9.0 Release Notes

Anaconda supports rhsm for machine provisioning through Kickstart installations for Satellite

Previously, machine provisioning depended on a custom %post script for Kickstart installation on Red Hat Satellite. This %post script imported the custom Satellite self-signed certificate, registered the machine, attached a subscription, and installed packages residing in repositories.

RHEL supports localhost as a static hostname

Starting with RHEL 9, setting localhost as a static hostname in /etc/hostname is valid. In this case, NetworkManager does not try to obtain a transient hostname through DHCP or reverse DNS lookup.

Licensing, system, and user setting configuration screens have been disabled post standard installation

Previously, RHEL users were configuring Licensing, System (Subscription manager), and User Settings prior to the gnome-initial-setup and login screens. With this update, the initial setup screens have been disabled by default to improve user experience.

Anaconda activates network automatically for interactive installations

Previously, when performing an interactive installation without having the network activated by Kickstart or boot options, users had to activate the network manually in the network spoke. With this update, Anaconda activates the network automatically, without requiring users to visit the network spoke and activate it manually.

Image Builder now supports filesystem configuration

With this enhancement, you can specify custom filesystem configuration in your blueprints and you can create images with the desired disk layout. As a result, by having non-default layouts, you can benefit from security benchmarks, consistency with existing setups, performance, and protection against out-of-disk errors.

New options to Lock root account and Allow root SSH login with password

The following new options have been added on the root password configuration screen in the RHEL graphical installation:

Image Builder now supports creating bootable installer images

With this enhancement, you can use Image Builder to create bootable ISO images that consist of a tarball file, which contains a root file system. As a result, you can use the bootable ISO image to install the tarball file system to a bare metal system.

RHEL for Edge now supports Greenboot built-in health checks by default

With this update, RHEL for Edge Greenboot now includes built-in health checks with watchdog feature to ensure that the hardware does not hang or freeze while rebooting. With that, you can benefit from the following features:

RHEL 9 provides rpm-ostree v2022.2

RHEL 9 is distributed with the rpm-ostree version v2022.2, which provides multiple bug fixes and enhancements. Notable changes include:

RHEL 9 provides OSTree v2021.2

RHEL 9 is distributed with the OSTree package version v2021.2, which provides multiple bug fixes and enhancements. Notable changes include:

The rpm-ostree rebase tool supports upgrade from RHEL 8 to RHEL 9

With this enhancement, you can upgrade your RHEL 8 system to RHEL 9 using the rpm-ostree rebase tool. It fully supports the default package set of RHEL for Edge upgrades between the most recent updates of RHEL 8 to the most recent updates of RHEL 9.

Merged system purpose commands under subscription-manager syspurpose

Previously, there were two different commands to set system purpose attributes; syspurpose and subscription-manager. To unify all the system purpose attributes under one module, all the addons, role, service-level, and usage commands from subscription-manager have been moved to the new submodule, subscription-manager syspurpose.

RHEL 9 provides RPM 4.16

RHEL 9 is distributed with RPM version 4.16. Notable bug fixes and enhancements over version 4.14 include:

New RPM plugin notifies fapolicyd about changes during RPM transactions

This update of the rpm packages introduces a new RPM plugin that integrates the fapolicyd framework with the RPM database. The plugin notifies fapolicyd about installed and changed files during an RPM transaction. As a result, fapolicyd now supports integrity checking.

RPM now supports the EdDSA public key algorithm

With this enhancement, the rpm command supports signing keys using the EdDSA public key algorithm. As a result, signing keys generated using EdDSA can now be used for signing and verifying packages.

RPM now supports the Zstandard (zstd) compression algorithm

With this enhancement, the default RPM compression algorithm has switched to Zstandard (zstd). As a result, users can benefit from faster package installations, which can be especially noticeable during large transactions.

New DNF options exclude_from_weak_autodetect and exclude_from_weak

With this enhancement, the default DNF behavior does not install unwanted weak dependencies. To modify this behavior, use the following new options:

RHEL 9 provides libmodulemd 2.13.0

RHEL 9 is distributed with the libmodulemd package version 2.13.0. Notable bug fixes and enhancements over version 2.9.4 include:

Bracketed paste is now enabled in bash by default

The bash readline library version 8.1 is now available, which enables bracketed paste mode by default. When you paste text to your terminal, bash highlights the text, and you must press enter to execute the pasted command. Bracketed paste mode is the default setting to avoid accidentally executing malicious commands.

RHEL 9 includes powerpc-utils 1.3.9

RHEL 9 provides the powerpc-utils package version 1.3.9. Notable bug fixes and enhancements over version 1.3.8 include:

RHEL 9 is distributed with opal-prd 6.7.1

The opal-prd package version 6.7.1 provides the following notable bug fixes and enhancements over the previously available version 6.6.3:

RHEL 9 provides lsvpd 1.7.12

RHEL 9 is distributed with the lsvpd package version 1.7.12. Notable bug fixes and enhancements over version 1.7.11 include:

ppc64-diag version 2.7.7 available

The ppc64-diag package version 2.7.7 is provided in RHEL 9. Notable bug fixes and enhancements over version 2.7.6 include:

RHEL 9 includes Fetchmail 6.4.24

RHEL 9 is distributed with the fetchmail package version 6.4.24. Fetchmail is a remote-mail retrieval and forwarding utility.

RHEL 9 includes Eigen 3.4

RHEL 9 is distributed with the eigen3 package version 3.4. Eigen 3.4 is a C++ template library for linear algebra, which now supports POWER10 matrix multiplication assist instructions.

RHEL 9 introduces the cdrskin package

RHEL 9 introduces the cdrskin package for burning data on CD, DVD, or BD media. The cdrskin package provides a replacement for the cdrecord executable from the wodim package, which is not available in RHEL 9.

The redhat.rhel_mgmt Ansible collection is supported in the RHEL 9 release

This update provides support to the Intelligent Platform Management Interface (IPMI) Ansible modules. IPMI is a specification for a set of management interfaces to communicate with baseboard management controller (BMC) devices. The IPMI modules - ipmi_power and ipmi_boot - are available in the redhat.rhel_mgmt Collection, which you can access by installing the ansible-collection-redhat-rhel_mgmt package.

RHEL 9 introduces the util-linux-core package

In addition to the util-linux package, RHEL 9 provides the util-linux-core subpackage for scenarios where the size of installed packages is a critical feature, for example buildroots, certain containers, and boot images.

Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces

Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.

s-nail replaces mailx

The s-nail mail processing system has replaced the mailx utility. The s-nail utility is compatible with mailx and adds numerous new features. The mailx package is no longer maintained in the upstream.

TuneD 2.18 is available

RHEL 9 is distributed with TuneD version 2.18. Notable changes over version 2.16 include:

RHEL 9 provides mod_security_crs 3.3

RHEL 9 is distributed with the mod_security_crs package version 3.3. Notable bug fixes and enhancements include:

RHEL 9 provides chrony 4.1

RHEL 9 is distributed with chrony version 4.1. Notable bug fixes and enhancements over version 3.5 include:

System-wide crypto-policies are now more secure

With this update, the system-wide cryptographic policies have been adjusted to provide up-to-date secure defaults:

RHEL 9 provides OpenSSL 3.0.1

RHEL 9 provides openssl packages in upstream version 3.0.1, which includes many improvements and bug fixes over the previous version. The most notable changes include:

OpenSSL now includes providers

The OpenSSL toolkit in version 3.0.1, which is included in RHEL 9, added the concept of providers. Providers are collections of algorithms, and you can choose different providers for different applications. OpenSSL currently includes the following providers: base, default, fips, legacy, and null.

OpenSSL random bit generator now supports CPACF

This release of the openssl packages introduces support for the CP Assist for Cryptographic Functions (CPACF) in the OpenSSL NIST SP800-90A-compliant AES-based deterministic random bit generator (DRBG).

openssl-spkac can now create SPKAC files signed with SHA-1 and SHA-256

The openssl-spkac utility can now create Netscape signed public key and challenge (SPKAC) files signed with hashes different than MD5. You can now create and verify also SPKAC files signed with SHA-1 and SHA-256 hashes.

RHEL 9 provides openCryptoki 3.17.0

RHEL 9 is distributed with openCryptoki version 3.17.0. Notable bug fixes and enhancements over version 3.16.0 include:

GnuTLS provided in version 3.7.3

In RHEL 9, the gnutls packages are provided in upstream version 3.7.3. This provides many improvements and bug fixes over previous versions, most notably:

RHEL 9 provides NSS 3.71

RHEL 9 is distributed with the Network Security Services (NSS) libraries version 3.71. Notable changes include:

NSS no longer support RSA keys shorter than 1023 bits

The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:

Minimal RSA key bit length option in OpenSSH

Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH servers and clients. To define the minimal RSA key length, use the new RSAMinSize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients.

OpenSSH distributed in 8.7p1

RHEL 9 includes OpenSSH in version 8.7p1. This version provides many enhancements and bug fixes over OpenSSH version 8.0p1, which is distributed in RHEL 8.5, most notably:

Locale forwarding disabled by default in OpenSSH

Using the C.UTF-8 locale in small images, such as containers and virtual machines, reduces size and improves performance over using the traditional en_US.UTF-8 locale.

OpenSSH supports U2F/FIDO security keys

Previously, the OpenSSH keys stored in hardware were only supported through the PKCS #11 standard, which limited the use of other security keys in SSH. Support for U2F/FIDO security keys was developed upstream and is now implemented in RHEL 9. This results in an improved usability of security keys within SSH independent of the PKCS #11 interface.

Libreswan provided in version 4.6

In RHEL 9, Libreswan is provided in upstream version 4.6. This version provides many bug fixes and enhancements, most notably improvements on labeled IPsec used with Internet Key Exchange version 2 (IKEv2).

Libreswan does not accept IKEv1 packages by default

Because the Internet Key Exchange v2 (IKEv2) protocol is now widely deployed, Libreswan no longer supports IKEv1 packets by default. IKEv2 provides a more secure environment and more resilience against attacks. If your scenario requires the use of IKEv1, you can enable it by adding the ikev1-policy=accept option to the /etc/ipsec.conf configuration file.

RHEL 9 provides stunnel 5.62

RHEL 9 is distributed with the stunnel package version 5.62. Notable bug fixes and enhancements include:

RHEL 9 provides nettle 3.7.3

RHEL 9 provides the nettle package 3.7.3 version with multiple bug fixes and enhancements. Notable changes are the following:

RHEL 9 provides p11-kit 0.24

RHEL 9 provides p11-kit package with 0.24 version. This version provides multiple bug fixes and enhancements. Notably, the subdirectory for storing distrusted Certificate Authorities has been renamed to blocklist.

cyrus-sasl now uses GDBM instead of Berkeley DB

The cyrus-sasl package is now built without the libdb dependency, and the sasldb plugin uses the GDBM database format instead of Berkeley DB. To migrate your existing Simple Authentication and Security Layer (SASL) databases stored in the old Berkeley DB format, use the cyrusbdb2current tool with the following syntax:

SELinux policy in RHEL 9 is up-to-date with the current kernel

The SELinux policy includes new permissions, classes, and capabilities that are also part of the kernel. Therefore, SELinux can utilize the full potential provided by the kernel. Specifically, SELinux has better granularity for granting permissions, which has subsequent security benefits. This also enables running systems with the MLS SELinux policy because the MLS policy would prevent some systems from starting if the system contained permissions unknown to the policy.

Default SELinux policy disallows commands with text relocation libraries

The selinuxuser_execmod boolean is now off by default to improve the security footprint of installed systems. As a result, SELinux users cannot enter commands using libraries that require text relocation, unless the library files have the textrel_shlib_t label.

OpenSCAP is provided in version 1.3.6

RHEL 9 includes OpenSCAP in version 1.3.6, which provides bug fixes and improvements, most notably:

OSCAP Anaconda Add-on now supports a new add-on name

With this enhancement, you can use the new com_redhat_oscap add-on name as opposed to the legacy org_fedora_oscap add-on name in the Kickstart file for the OSCAP Anaconda Add-on plugin. For example, the Kickstart section can be structured as follows:

CVE OVAL feeds now compressed

With this update, Red Hat provides CVE OVAL feeds in a compressed form. They are no longer available as XML files, but are in the bzip2 format instead. The location of the feeds for RHEL9 has also been updated to reflect this change. Note that third-party SCAP scanners might have problems with scanning rules that use a compressed feed because referencing compressed content is not standardized.

SCAP Security Guide provided in version 0.1.60

RHEL 9 includes the scap-security-guide packages in version 0.1.60. This version provides bug fixes and enhancements, most notably:

SCAP Security Guide profiles supported in RHEL 9.0

With the SCAP Security Guide compliance profiles included in RHEL 9.0, you can harden the system to the recommendations from the issuing organizations. As a result, you can configure and automate compliance of your RHEL 9 systems according to your required hardening level by using the associated remediations and SCAP profiles.

RHEL 9 provides fapolicyd 1.1

RHEL 9 is distributed with the fapolicyd package version 1.1. Most notable enhancements include the following:

Rsyslog includes the mmfields module for higher-performance operations and CEF

Rsyslog now includes the rsyslog-mmfields subpackage which provides the mmfields module. This is an alternative to using the property replacer field extraction, but in contrast to the property replacer, all fields are extracted at once and stored inside the structured data part. As a result, you can use mmfields particularly for processing field-based log formats, for example Common Event Format (CEF), and if you need a large number of fields or reuse specific fields. In these cases, mmfields has better performance than existing Rsyslog features.

logrotate included in a separate rsyslog-logrotate package

The logrotate config was separated from the main rsyslog package into the new rsyslog-logrotate package. This is useful in certain minimal environments, for example where log rotation is not needed, to prevent installing unnecessary dependencies.

sudo supports Python plugins

With the sudo program version 1.9, which is included in RHEL 9, you can write sudo plugins in Python. This makes it easier to enhance sudo to more precisely suit specific scenarios.

libseccomp provided in version 2.5.2

RHEL 9.0 provides the libseccomp packages in upstream version 2.5.2. This version provides many bug fixes and enhancements over previous versions, most notably:

Clevis now supports SHA-256

With this enhancement, the Clevis framework supports the SHA-256 algorithm as the default hash for JSON Web Key (JWK) thumbprints as recommended by RFC 7638. Because the older thumbprints (SHA-1) are still supported, you can still decrypt the previously encrypted data.

The diag modules are now available in the kernel

The diag modules are now included with the kernel image. With this update, the diag modules no longer need to be dynamically loaded when the ss command is used. This allows better debugging of networking issues regardless of the customer policy on kernel modules. Modules included in the kernel:

New core and IPv4-related networking sysctl kernel parameters

The RHEL 9.0 kernel provides the following new core and IPv4 networking sysctl parameters compared to previous RHEL versions:

Changed behavior in firewalld when transmitting packets between zones

In zone-based firewalls, packets enter only one zone. Implicit packet transmission is the concept violation and can allow traffic or services unexpectedly. In Red Hat Enterprise Linux 9 the firewalld service no longer allows implicit packet transmission between two different zones.

Intra-zone forwarding has been enabled by default

The firewalld intra-zone forwarding feature allows forwarding traffic between interfaces or sources within a firewalld zone. Starting with RHEL 9.0, this feature has been enabled by default. Use the --add-forward option of the firewall-cmd utility to enable intra-zone forwarding for a particular zone. The firewall-cmd --list-all command displays whether intra-zone forwarding is enabled or disabled for a zone:

Making Nmstate more inclusive

Red Hat is committed to using conscious language. Therefore the slave term in the nmstate API has been replaced by the term port.

NetworkManager supports interface names set in the rd.znet_ifname kernel option on IBM Z

With this enhancement, on the IBM Z platform, NetworkManager now interprets the rd.znet and rd.znet_ifname kernel command-line options when installing or booting Red Hat Enterprise Linux from the network. As a result, it is possible to specify a name of a network interface identified by the subchannels instead of the default one.

The hostapd package has been added to RHEL 9.0

With this release, RHEL provides the hostapd package. However, Red Hat supports hostapd only to set up a RHEL host as an 802.1X authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or authenticators in Wi-Fi networks, are not supported.

ModemManager provided in version 1.18.2

RHEL 9.0 provides the ModemManager packages in upstream version 1.18.2. This version includes bug fixes and enhancements over the previous version, most notably:

NetworkManager allows to change queue_id of bond port

NetworkManager ports in a bond now supports the queue_id parameter. Assuming eth1 is a port of bond interface, you can enable queue_id for a bond port with:

Support for the configuration of blackhole, prohibit and unreachable route types with latest NetworkManager

Kernel supports several route types besides the common unicast, broadcast and local route types. In addition, users can now configure blackhole, prohibit and unreachable static route types in the connection profile of the NetworkManager. The NetworkManager will add a profile when the profile is activated.

RoCE Express Adapters now use an improved interface naming scheme

With this enhancement, RDMA over Converged Ethernet (RoCE) Express adapters use the predictable interface naming scheme and the Peripheral Communication Interface on z-system (zPCI) connector. In this naming scheme, RHEL uses user identifier (UID) or function identifier (FID) to generate unique names. In case that no unique UID is available, RHEL uses FID to set the naming scheme.

Kernel version in RHEL 9.0

Red Hat Enterprise Linux 9.0 is distributed with the kernel version 5.14.0-70.

Red Hat, by default, enables eBPF in all RHEL versions for privileged users only

Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0.

Red Hat protects kernel symbols only for minor releases

Red Hat guarantees that a kernel module will continue to load in all future updates within an Extended Update Support (EUS) release, only if you compile the kernel module using protected kernel symbols. There is no kernel Application Binary Interface (ABI) guarantee between minor releases of RHEL 9.

RHEL 9 Beta kernels signed with trusted SecureBoot certificates

Previously, RHEL Beta releases required users to enroll a separate Beta public key using the Machine Owner Key (MOK) facility. Starting with RHEL 9 Beta, kernels are signed with trusted SecureBoot certificates, hence users no longer need to enroll a separate Beta public key to use the beta versions on systems having UEFI Secure Boot enabled.

cgroup-v2 enabled by default in RHEL 9

The control groups version 2 (cgroup-v2) feature implements a single hierarchy model that simplifies the management of control groups. Also, it ensures that a process can only be a member of a single control group at a time. Deep integration with systemd improves the end-user experience when configuring resource control on a RHEL system.

Kernel changes potentially affecting third party kernel modules

Linux distributions with a kernel version prior to 5.9 supported exporting GPL functions as non-GPL functions. As a result, users could link proprietary functions to GPL kernel functions through the shim mechanism. With this release, the RHEL kernel incorporates upstream changes that enhance the ability of RHEL to enforce GPL by rebuffing shim.

The 64-bit ARM architecture has a 4 KB page size in RHEL 9

Red Hat has selected a 4 KB page size of physical memory for the 64-bit ARM architecture in Red Hat Enterprise Linux 9. This size pairs well with the workloads and memory amounts present on the majority of ARM-based systems. To employ large page sizes efficiently, use the huge pages option to address a greater amount of memory or workloads with large data sets.

The strace utility now correctly displays SELinux context mismatches

An existing --secontext option of strace has been extended with the mismatch parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (!!), first the actual context, then the expected one. In the examples below, the full,mismatch parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary mismatch, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.

perf-top now can sort by a certain column

With this update to the perf-top system profiling tool, you can sort samples by an arbitrary event column. Previously, the events were sorted by the first column in case multiple events in a group were sampled. To sort the samples, use the --group-sort-idx command-line option and press a number key to sort the table by the matching data column. Note that column numbering starts from 0.

New package: jigawatts

Checkpoint/Restore In Userspace (CRIU) is a Linux utility that allows checkpointing and restoring of processes. The jigawatts package contains a Java library, which aims to improve the usability of CRIU mechanisms from Java applications.

The trace-cmd reset command has new behavior

Previously, the trace-cmd reset command resetted the tracing_on configuration to 0. The new behavior of trace-cmd reset is to reset tracing_on to its default value 1.

Extended Berkeley Packet Filter is supported in RHEL 9

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

RHEL 9 provides the crash utility version 8.0.0

RHEL 9 is distributed with the crash utility version 8.0.0. The bug fixes and and notable enhancements include:

makedumpfile now supports an improved zstd compression capability

With this enhancement, the makedumpfile now includes the Zstandard (zstd) compression capability, which provides high compression ratios. This improvement helps specifically on large memory systems.

numatop enabled on Intel Xeon scalable server processors

numatop is a tool that tracks and analyzes the behavior of the processes and threads running on NUMA systems and displays metrics which can identify NUMA-related performance bottlenecks.

kexec_file_load has been added as the default option for RHEL 9

This update adds the kexec_file_load system call for the 64-bit ARM architecture. It provides an in-kernel kexec loader for kdump. Previously, the kernel prevented the loading of unsigned kernel images when the secure boot option was enabled. The kdump mechanism would first try to detect whether secure boot is enabled and then choose the boot interface to run. Consequently, an unsigned kernel failed to load with secure boot enabled and kexec_file_load() specified.

makedumpfile now includes improved options to get an estimated vmcore size

With this implementation, the makedumpfile utility now includes the following options which help to print an estimate for the dump size for the currently running kernel:

The kexec-tools package now supports the default crashkernel memory reservation values for RHEL 9

The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crashkernel memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4GB of available memory.

Core scheduling is supported in RHEL 9

With the core scheduling functionality users can prevent tasks that should not trust each other from sharing the same CPU core. Likewise, users can define groups of tasks that can share a CPU core.

Performance improved on 64-bit ARM architecture using non-strict iommu mode as default

With this upgrade, the 64-bit ARM architecture defaults to using the lazy direct memory access (DMA) domain for system memory management unit (SMMU). While bringing a significant performance gain, it can introduce a window between an address unmap and a Translation Lookaside Buffer (TLB) flush on SMMU. On previous versions, the 64-bit ARM architecture configured the strict DMA domains as default, which caused the performance to drop due to the 4KB page size.

The kernel-rt source tree has been updated to RHEL 9.0 tree

The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.15-rt19. These updates provide a number of bug fixes and enhancements.

Support for CPU hotplug in the hv_24x7 and hv_gpci PMUs

With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a hv_gpci event counter is running on a CPU that gets disabled, the counting redirects to another CPU.

Metrics for POWERPC hv_24x7 nest events are now available

Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better understanding of the values obtained from perf counters and how effectively the CPU is able to process the workload.

The IRDMA driver has been introduced in RHEL 9

The IRDMA driver enables RDMA functionality on RDMA-capable Intel® network devices. Devices supported by this driver are:

A new parameter for the kernel bonding module: lacp_active

RHEL 9 introduces the lacp_active parameter for the bonding kernel module. This parameter specifies whether to send Link Aggregation Control Protocol Data Unit (LACPDU) frames at specified intervals. The options are as follows:

Boot loader configuration files are unified across CPU architectures

Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg file, which GRUB previously used as the main configuration file on UEFI systems, now simply loads the /boot/grub2/grub.cfg file.

Options in Samba utilities have been renamed and removed for a consistent user experience

The Samba utilities have been improved to provide a consistent command-line interface. These improvements include renamed and removed options. Therefore, to avoid problems after the update, review your scripts that use Samba utilities, and update them, if necessary.

GFS2 file systems are now created with format version 1802

GFS2 file systems in RHEL 9 are created with format version 1802. This enables the following features:

RHEL 9 provides nvml package version 1.10.1

RHEL 9.0 updates the nvml package to version 1.10.1. This update adds features and fixes a potential data corruption bug on power loss.

Support for exFAT file system has been added

RHEL 9.0 supports Extensible File Allocation Table (exFAT) file system. You can now mount, format, and generally use this file system, which is usually used by default on flash memory.

rpcctl command now displays SunRPC connection information

With this update, you can use the rpcctl command to display information collected in the SunRPC sysfs files about the system’s SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the sysfs file system.

Limiting the set of the devices for LVM

By default, LVM in RHEL 9 uses only the devices that you explicitly select. Use the new commands lvmdevices and vgimportdevices to select specific devices. Using the pvcreate, vgcreate, and vgextend commands indirectly selects new devices for lvm, if they have not already been selected. LVM ignores devices that are attached to the system until you select them by using one of these commands. The lvm command saves the list of the selected devices in the devices file /etc/lvm/devices/system.devices. The lvm.conf filter or any other command-line configuration filter does not function when you enable the new devices file feature. If you remove or disable the devices file, LVM applies the filter to all attached devices. For detailed information about this feature, see the lvmdevices(8) man page.

NVMe/TCP host with nvme_tcp.ko is now fully supported

Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) with the nvme_tcp.ko kernel module is now fully supported. The NVMe/TCP target with the nvmet_tcp.ko module is available with an Unmaintained status in RHEL 9.0.

multipathd now supports detecting FPIN-Li events

When you add a new value fpin for the marginal_pathgroups config option, you enable multipathd to monitor the Link Integrity Fabric Performance Impact Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. With the fpin value set, multipathd overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to identify link integrity issues.

The resource-stickiness resource meta-attribute now defaults to 1 instead of 0 for newly-created clusters

Previously, the default value for the resource-stickiness resource meta-attribute had a default value of 0 for newly-created clusters. This meta-attribute now defaults to 1.

New LVM volume group flag to control autoactivation

LVM volume groups now support a setautoactivation flag which controls whether logical volumes that you create from a volume group will be automatically activated on startup. When creating a volume group that will be managed by Pacemaker in a cluster, set this flag to n with the vgcreate --setautoactivation n command for the volume group to prevent possible data corruption. If you have an existing volume group used in a Pacemaker cluster, set the flag with vgchange --setautoactivation n.

New pcs resource status display commands

The pcs resource status and the pcs stonith status commands now support the following options:

New reduced output display option for pcs resource safe-disable command

The pcs resource safe-disable and pcs resource disable --safe commands print a lengthy simulation result after an error report. You can now specify the --brief option for those commands to print errors only. The error report now always contains resource IDs of affected resources.

New pcs command to update SCSI fencing device without causing restart of all other resources

Updating a SCSI fencing device with the pcs stonith update command causes a restart of all resources running on the same node where the stonith resource was running. The new pcs stonith update-scsi-devices command allows you to update SCSI devices without causing a restart of other cluster resources.

Ability to configure watchdog-only SBD for fencing on subset of cluster nodes

Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. That prevented using SBD in a cluster where some nodes support it but other nodes (often remote nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup using the new fence_watchdog agent, which allows cluster configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other fencing types. A cluster may only have a single such device, and it must be named watchdog.

Detailed Pacemaker status display for internal errors

If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is not installed or there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.

The pcmk_delay_base parameter may now take different values for different nodes

When configuring a fence device, you now can specify different values for different nodes with the pcmk_delay_base parameter. This allows a single fence device to be used in a two-node cluster, with a different delay for each node. This helps prevent a situation where each node attempts to fence the other node at the same time. To specify different values for different nodes, you map the host names to the delay value for that node using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when fencing node1 and a 10-second delay when fencing node2.

Support for special characters inside pcmk_host_map values

The pcmk_host_map property now supports special characters inside pcmk_host_map values using a backslash (\) in front of the value. For example, you can specify pcmk_host_map="node3:plug\ 1" to include a space in the host alias.

New fencing agent for OpenShift

The fence_kubevirt fencing agent is now available for use with RHEL High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt agent, see the fence_kubevirt(8) man page.

Local mode version of pcs cluster setup command is now fully supported

By default, the pcs cluster setup command automatically synchronizes all configuration files to the cluster nodes. The pcs cluster setup command now fully supports the --corosync-conf option. Specifying this option switches the command to local mode. In this mode, the pcs command-line interface creates a corosync.conf file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf file in a script and handle that file by means of the script.

Automatic removal of location constraint following resource move

When you execute the pcs resource move command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. By default, the location constraint that the command creates is automatically removed once the resource has been moved. This does not necessarily move the resources back to the original node; where the resources can run at that point depends on how you have configured your resources initially. If you would like to move a resource and leave the resulting constraint in place, use the pcs resource move-with-contraint command.

pcs suppport for OCF Resource Agent API 1.1 standard

The pcs command-line interface now supports OCF 1.1 resource and STONITH agents. As part of the implementation of this support, any agent’s metadata must comply with the OCF schema, whether the agent is an OCF 1.0 or OCF 1.1 agent. If an agent’s metadata does not comply with the OCF schema, pcs considers the agent invalid and will not create or update a resource of the agent unless the --force option is specified. The pcsd Web UI and pcs commands for listing agents now omit agents with invalid metadata from the listing.

pcs now accepts Promoted and Unpromoted as role names

The pcs command-line interface now accepts Promoted and Unpromoted anywhere roles are specified in Pacemaker configuration. These role names are the functional equivalent of the Master and Slave Pacemaker roles in previous RHEL releases, and these are the role names that are visible in configuration displays and help pages.

Updated version of pcsd Web UI

The pcsd Web UI, the graphical user interface to create and configure Pacemaker/Corosync clusters, has been updated. The updated Web UI provides an improved user experience and a standardized interface that is built with the PatternFly framework used in other Red Hat web applications.

Python in RHEL 9

Python 3.9 is the default Python implementation in RHEL 9. Python 3.9 is distributed in a non-modular python3 RPM package in the BaseOS repository and usually installed by default. Python 3.9 will be supported for the whole life cycle of RHEL 9.

Node.js 16 available in RHEL 9

RHEL 9 provides a Long Term Support (LTS) version 16 of Node.js, a software development platform for building fast and scalable network applications in the JavaScript programming language.

RHEL 9 provides Ruby 3.0

RHEL 9 is distributed with Ruby 3.0.3, which provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.7.

RHEL 9 introduces Perl 5.32

RHEL 9 includes Perl 5.32, which provides a number of bug fixes and enhancements over version 5.30.

RHEL 9 includes PHP 8.0

RHEL 9 is distributed with PHP 8.0, which provides a number of bug fixes and enhancements over version 7.4.

RHEL 9 provides Git 2.31 and Git LFS 2.13

RHEL 9 is distributed with Git 2.31 which provides a number of enhancements and performance improvements over version 2.27 available in RHEL 8. Notable changes include:

Subversion 1.14 in RHEL 9

RHEL 9 is distributed with Subversion 1.14. Subversion 1.14 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Subversion versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.

Notable changes in the Apache HTTP Server

RHEL 9.0 provides version 2.4.51 of the Apache HTTP Server. Notable changes over version 2.4.37 include:

nginx 1.20 available in RHEL 9

RHEL 9 includes the nginx 1.20 web and proxy server. This release provides a number of bug fixes, security fixes, new features and enhancements over version 1.18.

Varnish Cache 6.6 in RHEL 9

RHEL 9 includes Varnish Cache 6.6, a high-performance HTTP reverse proxy.

RHEL 9 introduces Squid 5

RHEL 9 is distributed with Squid 5.2, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This release provides a number of bug fixes, security fixes, new features, and enhancements over version 4.

MariaDB 10.5 in RHEL 9

RHEL 9 provides MariaDB 10.5. MariaDB 10.5 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional MariaDB versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.

RHEL 9 includes MySQL 8.0

RHEL 9 is distributed with MySQL 8.0. MySQL 8.0 is the initial version of this Application Stream, which you can install easily as an RPM package. MySQL 8.0 has a shorter life cycle than RHEL 9. For details, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

RHEL 9 provides PostgreSQL 13

PostgreSQL 13 is available with RHEL 9. PostgreSQL 13 is the initial version of this Application Stream, which you can install easily as an RPM package. Additional PostgreSQL versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.

Redis 6.2 in RHEL 9

RHEL 9 is distributed with Redis 6.2, which provides a number of bug and security fixes and enhancements over version 6.0 available in RHEL 8.

New package: perl-Module-Signature

RHEL 9 introduces the perl-Module-Signature Perl module. With this new module, you can enable signature checking for cpan to mitigate CVE-2020-16156. For more information, see How to mitigate CVE-2020-16154 in perl-App-cpanminus and CVE-2020-16156 in perl-CPAN.

RHEL 9 provides support for IBM POWER10 processors

From the Linux kernel, through the system toolchain (GCC, binutils, glibc), Red Hat Enterprise Linux 9 has been updated to include support for IBM’s latest POWER processor, POWER10. RHEL 9 is production ready for workloads on POWER10, with enhancements coming in future releases.

GCC 11.2.1 is available

RHEL 9 is distributed with GCC version 11.2.1. Notable bug fixes and enhancements include:

New command for capturing glibc optimization data

The new ld.so --list-diagnostics command captures data that influences glibc optimization decisions, such as IFUNC selection and glibc-hwcaps configuration, in a single machine-readable file.

Notable changes to binutils

RHEL 9 introduces the following changes to binutils:

sched_getcpu implementation can now, optionally, use rseq (restartable sequences) to improve performance on the 64-bit ARM architectures and other architectures

The previous implementation of sched_getcpu on the 64-bit ARM architectures uses the getcpu system call, which is too slow for efficient use in most parallel algorithms. Other architectures use vDSO (virtual dynamic shared object) acceleration to work around this. Implementing sched_getcpu using rseq greatly improves performance on the 64-bit ARM architectures. Other architectures see a slight improvement.

Updated performance tools and debuggers

The following performance tools and debuggers are available with RHEL 9.0:

DAWR functionality improved in GDB on IBM POWER10

RHEL 9 is distributed with GDB 10.2 that provides improved DAWR functionality. New hardware watchpoint capabilities are enabled for GDB on the IBM POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added.

GDB supports new prefixed instructions on IBM POWER10

GDB 10.2 fully supports the Power ISA 3.1 prefixed instructions on POWER10, which include eight-byte prefixed instructions. In RHEL 8.4, GDB only supported four-byte instructions.

RHEL 9 provides boost 1.75.0

RHEL 9 is distributed with the boost package version 1.75.0. Notable bug fixes and enhancements over version 1.67.0 include:

RHEL 9 provides LLVM Toolset 13.0.1

RHEL 9 is distributed with LLVM Toolset version 13.0.1. Notable bug fixes and enhancements over version 12.0.1 include:

Notable changes in CMake 3.20.2

RHEL 9 is distributed with CMake 3.20.2. To use CMake on a project that requires version 3.20.2 or less, use the command cmake_minimum_required(version 3.20.2).

RHEL 9 provides Go 1.17.7

RHEL 9 is distributed with Go Toolset version 1.17.7. Notable bug fixes and enhancements over version 1.16.7 include:

Go FIPS mode is supported with OpenSSL 3

You can now use the OpenSSL 3 library when in Go FIPS mode.

RHEL 9 provides Rust Toolset 1.58.1

RHEL 9 is distributed with Rust Toolset version 1.58.1. Notable bug fixes and enhancements over version 1.54.0 include:

RHEL 9 provides the pcp package version 5.3.5

RHEL 9 is distributed with the Performance Co-Pilot (pcp) package version 5.3.5. Since version 5.3.1, a new pcp-pmda-bpf sub-package has been added which provides performance data from eBPF programs utilizing BPF CO-RE (libbpf and BTF).

Active Directory authentication for accessing SQL Server metrics in PCP

With this update, a system administrator can configure pmdamssql(1) to connect securely to the SQL Server metrics using Active Directory (AD) authentication.

The new pcp-ss PCP utility is now available

The pcp-ss PCP utility reports socket statistics collected by the pmdasockets(1) PMDA. The command is compatible with many of the ss command line options and reporting formats. It also offers the advantages of local or remote monitoring in live mode and historical replay from a previously recorded PCP archive.

RHEL 9 provides grafana 7.5.11

RHEL 9 is distributed with the grafana package version 7.5.11. Notable changes over version 7.5.9 include:

RHEL 9 provides grafana-pcp 3.2.0

RHEL 9 is distributed with the grafana-pcp package version 3.2.0. Notable bug fixes and enhancements over version 3.1.0 include:

Accessing remote hosts through a central pmproxy for the Vector data source in grafana-pcp

In some environments, the network policy does not allow connections from the dashboard viewer’s browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts.

A new package: ansible-pcp

The ansible-pcp package contains roles for Performance Co-Pilot (PCP) and related software, such as Redis and Grafana, used to implement the metrics RHEL system role.

RHEL 9 provides python-jsonpointer 2.0

RHEL 9 is distributed with the python-jsonpointer package version 2.0.

.NET 6.0 is available

RHEL 9 is distributed with .NET version 6.0. Notable improvements include:

Java implementations in RHEL 9

The RHEL 9 AppStream repository includes:

Java tools in RHEL 9

The RHEL 9 AppStream repository includes the following Java tools:

SWIG 4.0 available in the CRB repository

The Simplified Wrapper and Interface Generator (SWIG) version 4.0 is available in the CodeReady Linux Builder (CRB) repository. This release adds support for PHP 8.

Directory Server no longer uses a global changelog

With this enhancement, the Directory Server changelog has been integrated into the main database. Previously, Directory Server used a global changelog. However, this could cause issues if the directory used multiple databases. As a result, each suffix has now its own changelog in the same directory as the regular database files.

ansible-freeipa is now available in the AppStream repository with all dependencies

Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are available in the rhel-9-for-x86_64-appstream-rpms repository.

IdM now supports the automountlocation, automountmap, and automountkey Ansible modules

With this update, the ansible-freeipa package contains the ipaautomountlocation, ipaautomountmap, and ipaautomountkey modules. You can use these modules to configure directories to be mounted automatically for IdM users logged in to IdM clients in an IdM location. Note that currently, only direct maps are supported.

The support for managing subID ranges is available in the shadow-utils

Previously, shadow-utils configured the subID ranges automatically from the /etc/subuid and /etc/subgid files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with this update, an SSSD implementation of the shadow-utils plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in the containerized environment to facilitate rootless containers.

Support for managing subID ranges is available in IdM

With this update, you can manage ID subranges for users in Identity Management. You can use the ipa CLI tool or IdM WebUI interface to assign automatically configured subID ranges to a user, which might be useful in a containerized environment.

Identity Management installation packages have been demodularized

Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following dnf commands to install IdM server packages:

An alternative to the traditional RHEL ansible-freeipa repository: Ansible Automation Hub

With this update, you can download ansible-freeipa modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository.

ansible-freeipa modules can now be executed remotely on IdM clients

Previously, ansible-freeipa modules could only be executed on IdM servers. This required your Ansible administrator to have SSH access to your IdM server, causing a potential security threat. With this update, you can execute ansible-freeipa modules remotely on systems that are IdM clients. As a result, you can manage IdM configuration and entities in a more secure way.

The ipadnsconfig module now requires action: member to exclude a global forwarder

With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa ipadnsconfig module requires using the action: member option in addition to the state: absent option. If you only use state: absent in your playbook without also using action: member, the playbook fails. Consequently, to remove all global forwarders, you must specify all of them individually in the playbook. In contrast, the state: present option does not require action: member.

Automatic private groups for AD users support centralized configuring

You can now centrally define how compatible versions of SSSD on IdM clients manage private groups for users from trusted Active Directory domains. With this enhancement, you can now explicitly set the value for SSSD’s auto_private_groups option for an ID range that handles AD users.

Customizable logging settings for BIND

With this enhancement, you can now configure logging settings for the BIND DNS server component of an Identity Management server in the /etc/named/ipa-logging-ext.conf configuration file.

Autodiscovery of IdM servers when retrieving an IdM keytab

With this enhancement, you no longer need to specify an IdM server host name when retrieving a Kerberos keytab with the ipa-getkeytab command. If you do not specify a server host name, DNS discovery is used to find an IdM server. If no servers are found, the command falls back to the host value specified in the /etc/ipa/default.conf configuration file.

RHEL 9 provides Samba 4.15.5

RHEL 9 is distributed with Samba 4.15.5, which provides bug fixes and enhancements over version 4.14:

Tracking client requests using the log analyzer tool

The System Security Services Daemon (SSSD) now includes a log parsing tool which tracks requests from start to finish across log files from multiple SSSD components.

SSSD now logs backtraces by default

With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends them to log files when a failure occurs. By default, the following error levels trigger a backtrace:

SSSD default SSH hashing value is now consistent with the OpenSSH setting

The default value of ssh_hash_known_hosts has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default.

Directory Server 12.0 is based on upstream version 2.0.14

Directory Server 12.0 is based on upstream version 2.0.14 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Directory Server now stores memory-mapped files of databases on a tmpfs file system

In Directory Server, the nsslapd-db-home-directory parameter defines the location of memory-mapped files of databases. This enhancement changes the default value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/ to /dev/shm/. As a result, with the internal databases stored on a tmpfs file system, the performance of Directory Server increases.

FreeRADIUS support is now redesigned

In RHEL 9, the existing FreeRADIUS offering is now streamlined and aligned more closely with the strategic direction of Identity Management (IdM). In order to provide the best support for IdM customers, Red Hat is strengthening support for these external authentication modules with FreeRADIUS:

GNOME updated to version 40

The GNOME environment is now updated from GNOME 3.28 to GNOME 40 with many new features.

PipeWire is now the default audio service

The Pipewire service now manages all audio output and input. Pipewire replaces the PulseAudio service in general use cases and the JACK service in professional use cases. The system now redirects audio from applications that use PulseAudio, JACK, or the ALSA framework into Pipewire.

Power profiles are available in GNOME

You can now switch between several power profiles in the Power panel of Settings in the GNOME environment. The power profiles optimize various system settings for the selected goal.

Language support is now provided by langpacks

Support for various languages is now available from langpacks packages. You can customize the level of language support that you want to install using the following package names, where code is the short ISO code for the language, such as es for Spanish:

Lightweight, single-application environment

For graphical use cases that only present a single application, a lightweight user interface (UI) is now available.

Security classification banners at login and in the desktop session

You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.

The default wallpaper adds a Red Hat logo

The default RHEL wallpaper now displays a Red Hat logo. The logo is located in the upper left corner of the screen.

Firefox now uses stronger encryption in PKCS#12 files

The Firefox web browser uses PKCS#12 files to establish client authentication certificates. Previously, Firefox encrypted these files using legacy algorithms:

The Wayland session is now the default with NVIDIA drivers

When using the NVIDIA drivers, the desktop session now selects the Wayland display protocol by default, if the driver configuration supports Wayland. In previous RHEL releases, the NVIDIA drivers always disabled Wayland.

Smart card authentication for sudo and SSH from the web console

Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.

Kernel security patches without reboot in the web console

This web console update allows users to apply kernel security patches without forcing reboots by using the kpatch framework. Administrators can also automatically subscribe any future kernel to the live patching stream.

RHEL web console provides Insights registration by default

With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL system, the Connect this system to Red Hat Insights. check box is checked by default. If you do not want to connect to the Insights service, uncheck the box.

Cockpit now supports using an existing TLS certificate

With this enhancement, the certificate does not have strict file permission requirements any more (such as root:cockpit-ws 0640), and thus it can be shared with other services.

The Networking system role now supports SAE

In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL system role supports SAE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks, which use WPA-SAE.

The Networking system role now supports owe

The Networking RHEL system role now supports Opportunistic Wireless Encryption (owe). owe is a wireless authentication key management type that uses encryption between Wi-Fi clients and access points, and protects Wi-Fi clients from sniffing attacks. To use owe, set the wireless authentication key management type,key_mgmt field, to owe.

The Firewall system role now supports setting the firewall default zone

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. Firewall rules for each zone are managed independently enabling the administrator to define complex firewall settings and apply them to the traffic. This feature allows setting the default zone used as the default zone to assign interfaces to, same as firewall-cmd --set-default-zone zone-name.

The Storage RHEL system role now supports LVM VDO volumes

With this enhancement, you can use the Storage system role to manage Logical Manager Volumes (LVM) Virtual Data Optimizer (VDO) volumes. The LVM filesystem manages VDO volumes and with this feature, it is now possible to compress and deduplicate on LVM volumes. As a result, VDO helps to optimize the usage of the storage volumes.

Support for volume sizes expressed as a percentage is available in the Storage system role

This enhancement adds support to the Storage RHEL system role to express LVM volume sizes as a percentage of the pool’s total size. You can specify the size of LVM volumes as a percentage of the pool/VG size, for example: 50% in addition to the human-readable size of the file system, for example, 10g, 50 GiB.

Support for cached volumes is available in the Storage system role

This enhancement adds support to the Storage RHEL system role to create and manage cached LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes, by temporarily storing subsets of an LV’s data on a smaller, faster device, for example, an SSD.

Ability to add or remove sources to the Firewall role

This update enables you to add or remove sources in the firewall settings configuration using the source parameter.

New Ansible Role for Microsoft SQL Server Management

The new microsoft.sql.server role is designed to help IT and database administrators automate processes involved with setup, configuration, and performance tuning of SQL Server on Red Hat Enterprise Linux.

Microsoft SQL system role now supports customized repository for disconnected or Satellite subscriptions

Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from the microsoft.sql.server role. This update fixes it by providing the mssql_rpm_key, mssql_server_repository, and mssql_client_repository variables that you can use to customize the repositories to download packages from. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs.

The MSSQL role consistently uses "Ansible_managed" comment in its managed configuration files

The MSSQL role generates the /var/opt/mssql/mssql.conf configuration file. With this update, the MSSQL role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the MSSQL role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

Ansible Core support for the RHEL system roles

As of the RHEL 9 GA release, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was provided on previous versions of RHEL in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.

Support for configuring multiple elasticsearch hosts in one elasticsearch output dictionary

Previously, the server_host parameter used to take a string value for a single host. This enhancement adjusts it to the underlying rsyslog omelasticsearch’s specification, so it now also takes a list of strings to support multiple hosts. Consequently, it is adjusted to hosts, following the underlying rsyslog omelasticsearch’s specification. As a result, users can configure multiple elasticsearch hosts in one elasticsearch output dictionary.

RHEL system roles now support VPN management

Previously, it was difficult to set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more easily across large numbers of hosts. As a result, you have a consistent and stable configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles project.

The SSHD RHEL system role now supports non-exclusive configuration snippets

With this feature, you can configure SSHD through different roles and playbooks without rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use the SSHD RHEL system role from a different role, if you need to configure only a small part of the configuration and not the entire configuration file.

Network Time Security (NTS) option added to the timesync RHEL system role

The NTS option was added to the Timesync RHEL system role to enable NTS on client servers. NTS is a new security mechanism specified for Network Time Protocol (NTP). NTS can secure synchronization of NTP clients without client-specific configuration and can scale to large numbers of clients. The NTS option is supported only with the chrony NTP provider in version 4.0 and later.

Support for HA Cluster RHEL system role

The High Availability Cluster (HA Cluster) role is now fully supported. The following notable configurations are available:

Support for Rsyslog username and password authentication to Elasticsearch

This update adds the Elasticsearch username and password parameters to the Logging system role. As a result, you can enable Rsyslog to authenticate to Elasticsearch using a username and password.

The NBDE Client system role supports static IP addresses

In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client system role, and their IP addresses do not change after a reboot.

Support for specifying raid_level for LVM has been added

RHEL 9.0 supports grouping Logical Volume Management (LVM) volumes into RAIDs using the lvmraid feature.

The Certificate role consistently uses "Ansible_managed" comment in its hook scripts

With this enhancement, the Certificate role generates pre-scripts and post-scripts to support providers, to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable:

A new option auto_gateway controls the default route behavior

Previously, the DEFROUTE parameter was not configurable with configuration files but only manually configurable by naming every route. This update adds a new auto_gateway option in the ip configuration section for connections, with which you can control the default route behavior. You can configure auto_gateway in the following ways:

Support to all bonding options added to the network system role

This update provides support to all bonding options to the network RHEL system role. Consequently, it enables you to flexibly control the network transmission over the bonded interface. As a result, you can control the network transmission over the bonded interface by specifying several options to that interface.

NetworkManager supports specifying a network card using its PCI address

Previously, during setting a connection profile, NetworkManager was only allowed to specify a network card using either its name or MAC address. In this case, the device name is not stable and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can specify a network card based on its PCI address in a connection profile.

The Network system role now directly manages the configuration files of Ansible

With this enhancement, the network role generates ifcfg files in /etc/sysconfig/network-scripts. Then, it inserts the comment “Ansible managed”, using the standard ansible_managed variable. This comment indicates that the ifcfg files are not directly editable as the network role may overwrite it. The important difference in handling the ifcfg file to add "Ansible managed" comment is that the network role uses the initscripts package while the NetworkManager uses the nm package.

Ansible Core support for RHEL system roles

In RHEL 9.0, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must manually migrate their systems from Ansible Engine to Ansible Core.

The Cockpit system role is now supported

With this enhancement, you can install and configure the web console in your system. Consequently, you can manage web console in an automated manner.

The Terminal session recording system role uses the "Ansible managed" comment in its managed configuration files

The Terminal session recording role generates 2 configuration files:

The VPN role consistently uses "Ansible_managed" comment in its managed configuration files

The VPN role generates the following configuration file:

The Postfix role consistently uses "Ansible_managed" comment in its managed configuration files

The Postfix role generates the /etc/postfix/main.cf configuration file. With this update, the Postfix role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the Postfixrole can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.

The Firewall RHEL system role has been added in RHEL 9

With this enhancement, the rhel-system-roles.firewall RHEL system role was added to the rhel-system-roles package. As a result, administrators can automate their firewall settings for managed nodes.

The SSH client RHEL system role now supports new configuration options in OpenSSH 8.7

With this enhancement, OpenSSH was updated to the latest version, which provides new configuration options that are available in the SSH client role for configuring new hosts.

RHEL web console new virtualization features

With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:

QEMU uses Clang

The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor to use a number of advanced security and debugging features, and makes future feature development more efficient.

SafeStack for virtual machines

In RHEL 9 on AMD64 and Intel 64 hardware (x86_64), the QEMU emulator can use SafeStack, an enhanced compiler-based stack protection feature. SafeStack reduces the ability of an attacker to exploit a stack- based buffer overflow to change return pointers in the stack and create Return-Oriented Programming (ROP) attacks. As a result, virtual machines hosted on RHEL 9 are significantly more secure against ROP-based vulnerabilities.

virtiofs full support on Intel 64, AMD64, and IBM Z

The virtio file system (virtiofs) is now fully supported on Intel 64, AMD64, and IBM Z architectures. Using virtiofs, you can efficiently share files between your host system and its virtual machines.

AMD EPYC 7003 series processors supported on KVM guests

Support for AMD EPYC 7003 series processors (also known as AMD Milan) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use AMD EPYC 7003 series processors.

qemu-kvm now supports additional machine types

A set of new machine types, based on RHEL 9, has been added for use by virtual machines (VMs). To obtain all currently supported machine types on your host, use the /usr/libexec/qemu-kvm -M help command.

Mediated devices are now supported by virtualization CLIs on IBM Z

Using virt-install or virt-xml, you can now attach mediated devices to your VMs, such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 9 guide.

Modular libvirt daemons

In RHEL 9, the libvirt library uses modular daemons that handle individual virtualization driver sets on your host. For example, the virtqemud daemon handles QEMU drivers. This makes it possible to fine-grain a variety of tasks that involve virtualization drivers, such as resource load optimization and monitoring.

Windows 11 and Windows Server 2022 guests are supported

RHEL 9 supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM virtual machines.

ksmtuned is now distributed separately from qemu-kvm

To decrease the footprint of the KVM hypervisor, the ksmtuned utility is no longer a dependency of qemu-kvm. As a consequence, if you require configuring kernel same-page merging (KSM), you must install the ksmtuned package manually.

New feature: vTPM

The Virtual Trusted Platform Module (vTPM) is fully supported in RHEL 9. Using vTPM, you can add a TPM virtual crypto-processor to a virtual machine (VM) running in the RHEL 9 KVM hypervisor. This makes it possible to use the VM for generating, storing, and managing cryptographic keys.

Virtualization support for Intel Atom P59 series processors

With this update, virtualization on RHEL 9 adds support for the Intel Atom P59 series processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 9 can now use the Snowridge CPU model and utilise new features that the processors provide.

RHEL 9 provides WALinuxAgent 2.3.0.2

RHEL 9 is distributed with the Windows Azure Linux Agent (WALinuxAgent) package version 2.3.0.2. Notable bug fixes and enhancements over version 2.2.49 include:

RHEL on Azure now supports MANA

RHEL 9 virtual machines running on Microsoft Azure can now use the Microsoft Azure Network Adapter (MANA).

cloud-init supports the VMware GuestInfo datasource

With this update, the cloud-init utility is able to read the datasource for VMware guestinfo data. As a result, using cloud-init to set up RHEL 9 virtual machines on VMware vSphere is now more efficient and reliable.

RHEL 9 virtual machines are now supported on certain ARM64 hosts on Azure

Virtual machines that use RHEL 9 as the guest operating system are now supported on Microsoft Azure hypervisors running on Ampere Altra ARM-based processors.

cloud-init supports user data on Microsoft Azure

The --user-data option has been introduced for the cloud-init utility. Using this option, you can pass scripts and metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 9 virtual machine on Azure.

New SSH module for cloud-init

With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.

sos report now offers an estimate mode run

This sos report update adds the --estimate-only option with which you can approximate the disk space required for collecting an sos report from a RHEL server. Running the sos report --estimate-only command:

Podman now supports secure short names

Short-name aliases for images can now be configured in the registries.conf file in the [aliases] table. The short-names modes are:

Changes in the container-tools module

The container-tools module contains the Podman, Buildah, Skopeo, and runc tools. The rolling stream, represented by the container-tools:rhel8 stream in RHEL 8, is named container-tools:latest in RHEL 9. Similarly to RHEL 8, stable versions of container tools are going to be available in numbered streams (for example, 3.0).

The containers-common package is now available

The containers-common package has been added to the container-tools:latest module. The containers-common package contains common configuration files and documentation for the container tools ecosystem, such as Podman, Buildah and Skopeo.

Updating container images with new packages

For instance, to update the registry.access.redhat.com/rhel9 container image with the latest packages, use the following commands:

The container-tools meta-package has been updated

The container-tools RPM meta-package, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.

The podman-py package is now available

The podman-py package has been added to the container-tools:3.0 stable module stream and the container-tools:latest module. The podman-py package is a library of bindings to use the RESTful API of Podman.

Control groups version 2 is now available

The previous version of control groups, cgroups version 1 (cgroups v1) caused performance problems with a variety of applications. The latest release of control groups, cgroups version 2 (cgroups v2) enables system administrators to limit resources for any application without causing performance problems.

The container-tools meta-package is now available

The container-tools RPM meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries, is available in RHEL 9. The stable streams are not available on RHEL 9. To receive stable access to Podman, Buildah, Skopeo, and others, use the RHEL EUS subscription.

Native overlay file system support in the kernel is now available

The overlay file system support is now available from kernel 5.11. The non-root users will have native overlay performance even when running rootless (as a user). Thus, this enhancement provides better performance to non-root users who wish to use overlayfs without the need for bind mounting.

The NFS storage is now available

You can now use the NFS file system as a backend storage for containers and images if your file system has xattr support.

The container-tools meta-package has been updated

The container-tools meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries. This update provides a list of bug fixes and enhancements over the previous version.

The crun container runtime is now the default

The crun container runtime is now the default runtime. The crun container runtime supports an annotation that allows the container to access the rootless user’s additional groups. This is useful for volume mounting in a directory where setgid is set, or where the user only has group access. Both the crun and runc runtimes fully support cgroup v2.

Control group version 2 is now available

The previous version of control groups, cgroup version 1 (cgroup v1) caused performance problems with a variety of applications. The latest release of control groups, cgroup version 2 (cgroup v2) enables system administrators to limit resources for any application without causing performance problems.

Universal Base Images are now available on Docker Hub

Previously, Universal Base Images were only available from the Red Hat container catalog. With this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image.

The openssl container image is now available

The openssl image provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.

Netavark network stack is now available

The Netavark stack is a network configuration tool for containers. In RHEL 9, Netavark stack is fully supported and enabled by default.

Podman now supports auto-building and auto-running pods using a YAML file

The podman play kube command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.

Podman now has ability to source subUID and subGID ranges from IdM

The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid and /etc/subgid files onto every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf file and add sss to the services map line: services: files sss.

--leavebootorder no longer changes boot order

Previously, using --leavebootorder for the bootloader kickstart command did not work correctly on UEFI systems and changed the boot order. This caused the installer to add RHEL at the top of the list of installed systems in the UEFI boot menu.

Anaconda sets a static hostname before running the %post scripts

Previously, when Anaconda was setting the installer environment host name to the value from the kickstart configuration (network --hostname), it used to set a transient hostname. Some of the actions performed during %post script run, for example network device activation, were causing the host name reset to a value obtained by reverse dns.

Users can now specify user accounts in the RHEL for Edge Installer blueprint

Previously, performing an update on your blueprint without a user account defined in the edge commit for the upgrade, such as adding a rpm package, would cause users to be locked out of a system, after an upgrade is applied. It caused users to redefine user accounts when upgrading an existing system.This issue has been fixed to allow users to specify user accounts in the RHEL for Edge Installer blueprint, which creates a user on the system at installation time, rather than having the user as part of the ostree commit.

The basic graphics mode has been removed from the boot menu

Previously, the basic graphics mode was used to install RHEL on hardware with an unsupported graphics card or to work around issues in graphic drivers that prevented starting the graphical interface. With this update, the option to install in a basic graphics mode has been removed from the installer boot menu. Use the VNC installation options for graphical installations on unsupported hardware or to work around driver bugs.

virt-who now works correctly with Hyper-V hosts

Previously, when using virt-who to set up RHEL 9 virtual machines (VMs) on a Hyper-V hypervisor, virt-who did not properly communicate with the hypervisor, and the setup failed. This was because of a deprecated encryption method in the openssl package.

Running createrepo_c --update on a modular repository now preserves modular metadata in it

Previously, when running the createrepo_c --update command on an already existing modular repository without the original source of modular metadata present, the default policy was to remove all additional metadata including modular metadata from this repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option.

RHEL 9 provides libservicelog 1.1.19

RHEL 9 is distributed with libservicelog version 1.1.19. Notable bug fixes include:

Hardware optimization enabled in libgcrypt when in the FIPS mode

Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, in previous versions of RHEL, the operation was disabled in the libgcrypt package when in the FIPS mode. RHEL 9 enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.

crypto-policies now can disable ChaCha20 cipher usage

Previously, the crypto-policies package used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. Consequently, you could not disable ChaCha20 for the TLS 1.2 protocol in OpenSSL through crypto-policies. With this update, the -CHACHA20 keyword is used instead of -CHACHA20-POLY1305. As a result, you now can use the cryptographic policies for disabling ChaCha20 cipher usage in OpenSSL for TLS 1.2 and TLS 1.3.

64-bit IBM Z systems no longer become unbootable when installing in FIPS mode

Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup regenerates the initial RAM disk (initrd), and the resulting system needs an update of zipl internal state to boot, this put 64-bit IBM Z systems into an unbootable state after installing in FIPS mode. With this update fips-mode-setup now executes zipl on 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a result, the newly installed system boots successfully.

GNUTLS_NO_EXPLICIT_INIT no longer disables implicit library initialization

Previously, the GNUTLS_NO_EXPLICIT_INIT environment variable disabled implicit library initialization. In RHEL 9, the GNUTLS_NO_IMPLICIT_INIT variable disables implicit library initialization instead.

OpenSSL-based applications now work correctly with the Turkish locale

Because the OpenSSL library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.

kdump no longer crashes due to SELinux permissions

The kdump crash recovery service requires additional SELinux permissions to start correctly. In previous versions, therefore, SELinux prevented kdump from working, kdump reported that it is not operational, and Access Vector Cache (AVC) denials were audited. In this version, the required permissions were added to selinux-policy and as a result, kdump works correctly and no AVC denial is audited.

The usbguard-selinux package is no longer dependent on usbguard

Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of these packages, led to file conflicts when installing usbguard. As a consequence, this prevented the installation of usbguard on certain systems. With this version, usbguard-selinux no longer depends on usbguard, and as a result, dnf can install usbguard correctly.

dnf install and dnf update now work with fapolicyd in SELinux

The fapolicyd-selinux package, which contains SELinux rules for fapolicyd, did not contain permissions to watch all files and directories. As a consequence, the fapolicyd-dnf-plugin did not work correctly, causing any dnf install and dnf update commands to make the system stop responding indefinitely. In this version, the permissions to watch any file type were added to fapolicyd-selinux. As a result, the fapolicyd-dnf-plugin works correctly and the commands dnf install and dnf update are operational.

Ambient capabilities are now applied correctly to non-root users

As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, effective, and ambient sets of capabilities.

usbguard-notifier no longer logs too many error messages to the Journal

Previously, the usbguard-notifier service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.

Wifi and 802.1x Ethernet connections profiles are now connecting properly

Previously, many Wifi and 802.1x Ethernet connections profiles were not able to connect. This bug is now fixed. All the profiles are now connecting properly. Profiles that use legacy cryptographic algorithms still work but you need to manually enable the OpenSSL legacy provider. This is required, for example, when you use DES with MS-CHAPv2 and RC4 with TKIP.

Afterburn no longer sets an overlong hostname in /etc/hostname

The maximum length of a RHEL hostname is 64 characters. However, certain cloud providers use the Fully-Qualified Domain Name (FQDN) as the hostname, which can be up to 255 characters. Previously, the afterburn-hostname service wrote such an overlong hostname directly to the /etc/hostname file. The systemd service truncated the hostname to 64 characters, and NetworkManager derived an incorrect DNS search domain from the truncated value. With this fix, afterburn-hostname truncates hostnames at the first dot or 64 characters, whichever comes first. As a result, NetworkManager no longer sets invalid DNS search domains in /etc/resolv.conf.

modprobe loads out-of-tree kernel modules as expected

The /etc/depmod.d/dist.conf configuration file provides a search order for the depmod utility. Based on the search order, depmod creates the modules.dep.bin file. This file lists module dependencies, which the modprobe utility uses for loading and unloading kernel modules and resolving module dependencies at the same time. Previously, /etc/depmod.d/dist.conf was missing. As a result, modprobe could not load some out-of-tree kernel modules. This update includes the /etc/depmod.d/dist.conf configuration file, which fixes the search order. As a result, modprobe loads out-of-tree kernel modules as expected.

alsa-lib now correctly handles audio devices that use UCM

A bug in the alsa-lib package caused incorrect parsing of the internal Use Case Manager (UCM) identifier. Consequently, some audio devices that used the UCM configuration were not detected or they did not function correctly. The problem occurred more often when the system used the pipewire sound service. With the new release of RHEL 9, the problem has been fixed by updating the alsa-lib library.

Protection uevents no longer cause reload failure of multipath devices

Previously, when a read-only path device was rescanned, the kernel sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a reload error message. With this update, multipathd now checks that all the paths are set to read/write before reloading a device read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device is rescanned.

device-mapper-multipath rebased to version 0.8.7

The device-mapper-multipath package has been upgraded to version 0.8.7, which provides multiple bug fixes and enhancements. Notable changes include:

Pacemaker attribute manager correctly determines remote node attributes, preventing unfencing loops

Previously, Pacemaker’s controller on a node might be elected the Designated Controller (DC) before its attribute manager learned an already-active remote node is remote. When this occurred, the node’s scheduler would not see any of the remote node’s node attributes. If the cluster used unfencing, this could result in an unfencing loop. With the fix, the attribute manager can now learn a remote node is remote by means of additional events, including the initial attribute sync at start-up. As a result, no unfencing loop occurs, regardless of which node is elected DC.

-Wsequence-point warning behavior fixed

Previously, when compiling C++ programs with GCC, the -Wsequence-point warning option tried to warn about very long expressions, it could cause quadratic behavior and therefore significantly longer compilation time. With this update, -Wsequence-point doesn’t attempt to warn about extremely large expressions and as a result, does not increase compilation time.

MS-CHAP authentication with the OpenSSL legacy provider

Previously, FreeRADIUS authentication mechanisms that used MS-CHAP failed because they depended on MD4 hash functions, and MD4 has been deprecated in RHEL 9. With this update, you can authenticate FreeRADIUS users with MS-CHAP or MS-CHAPv2 if you enable the OpenSSL legacy provider.

Running sudo commands no longer exports the KRB5CCNAME environment variable

Previously, after running sudo commands, the environment variable KRB5CCNAME pointed to the Kerberos credential cache of the original user, which might not be accessible to the target user. As a result Kerberos related operations might fail as this cache is not accessible. With this update, running sudo commands no longer sets the KRB5CCNAME environment variable and the target user can use their default Kerberos credential cache.

SSSD correctly evaluates the default setting for the Kerberos keytab name in /etc/krb5.conf

Previously, if you defined a non-standard location for your krb5.keytab file, SSSD did not use this location and used the default /etc/krb5.keytab location instead. As a result, when you tried to log into the system, the login failed as the /etc/krb5.keytab contained no entries.

Authenticating to Directory Server in FIPS mode with passwords hashed with the PBKDF2 algorithm now works as expected

When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.

The Networking system role no longer fails to set a DNS search domain if IPv6 is disabled

Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 protocol was disabled. As a consequence, when you used the Networking RHEL system role and set dns_search together with ipv6_disabled: true, the system role failed with the following error:

Postfix role README no longer uses plain role name

Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md used the plain version of the role name, postfix, instead of using rhel-system-roles.postfix. Consequently, users would consult the documentation and incorrectly use the plain role name instead of Full Qualified Role Name (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, rhel-system-roles.postfix, enabling users to correctly write playbooks.

Postfix RHEL system role README.md no longer missing variables under the "Role Variables" section

Previously, the Postfix RHEL system role variables, such as postfix_check, postfix_backup, postfix_backup_multiple were not available under the "Role Variables" section. Consequently, users were not able to consult the Postfix role documentation. This update adds role variable documentation to the Postfix README section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md documentation provided by rhel-system-roles.

Role tasks no longer change when running the same output

Previously, several of the role tasks would report as CHANGED when running the same input once again, even if there were no changes. Consequently, the role was not acting idempotent. To fix the issue, perform the following actions:

The logging_purge_confs option correctly deletes unnecessary configuration files

With the logging_purge_confs option set to true, it should delete unnecessary logging configuration files. Previously, however, unnecessary configuration files were not deleted from the configuration directory even if logging_purge_confs was set to true. This issue is now fixed and the option has been redefined as follows: if logging_purge_confs is set to true, Rsyslog removes files from the rsyslog.d directory which do not belong to any rpm packages. This includes configuration files generated by previous runs of the Logging role. The default value of logging_purge_confs is false.

A playbook using the Metrics role completes successfully on multiple runs even if the Grafana admin password is changed

Previously, changes to the Grafana admin user password after running the Metrics role with the metrics_graph_service: yes boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks using the Metrics role, and the affected systems were only partially set up for performance analysis. Now, the Metrics role uses the Grafana deployment API when it is available and no longer requires knowledge of username or password to perform the necessary configuration actions. As a result, a playbook using the Metrics role completes successfully on multiple runs even if the administrator changes the Grafana admin password.

Configuration by the Metrics role now follows symbolic links correctly

When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The issue is now fixed and the follow: yes option to follow the symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the symbolic links and correctly configures the main configuration file.

The timesync role no longer fails to find the requested service ptp4l

Previously, on some versions of RHEL, the Ansible service_facts module, reported service facts incorrectly. Consequently, the timesync role reported an error attempting to stop the ptp4l service. With this fix, the Ansible service_facts module checks the return value of the tasks to stop timesync services. If the returned value is failed, but the error message is Could not find the requested service NAME:, then the module assumes success. As a result, the timesync role now runs without errors like Could not find the requested service ptp4l.

The kernel_settings configobj is available on managed hosts

Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the role returned an error stating that the configobj Python module could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected.

The Terminal Session Recording role tlog-rec-session is now correctly overlaid by SSSD

Previously, the Terminal Session Recording RHEL system role relied on the System Security Services Daemon (SSSD) files provider and on enabled authselect option with-files-domain to set up correct passwd entries in the nsswitch.conf file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and consequently the tlog-rec-session shell overlay by SSSD did not work. With this fix, the Terminal Session Recording role now updates the nsswitch.conf to ensure tlog-rec-session is correctly overlaid by SSSD.

The SSHD system role can manage systems in FIPS mode

Previously, the SSHD system role could not create the not allowed HostKey type when called. As a consequence, the SSHD system role could not manage RHEL 8 and older systems in Federal Information Processing Standard (FIPS) mode. With this update, the SSHD system role detects FIPS mode and adjusts the default HostKey list correctly. As a result, the system role can manage RHEL systems in FIPS mode with the default HostKey configuration.

The SSHD system role uses the correct template file

Previously, the SSHD system role used a wrong template file. As a consequence, the generated sshd_config file did not contain the ansible_managed comment. With this update, the system role uses the correct template file and sshd_config contains the correct ansible_managed comment.

The Kdump RHEL system role is be able to reboot, or indicate that a reboot is required

Previously, the Kdump RHEL system role ignored managed nodes without any reserved memory for crash kernel. Consequently, the role finished with the "Success" status, even if it did not configure the system properly. With this update of RHEL 9, the problem has been fixed. In cases when managed nodes do not have any memory reserved for the crash kernel, the Kdump RHEL system role fails and suggests that users set the kdump_reboot_ok variable to true to properly configure the kdump service on managed nodes.

The nm provider in the Networking system role now correctly manages bridges

Previously, if you used the initscripts provider, the Networking system role created an ifcfg file which configured NetworkManager to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript provider will not change the NetworkManager’s understanding on unmanaged state of this interface if not reloading the connection after the down and absent actions. With this fix, the Networking system role uses the NM.Client.reload_connections_async() function to reload NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages the bridge interface when switching the provider from initscript to nm.

Fixed a typo to support active-backup for the correct bonding mode

Previously, there was a typo,active_backup, in supporting the InfiniBand port while specifying active-backup bonding mode. Due to this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the InfiniBand bonding port.

The Logging system role no longer calls tasks multiple times

Previously, the Logging role was calling tasks multiple times that should have been called only once. As a consequence, the extra task calls slowed down the execution of the role. With this fix, the Logging role was changed to call the tasks only once, improving the Logging role performance.

RHEL system roles now handle multi-line ansible_managed comments in generated files

Previously, some of the RHEL system roles were using # {{ ansible_managed }} to generate some of the files. As a consequence, if a customer had a custom multi-line ansible_managed setting, the files would be generated incorrectly. With this fix, all of the system roles use the equivalent of {{ ansible_managed | comment }} when generating files so that the ansible_managed string is always properly commented, including multi-line ansible_managed values. Consequently, generated files have the correct multi-line ansible_managed value.

The Firewall system role now reloads the firewall immediately when target changes

Previously, the Firewall system role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role reloads the firewall when the target changes, and as a result, the target change is immediate and available for subsequent operations.

The group option in the Certificate system role no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the mode was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.

The Logging role no longer misses quotes for the immark module interval value

Previously, the interval field value for the immark module was not properly quoted, because the immark module was not properly configured. This fix ensures that the interval value is properly quoted. Now, the immark module works as expected.

The /etc/tuned/kernel_settings/tuned.conf file has a proper ansible_managed header

Previously, the kernel_settings RHEL system role had a hard-coded value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could not provide their custom ansible_managed header. In this update, the problem has been fixed so that kernel_settings updates the header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header.

The VPN system role filter plugin vpn_ipaddr now converts to FQCN (Fully Qualified Collection Name)

Previously, the conversion from the legacy role format to the collection format was not converting the filter plugin vpn_ipaddr to FQCN (Fully Qualified Collection Name) redhat.rhel_system_roles.vpn_ipaddr. As a consequence, the VPN role could not find the plugin by the short name and reported an error. With this fix, the conversion script has been changed so that the filter is converted to FQCN format in the collection. And now the VPN role runs without issuing the error.

Job for kdump.service no longer fails

Previously, the Kdump role code for configuring the kernel crash size was not updated for RHEL9, which requires the use of kdumpctl reset-crashkernel. As a consequence, the kdump.service could not start and issued an error. With this update, the kdump.service role uses kdumpctl reset-crashkernel to configure the crash kernel size. Now, kdump.service role successfully starts the kdump service and the kernel crash size is configured correctly.

Hot-unplugging a mounted virtual disk no longer causes the guest kernel to crash on IBM Z

Previously, when detaching a mounted disk from a running virtual machine (VM) on IBM Z hardware, the VM kernel crashed under the following conditions:

UBI 9-Beta containers can run on RHEL 7 and 8 hosts

Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common package. As a consequence, containers were not able to deal with certain system calls causing a failure. With this update, the problem has been fixed.

FDO process available as a Technology Preview

The FDO process for automatic provisioning and onboarding RHEL for Edge images is available as a Technology Preview. With that, you can build a RHEL for Edge Simplified Installer image, provision it to a RHEL for Edge image, and use the FDO (FIDO device onboarding) process to automatically provision and onboard your Edge devices, exchange data with other devices and systems connected on the networks. As a result, the FIDO device onboarding protocol performs device initialization at the manufacturing stage and then late binding to actually use the device.

ReaR available on the 64-bit IBM Z architecture as a Technology Preview

Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM environment. Backing up and recovering logical partitions (LPARs) has not been tested.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

KTLS available as a Technology Preview

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, an Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The Intel data streaming accelerator driver for kernel is available as a Technology Preview

The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

DAX is now available for ext4 and XFS as a Technology Preview

In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.

Stratis is available as a Technology Preview

Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ website.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Identity Management JSON-RPC API available as Technology Preview

An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

Stratis available as a Technology Preview in the RHEL web console

With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage as a Technology Preview.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV and SEV-ES for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Virtualization is now available on ARM 64

As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.

virtio-mem is now available on AMD64 and Intel 64

As a Technology Preview, RHEL 9 introduces the virtio-mem feature on AMD64 and Intel 64 systems. Using virtio-mem makes it possible to dynamically add or remove host memory in virtual machines (VMs).

Intel vGPU available as a Technology Preview

As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, does not work and is deprecated.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

ipset and iptables-nft have been deprecated

The ipset and iptables-nft packages have been deprecated in RHEL. The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using them for new deployments is not recommended. As a replacement, prefer using the nft command-line tool provided by the nftables package. Existing setups should migrate to nft if possible.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

v4l/dvb television and video capture devices are no longer supported

With RHEL 9, Red Hat no longer supports Video4Linux (v4l) and Linux DVB (DVB) devices that consist of various television tuner cards and miscellaneous video capture cards and Red Hat no longer provides their associated drivers.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

X.org Server is now deprecated

The X.org display server is deprecated, and will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The networking system role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a network team on RHEL 9 nodes, shows a warning about its deprecation.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.

Limited support for virtual machine snapshots

Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.

qcow2-v2 image format is deprecated

With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 from the RHBA-2022:5951 advisory have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The reboot --kexec and inst.kexec commands do not provide a predictable system state

Performing a RHEL installation with the reboot --kexec Kickstart command or the inst.kexec kernel boot parameters do not provide the same predictable system state as a full reboot. As a consequence, switching to the installed system without rebooting can produce unpredictable results.

Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool

When booting the RHEL installation from a USB that is created using a third party tool, the installer fails to detect the Local Media installation source (only Red Hat CDN is detected).

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running. To work around this problem, do not run Anaconda on the production system and execute it in a temporary virtual machine. So that the SELinux policy on a production system is not modified. Running anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this issue.

The USB CD-ROM drive is not available as an installation source in Anaconda

Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda cannot find and use this source disk.

Minimal RHEL installation no longer includes the s390utils-base package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. Consequently, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. To work around this problem, manually install the s390utils-base package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.

Hard drive partitioned installations with iso9660 filesystem fails

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

Anaconda fails to verify existence of an administrator user account

While installing RHEL using a graphical user interface, Anaconda fails to verify if the administrator account has been created. As a consequence, users might install a system without any administrator user account.

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication attempt

When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the current session and login using the no authentication method.

New XFS features prevent booting of PowerNV IBM POWER systems with firmware older than version 5.10

PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and booting RHEL.

Cannot install RHEL when PReP is not 4 or 8 MiB in size

The RHEL installer cannot install the boot loader if the PowerPC Reference Platform (PReP) partition is of a different size than 4 MiB or 8 MiB on a disk that uses 4 kiB sectors. As a consequence, you cannot install RHEL on the disk.

New XFS features prevent booting of PowerNV IBM POWER systems with firmware kernel older than version 5.10

PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement for GRUB. This results in the firmware kernel mounting /boot and Petitboot reading the GRUB config and booting RHEL.

RHEL installer does not process the inst.proxy boot option correctly

When running Anaconda, the installation program does not process the inst.proxy boot option correctly. As a consequence, you cannot use the specified proxy to fetch the installation image.

RHEL installation fails on IBM Z architectures with multi-LUNs

RHEL installation fails on IBM Z architectures when using multiple LUNs during installation. Due to the multipath setup of FCP and the LUN auto-scan behavior, the length of the kernel command line in the configuration file exceeds 896 bytes.

RHEL installer does not automatically discover or use iSCSI devices as boot devices on aarch64

The absence of the iscsi_ibft kernel module in RHEL installers running on aarch64 prevents automatic discovery of iSCSI devices defined in firmware. These devices are not automatically visible in the installer nor selectable as boot devices when added manually by using the GUI. As a workaround, add the "inst.nonibftiscsiboot" parameter to the kernel command line when booting the installer and then manually attach iSCSI devices through the GUI. As a result, the installer can recognize the attached iSCSI devices as bootable and installation completes as expected.

virt-who cannot connect to ESX servers when in FIPS mode

When using the virt-who utility on a RHEL 9 system in FIPS mode, virt-who cannot connect to ESX servers. As a consequence, virt-who does not report any ESX servers, even if configured for them, and logs the following error message:

The Installation process sometimes becomes unresponsive

When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end:

ReaR fails during recovery if the TMPDIR variable is set in the configuration file

Setting and exporting TMPDIR in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file does not work and is deprecated.

Renaming network interfaces using ifcfg files fails

On RHEL 9, the initscripts package is not installed by default. Consequently, renaming network interfaces using ifcfg files fails. To solve this problem, Red Hat recommends that you use udev rules or link files to rename interfaces. For further details, see Consistent network interface device naming and the systemd.link(5) man page.

The chkconfig package is not installed by default in RHEL 9

The chkconfig package, which updates and queries runlevel information for system services, is not installed by default in RHEL 9.

Both bind and unbound disable validation of SHA-1-based signatures

The bind and unbound components disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy.

named fails to start if the same writable zone file is used in multiple zones

BIND does not allow the same writable zone file in multiple zones. Consequently, if a configuration includes multiple zones which share a path to a file that can be modified by the named service, named fails to start. To work around this problem, use the in-view clause to share one zone between multiple views and make sure to use different paths for different zones. For example, include the view names in the path.

Setting the console keymap requires the libxkbcommon library on your minimal install

In RHEL 9, certain systemd library dependencies have been converted from dynamic linking to dynamic loading, so that your system opens and uses the libraries at runtime when they are available. With this change, a functionality that depends on such libraries is not available unless you install the necessary library. This also affects setting the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails.

OpenSSL does not detect if a PKCS #11 token supports the creation of raw RSA or RSA-PSS signatures

The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication fails in the described scenario.

OpenSSL incorrectly handles PKCS #11 tokens that does not support raw RSA or RSA-PSS signatures

The OpenSSL library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures.

Cryptography not approved by FIPS works in OpenSSL in FIPS mode

Cryptography that is not FIPS-approved works in the OpenSSL toolkit regardless of system settings. Consequently, you can use cryptographic algorithms and ciphers that should be disabled when the system is running in FIPS mode, for example:

OpenSSL cannot use engines in FIPS mode

Engine API is deprecated in OpenSSL 3.0 and is incompatible with OpenSSL Federal Information Processing Standards (FIPS) implementation and other FIPS-compatible implementations. Therefore, OpenSSL cannot run engines in FIPS mode. There is no workaround for this problem.

PSK ciphersuites do not work with the FUTURE crypto policy

Pre-shared key (PSK) ciphersuites are not recognized as performing perfect forward secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK ciphersuites do not work with OpenSSL configured to SECLEVEL=3, for example with the FUTURE crypto policy. As a workaround, you can set a less restrictive crypto policy or set a lower security level (SECLEVEL) for applications that use PSK ciphersuites.

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the system-wide deprecation of this insecure algorithm for signatures.

Some OpenSSH operations do not used FIPS-approved interfaces

The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and modern. Because of changes to OpenSSL internals, only the modern interfaces use FIPS-certified implementations of cryptographic algorithms. Because OpenSSH uses legacy interfaces for some operations, it does not comply with FIPS requirements.

gpg-agent does not work as an SSH agent in FIPS mode

The gpg-agent tool creates MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disables the MD5 digest. Consequently, the ssh-add utility fails to add the keys to the authentication agent.

SELinux staff_u users can incorrectly switch to unconfined_r

When the secure_mode boolean is enabled, staff_u users can incorrectly switch to the unconfined_r role. As a consequence, staff_u users can perform privileged operations affecting the security of the system.

Default SELinux policy allows unconfined executables to make their stack executable

The default state of the selinuxuser_execstack boolean in the SELinux policy is on, which means that unconfined executables can make their stack executable. Executables should not use this option, and it might indicate poorly coded executables or a possible attack. However, due to compatibility with other tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean off in your local policy by entering the command setsebool -P selinuxuser_execstack off.

Remediating service-related rules during kickstart installations might fail

During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service enable or disable state remediation is not needed. Consequently, OpenSCAP might set the services on the installed system to a non-compliant state. As a workaround, you can scan and remediate the system after the kickstart installation. This will fix the service-related issues.

SSH timeout rules in STIG profiles configure incorrect options

An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:

fagenrules --load does not work correctly

The fapolicyd service does not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminates after receiving the SIGHUP signal. Therefore, the fagenrules --load command does not work properly, and rule updates require manual restarts of fapolicyd. To work around this problem, restart the fapolicyd service after any change in rules, and as a result fagenrules --load will work correctly.

Ansible remediations require additional collections

With the replacement of Ansible Engine by the ansible-core package, the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package.

The nm-cloud-setup service removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain cases, other services on the host can configure interfaces as well. For example, these services could add secondary IP addresses. To avoid that nm-cloud-setup removes secondary IP addresses:

An empty rd.znet option in the kernel command line causes the network configuration to fail

An rd.znet option without any arguments, such as net types or subchannels, in the kernel fails to configure networking. To work around this problem, either remove the rd.znet option from the command line completely or specify relevant net types, subchannels, and other relevant options. For more information about these options, see the dracut.cmdline(7) man page.

Failure to update the session key causes the connection to break

Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a connection break. To work around this problem, disable kTLS. As a result, with the workaround, it is possible to successfully update the session key.

The initscripts package is not installed by default

By default, the initscripts package is not installed. As a consequence, the ifup and ifdown utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a NetworkManager solution for the ifup and ifdown utilities.

The primary IP address of an instance changes after starting the nm-cloud-setup service in Alibaba Cloud

After launching an instance in the Alibaba Cloud, the nm-cloud-setup service assigns the primary IP address to an instance. However, if you assign multiple secondary IP addresses to an instance and start the nm-cloud-setup service, the former primary IP address gets replaced by one of the already assigned secondary IP addresses. The returned list of metadata verifies the same. To work around the problem, configure secondary IP addresses manually to avoid that the primary IP address changes. As a result, an instance retains both IP addresses and the primary IP address does not change.

kdump fails to start on RHEL 9 kernel

The RHEL 9 kernel does not have the crashkernel=auto parameter configured as default. Consequently, the kdump service fails to start by default.

The kdump mechanism fails to capture vmcore on LUKS-encrypted targets

When running kdump on systems with Linux Unified Key Setup (LUKS) encrypted partitions, systems require a certain amount of available memory. When the available memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets.

Allocating crash kernel memory fails at boot time

On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 GB. Consequently, the kdumpctl command fails to start the kdump service as the required memory is more than the available memory size.

kTLS does not support offloading of TLS 1.3 to NICs

Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. To work around this problem, disable TLS 1.3 if offload is required. As a result, you can offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot be offloaded.

FADump enabled with Secure Boot might lead to GRUB Out of Memory (OOM)

In the Secure Boot environment, GRUB and PowerVM together allocate a 512 MB memory region, known as the Real Mode Area (RMA), for boot memory. The region is divided among the boot components and, if any component exceeds its allocation, out-of-memory failures occur.

Systems in Secure Boot cannot run dynamic LPAR operations

Users cannot run dynamic logical partition (DLPAR) operations from the Hardware Management Console (HMC) if either of these conditions are met:

dkms provides an incorrect warning on program failure with correctly compiled drivers on 64-bit ARM CPUs

The Dynamic Kernel Module Support (dkms) utility does not recognize that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of ARM CPU architectures and is not specific to dkms and its requirements.

New kernels lose previous command-line options

The GRUB boot loader does not apply custom, previously configured kernel command-line options to new kernels. Consequently, when you upgrade the kernel package, the system behavior might change after reboot due to the missing options.

Device Mapper Multipath is not supported with NVMe/TCP

Using Device Mapper Multipath with the nvme-tcp driver can result in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe.

The blk-availability systemd service deactivates complex device stacks

In systemd, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:

Invalid sysfs value for supported_speeds

The qla2xxx driver reports 20Gb/s instead of the expected 64Gb/s as one of the supported port speeds in the sysfs supported_speeds attribute:

Unable to connect to NVMe namespaces from Broadcom initiator on AMD EPYC systems

By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Consequently, when you use IOMMU-enabled platforms on servers with AMD processors, you might experience NVMe I/O problems, such as I/Os failing due to transfer length mismatches.

The --ssl-fips-mode option in MySQL and MariaDB does not change FIPS mode

The --ssl-fips-mode option in MySQL and MariaDB in RHEL works differently than in upstream.

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the 64-bit ARM architecture. As a result, affected SystemTap scripts may not run or may not collect hits on desired probe points.

RHEL 9 Kerberos client fails to authenticate a user using PKINIT against Heimdal KDC

During the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client, the Heimdal Kerberos Distribution Center (KDC) on RHEL 9 or earlier uses the SHA-1 backup signature algorithm because the Kerberos client does not support the supportedCMSTypes field. However, the SHA-1 algorithm has been deprecated in RHEL 9 and therefore the user authentication fails.

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL 9 Kerberos agent

If a RHEL 9 Kerberos agent interacts with another, non-RHEL 9 Kerberos agent in your environment, the Public Key Cryptography for initial authentication (PKINIT) authentication of a user fails. To work around the problem, perform one of the following actions:

The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against older RHEL KDCs and AD KDCs

The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm.

Directory Server terminates unexpectedly when started in referral mode

Due to a bug, global referral mode does not work in Directory Server. If you start the ns-slapd process with the refer option as the dirsrv user, Directory Server ignores the port settings and terminates unexpectedly. Trying to run the process as the root user changes SELinux labels and prevents the service from starting in future in normal mode. There are no workarounds available.

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

The dsconf utility has no option to create fix-up tasks for the entryUUID plug-in

The dsconf utility does not provide an option to create fix-up tasks for the entryUUID plug-in. As a result, administrators cannot not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a task manually:

Potential risk when using the default value for ldap_id_use_start_tls option

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Firefox add-ons are disabled after upgrading to RHEL 9

If you upgrade from RHEL 8 to RHEL 9, all add-ons that you previously enabled in Firefox are disabled.

VNC is not running after upgrading to RHEL 9

After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously enabled.

Matrox G200e shows no output on a VGA display

Your display might show no graphical output if you use the following system configuration:

X.org configuration utilities do not work under Wayland

X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the xrandr utility does not work under Wayland due to its different approach to handling, resolutions, rotations, and layout.

NVIDIA drivers might revert to X.org

Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol and revert to the X.org display server:

Night Light is not available on Wayland with NVIDIA

When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available in Wayland sessions. The NVIDIA drivers do not currently support Night Light.

Removing USB host devices using the web console does not work as expected

When you attach a USB device to a virtual machine (VM), the device number and bus number of the USB device might change after they are passed to the VM. As a consequence, using the web console to remove such devices fails due to the incorrect correlation of the device and bus numbers. To workaround this problem, remove the <hostdev> part of the USB device, from the VM’s XML configuration.

Attaching multiple host devices using the web console does not work

When you select multiple devices to attach to a virtual machine (VM) using the web console, only a single device is attached and the rest are ignored. To work around this problem, attach only one device at a time.

Installing a virtual machine over https in some cases fails

Currently, the virt-install utility fails when attempting to install a guest operating system from an ISO source over a https connection - for example using virt-install --cdrom https://example/path/to/image.iso. Instead of creating a virtual machine (VM), the described operation terminates unexpectedly with an internal error: process exited while connecting to monitor message.

Using NVIDIA drivers in virtual machines disables Wayland

Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland and load an Xorg session instead. This primarily occurs in the following scenarios:

The Milan VM CPU type is sometimes not available on AMD Milan systems

On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS by default. Consequently, the 'Milan' CPU type might not be available on these systems. In addition, VM live migration between Milan hosts with different feature flag settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host.

Network traffic performance in virtual machines might be reduced

In some cases, RHEL 9.0 guest virtual machines (VMs) have somewhat decreased performance when handling high levels of network traffic.

Disabling AVX causes VMs to become unbootable

On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in the VM.

Failover virtio NICs are not assigned an IP address on Windows virtual machines

Currently, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM fails to assign an IP address to the NIC. Consequently, the NIC is unable to set up a network connection. Currently, there is no workaround.

A hostdev interface with failover settings cannot be hot-plugged after being hot-unplugged

After removing a hostdev network interface with failover configuration from a running virtual machine (VM), the interface currently cannot be re-attached to the same running VM.

Live post-copy migration of VMs with failover VFs fails

Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a device with the virtual function (VF) failover capability enabled. To work around the problem, use the standard migration type, rather than post-copy migration.

SR-IOV performs suboptimally in ARM 64 RHEL 9 virtual machines on Azure

Currently, SR-IOV networking devices have significantly lower throughout and higher latency than expected in ARM 64 RHEL 9 virtual machines VMs running on a Microsoft Azure platform.

Mouse is not usable in RHEL 9 VMs on XenServer 7 with console proxy

When running a RHEL 9 virtual machine (VM) on a XenServer 7 platform with a console proxy, it is not possible to use the mouse in the VM’s GUI. To work around this problem, disable the Wayland compositor protocol in the VM as follows:

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV causes non-root partitions to disappear

When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a consequence, the following problems occur:

The SR-IOV functionality of a network adapter attached to a Hyper-V virtual machine might not work

Currently, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV functionality in some cases does not work correctly.

Customizing RHEL 9 guests on ESXi sometimes causes networking problems

Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not work correctly with NetworkManager key files. As a consequence, if the guest is using such a key file, it will have incorrect network settings, such as the IP address or the gateway.

Timeout when running sos report on IBM Power Systems, Little Endian

When running the sos report command on IBM Power Systems, Little Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the plugin’s timeout accordingly:

Container images signed with a Beta GPG key can not be pulled

Currently, when you try to pull RHEL 9 Beta container images, podman exits with the error message: Error: Source image rejected: None of the signatures were accepted. The images fail to be pulled due to current builds being configured to not trust the RHEL Beta GPG keys by default.

Podman fails to pull a container "X509: certificate signed by unknown authority"

If you have your own internal registry signed by our own CA certificate, then you have to import the certificate onto your host machine. Otherwise, an error occurs:

Running systemd within an older container image does not work

Running systemd within an older container image, for example, centos:7, does not work:

podman system connection add and podman image scp fails

Podman uses SHA-1 hashes for the RSA key exchange. The regular SSH connection among machines using RSA keys works, while the podman system connection add and podman image scp commands do not work using the same RSA keys, because the SHA-1 hashes are not accepted for key exchange on RHEL 9: