data
The new ld.so --list-diagnostics
command captures data that influences glibc
optimization decisions, such as IFUNC selection and glibc-hwcaps
configuration, in a single machine-readable file.
glibc
string functions are now optimized for Fujitsu A64FX
With this update, glibc
string functions exhibit increased throughput and reduced latency on A64FX CPUs.
(BZ#1929928)
New UTF-8 locale en_US@ampm
with 12-hour clock
With this update, you can now use a new UTF-8 locale en_US@ampm
with a 12-hour clock. This new locale can be combined with other locales by using the LC_TIME
environment variable.
New location for libffi
's self-modifying code
With this update libffi
's self-modifying code takes advantage of a feature in the RHEL 8 kernel to create a suitable file independent of any file system. As a result, libffi
's self-modifying code no longer depends on making part of the filesystem insecure.
Updated GCC Toolset 11
GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream
repository.
Notable changes introduced with RHEL 8.6 include:
- The GCC compiler has been updated to version 11.2.1.
-
annobin
has been updated to version 10.23.
The following tools and versions are provided by GCC Toolset 10:
Tool | Version |
---|---|
GCC | 11.2.1 |
GDB | 10.2 |
Valgrind | 3.17.0 |
SystemTap | 4.5 |
Dyninst | 11.0.0 |
binutils | 2.36.1 |
elfutils | 0.185 |
dwz | 0.14 |
make | 4.3 |
strace | 5.13 |
ltrace | 0.7.91 |
annobin | 10.23 |
To install GCC Toolset 11, run the following command as root:
# yum install gcc-toolset-11
To run a tool from GCC Toolset 11:
$ scl enable gcc-toolset-11 tool
To run a shell session where tool versions from GCC Toolset 11 override system versions of these tools:
$ scl enable gcc-toolset-11 bash
For more information about usage, see Using GCC Toolset.
The GCC Toolset 11 components are available in the two container images:
-
rhel8/gcc-toolset-11-toolchain
, which includes the GCC compiler, the GDB debugger, and themake
automation tool. -
rhel8/gcc-toolset-11-perftools
, which includes the performance monitoring tools, such as SystemTap and Valgrind.
To pull a container image, run the following command as root:
# podman pull registry.redhat.io/<image_name>
Note that only the GCC Toolset 11 container images are now supported. Container images of earlier GCC Toolset versions are deprecated.
For details regarding the container images, see Using the GCC Toolset container images.
GDB disassembler now supports the new arch14 instructions
With this update, GDB is able to disassemble new arch14 instructions.
(BZ#2012818)
LLVM Toolset rebased to version 13.0.1
LLVM Toolset has been upgraded to version 13.0.1. Notable changes include:
-
Clang now supports guaranteed tail calls with statement attributes
[[clang::musttail]]
in C++ and__attribute__((musttail))
in C. -
Clang now supports the
-Wreserved-identifier
warning, which warns developers when using reserved identifiers in their code. -
Clang’s
-Wshadow
flag now also checks for shadowed structured bindings. -
Clang’s
-Wextra
now also impliesWnull-pointer-subtraction
.
(BZ#2001133)
Rust Toolset rebased to 1.58.1
The Rust Toolset
has been rebased to version 1.58.1. Notable changes include:
-
The Rust compiler now supports the 2021 edition of the language, featuring disjoint capture in closure,
IntoIterator
for arrays, a new Cargo feature resolver, and more. - Added Cargo support for new custom profiles.
- Cargo deduplicates compiler errors.
- Added new open range patterns.
- Added captured identifiers in format strings.
For further information, see:
(BZ#2002883)
Go Toolset rebased to version 1.17.7
Go Toolset has been upgraded to version 1.17.7. Notable changes include:
- Added an option to convert slices to array pointers.
- Added support for //go:build lines.
- Improvements to function call performance on amd64.
- Function arguments are formatted more clearly in stack traces.
- Functions containing closures can be inlined.
- Reduced resource consumption in x509 certificate parsing.
(BZ#2014088)
pcp
rebased to 5.3.5
The pcp
package has been rebased to version 5.3.5. Notable changes include:
-
Added new
pmieconf(1)
rules for CPU and disk saturation. -
Improved stability and scalability of
pmproxy(1)
service. -
Improved service latency and robustness of
pmlogger(1)
service. - Added new performance metrics related to electrical power.
-
Added new features in the
pcp-htop(1)
utility. -
Added new features in the
pcp-atop(1)
utility. - Updated Nvidia GPU metrics.
- Added new Linux kernel KVM and networking metrics.
- Added a new MongoDB metrics agent.
-
Added a new sockets metrics agent and
pcp-ss(1)
utility. -
Disabled
pmcd(1)
andpmproxy(1)
Avahi service advertising by default.
The grafana
package rebased to version 7.5.11
The grafana
package has been rebased to version 7.5.11. Notable changes include:
-
Added a new
prepare time series
transformation for backward compatibility of panels that do not support the new data frame format.
grafana-pcp
rebased to 3.2.0
The grafana-pcp
package has been rebased to version 3.2.0. Notable changes include:
- Added a new MS SQL server dashboard for PCP Redis.
- Added visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard.
-
Fixed a bug where the
metric()
function of PCP Redis did not return all metric names.
js-d3-flame-graph
rebased to 4.0.7
The js-d3-flame-graph
package has been rebased to version 4.0.7. Notable changes include:
- Added new blue and green color scheme.
- Added functionality to display flame graph context.
Power consumption metrics now available in PCP
The new pmda-denki
Performance Metrics Domain Agent (PMDA) reports metrics related to power consumption. Specifically, it reports:
- Consumption metrics based on Running Average Power Limit (RAPL) readings, available on recent Intel CPUs
- Consumption metrics based on battery discharge, available on systems which have a battery
(BZ#1629455)
A new module: log4j:2
A new log4j:2
module is now available in the AppStream repository. This module contains Apache Log4j 2
, which is a Java logging utility and a library enabling you to output log statements to a variety of output targets.
Log4j 2
provides significant improvements over Log4j 1
. Notably, Log4j 2
introduces enhancements to the Logback
framework and fixes some inherent problems in the Logback
architecture.
To install the log4j:2
module stream, use:
# yum module install log4j:2
(BZ#1937468)
4.14. Identity Management
ansible-freeipa
is now available in the AppStream repository with all dependencies
Previously in RHEL 8, before installing the ansible-freeipa
package, you first had to enable the Ansible repository and install the ansible
package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa
without any preliminary steps. Installing ansible-freeipa
automatically installs the ansible-core
package, a more basic version of ansible
, as a dependency. Both ansible-freeipa
and ansible-core
are available in the rhel-9-for-x86_64-appstream-rpms
repository.
ansible-freeipa
in RHEL 8.6 and RHEL 9 contains all the modules that it contained in RHEL 8.
(JIRA:RHELPLAN-100359)
IdM now supports the automountlocation
, automountmap
, and automountkey
Ansible modules
With this update, the ansible-freeipa
package contains the ipaautomountlocation
, ipaautomountmap
, and ipaautomountkey
modules. You can use these modules to configure directories to be mounted automatically for IdM users logged in to IdM clients in an IdM location. Note that currently, only direct maps are supported.
(JIRA:RHELPLAN-79161)
The support for managing subID ranges is available in the shadow-utils
Previously, shadow-utils
configured the subID ranges automatically from the /etc/subuid
and /etc/subgid
files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf
file by setting a value in the subid
field. For more information, see man subuid
and man subgid
. Also, with this update, an SSSD implementation of the shadow-utils
plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss
value to the /etc/nsswitch.conf
file. This solution might be useful in the containerized environment to facilitate rootless containers.
Note that in case the /etc/nsswitch.conf
file is configured by the authselect
tool, you must follow the procedures described in the authselect
documentation. When it is not the case, you can modify the /etc/nsswitch.conf
file manually.
(JIRA:RHELPLAN-103579)
An alternative to the traditional RHEL ansible-freeipa repository: Ansible Automation Hub
With this update, you can download ansible-freeipa
modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa
modules available in this repository.
In AAH, ansible-freeipa
roles and modules are distributed in the collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access the content on the AAH portal. You also need ansible
version 2.9 or later.
The redhat.rhel_idm
collection has the same content as the traditional ansible-freeipa
package. However, the collection format uses a fully qualified collection name (FQCN) that consists of a namespace and the collection name. For example, the redhat.rhel_idm.ipadnsconfig
module corresponds to the ipadnsconfig
module in ansible-freeipa
provided by a RHEL repository. The combination of a namespace and a collection name ensures that the objects are unique and can be shared without any conflicts.
(JIRA:RHELPLAN-103147)
ansible-freeipa modules can now be executed remotely on IdM clients
Previously, ansible-freeipa
modules could only be executed on IdM servers. This required your Ansible administrator to have SSH
access to your IdM server, causing a potential security threat. With this update, you can execute ansible-freeipa
modules remotely on systems that are IdM clients. As a result, you can manage IdM configuration and entities in a more secure way.
To execute ansible-freeipa
modules on an IdM client, choose one of the following options:
-
Set the
hosts
variable of the playbook to an IdM client host. -
Add the
ipa_context: client
line to the playbook task that uses theansible-freeipa
module.
You can set the ipa_context
variable to client
on an IdM server, too. However, the server context usually provides better performance. If ipa_context
is not set, ansible-freeipa
checks if it is running on a server or a client, and sets the context accordingly. Note that executing an ansible-freeipa
module with context
set to server
on an IdM client host raises an error of missing libraries
.
(JIRA:RHELPLAN-103146)
The ipadnsconfig
module now requires action: member
to exclude a global forwarder
With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa
ipadnsconfig
module requires using the action: member
option in addition to the state: absent
option. If you only use state: absent
in your playbook without also using action: member
, the playbook fails. Consequently, to remove all global forwarders, you must specify all of them individually in the playbook. In contrast, the state: present
option does not require action: member
.
Identity Management now supports SHA384withRSA signing by default
With this update, the Certificate Authority (CA) in IdM supports the SHA-384 With RSA Encryption signing algorithm. SHA384withRSA is compliant with the Federal Information Processing Standard (FIPS).
SSSD default SSH hashing value is now consistent with the OpenSSH setting
The default value of ssh_hash_known_hosts
has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default.
However, if you need to continue to hash host names, add ssh_hash_known_hosts = True
to the [ssh]
section of the /etc/sssd/sssd.conf
configuration file.
samba rebased to version 4.15.5
The samba packages have been upgraded to upstream version 4.15.5, which provides bug fixes and enhancements over the previous version:
- Options in Samba utilities have been renamed and removed for a consistent user experience
- Server multi-channel support is now enabled by default.
-
The
SMB2_22
,SMB2_24
, andSMB3_10
dialects, which were only used by Windows technical previews, have been removed.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Note that Red Hat does not support downgrading tdb
database files.
After updating Samba, verify the /etc/samba/smb.conf
file using the testparm
utility.
For further information about notable changes, read the upstream release notes before updating.
Directory Server rebased to version 1.4.3.28
The 389-ds-base
packages have been upgraded to upstream version 1.4.3, which provides a number of bug fixes and enhancements over the previous version:
- A potential deadlock in replicas has been fixed.
-
The server no longer terminates unexpectedly when the
dnaInterval
is set to0
. - The performance of connection handling has been improved.
-
Improved performance of
targetfilter
in access control instructions (ACI).
Directory Server now stores memory-mapped files of databases on a tmpfs
file system
In Directory Server, the nsslapd-db-home-directory
parameter defines the location of memory-mapped files of databases. This enhancement changes the default value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/
to /dev/shm/
. As a result, with the internal databases stored on a tmpfs
file system, the performance of Directory Server increases.
4.15. Desktop
Security classification banners at login and in the desktop session
You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.
The classification banners can appear in the following contexts, depending on your configuration:
- Within the running session
- On the lock screen
- On the login screen
The classification banners can take the form of either a notification that you can dismiss, or a permanent banner.
For more information, see Displaying the system security classification.
4.16. Graphics infrastructures
Intel Alder Lake-P GPUs are now supported
This release adds support for the Intel Alder Lake-P CPU microarchitecture with integrated graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:
- Intel Core i7-1280P
- Intel Core i7-1270P
- Intel Core i7-1260P
- Intel Core i5-1250P
- Intel Core i5-1240P
- Intel Core i3-1220P
Support for Alder Lake-P graphics is disabled by default. To enable it, add the following option to the kernel command line:
i915.force_probe=PCI_ID
Replace PCI_ID with either the PCI device ID of your Intel GPU, or with the *
character to enable support for all alpha-quality hardware that uses the i915
driver.
(BZ#1964761)
4.17. The web console
Smart card authentication for sudo and SSH from the web console
Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.
It is only possible to use one smart card to authenticate and gain sudo privileges. Using a separate smart card for sudo is not supported.
(JIRA:RHELPLAN-95126)
RHEL web console provides Insights registration by default
With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL system, the Connect this system to Red Hat Insights. check box is checked by default. If you do not want to connect to the Insights service, uncheck the box.
Cockpit now supports using an existing TLS certificate
With this enhancement, the certificate does not have strict file permission requirements any more (such as root:cockpit-ws 0640
), and thus it can be shared with other services.
(JIRA:RHELPLAN-103855)
4.18. Red Hat Enterprise Linux system roles
The Firewall RHEL system role has been added in RHEL 8
The rhel-system-roles.firewall
RHEL system role was added to the rhel-system-roles
package. As a result, administrators can automate their firewall settings for managed nodes.
(BZ#1854988)
Full Support for HA Cluster RHEL system role
The High Availability Cluster (HA Cluster) role, previously available as a Technology Preview, is now fully supported. The following notable configurations are available:
- Configuring fence devices, resources, resource groups, and resource clones including meta attributes and resource operations
- Configuring resource location constraints, resource colocation constraints, resource order constraints, and resource ticket constraints
- Configuring cluster properties
- Configuring cluster nodes, custom cluster names and node names
- Configuring multi-link clusters
- Configuring whether clusters start automatically on boot
Running the role removes any configuration not supported by the role or not specified when running the role.
The HA Cluster system role does not currently support SBD.
The Networking system role now supports OWE
Opportunistic Wireless Encryption (OWE) is a mode of opportunistic security for Wi-Fi networks that provides encryption of the wireless medium but no authentication, such as public hot spots. OWE uses encryption between Wi-Fi clients and access points, protecting them from sniffing attacks. With this enhancement, the Networking RHEL system role supports OWE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks which use OWE.
The Networking system role now supports SAE
In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL system role supports SAE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks, which use WPA-SAE.
The Cockpit RHEL system role is now supported
With this enhancement, you can install and configure the web console in your system. Consequently, you can manage web console in an automated manner.
Add support for raid_level
for LVM volumes
The Storage RHEL system role can now specify the raid_level
parameter for LVM volumes. As a result, LVM volumes can be grouped into RAIDs using the lvmraid
feature.
The NBDE client system role supports systems with static IP addresses
Previously, restarting a system with a static IP address and configured with the NBDE client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE client system role, and their IP addresses do not change after a reboot.
Support for cached volumes is available in the Storage system role
Storage RHEL system role can now create and manage cached LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD.
Support to add Elasticsearch
username and password for authentication from rsyslog
This update adds the Elasticsearch
username and password parameters to the logging
system role, to enable the rsyslog
to authenticate to Elasticsearch using username and password.
Ansible Core support for the RHEL system roles
As of RHEL 8.6 GA release, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must manually migrate their systems from Ansible Engine to Ansible Core.
For details on that, see Using Ansible in RHEL 8.6 and later.
The network
RHEL system role now supports both named
and numeric
routing tables in static routes.
This update adds support for both the named
and numeric
routing tables in static routes, which is a prerequisite for supporting the policy routing (for example, source routing). The users can define policy routing rules later to instruct the system which table to use to determine the correct route. As a result, after the user specifies the table
attribute in the route
, the system can add routes into the routing table.
The Certificate role consistently uses "Ansible_managed" comment in its hook scripts
With this enhancement, the Certificate role generates pre-scripts and post-scripts to support providers, to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable:
-
/etc/certmonger/pre-scripts/script_name.sh
-
/etc/certmonger/post-scripts/script_name.sh
The comment indicates that the script files should not be directly edited because the Certificate role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The Terminal session recording system role uses the "Ansible managed" comment in its managed configuration files
The Terminal session recording role generates 2 configuration files:
-
/etc/sssd/conf.d/sssd-session-recording.conf
-
/etc/tlog/tlog-rec-session.conf
With this update, the Terminal session recording role inserts the Ansible managed
comment into the configuration files, using the standard Ansible variable ansible_managed
. The comment indicates that the configuration files should not be directly edited because the Terminal session recording role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
Microsoft SQL system role now supports customized repository for disconnected or Satellite subscriptions
Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from Microsoft SQL Role . This update fixes it, by enabling users to provide a customized URL to use for RPM
key, client
and server
mssql repositories. If no URL is provided, the mssql
role uses the official Microsoft servers to download RPMs.
The Microsoft SQL system role consistently uses "Ansible_managed" comment in its managed configuration files
The mssql
role generates the following configuration file:
-
/var/opt/mssql/mssql.conf
With this update, the Microsoft SQL role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed
variable. The comment indicates that the configuration files should not be directly edited because the mssql
role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
Support to all bonding options added to the Networking system role
This update provides support to all bonding options to the Networking RHEL system role. Consequently, it enables you to flexibly control the network transmission over the bonded interface. As a result, you can control the network transmission over the bonded interface by specifying several options to that interface.
NetworkManager supports specifying a network card using its PCI address
Previously, during setting a connection profile, NetworkManager was only allowed to specify a network card using either its name or MAC address. In this case, the device name is not stable and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can specify a network card based on its PCI address in a connection profile.
(BZ#1695634)
A new option auto_gateway
controls the default route behavior
Previously, the DEFROUTE
parameter was not configurable with configuration files but only manually configurable by naming every route. This update adds a new auto_gateway
option in the ip
configuration section for connections, with which you can control the default route behavior. You can configure auto_gateway
in the following ways:
-
If set to
true
, default gateway settings apply to a default route. -
If set to
false
, the default route is removed. -
If unspecified, the
network
role uses the default behavior of the selectednetwork_provider
.
The VPN role consistently uses Ansible_managed
comment in its managed configuration files
The VPN role generates the following configuration file:
-
/etc/ipsec.d/mesh.conf
-
/etc/ipsec.d/policies/clear
-
/etc/ipsec.d/policies/private
-
/etc/ipsec.d/policies/private-or-clear
With this update, the VPN role inserts the Ansible managed
comment to the configuration files, using the Ansible standard ansible_managed
variable. The comment indicates that the configuration files should not be directly edited because the VPN role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
New source
parameter in the Firewall system role
You can now use the source
parameter of the Firewall system role to add or remove sources in the firewall configuration.
The Networking system role now uses the ‘Ansible managed’ comment in its managed configuration files
When using the initscripts
provider, the Networking system role now generates commented ifcfg
files in the /etc/sysconfig/network-scripts
directory. The Networking role inserts the Ansible managed
comment using the Ansible standard ansible_managed
variable. The comment declares that an ifcfg
file is managed by Ansible, and indicates that the ifcfg
file should not be edited directly as the Networking role will overwrite the file. The Ansible managed
comment is added when the provider is initscripts
. When using the Networking role with the nm
(NetworkManager) provider, the ifcfg
file is managed by NetworkManager and not by the Networking role.
The Firewall system role now supports setting the firewall default zone
You can now set a default firewall zone in the Firewall system role. Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. Firewall rules for each zone are managed independently enabling the administrator to define complex firewall settings and apply them to the traffic. This feature allows setting the default zone used as the default zone to assign interfaces to, same as firewall-cmd --set-default-zone zone-name
.
The Metrics system role now generates files with the proper ansible_managed
comment in the header
Previously, the Metrics role did not add an ansible_managed
header comment to files generated by the role. With this fix, the Metrics role adds the ansible_managed
header comment to files it generates, and as a result, users can easily identify files generated by the Metrics role.
The Postfix system role now generates files with the proper ansible_managed
comment in the header
Previously, the Postfix role did not add an ansible_managed
header comment to files generated by the role. With this fix, the Postfix role adds the ansible_managed
header comment to files it generates, and as a result, users can easily identify files generated by the Postfix role.
4.19. Virtualization
Mediated devices are now supported by virtualization CLIs on IBM Z
Using virt-install
or virt-xml
, you can now attach mediated devices to your virtual machines (VMs), such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install
, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 8 guide.
(BZ#1995125)
Virtualization support for Intel Atom P59 series processors
With this update, virtualization on RHEL 8 adds support for the Intel Atom P59 series processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 8 can now use the Snowridge
CPU model and utilise new features that the processors provide.
(BZ#1662007)
ESXi hypervisor and SEV-ES is now fully supported
You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported.
(BZ#1904496)
Windows 11 and Windows Server 2022 guests are supported
RHEL 8 now supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM virtual machines.
(BZ#2036863, BZ#2004162)
4.20. RHEL in cloud environments
RHEL 8 virtual machines are now supported on certain ARM64 hosts on Azure
Virtual machines that use RHEL 8.6 or later as the guest operating system are now supported on Microsoft Azure hypervisors running on Ampere Altra ARM-based processors.
(BZ#1949614)
New SSH module for cloud-init
With this update, an SSH module has been added to the cloud-init
utility, which automatically generates host keys during instance creation.
Note that with this change, the default cloud-init
configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.
Otherwise, cloud-init
creates an image which fails to start the sshd
service. If this occurs, do the following to work around the problem:
Make sure the
/etc/cloud/cloud.cfg
file contains the following line:ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
-
Check whether
/etc/ssh/ssh_host_*
files exist in the instance. If the
/etc/ssh/ssh_host_*
files do not exist, use the following command to generate host keys:cloud-init single --name cc_ssh
Restart the sshd service:
systemctl restart sshd
(BZ#2115791)
cloud-init
supports user data on Microsoft Azure
The --user-data
option has been introduced for the cloud-init
utility. Using this option, you can pass scripts and metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 8 virtual machine on Azure.
(BZ#2023940)
cloud-init
supports the VMware GuestInfo datasource
With this update, the cloud-init
utility is able to read the datasource for VMware guestinfo data. As a result, using cloud-init
to set up RHEL 8 virtual machines on VMware vSphere is now more efficient and reliable.
(BZ#2026587)
4.21. Supportability
A new package: rig
RHEL 8 introduces the rig
package, which provides the rig
system monitoring and event handling utility.
The rig
utility is designed to assist system administrators and support engineers in diagnostic data collection for issues that are seemingly random in their occurrence, or occur at inopportune times for human intervention.
(BZ#1888705)
sos report
now offers an estimate mode run
This sos report
update adds the --estimate-only
option with which you can approximate the disk space required for collecting an sos
report from a RHEL server. Running the sos report --estimate-only
command:
-
executes a dry run of
sos report
- mimics all plugins consecutively and estimates their disk size.
Note that the final disk space estimation is very approximate. Therefore, it is recommended to double the estimated value.
(BZ#1873185)
Red Hat Support Tool
now uses Hydra APIs
The Red Hat Support Tool
has moved from the deprecated Strata APIs to the new Hydra APIs. This has no impact on functionality. However, if you have configured the firewall to allow only the Strata API /rs/
path explicitly, update it to /support/
to ensure the firewall works correctly.
In addition, due to this change, you can now download files greater than 5 GB when using the Red Hat Support Tool
.
Red Hat Support Tool
now supports Red Hat Secure FTP
When using Red Hat Support Tool
, you can now upload files to the case by the Red Hat Secure FTP
. Red Hat Secure FTP
is a more secure replacement of the deprecated Dropbox
utility that Red Hat Support Tool
used to support in its earlier versions.
Red Hat Support Tool
now supports S3 APIs
The Red Hat Support Tool
now uses S3 APIs to upload files to the Red Hat Technical Support case. As a result, users can upload a file greater than 1 GB to the case directly.
(BZ#1767195)
4.22. Containers
container-tools:4.0
stable stream is now available
The container-tools:4.0
stable module stream, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and enhancements over the previous version.
For instructions on how to upgrade from an earlier stream, see Switching to a later stream.
(JIRA:RHELPLAN-100175)
The NFS storage is now available
You can now use the NFS file system as a backend storage for containers and images if your file system has xattr support.
(JIRA:RHELPLAN-75169)
The container-tools:rhel8
module has been updated
The container-tools:rhel8
module, which contains the Podman, Buildah, Skopeo, crun, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.
Notable changes include:
- Due to the changes in the network stack, containers created by Podman v3 and earlier will not be usable in v4.0
- The native overlay file system is usable as a rootless user
- Support for NFS storage within a container
- Downgrading to earlier versions of Podman is not supported unless all containers are destroyed and recreated
Podman tool has been upgraded to version 4.0, for further information about notable changes, see the upstream release notes.
(JIRA:RHELPLAN-100174)
Universal Base Images are now available on Docker Hub
Previously, Universal Base Images were only available from the Red Hat container catalog. With this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image.
(JIRA:RHELPLAN-101137)
A podman
container image is now available
The registry.redhat.io/rhel8/podman
container image, previously available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman
container image is a containerized implementation of the podman
package. The podman
tool manages containers and images, volumes mounted into those containers, and pods made of groups of containers.
(JIRA:RHELPLAN-57941)
Podman now supports auto-building and auto-running pods using a YAML file
The podman play kube
command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.
(JIRA:RHELPLAN-108830)
Podman now has ability to source subUID and subGID ranges from IdM
The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid
and /etc/subgid
files onto every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf
file and add sss
to the services map line: services: files sss
.
For more details, see Managing subID ranges manually in IdM documentation.
(JIRA:RHELPLAN-101133)
The openssl
container image is now available
The openssl
image provides an openssl
command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.
The openssl
container image is available in these repositories:
- registry.redhat.io/rhel8/openssl
- registry.access.redhat.com/ubi8/openssl
(JIRA:RHELPLAN-101138)
Netavark network stack is now available
The new network stack available starting with Podman 4.1.1-7 consists of two tools, the Netavark network setup tool and the Aardvark DNS server. The Netavark stack, previously available as a Technology Preview, is with the release of the RHBA-2022:7127 advisory fully supported.
This network stack has the following capabilities:
- Configuration of container networks using the JSON configuration file
- Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
- Configuring firewall settings, such as network address translation (NAT) and port mapping rules
- IPv4 and IPv6
- Improved capability for containers in multiple networks
- Container DNS resolution using the aardvark-dns project
You have to use the same version of Netavark stack and the Aardvark authoritative DNS server.
(JIRA:RHELPLAN-137623)
Podman now supports the --health-on-failure
option
With the release of the RHBA-2022:7127 advisory. the podman run
and podman create
commands now support the --health-on-failure
option to determine the actions to be performed when the status of a container becomes unhealthy.
The --health-on-failure
option supports four actions:
-
none
: Take no action, this is the default action. -
kill
: Kill the container. -
restart
: Restart the container. -
stop
: Stop the container.
Do not combine the restart
action with the --restart
option. When running inside of a systemd unit, consider using the kill
or stop
action instead to make use of systemd’s restart policy.