Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.7.
4.1. Installer and image creation
Automatic FCP SCSI LUN scanning support in installer
The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is not disabled through the zfcp.allow_lun_scan
kernel module parameter. It is enabled by default. It provides access to all SCSI devices found in the storage area network attached to the FCP device with the specified device bus ID. It is not necessary to specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID.
(BZ#1497089)
Image builder on-premise now supports the /boot
partition customization
Image builder on-premise version now supports building images with custom /boot
mount point partition size. You can specify the size of the /boot
mount point partition in the blueprint customization, to increase the size of the /boot
partition in case the default boot partition size is too small. For example:
[[customizations.filesystem]] mountpoint = "/boot" size = "20 GiB"
(JIRA:RHELPLAN-130379)
Image builder on-premise now supports uploading images to GCP
With this enhancement, you can use image builder CLI to build a gce
image, providing credentials for the user or service account that you want to use to upload the images. As a result, image builder creates the image and then uploads the gce
image directly to the GCP environment that you specified.
Image builder on-premise CLI supports pushing a container image directly to a registry
With this enhancement, you can push RHEL for Edge container images directly to a container registry after it has been built, using the image builder CLI. To build the container image:
- Set up an upload provider and optionally, add credentials.
Build the container image, passing the container registry and the repository to
composer-cli
as arguments.After the image is ready, it is available in the container registry you set up.
(JIRA:RHELPLAN-130376)
Image builder on-premise users now customize their blueprints during the image creation process
With this update, the Edit Blueprint page was removed to unify the user experience in the image builder service and in the image builder app in cockpit-composer
. Users can now create their blueprints and add their customization, such as adding packages, and create users, during the image creation process. The versioning of blueprints has also been removed so that blueprints only have one version: the current one. Users have access to older blueprint versions through their already created images.
(JIRA:RHELPLAN-122735)
4.2. Shells and command-line tools
Cronie
adds support for a randomized time within a selected range
The Cronie
utility now supports the ~
(random within range) operator for cronjob execution. As a result, you can start a cronjob on a randomized time within the selected range.
A new package: xmlstarlet
XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, and editing XML files. The new xmlstarlet
package offers a simple set of shell commands that you can use in a similar way as you use UNIX commands for plain text files like grep
, sed
, awk
, diff
, patch
, join
and other.
(BZ#1882020)
ReaR adds new variables for executing commands before and after recovery
With this enhancement, ReaR introduces two new variables for easier automation of commands to be executed before and after recovery:
-
PRE_RECOVERY_COMMANDS
accepts an array of commands. These commands will be executed before recovery starts. -
POST_RECOVERY_COMMANDS
accepts an array of commands. These commands will be executed after recovery finishes.
These variables are an alternative to PRE_RECOVERY_SCRIPT
and POST_RECOVERY_SCRIPT
with the following differences:
-
The earlier
PRE_RECOVERY_SCRIPT
andPOST_RECOVERY_SCRIPT
variables accept a single shell command. To pass multiple commands to these variables, you must separate the commands by semicolons. -
The new
PRE_RECOVERY_COMMANDS
andPOST_RECOVERY_COMMANDS
variables accept arrays of commands, and each element of the array is executed as a separate command.
As a result, providing multiple commands to be executed in the rescue system before and after recovery is now easier and less error-prone.
For more information, see the default.conf
file.
libva
rebased to version 2.13.0
The libva
library for video acceleration API has been updated to version 2.13.0. Notable improvements and new features include:
-
Two new FourCC video coding formats:
X2R10G10B10
andX2B10G10R10
for capturing, processing, and displaying video in the 10-bit RGB format (excluding Alpha). -
The VAAPI driver mapping for
iris
andcrocus
DRI drivers. -
The
vaSyncBuffer
function for output buffers synchronization. -
The
vaCopy
interface to copy surface and buffer. - The LibVA Protected Content API for digital rights management (DRM) protected video.
- The 3DLUT Filter in Video Processing, which maps input colors to new output values.
powerpc-utils
rebased to version 1.3.10
The powerpc-utils
package, which provides various utilities for a PowerPC platform, has been updated to version 1.3.10. Notable improvements include:
-
Added the capability to parsing the Power architecture platform reference (PAPR) information for energy and frequency in the
ppc64_cpu
tool. -
Improved the
lparstat
utility to display enhanced error messages, when thelparstat -E
command fails on max config systems. Thelparstat
command reports logical partition-related information. -
Fixed reported online memory in legacy format in the
lparstat
command. -
Added support for the
acc
command for changing the quality of service credits (QoS) dynamically for the NX GZIP accelerator. -
Added improvements to format specifiers in
printf()
andsprintf()
calls. The
hcnmgr
utility, which provides the HMC tools to hybrid virtual network, includes following enhancements:-
Added the
wicked
feature to the Hybrid Network VirtualizationHNV FEATURE
list. Thehcnmgr
utility supports wicked hybrid network virtualization (HNV) to use thewicked
functions for bonding. -
hcnmgr
maintains anhcnid
state for later cleanup. -
hcnmgr
excludes NetworkManager (NM)nmcli
code. -
The NM HNV
primary slave
setting was fixed. -
hcnmgr
supports the virtual Network Interface Controller (vNIC) as a backup device.
-
Added the
-
Fixed the invalid hexadecimal numbering system message in
bootlist
. -
The
-l
flag included inkpartx
utility as-p
delimiter value in thebootlist
command. -
Fixes added to
sslot
utility to prevent memory leak when listing IO slots. -
Added the DRC type description strings for the latest peripheral component interconnect express (PCIe) slot types in the
lsslot
utility. -
Fixed the invalid config address to RTAS in
errinjct
tool. -
Added support for non-volatile memory over fabrics (NVMf) devices in the
ofpathname
utility. The utility provides a mechanism for converting a logical device name to an open firmware device path and the other way round. -
Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) mode in the
ofpathname
utility. -
Installed
smt.state
file as a configuration file.
(BZ#2051330)
opencryptoki
rebased to version 3.18.0
The opencryptoki
package, which is an implementation of the Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable improvements include:
- Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
- Added support for restricting usage of mechanisms and keys with a global policy.
- Added support for statistics counting of mechanism usage.
-
The
ICA/EP11
tokens now supportlibica
library version 4. -
The
p11sak
tool enables setting different attributes for public and private keys. -
The
C_GetMechanismList
does not returnCKR_BUFFER_TOO_SMALL
in the EP11 token.
openCryptoki
supports two different token data formats:
- the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1)
- the new data format, which uses FIPS-approved algorithms only.
The earlier data format no longer works because the FIPS provider allows the use of only FIPS-approved algorithms.
To make openCryptoki work on RHEL 8, migrate the tokens to use the new data format before enabling FIPS mode on the system. This is necessary because the earlier data format is still the default in openCryptoki 3.17
. Existing openCryptoki
installations that use the earlier token data format will no longer function when the system is changed to FIPS-enabled.
You can migrate the tokens to the new data format by using the pkcstok_migrate
utility, which is provided with openCryptoki
. Note that pkcstok_migrate
uses non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS mode on the system. For additional information, see Migrating to FIPS compliance - pkcstok_migrate utility.
(BZ#2043845)
The Redfish modules are now part of the redhat.rhel_mgmt
Ansible collection
The redhat.rhel_mgmt
Ansible collection now includes the following modules:
-
redfish_info
-
redfish_command
-
redfish_config
With that, users can benefit from the management automation, by using the Redfish modules to retrieve server health status, get information about hardware and firmware inventory, perform power management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, and perform firmware updates.
sysctl
now matches the systemd
directory order
The configuration directory order of the sysctl
utility is now synchronized with the systemd-sysctl
directory order. The configuration directory examines and changes kernel parameters at runtime. The configuration files in /etc/sysctl.d
directory have higher priority than configuration files in /run/sysctl.d
, and no more disruptions to the precedence of files between sysctl
and systemd
happen.
4.3. Infrastructure services
chrony
rebased to version 4.2
The chrony
suite has been updated to version 4.2. Notable enhancements over version 4.1 include:
- The server interleaved mode has been improved to be more reliable and support multiple clients behind a single address translator (Network Address Translation - NAT).
-
Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has been added to improve time synchronization stability and precision of estimated errors. You can enable this field, which extends the capabilities of the protocol NTPv4, by using the
extfield F323
option. -
Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been added to enable full hardware timestamping on Network Interface Cards (NIC) that have timestamping limited to PTP packets. You can enable NTP over PTP by using the
ptpport 319
directive.
unbound
rebased to version 1.16.2
The unbound
component has been updated to version 1.16.2. unbound
is a validating, recursive, and caching DNS resolver. Notable improvements include:
-
With the ZONEMD Zone Verification with
RFC 8976
support, recipients can now verify the zone contents for data integrity and origin authenticity. -
With
unbound
, you can now configure persistent TCP connections. -
The SVCB and HTTPS types and handling according to the Service binding and parameter specification via the DNS
draft-ietf-dnsop-svcb-https
document were added. -
unbound
takes the default TLS ciphers from crypto policies. -
You can use a Special-Use Domain
home.arpa.
according to theRFC8375
. This domain is designated for non-unique use in residential home networks. -
unbound
now supports selective enabling oftcp-upstream
queries for stub or forward zones. -
The default of
aggressive-nsec
option is nowyes
. -
The
ratelimit
logic was updated. -
You can use a new
rpz-signal-nxdomain-ra
option for unsetting theRA
flag when a query is blocked by an Unbound response policy zone (RPZ) nxdomain reply. -
With the basic support for Extended DNS Errors (EDE) according to the
RFC8914
, you can benefit from additional error information.
4.4. Security
NSS no longer support RSA keys shorter than 1023 bits
The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:
- Generate RSA keys shorter than 1023 bits.
- Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
- Encrypt or decrypt values with RSA key shorter than 1023 bits.
SCAP Security Guide rebased to 0.1.63
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This version provides various enhancements and bug fixes, most notably:
-
New compliance rules for
sysctl
,grub2
,pam_pwquality
, and build time kernel configuration were added. -
Rules hardening the PAM stack now use
authselect
as the configuration tool. Note: With this change the rules hardening the PAM stack will not be applied if the PAM stack was edited by other means.
SSG CIS profiles aligned to the CIS RHEL 8 benchmark 2.0.0
The SCAP Security Guide (SSG) now contains changes that align the Center for Internet Security (CIS) profiles with CIS Red Hat Enterprise Linux 8 Benchmark version 2.0.0. This version of the benchmark adds new requirements, removed requirements that are no longer relevant, and reordered some existing requirements. The update impacts the references in the relevant rules and the accuracy of the respective profiles.
The RHEL 8 STIG profile is now better aligned with the DISA STIG content
The DISA STIG for Red Hat Enterprise Linux 8 profile (xccdf_org.ssgproject.content_profile_stig
) available in the scap-security-guide
(SSG) package can be used to evaluate systems according to the Security Technical Implementation Guides (STIG) by the Defense Information Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might need to evaluate them using DISA STIG automated content. With this update, the DISA STIG RHEL 8 profile is better aligned with DISA’s content. This leads to fewer findings against DISA content after SSG remediation.
Note that the evaluations of the following rules still diverge:
-
SV-230264r627750_rule - CCE-80790-9 (
ensure_gpgcheck_globally_activated
) -
SV-230349r833388_rule - CCE-82266-8 (
configure_bashrc_exec_tmux
) -
SV-230311r833305_rule - CCE-82215-5 (
sysctl_kernel_core_pattern
) -
SV-230546r833361_rule - CCE-80953-3 (
sysctl_kernel_yama_ptrace_scope
) -
SV-230287r743951_rule - CCE-82424-3 (
file_permissions_sshd_private_key
) -
SV-230364r627750_rule - CCE-82472-2 (
accounts_password_set_min_life_existing
) -
SV-230343r743981_rule - CCE-86107-0 (
account_passwords_pam_faillock_audit
)
(BZ#1967947)
SSG rules for mount options no longer fail incorrectly if the /tmp
and /var/tmp
partitions do not exist
Previously, the SCAP Security Guide (SSG) rules for mount options of /tmp
and /var/tmp
partitions were incorrectly reporting the fail
result if such partitions did not exist on the system.
This enhancement makes those rules not applicable instead of failing. Now, the rules fail only when the partition exists and the system does not have correct mount options.
If these mount options are essential for a particular policy, a rule that prescribes the existence of such partitions should be present in the profile, and that one rule should fail.
STIG security profile updated to version V1R7
The DISA STIG for Red Hat Enterprise Linux 8
profile in the SCAP Security Guide has been updated to align with the latest version V1R7
.
The profile is more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense Information Systems Agency (DISA). This iteration brings updates to align the sysctl
content to the new STIG.
You should use only the current version of this profile because older versions are no longer valid.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
clevis-luks-askpass
is now enabled by default
The /lib/systemd/system-preset/90-default.preset
file now contains the enable clevis-luks-askpass.path
configuration option and the installation of the clevis-systemd
sub-package ensures that the clevis-luks-askpass.path
unit file is enabled. This enables the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path
command to enable Clevis to unlock such volumes.
Added a maximum size option for Rsyslog error files
Using the new action.errorfile.maxsize
option, you can specify a maximum number of bytes of the error file for the Rsyslog log processing system. When the error file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. This prevents the error file from filling up the file system and making the host unusable.
fapolicyd
rebased to 1.1.3
The fapolicyd
packages have been upgraded to version 1.1.3. Notable improvements and bug fixes include:
- Rules can now contain the new subject PPID attribute, which matches the parent PID (process ID) of a subject.
- The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash computations.
-
The
fagenrules --load
command now works correctly.
4.5. Networking
The save speed of large iptables
rule sets has been improved
This enhancement optimizes the iptables-save
utility to reduce the overhead when saving large rule sets. The utility has been improved when reading entries from the /etc/protocols
file, and it no longer searches for extension shared object files in cases where this is not necessary. As a result, the run time of iptables-save
has been significantly improved when you save large rule sets in environments with high storage access delays.
(BZ#2058444)
NetworkManager rebased to version 1.40
The NetworkManager
packages have been upgraded to upstream version 1.40, which provides a number of enhancements and bug fixes over the previous version:
-
The device state files in the
/run/NetworkManager/devices/
directory now have new sections,[dhcp4]
and[dhcp6]
, which contain the DHCP options of the current lease. -
NetworkManager supports setting an IPv6 Maximum Transmission Unit (MTU) in the
ipv6.mtu
property of connections. -
NetworkManager uses the
nm.debug
kernel command line option to enable debug logging. - Carrier detection has been improved.
- NetworkManager now restarts the DHCP client for a connection if the MAC address changes on a device.
- Wifi hotspots now use a stable random channel number unless you select a specific channel.
-
NetworkManager now disables the Wi-Fi Protected Access 3 (WPA3) transition mode if you set the
wifi.key-mgmt
property towpa-psk
and the network interface does not support Protected Management Frames (PMF). The transition mode caused problems in certain setups in this scenario. To explicitly enable the WPA3 transitioning mode, setwifi.key-mgmt
tosae
. - NetworkManager now shortens an excessively long hostname received from a DHCP server to the first dot or to 64 characters.
For further information about notable changes, read the upstream release notes.
cloud-init
updates network configuration at every boot on Microsoft Azure
Microsoft Azure does not change the instance ID when an administrator updates the network interface configuration while a VM is offline. With this enhancement, the cloud-init
service always updates the network configuration when the VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings.
As a consequence, if you manually configure settings on interfaces, such as an additional search domain, cloud-init
may override them when you reboot the VM. For further details and a workaround, see the cloud-init-22.1-5 updates network config on every boot solution.
NetworkManger now stores DHCP lease information in the /run/NetworkManager/devices/
directory
NetworkManager now stores lease information from the DHCP server in the /run/NetworkManager/devices/
directory. Previously, the file-based API was not available and this information was only visible in the output of the nmcli -f all devices show DEVICE
command. With this enhancement, other utilities and scripts can access DHCP options without calling nmcli
.
4.6. Kernel
Kernel version in RHEL 8.7
Red Hat Enterprise Linux 8.7 is distributed with the kernel version 4.18.0-425.
The default mitigation of SSBD
and STIBP
has been changed
The default mitigation of the spec_store_bypass_disable
(SSBD
) and spectre_v2_user
(STIBP
) boot parameters has been changed from the seccomp
mode to prctl
. With this update, performance of containers and applications under the control of seccomp
improves.
(BZ#2101938)
The vmcore
dump file generates correctly on the debug kernel variant
With this update, the kdump
mechanism now uses the same version of the non-debug kernel as the capture kernel when the current kernel is debug variant. By using a non-debug kernel as the capture kernel, kdump
consumes less memory than the debug variant. As a result, kdump
generates the vmcore
file correctly and captures the memory contents of the crashed kernel.
(BZ#2006000)
Intel E800 devices now support iWARP and RoCE protocols
With this enhancement, you can now use the enable_iwarp
and enable_roce
devlink parameters to turn on and off iWARP or RoCE protocol support. With this mandatory feature, you can configure the device with one of the protocols. The Intel E800 devices do not support both protocols simultaneously on the same port.
To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of the card:
$ lspci | awk '/E810/ {print $1}' 44:00.0 44:00.1 $
Then enable, or disable, the protocol. You can use use pci/0000:44:00.0
for the first port, and pci/0000:44:00.1
for second port of the card as argument to the devlink command
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime $ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime
To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the card as shown above. Then use one of the following commands:
$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime $ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime
(BZ#2096127)
4.7. Boot loader
GRUB is signed by new keys
Due to security reasons, GRUB is now signed with new keys. As a consequence, if you are using RHEL on the little-endian variant of IBM POWER with the Secure Boot feature enabled, you must update the firmware to version FW1010.30 (or later) or FW1020 to be able to boot.
(BZ#2074762)
Configurable disk access retries when booting a VM on IBM POWER
You can now configure how many times the GRUB boot loader retries accessing a remote disk when a logical partition (lpar
) virtual machine (VM) boots on the IBM POWER architecture. Lowering the number of retries can prevent a slow boot in certain situations.
Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused problems if you performed a Live Partition Mobility (LPM) migration on an lpar
system that connected to slow Storage Area Network (SAN) disks. As a consequence, the boot might have taken very long on the system until the 20 retries finished.
With this update, you can now configure and decrease the number of disk access retries using the ofdisk_retries
GRUB option. For details, see Configure disk access retries when booting a VM on IBM POWER.
As a result, the lpar
boot is no longer slow after LPM on POWER, and the lpar
system boots without the failed disks.
4.8. File systems and storage
nfsrahead
has been added to RHEL 8
With the introduction of the nfsrahead
tool, you can use it to modify the readahead
value for NFS mounts, and thus affect the NFS read performance.
(BZ#1946283)
rpcctl
command now displays SunRPC connection information
With this update, you can use the rpcctl
command to display the information collected in the SunRPC sysfs
files about the system’s SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the sysfs
file system.
(BZ#2087187)
multipath.conf
can now include protocol-specific configuration overrides in DM Multipath
You can access paths of multipath devices through various protocols. Because various protocols can have various optimal configurations, it was previously not possible to set the optimal configuration for all protocols in the Device Mapper Multipath feature without a per-protocol option. With this enhancement, you can include protocol-specific configuration overrides in the multipath.conf
file. As a result, you can now configure multipath device paths on a per-protocol basis, allowing for the correct configuration of multipath devices accessible through multiple protocols.
multipathd
now supports detecting FPIN-Li events
When you add a new value fpin
for the marginal_pathgroups
config option, you enable multipathd
to monitor the Link Integrity Fabric Performance Impact Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. With the fpin
value set, multipathd
overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to identify link integrity issues.
With this enhancement, the multipathd
method becomes more robust in detecting marginal paths on Fibre Channel fabrics that can issue PFIN-Li events.
4.9. High availability and clusters
pcs
command-line supports updating multipath SCSI devices without requiring a system restart
You can now update multipath SCSI devices with the pcs stonith update-scsi-devices
command. This command updates SCSI devices without causing a restart of other cluster resources running on the same node.
Support for cluster UUID
During cluster setup, the pcs
command now generates a UUID for every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster UUID to identify clusters with the same name when you administer multiple clusters.
You can display the current cluster UUID with the pcs cluster config [show]
command. You can add a UUID to an existing cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate
command.
The multiple-active
resource parameter now accepts a value of stop_unexpected
The multiple-active
resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. With this update, the multiple-active
resource parameter accepts a value of stop_unexpected
, which allows you to specify that only unexpected instances of a multiply-active resource are stopped. It is the user’s responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.
New allow-unhealthy-node
Pacemaker resource meta-attribute
Pacemaker now supports the allow-unhealthy-node
resource meta-attribute. When this meta-attribute is set to true
, the resource is not forced off a node due to degraded node health. When health resources have this attribute set, the cluster can automatically detect if the node’s health recovers and move resources back to it.
Support for High Availability on Red Hat OpenStack platform
You can now configure a high availability cluster on the Red Hat OpenStack platform. In support of this feature, Red Hat provides the following new cluster agents:
-
fence_openstack
: fencing agent for HA clusters on OpenStack -
openstack-info
: resource agent to configure theopenstack-info
cloned resource, which is required for an HA cluster on OpenStack -
openstack-virtual-ip
: resource agent to configure a virtual IP address resource -
openstack-floating-ip
: resource agent to configure a floating IP address resource -
openstack-cinder-volume
: resource agent to configure a block storage resource
Pacemaker now supports specifying Access Control Lists (ACLs) for system groups
Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler and would comform better with local policies to specify ACLs for a system group, and to have them apply to all users in that group. The pcs acl group
command was present in earlier releases but had no effect. Now, users can now specify ACLs for a system group using this command.
New pcs stonith config
command option to display the pcs
commands that re-create configured fence devices
The pcs stonith config
command now accepts the --output-format=cmd
option. Specifying this option displays the pcs
commands you can use to re-create configured fence devices on a different system.
New pcs resource config
command option to display the pcs
commands that re-create configured resources
The pcs resource config
command now accepts the --output-format=cmd
option. Specifying this option displays the pcs
commands you can use to re-create configured resources on a different system.
4.10. Dynamic programming languages, web and database servers
The nodejs:18
module stream is now fully supported
The nodejs:18
module stream, previously available as a Technology Preview, is fully supported with the release of the RHSA-2022:8833 advisory. The nodejs:18
module stream now provides Node.js 18.12
, which is a Long Term Support (LTS) version.
Node.js 18
included in RHEL 8.7 provides numerous new features together with bug and security fixes over Node.js 16
available since RHEL 8.5.
Notable changes include:
-
The
V8
engine has been upgraded to version 10.2. -
The
npm
package manager has been upgraded to version 8.18.0. -
Node.js
now provides a new experimentalfetch
API. -
Node.js
now provides a new experimentalnode:test
module, which facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format. -
Node.js
now prefers IPv6 addresses over IPv4.
To install the nodejs:18
module stream, use:
# yum module install nodejs:18
If you want to upgrade from the nodejs:16
stream, see Switching to a later stream.
(BZ#2083073)
nodejs:18
rebased to version 18.14 with npm
rebased to version 9
Node.js 18.14
, released in RHSA-2023:1583, includes a SemVer major upgrade of npm
from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm
configuration.
Notably, auth-related settings that are not scoped to a specific registry are no longer supported. This change was made for security reasons. If you used unscoped authentication configurations, the supplied token was sent to every registry listed in the .npmrc
file.
If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc
file.
If you have configuration lines using _auth
, such as //registry.npmjs.org/:_auth
in your .npmrc
files, replace them with //registry.npmjs.org/:_authToken=${NPM_TOKEN}
and supply the scoped token that you generated.
For a complete list of changes, see the upstream changelog.
A new module stream: ruby:3.1
RHEL 8.7 introduces Ruby 3.1.2
in a new ruby:3.1
module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.0
distributed with RHEL 8.5.
Notable enhancements include:
-
The
Interactive Ruby
(IRB) utility now provides an autocomplete feature and a documentation dialog -
A new
debug
gem, which replaceslib/debug.rb
, provides improved performance, and supports remote debugging and multi-process/multi-thread debugging -
The
error_highlight
gem now provides a fine-grained error location in the backtrace - Values in the hash literal data types and keyword arguments can now be omitted
-
The pin operator (
^
) now accepts an expression in pattern matching - Parentheses can now be omitted in one-line pattern matching
- YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures
-
The
TypeProf For IDE
utility has been introduced, which is an experimental static type analysis tool forRuby
code in IDEs
The following performance improvements have been implemented in Method Based Just-in-Time Compiler (MJIT):
-
For workloads like
Rails
, the default maximum JIT cache value has increased from 100 to 10000 -
Code compiled using JIT is no longer canceled when a
TracePoint
for class events is enabled
Other notable changes include:
-
The
tracer.rb
file has been removed -
Since version 4.0, the
Psych
YAML parser uses thesafe_load
method by default
To install the ruby:3.1
module stream, use:
# yum module install ruby:3.1
If you want to upgrade from an earlier ruby
module stream, see Switching to a later stream.
(BZ#2063772)
A new module stream: mercurial:6.2
RHEL 8.7 adds Mercurial 6.2
as a new module stream. This version provides a number of bug fixes, enhancements, and performance improvements over Mercurial 4.8
available since RHEL 8.0.
Notable changes include:
-
Mercurial 6.2
supportsPython 3.6
or later -
Mercurial
no longer supportsPython 2
-
The
hg purge
andhg clean
commands now provide a new-i
option, which enables you to delete ignored files instead of untracked files -
The
hg diff
andhg extdiff
commands now support the--from <revision>
and--to <revision>
arguments -
A new internal merge utility,
internal:mergediff
, is now available - The Zstandard (ZSTD) compression is now used by default for new repositories when available
-
A new way of specifying required extensions is now available that prevents
Mercurial
from starting if the required extensions are not found
In addition, a new mercurial-chg
utility is available, which provides a C wrapper for the hg
command. When you use the chg
command, a Mercurial
command server background process is created, a C program connects to that background process and executes Mercurial
commands. As a result, the performance is significantly increased.
To install the mercurial:6.2
module stream, use:
# yum module install mercurial:6.2
If you want to upgrade from the mercurial:4.8
stream, see Switching to a later stream.
(BZ#2089849)
mariadb-java-client
rebased to version 2.7.1
The mariadb-java-client
package, which provides a MariaDB
connector for applications developed in Java, has been updated to version 2.7.1.
This update introduces the following changes in services:
-
Client authentication plug-ins are now defined as services. As a result, you can easily add new client authentication plug-ins. The driver includes the
caching_sha2_password
andsha256_password
plug-ins for compatibility withMySQL
. -
Credential plug-ins are now permitted to provide credential information. The driver includes three default plug-ins:
AWS IAM
,Environment
, andProperty
. -
The SSL factory service now enables you to use custom SSL implementation. For example, you can create a new
HostnameVerifier
implementation.
Other notable changes include:
-
The
enabledSslProtocolSuites
option now includes TLSv1.2 by default.
redis
rebased to version 6.2.7
Redis 6
, which is an advanced key-value store provided the redis:6
module stream, has been updated to version 6.2.7. This update provides bug fixes, security fixes, and improvements over version 6.0 available since RHEL 8.4.
A new default for the LimitRequestBody
directive in httpd
configuration
To fix CVE-2022-29404, the default value for the LimitRequestBody
directive in the Apache HTTP Server has been changed from 0
(unlimited) to 1 GiB.
On systems where the value of LimitRequestBody
is not explicitly specified in an httpd
configuration file, updating the httpd
package sets LimitRequestBody
to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd
returns the 413 Request Entity Too Large
error code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd
configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the LimitRequestBody
directive are unaffected by this change.
(BZ#2128016)
4.11. Compilers and development tools
New GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream
repository.
The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The following tools and versions are provided by GCC Toolset 12:
Tool | Version |
---|---|
GCC | 12.1.1 |
GDB | 11.2 |
binutils | 2.35 |
dwz | 0.14 |
annobin | 10.76 |
To install GCC Toolset 12, run the following command as root:
# yum install gcc-toolset-12
To run a tool from GCC Toolset 12:
$ scl enable gcc-toolset-12 tool
To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:
$ scl enable gcc-toolset-12 bash
For more information, see Using GCC Toolset.
(BZ#2077276)
GCC Toolset 12: Annobin rebased to version 10.76
In GCC Toolset 12, the Annobin package has been updated to version 10.76.
Notable bug fixes and enhancements include:
-
A new command line option for annocheck tells it to avoid using the
debuginfod
service, if it is unable to find debug information in another way. Usingdebuginfod
provides annocheck with more information, but it can also cause significant slow downs in annocheck’s performance if thedebuginfod
server is unavailable. -
The Annobin sources can now be built using
meson
andninja
rather than configure and make if desired. - Annocheck now supports binaries built by the Rust 1.18 compiler.
Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin:
Under some circumstances it is possible for a compilation to fail with an error message that looks similar to the following:
cc1: fatal error: inaccessible plugin file
opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin/gcc-annobin.so
expanded from short plugin name gcc-annobin: No such file or directory
To work around the problem, create a symbolic link in the plugin directory from annobin.so
to gcc-annobin.so
:
# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
# ln -s annobin.so gcc-annobin.so
Where architecture is replaced with the architecture being used:
-
aarch64
-
i686
-
ppc64le
-
s390x
-
x86_64
(BZ#2077447)
GCC Toolset 12: binutils
rebased to version 2.38
In GCC Toolset 12, the binutils
package has been updated to version 2.38.
Notable bug fixes and enhancements include:
-
All tools in the
binutils
package now support options to display or warn about the presence of multibyte characters. -
The
readelf
andobjdump
tools now automatically follow any links to separatedebuginfo
files by default. This behavior can be disabled by using the--debug-dump=no-follow-links
option forreadelf
or the--dwarf=no-follow-links
option forobjdump
.
(BZ#2077448)
GCC 12 and later supports _FORTIFY_SOURCE
level 3
With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3
in the compiler command line when building with GCC version 12 or later. _FORTIFY_SOURCE
level 3 improves coverage of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3
in the compiler command line. This is supported in GCC versions 12 and later and Clang versions 9.0 and later with the __builtin_dynamic_object_size
builtin.
(BZ#2033684)
DNS stub resolver option now supports no-aaaa
option
With this enhancement, glibc
now recognizes the no-aaaa
stub resolver option in /etc/resolv.conf
and the RES_OPTIONS
environment variable. When this option is active, no AAAA queries will be sent over the network. System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out that the superfluous lookups on IPv4-only networks do not contribute to DNS issues.
Added support for IBM Z Series z16 in glibc
The support is now available for the s390
instruction set with the IBM z16
platform in glibc
. IBM z16
provides two additional hardware capabilities that are HWCAP_S390_VXRS_PDE2
and HWCAP_S390_NNPA
. As a result, applications can now use these capabilities to deliver optimized libraries and functions.
(BZ#2077835)
New make-latest
package
This enhancement introduces the make-latest
package which includes the latest version of the make
utility. Previously, we provided the latest make
version through GCC Toolset. Now, you can separately install the make-latest
package and run the latest version with scl enable make43 /bin/bash
(in case the make43
version is the latest).
(BZ#2083419)
GCC Toolset 12: GDB rebased to version 11.2
In GCC Toolset 12, the GDB package has been updated to version 11.2.
Notable bug fixes and enhancements include:
-
New support for Aarch64 MTE. See new commands with the
memory-tag
prefix. --qualified
option for-break-insert
and-dprintf-insert
. This option looks for an exact match of the user’s event location instead of searching in all scopes.For example,
break --qualified foo
will look for a symbol named foo in the global scope. Without--qualified
, GDB will search all scopes for a symbol with that name.-
--force-condition
: Any supplied condition is defined even if it is currently invalid. -
-break-condition --force
: Likewise for the MI command. -
-file-list-exec-source-files
accepts optionalREGEXP
to limit output. .gdbinit
search path includes the config directory. The order is:-
$XDG_CONFIG_HOME/gdb/gdbinit
-
$HOME/.config/gdb/gdbinit
-
$HOME/.gdbinit
-
-
Support for
~/.config/gdb/gdbearlyinit
or~/.gdbearlyinit
. -
-eix
and-eiex
early initialization file options.
Terminal user interface (TUI):
- Support for mouse actions inside terminal user interface (TUI) windows.
- Key combinations that do not act on the focused window are now passed to GDB.
New commands:
-
show print memory-tag-violations
-
set print memory-tag-violations
-
memory-tag show-logical-tag
-
memory-tag with-logical-tag
-
memory-tag show-allocation-tag
-
memory-tag check
-
show startup-quietly
andset startup-quietly
: A way to specify-q
or-quiet
in GDB scripts. Only valid in early initialization files. -
show print type hex
andset print type hex
: Tells GDB to print sizes or offsets for structure members in hexadecimal instead of decimal. -
show python ignore-environment
andset python ignore-environment
: If enabled, GDB’s Python interpreter ignores Python environment variables, much like passing-E
to the Python executable. Only valid in early initialization files. -
show python dont-write-bytecode
andset python dont-write-bytecode
: Ifoff
, these commands suppress GDB’s Python interpreter from writing bytecode compiled objects of imported modules, much like passing-B
to the Python executable. Only valid in early initialization files.
Changed commands:
-
break LOCATION if CONDITION
: If CONDITION is invalid, GDB refuses to set a breakpoint. The-force-condition
option overrides this. -
CONDITION -force N COND
: Same as the previous command. -
inferior [ID]
: When ID is omitted, this command prints information about the current inferior. Otherwise, unchanged. -
ptype[/FLAGS] TYPE | EXPRESSION
: Use the/x
flag to use hexadecimal notation when printing sizes and offsets of struct members. Use the/d
flag to do the same but using decimal. -
info sources
: Output has been restructured.
Python API:
-
Inferior objects contain a read-only
connection_num
attribute. -
New
gdb.Frame.level()
method. -
New
gdb.PendingFrame.level()
method. -
gdb.BreakpoiontEvent
emitted instead ofgdb.Stop
.
(BZ#2077492)
libpfm
now supports AMD Zen 2 and Zen 3 processors
With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring hardware using libpfm
.
papi
now supports AMD Zen 2 and Zen 3 processors
With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring hardware using papi
.
Improved hardware identification for ARM processors
With this enhancement, the papi_avail
utility now correctly reports the vendor string and code information for various ARM vendors. This utility allows the PAPI_get_hardware_info()
function to identify processors manufactured by companies other than ARM
limited to the aarch64
architecture. As a result, developers can tune the code for the required architecture.
(BZ#2037427)
Updated Fujitsu A64FX event mappings
The PAPI
library has been updated for Fujitsu A64FX processors. Users can now use additional presets in the output of papi_avail
that can be used to analyze program performance.
These include the IDL
event presets:
PAPI_BRU_IDL
- Branch unit idle
PAPI_FXU_IDL
- Integer unit idle
PAPI_FPU_IDL
- Floating point unit idle
PAPI_LSU_IDL
- Load store unit idle
(BZ#2037417)
The dyninst
packaged rebased to version 12.1
The dyninst
package has been rebased to version 12.1. Notable bug fixes and enhancements include:
-
Initial support for
glibc-2.35
multiple namespaces. - Concurrency fixes for DWARF parallel parsing.
-
Better support for the
CUDA
andCDNA2
GPU binaries. - Better support for IBM POWER Systems (little endian) register access.
- Better support for PIE binaries.
- Corrected parsing for catch blocks.
-
Corrected access to 64-bit ARM (
aarch64
) floating point registers.
The systemtap
package rebased to version 4.7
The systemtap
package has been rebased to version 4.7. Notable bug fixes and enhancements include:
-
A new
--sign-module
option to manually sign modules with a MOK key, for use on SecureBoot systems. -
A new
stap-profile-annotate
tool to produce system-wide profiles of annotated source code. - A new general Python tapset for probing function entry and return.
-
Extended
$foo$
processing for kernel-space probes for strings that may be in user-space. - Extended the regular-expression language for non-capturing groups.
- Added tapset support for several recently added kernel system calls.
Rust Toolset rebased to version 1.62.1
Rust Toolset has been updated to version 1.62.1. Notable changes include:
-
Destructuring assignment allows patterns to assign to existing variables in the left-hand side of an assignment. For example, a tuple assignment can swap to variables:
(a, b) = (b, a);
-
Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the
core::arch::asm!
macro. See more details in theInline assembly
chapter of the reference,/usr/share/doc/rust/html/reference/inline-assembly.html
(online at https://doc.rust-lang.org/reference/inline-assembly.html). -
Enums can now derive the
Default
trait with an explicitly annotated#[default]
variant. -
Mutex
,CondVar
, andRwLock
now use a customfutex
-based implementation rather than pthreads, with new optimizations made possible by Rust language guarantees. -
Rust now supports custom exit codes from
main
, including user-defined types that implement the newly-stabilizedTermination
trait. -
Cargo supports more control over dependency features. The
dep:
prefix can refer to an optional dependency without exposing that as a feature, and a?
only enables a dependency feature if that dependency is enabled elsewhere, likepackage-name?/feature-name
. -
Cargo has a new
cargo add
subcommand for adding dependencies toCargo.toml
. For more details, please see the series of upstream release announcements:
(BZ#2075344)
LLVM Toolset rebased to version 14.0.6
LLVM Toolset has been rebased to version 14.0.6. Notable changes include:
-
On 64-bit x86, support for
AVX512-FP16
instructions has been added. - Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.
-
On PowerPC, added the
__ibm128
type to represent IBM double-double format, also available as__attribute__((mode(IF)))
.
clang
changes:
-
if consteval
forC++2b
is now implemented. -
On 64-bit x86, support for
AVX512-FP16
instructions has been added. -
Completed support of OpenCL C 3.0 and
C++
for OpenCL 2021 at experimental state. -
The
-E -P
preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output. -
Support
-Wdeclaration-after-statement
withC99
and later standards, and not just C89, matching GCC’s behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.
For more information, see the LLVM Toolset and Clang upstream release notes.
(BZ#2061042)
Go Toolset rebased to version 1.18.2
Go Toolset has been rebased to version 1.18.2.
Notable changes include:
- The introduction of generics while maintaining backwards compatibility with earlier versions of Go.
- A new fuzzing library.
-
New
debug
/buildinfo
andnet
/netip
packages. -
The
go get
tool no longer builds or installs packages. Now, it only handles dependencies ingo.mod
. -
If the main module’s
go.mod
file specifiesgo 1.17
or higher, thego mod download
command used without any additional arguments only downloads source code for the explicitly required modules in the main module’sgo.mod
file. To also download source code for transitive dependencies, use thego mod download all
command. -
The
go mod vendor
subcommand now supports a-o
option to set the output directory. -
The
go mod tidy
command now retains additional checksums in thego.sum
file for modules whose source code is required to verify that only one module in the build list provides each imported package. This change is not conditioned on the Go version in the main module’sgo.mod
file.
(BZ#2075162)
The LLVM gold plugin
is now available on the IBM Z architecture
With this enhancement, users can create LTO builds with clang
and ld.bfd
on the IBM Z (s390x
) architecture. The s390x
architecture now supports linking with ld.bfd
and LTO.
(BZ#2088315)
A new module stream: maven:3.8
RHEL 8.7 introduces Maven 3.8
as a new module stream.
To install the maven:3.8
module stream, use:
# yum module install maven:3.8
If you want to upgrade from the maven:3.6
stream, see Switching to a later stream.
(BZ#2083114, BZ#2064785, BZ#2088473)
.NET version 7.0 is available
Red Hat Enterprise Linux 8.7 is distributed with .NET version 7.0. Notable improvements include:
-
Support for IBM Power (
ppc64le
)
For more information, see Release Notes for .NET 7.0 RPM packages and Release Notes for .NET 7.0 containers.
(BZ#2112096)
4.12. Identity Management
SSSD now supports memory caching for SID requests
With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID lookups by SID and vice versa. Memory caching results in improved performance, for example, when copying large amounts of files to or from a Samba server.
(JIRA:RHELPLAN-123369)
IdM now supports configuring an AD Trust with Windows Server 2022
With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2022.
IdM now supports a limit on the number of LDAP binds allowed after a user password has expired
With this enhancement, you can set the number of LDAP binds allowed when the password of an Identity Management (IdM) user has expired:
- -1
- IdM grants the user unlimited LDAP binds before the user must reset the password. This is the default value, which matches the previous behavior.
- 0
- This value disables all LDAP binds once a password is expired. In effect, the users must reset their password immediately.
- 1-MAXINT
- The value entered allows exactly that many binds post-expiration.
The value can be set in the global password policy and in group policies.
Note that the count is stored per server.
In order for a user to reset their own password they need to bind with their current, expired password. If the user has exhausted all post-expiration binds, then the password must be administratively reset.
IdM now indicates whether a given name is a user or a group in a trusted AD domain during a name search
With this update, new getorigbyusername()
and getorigbygroupname()
calls are added to libsss_nss_idmap
, a utility library for SID-based lookups. This addition makes user and group lookup more robust when Identity Management (IdM) is in a trust with an Active Directory (AD) domain. When performing a user or group lookup, IdM can now display whether the given name belongs to a user or a group in the trusted domain.
New ipasmartcard_server
and ipasmartcard_client
roles
With this update, the ansible-freeipa
package provides Ansible roles to configure Identity Management (IdM) servers and clients for smart card authentication. The ipasmartcard_server
and ipasmartcard_client
roles replace the ipa-advise
scripts to automate and simplify the integration. The same inventory and naming scheme are used as in the other ansible-freeipa
roles.
samba
rebased to version 4.16.1
The samba
packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:
-
By default, the
smbd
process automatically starts the newsamba-dcerpcd
process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requiressamba-dcerpcd
to use DCERPC. If you disable therpc start on demand helpers
setting in the[global]
section in the/etc/samba/smb.conf
file, you must create asystemd
service unit to runsamba-dcerpcd
in standalone mode. The Cluster Trivial Database (CTDB)
recovery master
role has been renamed toleader
. As a result, the followingctdb
sub-commands have been renamed:-
recmaster
toleader
-
setrecmasterrole
tosetleaderrole
-
-
The CTDB
recovery lock
configuration has been renamed tocluster lock
. - CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.
Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Note that Red Hat does not support downgrading tdb
database files.
After updating Samba, verify the /etc/samba/smb.conf
file using the testparm
utility.
For further information about notable changes, read the upstream release notes before updating.
SSSD now supports direct integration with Windows Server 2022
With this enhancement, you can use SSSD to directly integrate your RHEL system with Active Directory forests that use Domain Controllers running Windows Server 2022.
Directory Server now supports canceling the Auto Membership plug-in task.
Previously, the Auto Membership plug-in task could generate high CPU usage on the server if Directory Server has complex configuration (large groups, complex rules and interaction with other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a result, performance issues no longer occur.
Directory Server now supports recursive delete operations when using ldapdelete
With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805]
OpenLDAP control. As a result, you can use the ldapdelete
utility to recursively delete subentries of a parent entry.
You can now set basic replication options during the Directory Server installation
With this enhancement, you can configure basic replication options like authentication credentials and changelog trimming during an instance installation using an .inf
file.
Replication changelog trimming is now enabled by default in Directory Server
Previously, Directory Server was not configured to automatically trim the replication changelog
file by default. Consequently, the changelog
file could become very large. With this update, Directory Server is configured by default to trim changelog entries that are older than seven days, preventing excessive growth of the changelog
file.
pki
packages renamed to idm-pki
The following pki
packages are now renamed to idm-pki
to better distinguish between IDM packages and Red Hat Certificate System ones:
-
idm-pki-symkey
-
idm-pki-tools
-
idm-pki-symkey-debuginfo
-
idm-pki-tools-debuginfo
-
idm-pki-acme
-
idm-pki-base
-
idm-pki-base-java
-
idm-pki-ca
-
idm-pki-kra
-
idm-pki-server
-
python3-idm-pki
pki-core
stays unchanged (this also includes pki-core-debuginfo
and pki-core-debugsource
).
4.13. Graphics infrastructures
Vulkan packages are available on 64-bit IBM POWER
Packages that provide support for the Vulkan 3D graphics API are now available on the little-endian 64-bit IBM POWER architecture (ppc64le
):
-
vulkan-headers
-
vulkan-loader
-
vulkan-loader-devel
-
vulkan-tools
With these packages, you can run software that uses a Vulkan rendering engine.
Previously, these packages were only available on the AMD64 and Intel 64 architecture.
(BZ#2012639)
Support for new AMD GPUs
This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of the AMD Ryzen 6000 Series CPUs.
The following AMD Radeon RX 6000 Series GPU models are now supported:
- AMD Radeon RX 6400
- AMD Radeon RX 6500 XT
- AMD Radeon RX 6300M
- AMD Radeon RX 6500M
AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models:
- AMD Ryzen 5 6600U
- AMD Ryzen 5 6600H
- AMD Ryzen 5 6600HS
- AMD Ryzen 7 6800U
- AMD Ryzen 7 6800H
- AMD Ryzen 7 6800HS
- AMD Ryzen 9 6900HS
- AMD Ryzen 9 6900HX
- AMD Ryzen 9 6980HS
- AMD Ryzen 9 6980HX
(JIRA:RHELPLAN-135602)
The force_probe option is no longer required with 12th Gen Intel Core GPUs
Prior to this release, you had to set the i915.alpha_support=1
or i915.force_probe=*
kernel option to enable support for the 12th Gen Intel Core GPUs, formerly known as Alder Lake-S and Alder Lake-P.
With this release, you no longer have to set the option, and full support for these GPUs is enabled by default.
(JIRA:RHELPLAN-136150)
4.14. The web console
RHEL web console now features RHEL as an option for the Download an OS
VM workflow
With this enhancement, the RHEL web console now supports the installation of RHEL virtual machines (VMs) using the default Download an OS
workflow. As a result, you can download and install the RHEL OS as a VM directly within the web console.
(JIRA:RHELPLAN-121982)
A new button in RHEL web console for installing kernel patches separately
With this update, the RHEL web console provides the Install kpatch updates button. You can use it to install only kernel patches without the necessity to install other updates and reboot your system.
(JIRA:RHELPLAN-121981)
The diagnostics reports page now offers new functionalities
In the updated web console diagnostics report (sos
report) page you now can:
- label the report
- encrypt the report with a passphrase
- conceal private data within the report
Additionally, you can see a list of previously generated reports and download or delete them.
(JIRA:RHELPLAN-121983)
Crypto policies setup from the web console UI
With this update, you can change different cryptographic policy levels directly from the RHEL web console user interface (UI). You can access your cryptographic policy configuration options from the Configuration field in the Overview page of your UI.
Note that you must have the administrative access active to be able to change the settings.
(JIRA:RHELPLAN-121980)
Update progress page in the web console now supports an automatic restart option
The update progress page now has a Reboot after completion switch. This reboots the system automatically after installing the updates.
4.15. Red Hat Enterprise Linux system roles
The ha_cluster
RHEL system role now supports SBD fencing and configuration of Corosync settings
The ha_cluster
system role now supports the following features:
- SBD fencing
-
Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to reliably self-terminate when fencing is required. SBD fencing can be particularly useful in environments where traditional fencing mechanisms are not possible. It is now possible to configure SBD fencing with the
ha_cluster
system role. - Corosync settings
-
The
ha_cluster
system role now supports the configuration of Corosync settings, such as transport, compression, encryption, links, totem, and quorum. These settings are required to match cluster configuration with customers' needs and environment when the default settings are not suitable.
Users can create connections with IPoIB capability using the network
RHEL system role
The infiniband
connection type of the network
RHEL system role now supports the Internet Protocol over Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key
option of infiniband
. Note that if you specify p_key
, the interface_name
option of the network_connections
variable must be left unset. The previous implementation of the network
RHEL system role did not properly validate the p_key
value and the interface_name
option for the infiniband
connection type. Therefore, the IPoIB functionality never worked before. For more information, see a README file in the /usr/share/doc/rhel-system-roles/network/
directory.
The network
RHEL system role now configures network settings for routing rules
Previously, you could route the packet based on the destination address field in the packet, but you could not define the source routing and other policy routing rules. With this enhancement, network
RHEL system role supports routing rules so that the users have control over the packet transmission or route selection.
The Networking system role now uses the Ansible managed
comment in its managed configuration files
When using the initscripts
provider, the Networking system role now generates commented ifcfg
files in the /etc/sysconfig/network-scripts
directory. The Networking role inserts the Ansible managed
comment using the Ansible standard ansible_managed
variable. The comment declares that an ifcfg
file is managed by Ansible, and indicates that the ifcfg
file should not be edited directly as the Networking role will overwrite the file. The Ansible managed
comment is added when the provider is initscripts
. When using the Networking role with the nm
(NetworkManager) provider, the ifcfg
file is managed by NetworkManager and not by the Networking role.
The new previous:replaced
configuration enables firewall
system role to reset the firewall settings to default
System administrators who manage different sets of machines, where each machine has different pre-existing firewall settings, can now use the previous: replaced
configuration in the firewall
role to ensure that all machines have the same firewall configuration settings. The previous: replaced
configuration can erase all the existing firewall settings and replace them with consistent settings.
Enhanced Microsoft SQL Server RHEL system role
The following new variables are now available for the microsoft.sql.server
RHEL system role:
-
Variables with the
mssql_ha_
prefix to control configuring a high availability cluster. -
The
mssql_tls_remote_src
variable to search formssql_tls_cert
andmssql_tls_private_key
values on managed nodes. If you keep the defaultfalse
setting, the role searches for these files on the control node. -
The
mssql_manage_firewall
variable to manage firewall ports automatically. If this variable is set tofalse
, you must enable firewall ports manually. -
The
mssql_pre_input_sql_file
andmssql_post_input_sql_file
variables to control whether you want to run the SQL scripts before the role execution or after it. These new variables replace the formermssql_input_sql_file
variable, which did not allow you to influence the time of SQL script execution.
(BZ#2066338, BZ#2120713, BZ#2039990, BZ#2120714)
The logging
RHEL system role supports options startmsg.regex
and endmsg.regex
in files inputs
With this enhancement, you can now filter log messages coming from files by using regular expressions. Options startmsg_regex
and endmsg_regex
are now included in the files’ input. The startmsg_regex
represents the regular expression that matches the start part of a message, and the endmsg_regex
represents the regular expression that matches the last part of a message. As a result, you can now filter messages based upon properties such as date-time, priority, and severity.
Support for thinly provisioned volumes is available in the storage
RHEL system role
The storage
RHEL system role can now create and manage thinly provisioned LVM logical volumes. Thin provisioned LVs are allocated as they are written, allowing better flexibility when creating volumes as physical storage provided for thin provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows creating more efficient snapshots because the data blocks common to a thin LV and any of its snapshots are shared.
The logging
RHEL system role now supports template
, severity
and facility
options
The logging
RHEL system role now features new useful severity
and facility
options to the files inputs as well as a new template
option to the files and forwards outputs. Use the template
option to specify the traditional time format by using the parameter traditional
, the syslog protocol 23 format by using the parameter syslog
, and the modern style format by using the parameter modern
. As a result, you can now use the logging
role to filter by the severity and facility as well as to specify the output format by template.
RHEL system roles now available also in playbooks with fact gathering disabled
Ansible fact gathering might be disabled in your environment for performance or other reasons. Previously, it was not possible to use RHEL system roles in such configurations. With this update, the system detects the ANSIBLE_GATHERING=explicit
parameter in your configuration and gather_facts: false
parameter in your playbooks, and use the setup:
module to gather only the facts required by the given role, if not available from the fact cache.
If you have disabled Ansible fact gathering due to performance, you can enable Ansible fact caching instead, which does not cause a performance hit of retrieving them from source.
The sshd
RHEL system role verifies the include directive for the drop-in directory
The sshd
RHEL system role on RHEL 9 manages only a file in the drop-in directory, but previously did not verify that the directory is included from the main sshd_config
file. With this update, the role verifies that sshd_config
contains the include directive for the drop-in directory. As a result, the role more reliably applies the provided configuration.
The sshd
RHEL system role can be managed through /etc/ssh/sshd_config
The sshd
RHEL system role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf
by default). Previously, any changes to the /etc/ssh/sshd_config
file overwrote the default values in 00-ansible_system_role.conf
. With this update, you can manage SSHD by using /etc/ssh/sshd_config
instead of 00-ansible_system_role.conf
while preserving the system default values in 00-ansible_system_role.conf
.
The firewall
RHEL system role does not require the state
parameter when configuring masquerade
or icmp_block_inversion
When configuring custom firewall zones, variables masquerade
and icmp_block_inversion
are boolean settings. A value of true
implies state: present
and a value of false
implies state: absent
. Therefore, the state
parameter is not required when configuring masquerade
or icmp_block_inversion
.
The metrics
role can export postfix
performance data
You can now use the new metrics_from_postfix
boolean variable in the metrics
role for recording and detailed performance analysis. With this enhancement, setting the variable enables the pmdapostfix
metrics agent on the system, making statistics about postfix
available.
The storage
system role now has less verbosity by default
The storage
role output is now less verbose by default. With this update, users can increase the verbosity of the storage
role output to only produce debugging output if they are using Ansible verbosity level 1 or above.
The metrics
system role now generates files with the proper ansible_managed
comment in the header
Previously, the metrics
role did not add an ansible_managed
header comment to files generated by the role. With this fix, the metrics
role adds the ansible_managed
header comment to files it generates, and as a result, users can easily identify files generated by the metrics
role.
The postfix
system role now generates files with the proper ansible_managed
comment in the header
Previously, the postfix
role did not add an ansible_managed
header comment to files generated by the role. With this fix, the postfix
role adds the ansible_managed
header comment to files it generates, and as a result, users can easily identify files generated by the postfix
role.
New option in the postfix
RHEL system role for overwriting previous configuration
If you manage a group of systems which have inconsistent postfix
configurations, you may want to make the configuration consistent on all of them. With this enhancement, you can specify the previous: replaced
option within the postfix_conf
dictionary to remove any existing configuration and apply the desired configuration on top of a clean postfix
installation. As a result, you can erase any existing postfix
configuration and ensure consistency on all the systems being managed.
You can now add, update, or remove services using absent
and present
states in the firewall
RHEL system role
With this enhancement, you can use the present
state to add ports, modules, protocols, services, and destination addresses, or use the absent
state to remove them. Note that to use the absent
and present
states in the firewall
RHEL system role, set the permanent
option to true
. With the permanent
option set to true
, the state settings apply until changed, and remain unaffected by role reloads.
The firewall
system role can add or remove an interface to the zone using PCI device ID
Using the PCI device ID, the firewall
system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the firewall
system role. With this update, the firewall
system role can now use the PCI device ID to manage a network interface in a zone.
The network
RHEL system role supports network configuration using the nmstate
API
With this update, the network
RHEL system role supports network configuration through the nmstate
API. Users can now directly apply the configuration of the required network state to a network interface instead of creating connection profiles. The feature also allows partial configuration of a network. As a result, the following benefits exist:
- decreased network configuration complexity
- reliable way to apply the network state changes
- no need to track the entire network configuration
New cockpit
system role variable for setting a custom listening port
The cockpit
system role introduces the cockpit_port
variable that allows you to set a custom listening port other than the default 9090 port. Note that if you decide to set a custom listening port, you will also need to adjust your SELinux policy to allow the web console to listen on that port.
The firewall
RHEL system role can provide Ansible facts
With this enhancement, you can now gather the firewall
RHEL system role’s Ansible facts from all of your systems by including the firewall:
variable in the playbook with no arguments. To gather a more detailed version of the Ansible facts, use the detailed: true
argument, for example:
vars: firewall: detailed: true
Added setting of seuser
and selevel
to the selinux
RHEL system role
Sometimes, it is necessary to set seuser
and selevel
parameters when setting SELinux context file system mappings. With this update, you can use the seuser
and selevel
optional arguments in selinux_fcontext
to specify SELinux user and level in the SELinux context file system mappings.
4.16. Virtualization
ap-check
is now available in RHEL 8
The mdevctl
tool now provides a new ap-check
support utility. You can use mdevctl
to persistently configure cryptographic adapters and domains that are allowed for pass-through usage into virtual machines as well as the matrix
and vfio-ap
devices. With mdevctl
, you do not have to reconfigure these adapters, domains, and devices after every IPL. In addition, mdevctl
prevents the distributor from inventing other ways to reconfigure them.
When invoking mdevctl
commands for vfio-ap
devices, the new ap-check
support utility is invoked as part of the mdevctl
command to perform additional validity checks against vfio-ap
device configurations.
In addition, the chzdev
tool now provides the ability to manage the system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available for vfio-ap
devices. When used, chzdev
makes it possible to persist these settings by generating an associated udev
rule. Using lszdev
, you can can now also query the system-wide AP mask settings.
(BZ#1660911)
Selected VMs on IBM Z can now boot with kernel command lines longer than 896 bytes
Previously, booting a virtual machine (VM) on a RHEL 8 IBM Z host always failed if the kernel command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later.
(BZ#2043830)
VM memory preallocation using multiple threads
You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain XML configuration, for example as follows:
<memoryBacking> <allocation threads='8'/> </memoryBacking>
This ensures that more than one thread is used for allocating memory pages when starting a VM. As a result, VMs with multiple allocation threads configured start significantly faster, especially if the VMs has large amounts of RAM assigned and backed by hugepages.
ESXi hypervisor and SEV-ES is now fully supported
You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported.
(BZ#1904496)
Secure Execution on IBM Z now supports remote attestation
The Secure Execution feature on the IBM Z architecture now supports remote attestation. The pvattest
utility can create a remote attestation request to verify the integrity of a virtual machine (VM) that has Secure Execution enabled.
Additionally, the Guest Interruption State Area (GISA) mechanism has now been enabled for Secure Execution VMs, which allows interrupts to be delivered directly into the VM by completely bypassing the host operating system.
(JIRA:RHELPLAN-98420, BZ#1984905, BZ#2043870)
4.17. RHEL in cloud environments
RHEL virtual machines are now supported on the Ampere Altra architecture
With this update, running a RHEL operating system is now supported on Azure Virtual Machines with processors based on the Ampere® Altra® architecture.
(JIRA:RHELPLAN-121252)
open-vm-tools
rebased to 12.0.5
The open-vm-tools
packages have been upgraded to version 12.0.5, which introduces a number of bug fixes and new features. Most notably, support has been added for the Salt Minion tool to be managed through guest OS variables.
(BZ#2061193)
New SSH module for cloud-init
With this update, an SSH module has been added to the cloud-init
utility, which automatically generates host keys during instance creation.
Note that with this change, the default cloud-init
configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.
Otherwise, cloud-init
creates an image which fails to start the sshd
service. If this occurs, do the following to work around the problem:
Make sure the
/etc/cloud/cloud.cfg
file contains the following line:ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
-
Check whether
/etc/ssh/ssh_host_*
files exist in the instance. If the
/etc/ssh/ssh_host_*
files do not exist, use the following command to generate host keys:cloud-init single --name cc_ssh
Restart the sshd service:
systemctl restart sshd
(BZ#2115791)
4.18. Containers
The Container Tools packages have been updated
The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are now available. This update provides a list of bug fixes and enhancements over the previous version.
Notable changes include:
-
The
podman pod create
command now supports setting the CPU and memory limits. You can set a limit for all containers in the pod, while individual containers within the pod can have their own limits. -
The
podman pod clone
command creates a copy of an existing pod. -
The
podman play kube
command now supports the security context settings using theBlockDevice
andCharDevice
volumes. -
Pods created by the
podman play kube
can now be managed by systemd unit files using apodman-kube@<service>.service
(for examplesystemctl --user start podman-play-kube@$(systemd-escape my.yaml).service
). -
The
podman push
andpodman push manifest
commands now support the sigstore signatures. -
The Podman networks can now be isolated by using the
podman network --opt isolate
command.
Podman has been upgraded to version 4.2, for further information about notable changes, see the upstream release notes.
(JIRA:RHELPLAN-118463)
GitLab Runner is now available on RHEL using Podman
Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab Runner Docker Executor. For more details, see GitLab’s Release Note.
(JIRA:RHELPLAN-100037)
Podman now supports the --health-on-failure
option
The podman run
and podman create
commands now support the --health-on-failure
option to determine the actions to be performed when the status of a container becomes unhealthy.
The --health-on-failure
option supports four actions:
-
none
: Take no action, this is the default action. -
kill
: Kill the container. -
restart
: Restart the container. -
stop
: Stop the container.
Do not combine the restart
action with the --restart
option. When running inside of a systemd unit, consider using the kill
or stop
action instead to make use of systemd’s restart policy.
Netavark network stack is now available
The new network stack available starting with Podman 4.0 consists of two tools, the Netavark network setup tool and the Aardvark DNS server. In RHEL 8, the Netavark stack, previously available as a Technology Preview, is now fully supported.
This network stack has the following capabilities:
- Configuration of container networks using the JSON configuration file
- Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
- Configuring firewall settings, such as network address translation (NAT) and port mapping rules
- IPv4 and IPv6
- Improved capability for containers in multiple networks
- Container DNS resolution using the aardvark-dns project
You have to use the same version of Netavark stack and the Aardvark authoritative DNS server.
(JIRA:RHELPLAN-100039)