Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.9.

4.1. Installer and image creation

Support to both legacy and UEFI boot for AWS EC2 images

Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.

Jira:RHELDOCS-16339^[1]

New boot option inst.wait_for_disks= to add wait time for loading a kickstart file or the kernel drivers

Sometimes, it may take a few seconds to load a kickstart file or the kernel drivers from the device with the OEMDRV label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 seconds to minimize the delay. For more information about this option, see Storage boot options.

Bugzilla:1770969

New network kickstart options to control DNS handling

You can now control DNS handling using the network kickstart command with the following new options. Use these new options with the --device option.

The --ipv4-dns-search and --ipv6-dns-search options allow you to set DNS search domains manually. These options mirror their respective NetworkManager properties, for example:
```
network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com
```
The --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns options allow you to ignore DNS settings from DHCP. They do not require any arguments.

Bugzilla:1656662^[1]

4.2. Security

opencryptoki rebased to 3.21.0

The opencryptoki package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features:

Concurrent hardware security module (HSM) master key changes
The protected-key option to transform a chosen key into a protected key
Additional key types, such as DH, DSA, and generic secret key types
EP11 host library version 4
AES-XTS key type
IBM-specific Kyber key type and mechanism
Additional IBM-specific Dilithium key round 2 and 3 variants

Additionally, pkcsslotd slot manager no longer runs as root and opencryptoki offers further hardening. With this update, you can also use the following set of new commands:

p11sak set-key-attr: To modify keys
p11sak copy-key: To copy keys
p11sak import-key: To import keys
p11sak export-key: To export keys

Bugzilla:2159697^[1]

fapolicyd now provides rule numbers for troubleshooting

With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial to the fanotify API. As a result, you can troubleshoot problems related to fapolicyd more precisely.

Jira:RHEL-628

ANSSI-BP-028 security profiles updated to version 2.0

The following French National Agency for the Security of Information Systems (ANSSI) BP-028 profiles in the SCAP Security Guide were updated to be aligned with version 2.0:

ANSSI-BP-028 Minimal Level
ANSSI-BP-028 Intermediary Level
ANSSI-BP-028 Enhanced Level
ANSSI-BP-028 High Level

Bugzilla:2155789

Better definition of interactive users

The rules in the scap-security-guide package were improved to provide more consistent interactive user configuration. Previously, some rules used different approaches for identifying interactive and non-interactive users. With this update, we have unified the definitions of interactive users. User accounts with UID greater than or equal to 1000 are now considered interactive, with the exception of the nobody and nfsnobody accounts and with the exception of accounts that use /sbin/nologin as the login shell.

This change affects the following rules:

accounts_umask_interactive_users
accounts_user_dot_user_ownership
accounts_user_dot_group_ownership
accounts_user_dot_no_world_writable_programs
accounts_user_interactive_home_directory_defined
accounts_user_interactive_home_directory_exists
accounts_users_home_files_groupownership
accounts_users_home_files_ownership
accounts_users_home_files_permissions
file_groupownership_home_directories
file_ownership_home_directories
file_permissions_home_directories
file_permissions_home_dirs
no_forward_files

Bugzilla:2157877, Bugzilla:2178740

The DISA STIG profile now supports audit_rules_login_events_faillock

With this enhancement, the SCAP Security Guide audit_rules_login_events_faillock rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the /var/log/faillock directory.

Bugzilla:2167999

OpenSCAP rebased to 1.3.8

The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:

Fixed systemd probes to not ignore some systemd units
Added offline capabilities to the shadow OVAL probe
Added offline capabilities to the sysctl OVAL probe
Added auristorfs to the list of network filesystems
Created a workaround for issues with tailoring files produced by the autotailor utility

Bugzilla:2217441

SCAP Security Guide rebased to version 0.1.69

The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes, most notably three new SCAP profiles for RHEL 9 which are aligned with three levels of the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in 2022-10:

CCN Red Hat Enterprise Linux 9 - Basic
CCN Red Hat Enterprise Linux 9 - Intermediate
CCN Red Hat Enterprise Linux 9 - Advanced

Bugzilla:2221695

FIPS-enabled in-place upgrades from RHEL 8.8 and later to RHEL 9.2 and later are supported

With the release of the RHBA-2023:3824 advisory, you can perform an in-place upgrade of a RHEL 8.8 and later system to a RHEL 9.2 and later system with FIPS mode enabled.

Bugzilla:2097003

crypto-policies permitted_enctypes no longer break replications in FIPS mode

Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.

With this update, the values of the permitted_enctypes krb5 configuration option depend on the mac and cipher crypto-policy values. That allows the prioritization of the interoperable encryption types by default.

As additional results of this update, the arcfour-hmac-md5 option is available only in the LEGACY:AD-SUPPORT subpolicy and the aes256-cts-hmac-sha1-96 is no longer available in the FUTURE policy.

Note

If you use Kerberos, verify the order of the values of permitted_enctypes in the /etc/crypto-policies/back-ends/krb5.config file. If your scenario requires a different order, apply a custom cryptographic subpolicy.

Bugzilla:2219912

Audit now supports FANOTIFY record fields

This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY record, notably:

fan_type to specify the type of a FANOTIFY event
fan_info to specify additional context information
sub_trust and obj_trust to indicate trust levels for a subject and an object involved in an event

As a result, you can better understand why the Audit system denied access in certain cases. This can help you write policies for tools such as the fapolicyd framework.

Bugzilla:2216666

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the virt_qemu_ga_unconfined_t domain.

Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to make the transition to virt_qemu_ga_unconfined_t for executables located in any of the following directories:

/etc/qemu-ga/fsfreeze-hook.d/
/usr/libexec/qemu-ga/fsfreeze-hook.d/
/var/run/qemu-ga/fsfreeze-hook.d/

In addition, the necessary rules for transitions for the qemu-ga daemon have been added to the SELinux policy boolean.

As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined boolean.

Bugzilla:2093355

4.3. Infrastructure services

Postfix now supports SRV lookups

With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:

use_srv_lookup: You can enable discovery for the specified service by using DNS SRV records.
allow_srv_lookup_fallback: You can use a cascading approach to locating a service.
ignore_srv_lookup_error: You can ensure that the service discovery remains functional even if SRV records are not available or encounter errors.

Bugzilla:1787010

You can now specify TLS 1.3 cipher suites in vsftpd

With this enhancement, you can use the new ssl_ciphersuites option to configure which cipher suites vsftpd uses. As a result, you can specify TLS 1.3 cipher suites that differ from the previous TLS versions. To specify multiple cipher suites, separate entries with colons (:).

Bugzilla:2069733

Generic LF-to-CRLF driver is available in cups-filters

With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only driver from RHEL 7. The new name reflects its actual functionality.

Bugzilla:2118406^[1]

4.4. Networking

iproute rebased to version 6.2.0

The iproute packages have been upgraded to upstream version 6.2.0, which provides a number of enhancements and bug fixes over the previous version. The most notable changes are:

The new ip stats command manages and shows interface statistics. By default, the ip stats show command displays statistics for all network devices, including bridges and bonds. You can filter the output by using the dev and group options. For further details, see the ip-stats(8) man page.
The ss utility now provides the -T (--threads) option to display thread information, which extends the -p (--processes) option. For further details, see the ss(8) man page.
You can use the new bridge fdb flush command to remove specific forwarding database (fdb) entries which match a supplied option. For further details, see the bridge(8) man page.

Jira:RHEL-424^[1]

Security improvement of the default nftables service configuration

This enhancement adds the do_masquerade chain to the default nftables service configuration in the /etc/sysconfig/nftables/nat.nft file. This reduces the risk of a port shadow attack, which is described in CVE-2021-3773. The first rule in the do_masquerade chain detects suitable packets and enforces source port randomization to reduce the risk of port shadow attacks.

Bugzilla:2061942

NetworkManager supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes by suppressing AAAA queries generated by the stub resolver. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can disable IPv6 resolution by using the nmcli utility. After a restart of the NetworkManager service, the no-aaaa setting gets reflected in the /etc/resolv.conf file, with additional control over DNS lookups.

Bugzilla:2144521

The nm-cloud-setup utility now supports IMDSv2 configuration

Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.

Bugzilla:2151987

The libnftnl package rebased to version 1.2.2

The Netlink API to the in-kernel nf_tables subsystem (libnftnl) package has been rebased. Notable changes and enhancements include:

Added features:
- Nesting of the udata attribute
- Resetting TCP options with the exthdr expression
- The sdif and sdifname meta keywords
- Support for a new attribute NFTNL_CHAIN_FLAGS in the nftnl_chain struct, to communicate flags between the kernel and user space.
- Support for the nftnl_set struct nftables sets backend to add expressions to sets and set elements.
- Comments to sets, tables, objects, and chains
- The nftnl_table struct now has an NFTNL_TABLE_OWNER attribute. Set this attribute to enable the kernel to communicate the owner to the user space.
- Readiness for incremental updates to flowtable device
- The typeof keyword related nftnl_set udata definitions
- The chain ID attribute
- The function to remove expressions from a rule
- A new last expression
Improved bitwise expressions:
- Newly added op and data attributes
- Left and right shifts
- Aligned with debug output of other expressions
Improved socket expressions:
- Added the wildcard attribute
- Support for cgroups v2
Improved debug output:
- Included the key_end data register in set elements
- Dropped unused registers from masq and nat expressions
- Applied fix for verdict map elements
- Removed leftovers from dropped XML formatting
- Support for payload offset of inner header

Bugzilla:2211096

4.5. Kernel

Kernel version in RHEL 8.9

Red Hat Enterprise Linux 8.9 is distributed with the kernel version 4.18.0-513.5.1.

Bugzilla:2232558

The RHEL kernel now supports AutoIBRS

Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.

Bugzilla:1989283^[1]

The Intel® QAT kernel driver rebased to upstream version 6.2

The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.

The rebase includes many bug fixes and enhancements. The most notable enhancement is the support available for following hardware accelerator devices for QAT GEN4:

Intel Quick Assist Technology 401xx devices
Intel Quick Assist Technology 402xx devices

Bugzilla:2144529^[1]

makedumpfile rebased to version 1.7.2

The makedumpfile tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to version 1.7.2. The rebase includes many bug fixes and enhancements.

The most notable change is the added 5-level paging mode for standalone dump (sadump) mechanism on AMD and Intel 64-bit architectures. The 5-level paging mode extends the processor’s linear address width to allow applications access larger amounts of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical addresses from 46 to 52 bits.

Bugzilla:2173791

4.6. File systems and storage

Support for specifying a UUID when creating a GFS2 file system

The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify the file system UUID for the file system you create. If you omit this option, the file system’s UUID is generated randomly.

Bugzilla:2180782

fuse3 now allows invalidating a directory entry without triggering umount

With this update, a new mechanism has been added to fuse3 package, that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry.

Bugzilla:2171095^[1]

4.7. High availability and clusters

Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints before trying to satisfy optional colocation constraints

Previously, colocation constraints were considered one by one regardless of whether they were mandatory or optional. This meant that certain resources could be unable to run even though a node assignment was possible. Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints, including the implicit constraints between group members, before trying to satisfy optional colocation constraints. As a result, resources with a mix of optional and mandatory colocation constraints are now more likely to be able to run.

Bugzilla:1876173

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing

The IPaddr2 and IPsrcaddr cluster resource agents now support policy-based routing, which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table parameter.

Bugzilla:2040110

The Filesystem resource agent now supports the EFS file system type

The ocf:heartbeat:Filesystem cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem resource.

Bugzilla:2049319

The alert_snmp.sh.sample alert agent now supports SNMPv3

The alert_snmp.sh.sample alert agent, which is the sample alert agent provided with Pacemaker, now supports the SNMPv3 protocol as well as SNMPv2. With this update, you can copy the alert_snmp.sh.sample agent without modification to use SNMPv3 with Pacemaker alerts.

Bugzilla:2160206

New enabled alert meta option to disable a Pacemaker alert

Pacemaker alerts and alert recipients now support an enabled meta option.

Setting the enabled meta option to false for an alert disables the alert.
Setting the enabled meta option to true for an alert and false for a particular recipient disables the alert for that recipient.

The default value for the enabled meta option is true. You can use this option to temporarily disable an alert for any reason, such as planned maintenance.

Bugzilla:2078611

Pacemaker Remote nodes now preserve transient node attributes after a brief connection outage

Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its transient node attributes. This was unnecessary if the connection was quickly recoverable and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve transient node attributes after a brief, recoverable connection outage.

Bugzilla:2030869

Enhancements to the pcs property command

The pcs property command now supports the following enhancements:

The pcs property config --output-format= option
- Specify --output-format=cmd to display the pcs property set command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system.
- Specify --output-format=json to display the configured cluster properties in JSON format.
- Specify output-format=text to display the configured cluster properties in plain text format, which is the default value for this option.
The pcs property defaults command, which replaces the deprecated pcs property --defaults option
The pcs property describe command, which describes the meaning of cluster properties.

Bugzilla:2166289

4.8. Dynamic programming languages, web and database servers

A new nodejs:20 module stream is fully supported

A new module stream, nodejs:20, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7249 advisory. The nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version.

Node.js 20 included in RHEL 8.9 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 18 available since RHEL 8.7.

Notable changes include:

The V8 JavaScript engine has been upgraded to version 11.3.
The npm package manager has been upgraded to version 9.8.0.
Node.js introduces a new experimental Permission Model.
Node.js introduces a new experimental Single Executable Application (SEA) feature.
Node.js provides improvements to the Experimental ECMAScript modules (ESM) loader.
The native test runner, introduced as an experimental node:test module in Node.js 18, is now considered stable.

To install the nodejs:20 module stream, use:

# yum module install nodejs:20

If you want to upgrade from the nodejs:18 stream, see Switching to a later stream.

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Bugzilla:2186718

A new filter argument to the Python tarfile extraction functions

To mitigate CVE-2007-4559, Python adds a filter argument to the tarfile extraction functions. The argument allows turning tar features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data' filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.

For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal attack in the Python tarfile library (CVE-2007-4559).

Jira:RHELDOCS-16405^[1]

The HTTP::Tiny Perl module now verifies TLS certificates by default

The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN Perl module.

To make support for TLS verification available, this update adds the following dependencies to the perl-HTTP-Tiny package:

perl-IO-Socket-SSL
perl-Mozilla-CA
perl-Net-SSLeay

Bugzilla:2228409^[1]

A new environment variable in Python to control parsing of email addresses

To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.

The update in RHSA-2024:0256 introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:

export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true

However, individual calls to the affected functions can still enable stricter behavior.

You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:

[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true

For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.

Jira:RHELDOCS-17369^[1]

4.9. Compilers and development tools

Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc

Previously, the default amount of cache used by glibc for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.

Bugzilla:2180462

GCC now supports preserving register arguments

With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.

Bugzilla:2168205^[1]

New GCC Toolset 13

GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.

The following tools and versions are provided by GCC Toolset 13:

Tool	Version
GCC	13.1.1
GDB	12.1
binutils	2.40
dwz	0.14
annobin	12.20

To install GCC Toolset 13, run the following command as root:

# yum install gcc-toolset-13

To run a tool from GCC Toolset 13:

$ scl enable gcc-toolset-13 tool

To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:

$ scl enable gcc-toolset-13 bash

For more information, seehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/developing_c_and_cpp_applications_in_rhel_8/additional-toolsets-for-development_developing-applications#gcc-toolset-13_assembly_additional-toolsets-for-development[GCC Toolset 13] and Using GCC Toolset.

Bugzilla:2171898^[1], Bugzilla:2171928, Bugzilla:2188490

GCC Toolset 13: GCC rebased to version 13.1.1

In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:

General improvements

OpenMP:
- OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support was added for C/C++ in GCC 11.
- Many OpenMP 5.1 features have been added.
- Initial support for OpenMP 5.2 features has been added.
A new debug info compression option value, -gz=zstd, is now available.
The -Ofast, -ffast-math, and -funsafe-math-optimizations options no longer add startup code to alter the floating-point environment when producing a shared object with the -shared option.
GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a JSON-based format suited for capturing the results of static analysis tools (like GCC’s -fanalyzer). You can also use SARIF to capture other GCC warnings and errors in a machine-readable format.
Link-time optimization improvements have been implemented.

New languages and language-specific improvements

C family:

A new -Wxor-used-as-pow option warns about uses of the exclusive or (^) operator where the user might have meant exponentiation.
Three new function attributes have been added for documenting int arguments that are file descriptors:
- attribute((fd_arg(N)))
- attribute((fd_arg_read(N)))
- attribute((fd_arg_write(N)))
These attributes are also used by -fanalyzer to detect misuses of file descriptors.
A new statement attribute, attribute((assume(EXPR)));, has been added for C++23 portable assumptions. The attribute is supported also in C or earlier C++.
GCC can now control when to treat the trailing array of a structure as a flexible array member for the purpose of accessing the elements of such an array. By default, all trailing arrays in aggregates are treated as flexible array members. Use the new command-line option -fstrict-flex-arrays to control what array members are treated as flexible arrays.

Several C23 features have been implemented:
- Introduced the nullptr constant.
- Enumerations enhanced to specify underlying types.
- Requirements for variadic parameter lists have been relaxed.
- Introduced the auto feature to enable type inference for object definitions.
- Introduced the constexpr specifier for object definitions.
- Introduced storage-class specifiers for compound literals.
- Introduced the typeof object (previously supported as an extension) and the typeof_unqual object.
- Added new keywords: alignas, alignof, bool, false, static_assert, thread_local, and true.
- Added the [[noreturn]] attribute to specify that a function does not return execution to its caller.
- Added support for empty initializer braces.
- Added support for STDC_VERSION_*_H header version macros.
- Removed the ATOMIC_VAR_INIT macro.
- Added the unreachable macro for the <stddef.h> header.
- Removed trigraphs.
- Removed unprototyped functions.
- Added printf and scanf format checking through the -Wformat option for the %wN and %wfN format length modifiers.
- Added support for identifier syntax of Unicode Standard Annex (UAX) 31.
- Existing features adopted in C23 have been adjusted to follow C23 requirements and are not diagnosed using the -std=c2x -Wpedantic option.
A new -Wenum-int-mismatch option warns about mismatches between an enumerated type and an integer type.

C++:

Implemented excess precision support through the -fexcess-precision option. It is enabled by default in strict standard modes like -std=c++17, where it defaults to -fexcess-precision=standard. In GNU standard modes like -std=gnu++20, it defaults to -fexcess-precision=fast, which restores previous behavior.
The -fexcess-precision option affects the following architectures:
- Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where float and double expressions are evaluated in long double precision.
- 64-bit IBM Z systems where float expressions are evaluated in double precision.
- Several architectures that support the std::float16_t or std::bfloat16_t types, where these types are evaluated in float precision.
Improved experimental support for C++23, including:
- Added support for labels at the end of compound statements.
- Added a type trait to detect reference binding to a temporary.
- Reintroduced support for volatile compound operations.
- Added support for the #warning directive.
- Added support for delimited escape sequences.
- Added support for named universal character escapes.
- Added a compatibility and portability fix for the char8_t type.
- Added static operator() function objects.
- Simplified implicit moves.
- Rewriting equality in expressions is now less of a breaking change.
- Removed non-encodable wide character literals and wide multicharacter literals.
- Relaxed some constexpr function restrictions.
- Extended floating-point types and standard names.
- Implemented portable assumptions.
- Added support for UTF-8 as a portable source file encoding standard.
- Added support for static operator[] subscripts.
New warnings:
- -Wself-move warns when a value is moved to itself with std::move.
- -Wdangling-reference warns when a reference is bound to a temporary whose lifetime has ended.
- The -Wpessimizing-move and -Wredundant-move warnings have been extended to warn in more contexts.
The new -nostdlib++ option enables linking with g++ without implicitly linking in the C++ standard library.

Changes in the libstdc++ runtime library

Improved experimental support for C++20, including:
- Added the <format> header and the std::format function.
- Added support in the <chrono> header for the std::chrono::utc_clock clock, other clocks, time zones, and the std::format function.
Improved experimental support for C++23, including:
- Additions to the <ranges> header: views::zip, views::zip_transform, views::adjacent, views::adjacent_transform, views::pairwise, views::slide, views::chunk, views::chunk_by, views::repeat, views::chunk_by, views::cartesian_product, views::as_rvalue, views::enumerate, views::as_const.
- Additions to the <algorithm> header: ranges::contains, ranges::contains_subrange, ranges::iota, ranges::find_last, ranges::find_last_if, ranges::find_last_if_not, ranges::fold_left, ranges::fold_left_first, ranges::fold_right, ranges::fold_right_last, ranges::fold_left_with_iter, ranges::fold_left_first_with_iter.
- Support for monadic operations for the std::expected class template.
- Added constexpr modifiers to the std::bitset, std::to_chars and std::from_chars functions.
- Added library support for extended floating-point types.
Added support for the <experimental/scope> header from version 3 of the Library Fundamentals Technical Specification (TS).
Added support for the <experimental/synchronized_value> header from version 2 of the Concurrency TS.
Added support for many previously unavailable features in freestanding mode. For example:
- The std::tuple class template is now available for freestanding compilation.
- The libstdc++ library adds components to the freestanding subset, such as std::array and std::string_view.
- The libstdc++ library now respects the -ffreestanding compiler option, so it is no longer necessary to build a separate freestanding installation of the libstdc++ library. Compiling with -ffreestanding will restrict the available features to the freestanding subset, even if the libstdc++ library was built as a full, hosted implementation.

New targets and target-specific Improvements

The 64-bit ARM architecture:

Added support for the armv9.1-a, armv9.2-a, and armv9.3-a arguments for the -march= option.

The 32- and 64-bit AMD and Intel architectures:

For both C and C++, the __bf16 type is supported on systems with Streaming SIMD Extensions 2 and above enabled.
The real __bf16 type is now used for AVX512BF16 instruction intrinsics. Previously, __bfloat16, a typedef of short, was used. Adjust your AVX512BF16 related source code when upgrading GCC 12 to GCC 13.
Added new Instruction Set Architecture (ISA) extensions to support the following Intel instructions:
- AVX-IFMA whose instruction intrinsics are available through the -mavxifma compiler switch.
- AVX-VNNI-INT8 whose instruction intrinsics are available through the -mavxvnniint8 compiler switch.
- AVX-NE-CONVERT whose instruction intrinsics are available through the -mavxneconvert compiler switch.
- CMPccXADD whose instruction intrinsics are available through the -mcmpccxadd compiler switch.
- AMX-FP16 whose instruction intrinsics are available through the -mamx-fp16 compiler switch.
- PREFETCHI whose instruction intrinsics are available through the -mprefetchi compiler switch.
- RAO-INT whose instruction intrinsics are available through the -mraoint compiler switch.
- AMX-COMPLEX whose instruction intrinsics are available through the -mamx-complex compiler switch.
GCC now supports AMD CPUs based on the znver4 core through the -march=znver4 compiler switch. The switch makes GCC consider using 512-bit vectors when auto-vectorizing.

Improvements to the static analyzer

The static analyzer has gained 20 new warnings:
- -Wanalyzer-allocation-size
- -Wanalyzer-deref-before-check
- -Wanalyzer-exposure-through-uninit-copy
- -Wanalyzer-imprecise-fp-arithmetic
- -Wanalyzer-infinite-recursion
- -Wanalyzer-jump-through-null
- -Wanalyzer-out-of-bounds
- -Wanalyzer-putenv-of-auto-var
- -Wanalyzer-tainted-assertion
- Seven new warnings relating to misuse of file descriptors:
  - -Wanalyzer-fd-access-mode-mismatch
  - -Wanalyzer-fd-double-close
  - -Wanalyzer-fd-leak
  - -Wanalyzer-fd-phase-mismatch (for example, calling accept on a socket before calling listen on it)
  - -Wanalyzer-fd-type-mismatch (for example, using a stream socket operation on a datagram socket)
  - -Wanalyzer-fd-use-after-close
  - -Wanalyzer-fd-use-without-check
    Also implemented special-casing handling of the behavior of the open, close, creat, dup, dup2, dup3, pipe, pipe2, read, and write functions.
- Four new warnings for misuses of the <stdarg.h> header:
  - -Wanalyzer-va-list-leak warns about missing a va_end macro after a va_start or va_copy macro.
  - -Wanalyzer-va-list-use-after-va-end warns about a va_arg or va_copy macro used on a va_list object type that has had the va_end macro called on it.
  - -Wanalyzer-va-arg-type-mismatch type-checks va_arg macro usage in interprocedural execution paths against the types of the parameters that were actually passed to the variadic call.
  - -Wanalyzer-va-list-exhausted warns if a va_arg macro is used too many times on a va_list object type in interprocedural execution paths.
Numerous other improvements.

Backwards incompatible changes

For C++, construction of global iostream objects such as std::cout, std::cin is now done inside the standard library, instead of in every source file that includes the <iostream> header. This change improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will crash if the correct version of libstdc++.so is not used at runtime. See the documentation about using the correct libstdc++.so at runtime. Future GCC releases will mitigate the problem so that the program cannot be run at all with an earlier incompatible libstdc++.so.

Bugzilla:2172091^[1]

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

Added support for moving annobin notes into a separate debug info file. This results in reduced executable binary size.
Added support for a new smaller note format reduces the size of the separate debuginfo files and the time taken to create these files.

Bugzilla:2171923^[1]

GCC Toolset 13: GDB rebased to version 12.1

GCC Toolset 13 provides GDB version 12.1.

Notable bug fixes and enhancements include:

GDB now styles source code and disassembler by default. If styling interferes with automation or scripting of GDB, you can disable it by using the maint set gnu-source-highlight enabled off and maint set style disassembler enabled off commands.
GDB now displays backtraces whenever it encounters an internal error. If this affects scripts or automation, you can use the maint set backtrace-on-fatal-signal off command to disable this feature.

C/C++ improvements:

GDB now treats functions or types involving C++ templates similarly to function overloads. You can omit parameter lists to set breakpoints on families of template functions, including types or functions composed of multiple template types. Tab completion has gained similar improvements.

Terminal user interface (TUI):

tui layout
tui focus
tui refresh
tui window height
These are the new names for the old layout, focus, refresh, and winheight TUI commands respectively. The old names still exist as aliases to these new commands.
tui window width
winwidth
Use the new tui window width command, or the winwidth alias, to adjust the width of a TUI window when windows are laid out in horizontal mode.
info win
This command now includes information about the width of the TUI windows in its output.

Machine Interface (MI) changes:

The default version of the MI interpreter is now 4 (-i=mi4).
The -add-inferior command with no flag now inherits the connection of the current inferior. This restores the behavior of GDB prior to version 10.
The -add-inferior command now accepts a --no-connection flag that causes the new inferior to start without a connection.
The script field in breakpoint output (which is syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the following commands and events:
- -break-insert
- -break-info
- =breakpoint-created
- =breakpoint-modified
  Use the -fix-breakpoint-script-output command to enable the new behavior with earlier MI versions.

New commands:

maint set internal-error backtrace [on|off]
maint show internal-error backtrace
maint set internal-warning backtrace [on|off]
maint show internal-warning backtrace
GDB can now print a backtrace of itself when it encounters internal error or internal warning. This is enabled by default for internal errors and disabled by default for internal warnings.
exit
You can exit GDB using the new exit command in addition to the existing quit command.
maint set gnu-source-highlight enabled [on|off]
maint show gnu-source-highlight enabled
Enables or disables the GNU Source Highlight library for adding styling to source code. When disabled, the library is not used even if it is available. When the GNU Source Highlight library is not used the Python Pygments library is used instead.
set suppress-cli-notifications [on|off]
show suppress-cli-notifications
Controls if printing the notifications is suppressed for CLI or not. CLI notifications occur when you change the selected context (such as the current inferior, thread, or frame), or when the program being debugged stops (for example: because of hitting a breakpoint, completing source-stepping, or an interrupt).
set style disassembler enabled [on|off]
show style disassembler enabled
When enabled, the command applies styling to disassembler output if GDB is compiled with Python support and the Python Pygments package is available.

Changed commands:

set logging [on|off]
Deprecated and replaced by the set logging enabled [on|off] command.
print
Printing of floating-point values with base-modifying formats like /x has been changed to display the underlying bytes of the value in the desired base.
clone-inferior
The clone-inferior command now ensures that the TTY, CMD, and ARGs settings are copied from the original inferior to the new one. All modifications to the environment variables done using the set environment or unset environment commands are also copied to the new inferior.

Python API:

The new gdb.add_history() function takes a gdb.Value object and adds the value it represents to GDB’s history list. The function returns an integer, which is the index of the new item in the history list.
The new gdb.history_count() function returns the number of values in GDB’s value history.
The new gdb.events.gdb_exiting event is called with a gdb.GdbExitingEvent object that has the read-only attribute exit_code containing the value of the GDB exit code. This event is triggered prior to GDB’s exit before GDB starts to clean up its internal state.
The new gdb.architecture_names() function returns a list containing all of the possible Architecture.name() values. Each entry is a string.
The new gdb.Architecture.integer_type() function returns an integer type given a size and a signed-ness.
The new gdb.TargetConnection object type represents a connection (as displayed by the info connections command). A sub-class, gdb.RemoteTargetConnection, represents remote and extended-remote connections.
The gdb.Inferior type now has a connection property that is an instance of the gdb.TargetConnection object, the connection used by this inferior. This can be None if the inferior has no connection.
The new gdb.events.connection_removed event registry emits a gdb.ConnectionEvent event when a connection is removed from GDB. This event has a connection property, a gdb.TargetConnection object for the connection being removed.
The new gdb.connections() function returns a list of all currently active connections.
The new gdb.RemoteTargetConnection.send_packet(PACKET) method is equivalent to the existing maint packet CLI command. You can use it to send a specified packet to the remote target.
The new gdb.host_charset() function returns the name of the current host character set as a string.
The new gdb.set_parameter(NAME, VALUE) function sets the GDB parameter NAME to VALUE.
The new gdb.with_parameter(NAME, VALUE) function returns a context manager that temporarily sets the GDB parameter NAME to VALUE and then resets it when the context is exited.
The gdb.Value.format_string method now takes a styling argument, which is a boolean. When true, the returned string can include escape sequences to apply styling. The styling is present only if styling is turned on in GDB (see help set styling). When false, which is the default if the styling argument is not given, no styling is applied to the returned string.
The new read-only attribute gdb.InferiorThread.details is either a string containing additional target-specific thread-state information, or None if there is no such additional information.
The new read-only attribute gdb.Type.is_scalar is True for scalar types, and False for all other types.
The new read-only attribute gdb.Type.is_signed should only be read when Type.is_scalar is True, and will be True for signed types and False for all other types. Attempting to read this attribute for non-scalar types will raise a ValueError.
You can now add GDB and MI commands implemented in Python.

For more information see the upstream release notes:

What has changed in GDB?

Bugzilla:2172095^[1]

GCC Toolset 13: bintuils rebased to version 2.40

GCC Toolset 13 provides the binutils package version 2.40. Notable enhancements include:

Linkers:

The new -w (--no-warnings) command-line option for the linker suppresses the generation of any warning or error messages. This is useful in case you need to create a known non-working binary.
The ELF linker now generates a warning message if:
- The stack is made executable
- It creates a memory resident segment with all three of the Read, Write and eXecute permissions set
- It creates a thread local data segment with the eXecute permission set.
  You can disable these warnings by using the --no-warn-exec-stack or --no-warn-rwx-segments options.
The linker can now insert arbitrary JSON-format metadata into binaries that it creates.

Other tools:

A new the objdump tool’s --private option to display fields in the file header and section headers for Portable Executable (PE) format files.
A new --strip-section-headers command-line option for the objcopy and strip utilities to remove the ELF section header from ELF files.
A new --show-all-symbols command-line option for the objdump utility to display all symbols that match a given address when disassembling, as opposed to the default function of displaying only the first symbol that matches an address.
A new -W (--no-weak) option to the nm utility to make it ignore weak symbols.
The objdump utility now supports syntax highlighting of disassembler output for some architectures. Use the --disassembler-color=MODE command-line option, with MODE being one of the following:
- off
- color - This option is supported by all terminal emulators.
- extended-color - This option uses 8-bit colors not supported by all terminal emulators.

Bugzilla:2171924^[1]

GCC Toolset 13: annobin rebased to version 12.20

GCC Toolset 13 provides the annobin package version 12.20. Notable enhancements include:

Added support for moving annobin notes into a separate debug info file. This results in reduced executable binary size.
Added support for a new smaller note format, which reduces the size of the separate debuginfo files and the time taken to create these files.

Bugzilla:2171921^[1]

Valgrind rebased to version 3.21.0

Valgrind has been updated to version 3.21.0. Notable enhancements include:

A new abexit value for the --vgdb-stop-at=event1,event2,… option notifies the gdbserver utility when your program exits abnormally, such as with a non-zero exit code.
A new --enable-debuginfod=[yes|no] option instructs Valgrind to use the debuginfod servers listed in the DEBUGINFOD_URLS environment variable to fetch any missing DWARF debuginfo information for the program running under Valgrind. The default value for this option is yes.
Note
The DEBUGINFOD_URLS environment variable is not set by default.
The vgdb utility now supports the extended remote protocol when invoked with the --multi option. The GDB run command is supported in this mode and, as a result, you can run GDB and Valgrind from a single terminal.
You can use the --realloc-zero-bytes-frees=[yes|no] option to change the behavior of the realloc() function with a size of zero for tools that intercept the malloc() call.
The memcheck tool now performs checks for the use of the realloc() function with a size of zero. Use the new --show-realloc-size-zero=[yes|no] switch to disable this feature.
You can use the new --history-backtrace-size=value option for the helgrind tool to configure the number of entries to record in the stack traces of earlier accesses.
The --cache-sim=[yes|no] cachegrind option now defaults to no and, as a result, only instruction cache read events are gathered by default.
The source code for the cg_annotate, cg_diff, and cg_merge cachegrind utilities has been rewritten and, as a result, the utilities have more flexible command line option handling. For example, they now support the --show-percs and --no-show-percs options as well as the existing --show-percs=yes and --show-percs=no options.
The cg_annotate cachegrind utility now supports diffing (using the --diff, --mod-filename, and --mod-funcname options) and merging (by passing multiple data files). In addition, cg_annotate now provides more information at the file and function level.
A new user-request for the DHAT tool allows you to override the 1024 byte limit on access count histograms for blocks of memory.

The following new architecture-specific instruction sets are now supported:

64-bit ARM:
- v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare Greater Than (FACGT), and Floating-point Add (FADD) instructions.
- v8.2 Floating-point (FP) compare and conditional compare instructions.
- Zero variants of v8.2 Floating-point (FP) compare instructions.
64-bit IBM Z:
- Support for the miscellaneous-instruction-extensions facility 3 and the vector-enhancements facility 2. This enables programs compiled with the -march=arch13 or -march=z15 options to be executed under Valgrind.
IBM Power:
- ISA 3.1 support is now complete.
- ISA 3.0 now supports the deliver a random number (darn) instruction.
- ISA 3.0 now supports the System Call Vectored (scv) instruction.
- ISA 3.0 now supports the copy, paste, and cpabort instructions.

Bugzilla:2124345

systemtap rebased to version 4.9

The systemtap package has been upgraded to version 4.9. Notable changes include:

A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap scripts on LSP-capable editors.
Access to a Python/Jupyter interactive notebook frontend.
Improved handling of DWARF 5 bitfields.

Bugzilla:2186932

elfutils rebased to version 0.189

The elfutils package has been updated to version 0.189. Notable improvements and bug fixes include:

libelf: The elf_compress tool now supports the ELFCOMPRESS_ZSTD ELF compression type.
libdwfl: The dwfl_module_return_value_location function now returns 0 (no return type) for DWARF Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag.
eu-elfcompress: The -t and --type= options now support the Zstandard (zstd) compression format via the zstd argument.

Bugzilla:2182060

libpfm rebased to version 4.13

The libpfm package has been updated to version 4.13. With this update, libpfm can now access performance monitoring hardware native events for the following processor microarchitectures:

AMD Zen 4
ARM Neoverse N1
ARM Neoverse N2
ARM Neoverse V1
ARM Neoverse V2
4th Generation Intel® Xeon® Scalable Processors
IBM z16

Bugzilla:2185653, Bugzilla:2111987, Bugzilla:2111966, Bugzilla:2111973, Bugzilla:2109907, Bugzilla:2111981, Bugzilla:2047725

papi supports new processor microarchitectures

With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:

ARM Neoverse N1
ARM Neoverse N2
ARM Neoverse V1
ARM Neoverse V2

Bugzilla:2111982^[1], Bugzilla:2111988

papi now supports fast performance event count read operations for 64-bit ARM

Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average number of clock cycles for papi to read 2 counters from 724 cycles to 29 cycles.

Bugzilla:2161146^[1]

LLVM Toolset rebased to version 16.0.6

LLVM Toolset has been updated to version 16.0.6.

Notable enhancements include:

Improvements to optimization
Support for new CPU extensions
Improved support for new C++ versions.

Notable backwards incompatible changes include:

Clang’s default C++ standard is now gnu++17 instead of gnu++14.
The -Wimplicit-function-declaration, -Wimplicit-int and -Wincompatible-function-pointer-types options now default to error for C code. This might affect the behavior of configure scripts.

By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13.

For more information, see the LLVM release notes and Clang release notes.

Bugzilla:2178806

Rust Toolset rebased to version 1.71.1

Rust Toolset has been updated to version 1.71.1. Notable changes include:

A new implementation of multiple producer, single consumer (mpsc) channels to improve performance
A new Cargo sparse index protocol for more efficient use of the crates.io registry
New OnceCell and OnceLock types for one-time value initialization
A new C-unwind ABI string to enable usage of forced unwinding across Foreign Function Interface (FFI) boundaries

For more details, see the series of upstream release announcements:

Bugzilla:2191740

The Rust profiler_builtins runtime component is now available

With this enhancement, the Rust profile_builtins runtime component is now available. This runtime component enables the following compiler options:

-C instrument-coverage: Enables coverage profiling
-C profile-generate: Enables profile-guided optimization

Bugzilla:2213875^[1]

Go Toolset rebased to version 1.20.10

Go Toolset has been updated to version 1.20.10.

Notable enhancements include:

New functions added in the unsafe package to handle slices and strings without depending on the internal representation.
Comparable types can now satisfy comparable constraints.
A new crypto/ecdh package.
The go build and go test commands no longer accept the -i flag.
The go generate and go test commands now accept the -skip pattern option.
The go build, go install, and other build-related commands now support the -pgo and -cover flags.
The go command now disables cgo by default on systems without a C toolchain.
The go version -m command now supports reading more Go binaries types.
The go command now disables cgo by default on systems without a C toolchain.
Added support for collecting code coverage profiles from applications and integration tests instead of collecting them only from unit tests.

Bugzilla:2185260^[1]

grafana rebased to version 9.2.10

The grafana package has been updated to version 9.2.10. Notable changes include:

The time series panel is now the default visualization option, replacing the graph panel.
Grafana provides a new Prometheus and Loki query builder.
Grafana now includes multiple UI/UX and performance improvements.
The license has changed from Apache 2.0 to GNU Affero General Public License (AGPL).
The heatmap panel is now used throughout Grafana.
Geomaps can now measure both distance and area.
The Alertmanager is now based on Prometheus Alertmanager version 0.24.
Grafana Alerting rules now return an Error state by default on execution error or timeout.
Expressions can now be used on public dashboards.
The join transformation now supports inner joins.
Public dashboards now allow sharing Grafana dashboards.
A new Prometheus streaming parser is now available as an opt-in feature.

For more information, see the upstream release notes:

Bugzilla:2193250

grafana-pcp rebased to version 5.1.1

The grafana-pcp package, which provides the Performance Co-Pilot Grafana Plugin, has been updated to version 5.1.1. Notable changes include:

Query editor: Added buttons to disable rate conversation and time utilization conversation
Redis datasource:
- Removed the deprecated label_values(metric, label) function
- Fixed the network error for metrics with many series (requires Performance Co-Pilot version 6 and later)
Set the pmproxy API timeout to 1 minute

Bugzilla:2193270

.NET 8.0 is available

Red Hat Enterprise Linux 8.9 is distributed with .NET version 8.0. Notable improvements include:

Added support for the C#12 and F#8 language versions.
Added support for building container images using the .NET Software Development Kit directly.
Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, and the base libraries.

Jira:RHELPLAN-164398^[1]

4.10. Identity Management

samba rebased to version 4.18.4

The samba packages have been upgraded to upstream version 4.18.4, which provides bug fixes and enhancements over the previous version. The most notable changes:

Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high metadata workloads. This update improves the performance in this scenario.
The new wbinfo --change-secret-at=<domain_controller> command enforces the change of the trust account password on the specified domain controller.
By default, Samba stores access control lists (ACLs) in the security.NTACL extended attribute of files. You can now customize the attribute name with the acl_xattr:<security_acl_name> setting in the /etc/samba/smb.conf file. Note that a custom extended attribute name is not a protected location as security.NTACL. Consequently, users with local access to the server can be able to modify the custom attribute’s content and compromise the ACL.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

Bugzilla:2190417

ipa rebased to version 4.9.12

The ipa package has been upgraded to version 4.9.12. For more information, see the upstream FreeIPA release notes.

Bugzilla:2196425

Multiple IdM groups and services can now be managed in a single Ansible task

With this enhancement in ansible-freeipa, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups and services options of the ipagroup and ipaservice modules.

Using the groups option available in ipagroup, you can specify multiple group variables that only apply to a particular group. This group is defined by the name variable, which is the only mandatory variable for the groups option.

Similarly, using the services option available in ipaservice, you can specify multiple service variables that only apply to a particular service. This service is defined by the name variable, which is the only mandatory variable for the services option.

Jira:RHELDOCS-16474^[1]

ansible-freeipa ipaserver role now supports Random Serial Numbers

With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

Important

RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.

Jira:RHELDOCS-16462^[1]

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in the ipaserver role

If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:

Specify the ipaserver_remove_on_server value to identify which part of the topology you want to preserve.
Set ipaserver_ignore_topology_disconnect to True.

Note that if removing a replica from IdM by using the remove_server_from_domain option preserves a connected topology, neither of these options is required.

Bugzilla:2127901

The ipaclient role now allows configuring user subID ranges on the IdM level

With this update, the ipaclient role provides the ipaclient_subid option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the default behavior and installs the client without subID ranges configured for IdM users.

Previously, the role configured the sssd authselect profile that in turn customized the /etc/nsswitch.conf file. The subID database did not use IdM and relied only on the local files of /etc/subuid and /etc/subgid.

Bugzilla:2175766

You can now manage IdM certificates using the ipacert Ansible module

You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, as well as restore certificates that have been put on hold.

Bugzilla:2127906

MIT Kerberos now supports the Extended KDC MS-PAC signature

With this update, MIT Kerberos, which is used by Red Hat, implements support for one of the two types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to recent CVEs. Specifically, MIT Kerberos in RHEL 8 supports the Extended KDC signature that was released in KB5020805 and that addresses CVE-2022-37967.

Note that because of ABI stability constraints, MIT Kerberos on RHEL8 cannot support the other PAC signature type, that is Ticket signature as defined in KB4598347.

To troubleshoot problems related to this enhancement, see the following Knowledgebase resources:

4.11. Graphics infrastructures

Intel Arc A-Series graphics is now fully supported

The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.

With this release, you no longer have to set the i915.force_probe kernel option, and full support for these GPUs is enabled by default.

Bugzilla:2041686^[1]

4.12. The web console

Podman health check action is now available

You can select one of the following Podman health check actions when creating a new container:

No action (default): Take no action.
Restart: Restart the container.
Stop: Stop the container.
Force stop: Force stops the container, it does not wait for the container to exit.

Jira:RHELDOCS-16247^[1]

Accounts page updates for the web console

This update introduces the following updates to the Accounts page:

It is now possible to add custom user ID and define home directory and shell during the account creation process.
When creating an account, password validation actively performs a check on every keystroke. Additionally, weak passwords are now shown with a warning.
Account detail pages now show the home directory and shell for an account.
It is possible to change shell from the account details page.

Jira:RHELDOCS-16367^[1]

4.13. Red Hat Enterprise Linux system roles

The postgresql RHEL system role is now available

The new postgresql RHEL system role installs, configures, manages, and starts the PostgreSQL server. The role also optimizes the database server settings to improve performance.

The role supports the currently released and supported versions of PostgreSQL on RHEL 8 and RHEL 9 managed nodes.

For more information, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.

Bugzilla:2151371

keylime_server RHEL system role

With the new keylime_server RHEL system role, you can use Ansible playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.

Bugzilla:2224387

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

Configuration of resource and resource operation defaults, including multiple sets of defaults with rules.
Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs available to the cluster.
Assignment of distinct passwords to the cluster hosts and the quorum device. With that, you can configure a deployment where the same quorum hosts are joined to multiple, separate clusters, and the passwords of the hacluster user on these clusters are different.

For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL system role.

Bugzilla:2190483, Bugzilla:2190478, Bugzilla:2216485

storage system role supports configuring the stripe size for RAID LVM volumes

With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.

Bugzilla:2141961

podman RHEL system role now supports Quadlets, healthchecks, and secrets

Starting with Podman 4.6, you can use the podman_quadlet_specs variable in the podman RHEL system role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.

The healthchecks are supported only for Quadlet Container types. In the [Container] section, specify the HealthCmd field to define the healthcheck command and HealthOnFailure field to define the action when a container is unhealthy. Possible options are none, kill, restart, and stop.

You can use the podman_secrets variable to manage secrets. For details, see upstream documentation.

Jira:RHELPLAN-154440^[1]

RHEL system roles now have new volume options for mount point customization

With this update, you can now specify mount_user, mount_group, and mount_permissions parameters for your mount directory.

Bugzilla:2181661

kdump RHEL system role updates

The kdump RHEL system role has been updated to a newer version, which brings the following notable enhancements:

After installing kexec-tools, the utility suite no longer generates the /etc/sysconfig/kdump file because you do not need to manage this file anymore.
The role supports the auto_reset_crashkernel and dracut_args variables.

For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/ directory.

Bugzilla:2211272

The ad_integration RHEL system role can now rejoin an AD domain

With this update, you can now use the ad_integration RHEL system role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.

Bugzilla:2211723

The rhc system role now supports setting a proxy server type

The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by using the rhc system role. You can set two values: http, the default and https.

Bugzilla:2211778

New option in the ssh role to disable configuration backups

You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup option to false. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup option is true, which preserves the original behavior.

Bugzilla:2216759

The certificate RHEL system role now allows changing certificate file mode when using certmonger

Previously, certificates created by the certificate RHEL system role with the certmonger provider used a default file mode. However, in some use-cases you might require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode parameter.

Bugzilla:2218204

New RHEL system role for managing systemd units

The rhel-system-role package now contains the systemd RHEL system role. You can use this role to deploy unit files and manage systemd units on multiple systems. You can automate systemd functionality by providing systemd unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.

Bugzilla:2224388

The network RHEL system role supports the no-aaaa DNS option

You can now use the no-aaaa option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.

Bugzilla:2218595

The network RHEL system role supports the auto-dns option to control automatic DNS record updates

This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name servers and search domains such as dns record from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns settings.

Bugzilla:2211273

firewall RHEL system role supports variables related to ipsets

With this update of the firewall RHEL system role, you can define, modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules.

You can manage ipsets with the firewall RHEL system role using the following variables:

ipset
ipset_type
ipset_entries
short
description
state: present or state: absent
permanent: true

The following are some notable benefits of this enhancement:

You can reduce the complexity of the rich rules that define rules for many IP addresses.
You can add or remove IP addresses from sets as needed without modifying multiple rules.

For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/ directory.

Bugzilla:2140880

Improved performance of the selinux system role with restorecon -T 0

The selinux system role now uses the -T 0 option with the restorecon command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.

Bugzilla:2192343

The firewall RHEL system role has an option to disable conflicting services, and it no longer fails if firewalld is masked

Previously, the firewall system role failed when the firewalld service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:

The linux-system-roles.firewall role always attempts to install, unmask, and enable the firewalld service on role run. You can now add a new variable firewall_disable_conflicting_services to your playbook to disable known conflicting services, for example, iptables.service, nftables.service, and ufw.service. The firewall_disable_conflicting_services variable is set to false by default. To disable conflicting services, set the variable to true.

Bugzilla:2222809

The podman RHEL system role now uses getsubids to get subuids and subgids

The podman RHEL system role now uses the getsubids command to get the subuid and subgid ranges for a user and group, respectively. The podman RHEL system role also uses this command to verify users and groups to work with identity management.

Jira:RHEL-866^[1]

The podman_kube_specs variable now supports pull_image and continue_if_pull_fails fields

The podman_kube_specs variable now supports new fields:

pull_image: ensures the image is pulled before use. The default value is true. Use false if you have some other mechanism to ensure the images are present on the system and you do not want to pull the images.
continue_if_pull_fails: If pulling image fails, it is not treated as a fatal error, and continues with the role. The default is false. Use true if you have some other mechanism to ensure the correct images are present on the system.

Jira:RHEL-858^[1]

Resetting the firewall RHEL system role configuration now requires minimal downtime

Previously, when you reset the firewall role configuration by using the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld does not block traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced variable to reset the firewall role configuration now requires minimal downtime.

Bugzilla:2224648

4.14. RHEL in cloud environments

cloud-init supports NetworkManager keyfiles

With this update, the cloud-init utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.

Note that by default, cloud-init still uses the sysconfig method for network setup. To configure cloud-init to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg and set network-manager as the primary network renderer:

# cat /etc/cloud/cloud.cfg

   network:
      renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']

Bugzilla:2219528^[1]

cloud-init now uses VMware datasources by default on ESXi

When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.

Bugzilla:2230777^[1]

4.15. Supportability

sos rebased to version 4.6

The sos utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:

sos reports now include the contents of both /boot/grub2/custom.cfg and /boot/grub2/user.cfg files that might contain critical information for troubleshooting boot issues. (BZ#2213951)
The sos plugin for OVN-Kubernetes collects additional logs for the interconnect environment. With this update, sos also collects logs from the ovnkube-controller container when both ovnkube-node and ovnkube-controller containers are merged into one.

In addition, notable bug fixes include:

sos now correctly gathers cgroup data in the OpenShift Container Platform 4 environment (BZ#2186361).
While collecting sos reports with the sudo plugin enabled, sos now removes the bindpw option properly. (BZ#2143272)
The subscription_manager plugin no longer collects proxy usernames and passwords from the /var/lib/rhsm/ path. (BZ#2177282)
The virsh plugin no longer collects the SPICE remote-display passwords in virt-manager logs, which prevents sos from disclosing passwords in its reports. (BZ#2184062)
sos now masks usernames and passwords previously displayed in the /var/lib/iscsi/nodes/<IQN>/<PortalIP>/default file.
Important
The generated archive might contain data considered sensitive. Thus, you should always review the content before passing it to any third party.
(BZ#2187859)
sos completes the tailed log collection even when the size of the log file is exceeded and when a plugin times out. (BZ#2203141)
When entering the sos collect command on a Pacemaker cluster node, sos collects an sos report from the same cluster node. (BZ#2186460)
When collecting data from a host in the OpenShift Container Platform 4 environment, sos now uses the sysroot path, which ensures that only the correct data are assembled. (BZ#2075720)
The sos report --clean command obfuscates all MAC addresses as intended. (BZ#2207562)
Disabling the hpssm plugin no longer raises exceptions. (BZ#2216608)
The sos clean command follows permissions of sanitized files. (BZ#2218279)

For details on each release of sos, see upstream release notes.

Jira:RHELPLAN-156196^[1]

4.16. Containers

Podman supports pulling and pushing images compressed with zstd

You can pull and push images compressed with the zstd format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.

Jira:RHELPLAN-154313^[1]

Quadlet in Podman is now available

Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might be easier to use than the podman generate systemd command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd. Note that Quadlets work only with rootful containers.

For more details, see the Quadlet upstream documentation and the Make systemd better for Podman with Quadlet article.

Jira:RHELPLAN-154431^[1]

The Container Tools packages have been updated

The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.

Notable changes in Podman v4.6 include:

The podman kube play command now supports the --configmap=<path> option to provide Kubernetes YAML file with environment variables used within the containers of the pod.
The podman kube play command now supports multiple Kubernetes YAML files for the --configmap option.
The podman kube play command now supports containerPort names and port numbers within liveness probes.
The podman kube play command now adds the ctrName as an alias to the pod network.
The podman kube play and podman kube generate commands now support SELinux filetype labels and ulimit annotations.
A new command, podman secret exists, has been added, which verifies if a secret with the given name exists.
The podman create, podman run, podman pod create, and podman pod clone commands now support a new option, --shm-size-systemd, which allows limiting tmpfs sizes for systemd-specific mounts.
The podman create and podman run commands now support a new option, --security-opt label=nested, which allows SELinux labeling within a confined container.
Podman now supports auto updates for containers running inside a pod.
Podman can now use an SQLite database as a backend for increased stability. The default remains the BoltDB database. You can select the database by setting the database_backend field in the containers.conf file.
Podman now supports Quadlets to automatically generate a systemd service file from the container description. The description focuses on the relevant container details and hides the technical complexity of running containers under systemd.

For further information about notable changes, see upstream release notes.

Jira:RHELPLAN-154443^[1]

Podman now supports a Podmansh login shell

Beginning with Podman v4.6, you can use the Podmansh login shell to manage user access and control. To switch to CGroups v2, add systemd.unified_cgroup_hierarchy=1 to the kernel command line. Configure the settings for a user to use the /usr/bin/podmansh command as a login shell instead of a standard shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh command runs the user’s session in a Podman container named podmansh. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the ContainerName field in the [Container] section to podmansh. Systemd automatically starts podmansh when the user session starts and continues running until all user sessions exit.

For more information, see Podman v4.6.0 Introduces Podmansh: A Revolutionary Login Shell.

Jira:RHELPLAN-163002^[1]

Clients for sigstore signatures with Fulcio and Rekor are now available

With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.

Add the fulcio section in the policy.json file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml commands, where file.yml is the sigstore signing parameter file.

To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData fields in the policy.json file. For more information, see containers-policy.json man page.

Jira:RHELPLAN-160659^[1]