9.5 Release Notes

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.

NSS rebased to 3.101

The NSS cryptographic toolkit packages have been rebased to upstream version 3.101, which provides many bug fixes and enhancements. The most notable changes are the following:

Libreswan accepts IPv6 SAN extensions

Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.

Custom key sizes in ssh-keygen

You can now configure the size of keys generated by the /usr/libexec/openssh/sshd-keygen script by setting environment variables SSH_RSA_BITS and SSH_ECDSA_BITS in the /etc/sysconfig/sshd environment file.

fips-mode-setup checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode

The fips-mode-setup system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the virt_qemu_ga_unconfined_t domain.

OpenSSL rebased to 3.2.2

The OpenSSL packages have been rebased to upstream version 3.2.2. This update brings various enhancements and bug fixes, most notably the following:

crypto-policies provide algorithm selection in Java

The crypto-policies packages have been updated to extend its control to algorithm selection in Java. This is caused by the evolution of the Java cryptographic agility configuration and crypto-policies needing to catch up to provide a better mapping for a more consistent system-wide configuration. Specifically, the update has the following changes:

The selinux-policy git repository for Centos Stream 10 is now publicly accessible

CentOS Stream contributors now can participate in the development of the SELinux policy by contributing to the c10s branch of the fedora-selinux/selinux-policy git repository.

clevis rebased to version 20

The clevis packages have been upgraded to version 20. The most notable enhancements and fixes include the following:

ca-certificates provide trusted CA roots in the OpenSSL directory format

This update populates the /etc/pki/ca-trust/extracted/pem/directory-hash/ directory with trusted CA root certificates. As a consequence, lookups and validations are faster when OpenSSL is configured to load certificates from this directory, for example, by setting the SSL_CERT_DIR environment variable to /etc/pki/ca-trust/extracted/pem/directory-hash/.

The nbdkit service is confined by SELinux

The nbdkit-selinux sub-package adds new rules to the SELinux policy, and as a result, nbdkit is confined in SELinux. Therefore, the systems that run nbdkit are more resilient against privilege escalation attacks.

libreswan rebased to 4.15

The libreswan packages have been rebased to upstream version 4.15. This version provides substantial improvements over the previous version 4.9 that was provided in previous releases.

jose rebased to version 14

The jose package has been upgraded to upstream version 14. jose is a C-language implementation of the Javascript Object Signing and Encryption (JOSE) standards. The most important enhancements and fixes include the following:

Four RHEL services removed from SELinux permissive mode

The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

The bootupd service is SELinux confined

The bootupd service supports updating the bootloader, and therefore needs to be confined. This update to the SELinux policy adds additional rules, and as a result, the bootupd service runs in the bootupd_t SELinux domain.

Support available to file system customization for the simplified-installer and raw image types

With this enhancement, now you can add file system customizations to a blueprint when building the following image types:

The default value for the DefaultLimitCore systemd configuration option is now set to unlimited:unlimited

Previously, the default value for the DefaultLimitCore systemd configuration option was set to 0:infinity. As a result, all processes started by systemd had a soft process limit for core files set to 0, and no core files were created by default. However, the process adjusted the limit as required.

openCryptoki rebased to version 3.23.0

The openCryptoki packages are updated to version 3.23.0, which provides multiple bug fixes and enhancements. Notable changes include:

librtas rebased to version 2.0.6

The librtas package is updated to version 2.0.6. With this update, you can use the lockdown-compatible ABI provided by the kernel.

The BIND 9.18 is now supported in RHEL

BIND 9.18 has been added in RHEL 9.5 in the new bind9.18 package. The notable feature enhancements include the following:

NetworkManager now supports the leftsubnet parameter for IPsec VPNs

With this update, NetworkManager supports the leftsubnet parameter to define the private subnet behind the local participant used to configure subnet-to-subnet scenarios in Internet Protocol Security (IPsec) VPNs.

nmstate now supports the congestion window clamp (cwnd) option

With this update, you can use the cwnd option of the nmstate utility to set a maximum limit on the TCP congestion window size. This way you can control the maximum amount of unacknowledged data expressed as a number of packets that can be in transit over the network at any given time. The following example YAML file sets the cwnd option:

The NetworkManager-libreswan plugin supports the rightcert option

You can use the rightcert option when configuring Libreswan connections through NetworkManager. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using a certificate.

The nmstate utility now supports the rightcert option

You can use the rightcert option when configuring Libreswan connections through the nmstate utility. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using the certificate. The following example YAML file sets the rightcert option:

nmstate now supports the leftsubnet option

You can define entire subnets for IPsec (Internet Protocol Security) connections when configuring Libreswan connections through the nmstate utility by using the leftsubnet option. This ensures secure communication between different network segments. The following example YAML file sets the leftsubnet option:

NetworkManager supports connecting to IPsec VPNs that use IPv6 addressing

Previously, NetworkManager supported only IPv4 addressing when using the NetworkManager-libreswan plugin to connect to Internet Protocol Security (IPsec) VPN. With this update, you can connect to IPsec VPNs that use IPv6 addressing.

You can use both firewalld and nftables services simultaneously

The firewalld and nftables systemd services are available to use simultaneously. Previously, users could enable only one of these services at a time. With this enhancement, these systemd services no longer conflict with each other.

Kernel version in RHEL 9.5

Red Hat Enterprise Linux 9.5 is distributed with the kernel version 5.14.0-503.11.1.

The eBPF facility has been rebased to Linux kernel version 6.8

Notable changes and enhancements include:

rteval now supports relative CPU lists for loads

With this enhancement, the --loads-cpulist now accepts relative CPU lists as arguments. The syntax is the same for the default measurement CPU list when using the parameter --measurement-cpulist.

A support for 420xx devices is added to QAT

With this update, QAT supports 420xx devices. It includes a new device driver that supports updates to the firmware loader and other capabilities. Compared to 4xxx devices, the 420xx devices now have more acceleration engines, 16 service engines, and 1 administrative engine, and support the wireless cipher algorithms ZUC and Snow 3G.

Introducing noswap option when mounting TMPFS filesystem

TMPFS is an in-memory filesystem largely utilized for quickly sharing information across multiple processes. Starting with version 2.2, glibc expects a tmpfs filesystem to be mounted at dev/shm to support POSIX shared memory. This mount point is necessary for shm_open and shm_unlink subroutines to function correctly. TMPFS blocks can be swapped out when there is a memory shortage, which poses a problem for certain performance- or privacy-critical workloads.

Introducing rteval container for real-time performance testing

The rteval container provides tools and methods for accurately measuring system latencies. With this feature, users can measure the real-time performance of their systems. It evaluates the configuration of the Linux kernel for optimal real-time performance to analyze performance based on specific application needs.

NVMf-FC kdump is now supported on the IBM Power

NVMf-FC kdump now supports the IBM Power system for running kexec-tools. This allows the capture of system memory dumps over a fiber channel network using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.

File system quotas for tmpfs file system are now supported

The /tmp directory is typically mounted using tmpfs, and it is accessible to all users by default. This presents a risk where a single user can potentially fill up the entire system memory by writing excessively to this directory.

NVMe TP 8006 in-band authentication with NVMe/TCP is now supported

NVMe TP 8006 in-band authentication for NVMe over Fabrics (NVMe-oF) was introduced in RHEL 9.2 as a Technology Preview, which is now fully supported. This feature provides DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is defined in the NVMe Technical Proposal 8006. For details, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) man page.

New pcs status wait command

The pcs command-line interface now provides a pcs status wait command. This command ensures that Pacemaker has completed any actions required by changes to the Cluster Information Base (CIB) and does not need to take any further actions in order to make the actual cluster state match the requested cluster state.

pcs support for new commands to query the status of a resource in a cluster

The pcs command-line interface now provides pcs status query resource commands to query various attributes of a single resource in a cluster. These commands query:

New pcs resource defaults and pcs resource op defaults option for displaying configuration in text, JSON, and command formats

The pcs resource defaults and pcs resource op defaults commands and their aliases pcs stonith defaults and pcs stonith op defaults now provide the --output-format option.

New Pacemaker option to leave a panicked node shut down without rebooting automatically

You can now set the PCMK_panic_action variable in the /etc/sysconfig/pacemaker configuration file to off or sync-off. When you set this variable to off or sync-off, a node remains shut down after a panic condition instead of rebooting automatically.

Support for new pcsd Web UI features

The pcsd Web UI now supports the following features:

Increased performance of the Python interpreter

All supported versions of Python in RHEL 9 are now compiled with GCC’s -O3 optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.

httpd rebased to 2.4.62

The httpd package has been updated to version 2.4.62 that includes various bug fixes, security fixes, and new features. Notable feature include :

mod_md rebased to version 2.4.26

The mod_md module has been updated to version 2.4.26. Notable changes over the previous version include:

PostgreSQL 16 now provides the pgvector extension

The postgresql:16 module stream is now distributed with the pgvector extension. With the pgvector extension, you can store and query high-dimensional vector embeddings directly within PostgreSQL databases and perform a vector similarity search. Vector embeddings are numerical representations of data that are often used in machine learning and AI applications to capture the semantic meaning of text, images, or other data types.

A new db_converter tool to convert a libdb database to the GDBM format

The deprecated Berkeley DB (libdb) now provides the db_converter tool for converting a lidbd database to the GNU dbm (GDBM) database format. The db_converter tool is distributed in the libdb-utils subpackage.

System GCC rebased to version 11.5

The system version of GCC in RHEL 9 has been updated to version 11.5. This update provides numerous bug fixes.

A new tunable for glibc is available to improve performance by placing dynamic objects closer together

Previously, the dynamic loader of glibc placed dynamic objects randomly throughout the available address space to enhance security. Consequently, objects were often too far apart, which led to inefficient calls between them.

glibc now supports dynamic linking of Intel APX-enabled functions

An incompatible dynamic linker trampoline was identified as a potential source of incompatibilities for Intel Advanced Performance Extensions (APX) applications. As a workaround, it was possible to use the BIND_NOW executable or use only the standard calling convention. With this update, the dynamic linker of glibc preserves APX-related registers.

Optimization of AMD Zen 3 and Zen 4 performance in glibc

Previously, AMD Zen 3 and Zen 4 processors sometimes used the Enhanced Repeat Move String (ERMS) version of the memcpy and memmove library routines regardless of the most optimal choice. With this update to glibc, AMD Zen 3 and Zen 4 processors use the most optimal versions of memcpy and memmove.

System version of GDB rebased to version 14.2 and GDB removed from GCC Toolset

GDB has been updated to version 14.2. Starting with RHEL 9.5, GDB is transitioning into a rolling Application Stream with its system version rebased in minor releases of RHEL. Therefore, GDB is not included in GCC Toolset 14 in RHEL 9.

elfutils rebased to version 0.191

The elfutils package has been updated to version 0.191. Notable improvements include:

SystemTap rebased to version 5.1

The SystemTap tracing and probing tool has been updated to version 5.1. Notable changes include:

valgrind rebased to version 3.23.0

The Valgrind suite has been updated to version 3.23.0. Notable enhancements include:

libabigail rebased to version 2.5

The libabigail library has been updated to version 2.5. Notable changes include:

New GCC Toolset 14

GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

GCC Toolset 14: GCC rebased to version 14.2

In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2.

GCC Toolset 14: annobin rebased to version 12.70

In GCC Toolset 14, annobin has been updated to version 12.70. The updated set of the annobin tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.

GCC Toolset 14: binutils rebased to version 2.41

RHEL 9.5 is distributed with GCC Toolset 14 binutils version 2.41. New features include:

LLVM Toolset updated to 18.1.8

LLVM Toolset has been updated to version 18.1.8.

Rust Toolset rebased to version 1.79.0

Rust Toolset has been updated to version 1.79.0. Notable enhancements since the previously available version 1.75.0 include:

Go Toolset rebased to version 1.22

Go Toolset has been updated to version 1.22.

PCP rebased to version 6.2.2

Performance Co-Pilot (PCP) has been updated to version 6.2.2. Notable changes over the previously available version 6.2.0 include:

Grafana rebased to version 10.2.6

The Grafana platform has been updated to version 10.2.6.

GCC Toolset 13: GCC supports AMD Zen 5

The GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5 command-line option.

Red Hat build of OpenJDK 17 is now the default Java implementation in RHEL 9

The default RHEL 9 Java implementation is being changed from OpenJDK 11, which has reached its End Of Life (EOL), to OpenJDK 17. After this update, the java-17-openjdk packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit, will also provide the java and java-devel packages. For more information, see the OpenJDK documentation.

python-jwcrypto rebased to version 1.5.6

The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix to an issue where an attacker could cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio.

ansible-freeipa rebased to 1.13.2

The ansible-freeipa package has been rebased from version 1.12.1 to 1.13.2 Notable enhancements include:

ipa rebased to version 4.12.0

The ipa package has been updated from version 4.11 to 4.12.0. Notable changes include:

certmonger rebased to version 0.79.20

The certmonger package has been rebased to version 0.79.20. The update includes various bug fixes and enhancements, most notably:

samba rebased to version 4.20.2

The samba packages have been upgraded to upstream version 4.20.2, which provides bug fixes and enhancements over the previous version. The most notable changes are:

389-ds-base rebased to version 2.5.2

The 389-ds-base package has been updated to version 2.5.2. Notable bug fixes and enhancements over version 2.4.5 include:

Improved MIT krb5 TCP connection timeout handling

Previously, TCP connections timed out after 10 seconds. With this update, MIT krb5 TCP connection handling has been modified to no longer use a default timeout. The request_timeout setting now limits the total request duration rather than the duration of individual TCP connections. This change addresses integration issues with SSSD, especially for two-factor authentication use cases. As a result, users experience more consistent handling of TCP connections, as the request_timeout setting now effectively controls the global request maximum duration.

New SSSD option: failover_primary_timeout

You can use the failover_primary_timeout option to specify the time interval in seconds for the sssd service to attempt reconnecting to the primary IdM server after switching to a backup server. The default value is 31 seconds. Previously, if the primary server was unavailable, SSSD would automatically switch to a backup server after the fixed timeout of 31 seconds.

GNOME Online Accounts can restrict which features providers can use

You can use the new goa.conf file in the system configuration directory, usually named /etc/goa.conf, to limit what features each provider can use.

New package: cockpit-files

The cockpit-files package provides the File manager page in the RHEL web console. With the File manager, you can perform the following actions:

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

Support for configuring GFS2 file systems by using RHEL system roles

Red Hat Enterprise Linux 9.5 supports the configuration and management of the Red Hat Global File System 2 (GFS2) by using the gfs2 RHEL system role. The role creates GFS2 file systems in a Pacemaker cluster managed with the pcs command-line interface.

New sudo RHEL system role

sudo is a critical part of RHEL system configuration. With the new sudo RHEL system role, you can consistently manage sudo configuration at scale across your RHEL systems.

The storage RHEL system role can now manage Stratis pools

With this enhancement, you can use the storage RHEL system role to complete the following tasks:

New variables in the journald RHEL system role: journald_rate_limit_interval_sec and journald_rate_limit_burst

The following two variables have been added to the journald RHEL system role:

New variables in the podman RHEL system role: podman_registry_username and podman_registry_password

The podman RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:

New variable in the postfix RHEL system role: postfix_files

The postfix RHEL system role now enables you to configure extra files for the Postfix mail transfer agent. For that purpose, you can use the following role variable:

The snapshot RHEL system role now supports managing snapshots of LVM thin pools

With thin provisioning, you can use the snapshot RHEL system role to manage snapshots of LVM thin pools. These thin snapshots are space-efficient and only grow as data is written or modified after the snapshot is taken. The role automatically detects if the specified volume is scheduled for a thin pool. The added feature could be useful in environments where you need to take frequent snapshots without consuming a lot of physical storage.

New option in the logging RHEL system role: reopen_on_truncate

The files input type of the logging_inputs variable now supports the following option:

New variable in the logging RHEL system role: logging_custom_config_files

You can provide custom logging configuration files by using the following variable for the logging RHEL system role:

The logging RHEL system role can set ownership and permissions for rsyslog files and directories

The files output type of the logging_outputs variable now supports the following options:

Using the storage RHEL system role creates fingerprints on managed nodes

If not already present, storage creates a unique identifier (fingerprint) every time you run this role. The fingerprint has the form of the # system_role:storage string written to the /etc/fstab file on your managed nodes. As a result, you can track which nodes are managed by storage.

New variables in the podman RHEL system role: podman_registry_certificates and podman_validate_certs

The following two variables have been added to the podman RHEL system role:

New variable in the podman RHEL system role: podman_credential_files

Some operations need to pull container images from registries in an automated or unattended way and cannot use the podman_registry_username and podman_registry_password variables.

The nbde_client RHEL system role now enables you to skip running certain configurations

With the nbde_client RHEL system role you can now disable the following mechanisms:

The ssh RHEL system role now recognizes the ObscureKeystrokeTiming and ChannelTimeout configuration options

The ssh RHEL system role has been updated to reflect addition of the following configuration options in the OpenSSH utility suite:

The src parameter was added to the network RHEL system role

The src parameter to the route sub-option of the ip option for the network_connections variable has been added. This parameter specifies the source IP address for a route. Typically, it is useful for the multi-WAN connections. These setups ensure that a machine has multiple public IP addresses, and outbound traffic uses a specific IP address tied to a particular network interface. As a result, support for the src parameter provides better control over traffic routing by ensuring a more robust and flexible network configuration capability in the described scenarios.

The storage RHEL system role can now resize LVM physical volumes

If the size of a block device has changed and you use this device in an LVM, you can adjust the LVM physical volume as well. With this enhancement, you can use the storage RHEL system role to resize LVM physical volumes to match the size of the underlying block devices after you resized it. To enable automatic resizing, set grow_to_fill: true on the pool in your playbook.

RHEL supports live migrating VMs with attached NVIDIA vGPUs

With this update, you can now live migrate a running virtual machine with attached vGPUs to another KVM host. Currently, this is only possible with NVIDIA GPUs.

nbdkit rebased to version 1.38

The nbdkit package has been rebased to upstream version 1.38, which provides various bug fixes and enhancements. The most notable changes are the following:

OpenTelemetry Collector for RHEL on public cloud platforms

When running RHEL on a public cloud platform, you can now use the OpenTelemetry (OTel) framework to collect and send telemetry data, such as logs, metrics, and traces. This helps you maintain and debug your RHEL cloud instances. With this update, RHEL includes the OTel Collector service, which you can use to manage logs. The OTel Collector gathers, processes, transforms, and exports logs to and from various formats and external back ends. You can also use the OTel Collector to aggregate the collected data and generate metrics useful for analytics services. For example, you can configure OTel Collector to send data to Amazon Web Services (AWS) CloudWatch, which enhances the scope and accuracy of data obtained by CloudWatch from RHEL instances .

awscli2 is generally available for RHEL on AWS

With the awscli2 utility, you can now use Amazon Web Services (AWS) APIs from a RHEL instance to deploy new infrastructure offerings, as well as manage existing deployments. Note that installing awscli2 from a Red Hat Enterprise Linux repository ensures that awscli2 is installed from a trusted source and receives automatic updates. As a result, you can gather information regarding cloud deployment services, manage infrastructure resources, and refer to built-in documentation provided with awscli2.

Log collection on Azure is now disabled by default

Previously, the Windows Azure Linux Agent (WALA) in Microsoft Azure collected debugging logs on virtual machines (VMs) by default. However, these agent logs might contain confidential information. To improve data security, WALA is now disabled by default, and does not collect any data on the VM. To re-enable log collection, do the following:

The --api-url option is now available

With the --api-url option you can call another API as per requirement. For instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions.

The new --skip-cleaning-files option is now available

The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.

The plugin option names now use only hyphens instead of underscores

To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.

Image mode for RHEL now supports FIPS mode

With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, that additionally to enabling FIPS mode in the Containerfile, also requires adding the fips=1 kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.

Image mode for RHEL now supports logically bound app images

With this enhancement, you have support for container images that are lifecycle bound to the base bootc image. This helps unite different operational processes for applications and operating systems and the app images are referenced from the base image as image files or an equivalent. As a result, you can manage multiple container images for system installations, for example, for a disconnected installation, the system must all be mirrored, not just one.

Podman and Buildah support adding OCI artifacts to image indexes

With this update, you can create artifact manifests and add them to image indexes.

Option is available to disable Podman healthcheck event

This enhancement adds a new healthcheck_events option in the containers.conf configuration file under the [engine] section to disable the generation of health_status events. Set healthcheck_events=false to disable logging healthchek events.

Runtime resource changes in Podman are persistent

The updates of container configuration by using the podman update command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.

Building multi-architecture images is fully supported

The podman farm build command that creates multi-architecture container images is now fully supported.

Quadlets for pods in Podman are available

Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.

The Podman v2.0 RESTful API has been updated

The new fields has been added to the libpod/images/json endpoint:

Kubernetes YAML now supports a data volume container as an init container

A list of images to automatically mount as volumes can now be specified in Kubernetes YAML by using the "io.podman.annotations.kube.image.automount/$ctrname" annotation. Image-based mounts using podman run --mount type=image,source=<image>,dst=<path>,subpath=<path> now support a new option, subpath, to mount only part of the image into the container.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:

The --compat-volumes option is available for Podman and Buildah

You can use the new --compat-volumes option with the buildah build, podman build, and podman farm build commands. This option triggers special handling for the contents of directories marked using the VOLUME instruction such that their contents can subsequently only be modified by ADD and COPY instructions. Any changes made in those locations by RUN Instructions will be discarded. Previously, this behavior was the default, but it is now disabled by default.

A new rhel10-beta/rteval container image

The real-time registry.redhat.io/rhel10-beta/rteval container image is now available in the Red Hat Container Registry to run latency analysis on either a standalone RHEL installation. With rhel10-beta/rteval container image, you can perform latency testing within a containerized setup to determine if such a solution is viable for your real-time workloads or to compare results against a bare-metal run of rteval. To use this feature, subscribe to RHEL with real-time support. No tuning guidelines are provided.

The containers.conf file is now read-only

The system connections and farm information stored in the containers.conf file is now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.

macvlan and ipvlan network interface names are configurable in containers.conf

To specify macvlan and ipvlan networks, you can adjust the name of the network interface created inside containers by using the new interface_name field in the containers.conf configuration file.

bootc-image-builder now supports defining and injecting custom Kickstart files to ISO builds

With this enhancement, now you can define a Kickstart by setting users, customize partitioning, inject key, and inject the kickstart file to an ISO build to configure the installation process. The resulting disk image creates a self-contained installer that automates and deploys devices, disconnected systems, edge devices, between others. As a result, it is much easier to create customized media with bootc-image-builder.

Support to building GCP images by using bootc-image-builder

By using the bootc-image-builder tool you can now generate .gce disk images and provision the instances on the Google Compute Engine (GCE) platform.

Support to creating and deploying VMDK with bootc-image-builder

With this enhancement, now you can create a Virtual Machine Disk (VMDK) from a bootc image, by using the bootc-image-builder tool, and deploy VMDK images to VMware vSphere.

The podman pod inspect command now provides a JSON array regardless of the number of pods

Previously, the podman pod inspect command omitted the JSON array when inspecting a single pod. With this update, the podman pod inspect command now produces a JSON array in the output regardless of the number of pods inspected.

The composefs filesystem is now available

The composefs read-only filesystem is now fully supported. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.

The Kickstart installations now applies the dhcpclass option correctly

The application of the kickstart configuration is moved from NetworkManager to Anaconda by using the NetworkManager API. Previously, Anaconda handled only commands specified in the %pre section. During installation, this change had caused omission of the dhcpclass option in the kickstart network command, which led to incorrect application of network configuration. With this update, the handling of the dhcpclass option in Anaconda by using the NetworkManager API has been corrected. As a result, the dhcpclass option defined in kickstart configurations is now properly applied during the installation process.

Improved installer stability during virtual network devices configuration

Previously, the installer could crash when creating a VLAN network device over an existing virtual network device (for example, Team or Bond) in the GUI. This occurred when the underlying device’s state changed during the configuration update to the user interface for the new device state.

Stale network link configuration files no longer cause rendering your OS unbootable

Previously, the RHEL installer created stale /etc/systemd/network/ link configuration files during the installation. The outdated configuration files interfere with the intended network settings. This leads to an unbootable system if the boot is from NVMe over TCP. With this fix, users no longer need to manually remove, /etc/systemd/network/10-anaconda-ifname-nbft*.link files and regenerate the initramfs by running the dracut -f command.

Non-constant time code paths removed from OpenSSL EC signatures

Previously, OpenSSL used non-constant time code paths for Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. This could have exposed the signature operations to attacks similar to the Minerva attack and potentially reveal the private key. This update removes non-constant time code paths in OpenSSL EC signatures, and as a result, this vulnerability is no longer present.

SELinux policy correctly labels npm

Previously, the npm service executable was labeled with the generic lib_t SELinux type. As a consequence, npm could not be executed. In this update, the npm executable has been explicitly labeled in the SELinux policy with the bin_t type. As a result, the npm service starts successfully and runs in the unconfined_service_t domain.

SELinux policy adds rules for sysadm_r users to define input/output log directory through sudo

Previously, the SELinux policy did not contain rules to allow confined administrators to run any command to specify the input/output log directory by using sudo when the iolog_dir option was defined in the sudo configuration. As a consequence, confined administrators in the sysadm_r role could not execute commands by using sudo with the iolog_dir option. This update adds a rule to the SELinux policy, and as a result, sysadm_r users can execute commands by using sudo with iolog_dir.

Audit rules for /proc are now correctly loaded during the boot

Before this update, the system failed to load Audit watch rules for the /proc directory during the boot phase. Consequently, the administrator had to load the rules manually later, and the rules were not applied during the boot. The bug has been fixed, and the system now loads the Audit rules related to /proc during the boot phase.

Audit in the immutable mode no longer prevents auditd from starting

Previously, if the Audit system was set to the immutable mode by adding the -e 2 rule, the augenrules command exited with a return code of 1 instead of 0 when restarting the auditd service or running the augenrules --load command. Consequently, the system interprets the return code of 1 as an error, and this prevents it from starting auditd at boot. With this update, augenrules exits with a zero return code when Audit is set to the immutable mode, and the system can correctly start auditd in this scenario.

IPsec ondemand connections no longer fail to establish

Previously, when an IPsec connection with the ondemand option was set up by using the TCP protocol, the connection failed to establish. With this update, the new Libreswan package makes sure that the initial IKE negotiation completes over TCP. As a result, Libreswan successfully establishes the connection even in TCP mode of IKE negotiation.

update-ca-trust extract no longer fails to extract certificates with long names

When extracting certificates from the trust store, the trust tool internally derives the file name from the certificates’ object label. For long enough labels, the resulting path might previously have exceeded the system’s maximum file name length. As a consequence, the trust tool failed to create a file with a name that exceeded the maximum file name length of a system. With this update, the derived name is always truncated to within 255 characters. As a result, file creation does not fail when the object label of a certificate is too long.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

The dnf autoremove command behavior is now consistent with the man page documentation and the command now considers the package installation reason

Previously, when you removed unnecessary packages by using the dnf autoremove command, installed packages marked as installonly were removed. However, the dnf(8) man page documentation contained information that installonly packages were excluded from the dnf autoremove operations.

The dnf-automatic systemd service no longer fails to apply security updates

Previously, when you used the dnf-automatic-install systemd service to only apply security fixes, the automatic upgrade of the samba-client-libs package failed. With this update, dnf-automatic applies security updates the same way as the DNF tool. As a result, the dnf-automatic service no longer fails to apply security updates.

dnf remove --duplicates no longer exits with non-zero exit code and error message

Previously, if you ran the dnf remove --duplicates command when no duplicate packages were present on the system, dnf exited with non-zero exit code and the No duplicated packages found for removal. error on standard error output (stderr). With this update, dnf now exits with 0 and does not write anything on stderr. Note that the same issue was also fixed for the dnf remove --oldinstallonly command when no older versions of installonly packages are installed.

dnf remove-n now removes only packages with the matching RPM names

Previously, if you had installed some package and another package that has the name of the former package in the RPM Provides directive, a first invocation of the dnf remove-n command removed the former package. A repeated invocation of the command removed the latter package.

dnf reinstall now respects a cost of the repositories when reinstalling a package

Previously, if you reinstalled a package available in multiple repositories, the package was not reinstalled from a repository with the lowest cost. With this update, the DNF tool supplies packages from all repositories to a dependency solver if the packages have the equal name-epoch-version-release-architecture identifier. As a result, the dnf reinstall command now respects the cost of the repositories.

dnf-system-upgrade now points to its documentation by using a secure HTTPS link

Previously, the dnf-system-upgrade service documentation used the insecure HTTP link to access its documentation. With this update, the URL now uses the secure HTTPS schema.

dnf history rollback now correctly executes during a repeated rollback of an RPM transaction that includes installation and upgrade of the same package

Previously, when you performed a repeated rollback on an RPM transaction that included installation and upgrade of the same package, the dnf history rollback command attempted to perform a bogus transaction. This transaction failed instead of doing nothing because the rollback to the latest transaction had nothing to roll back.

microdnf no longer fails to reinstall packages that conflict with an RPM symbol they provide

Previously, when you reinstalled a package with the microdnf package manager, the RPM transaction failed. With this update, libdnf creates an RPM transaction where the package being reinstalled provides an RPM symbol that the package also conflicts with. As a result, microdnf can now reinstall packages that conflict with an RPM symbol they provide.

Interpreting the Anaconda kickstart script no longer hangs when you install the system

Previously, when you installed the system with the Anaconda kickstart script, interpreting this script randomly hung. With this update, the libdnf memory management allows applying a query after increasing the number of available packages. As a result, system installation does not hang because the libdnf library does not throw an exception after enabling a repository.

DNF(8) now includes information about dnf makecache --timer not trying further mirrors if the first mirror fails

Previously, the information that the dnf makecache --timer command does not try further mirrors in a repository mirrorlist if the first mirror failed was not included in the DNF(8) man page. With this update, the documentation was updated to include this information.

The pkla-compact binary is executed when the polkit is called on the logind-session-monitor event

Previously, re-verification of the authorizations for polkit actions was triggered by any logind-session-monitor event for all users, for example, login, logout, session state change. Adittionally, each CheckAuthorization request executed the polkit-pkla-compat binary to check for legacy .pkla configuration files even if no such files are present on the system, which causes CPU usage to increase by the polkit daemon.

Improved dovecot stability for missing sieve scripts

Previously, dovecot did not properly track optional sieve scripts. As a result, if the hash group for the path of the missing script matched that of another script, the LDA process could crash during the email delivery.

The print-config option in nvram command does not result in segmentation fault

Previously, when the nvram command was run with the print-config option, it resulted in segmentation fault. The segmentation fault occurred because the code tried to access memory beyond the limit of the data present in the varlen index. The varlen index is the length of the string provided by the user.

The nvram --nvram-size command does not result in segmentation fault

Previously, when the nvram-size command exceeded the default size value, a segmentation fault was encountered.

ReaR now interprets square brackets enclosing IPv6 addresses in URLs as expected

Previously, square brackets in OUTPUT_URL and BACKUP_URL were not interpreted correctly. Specifying an IPv6 address instead of a host name requires enclosing the address in square brackets, for example, [::1] for localhost. Since the brackets were not interpreted correctly, using an IPv6 address in a sshfs:// or nfs:// URL was not possible.

CPU usage rises negligibly when NetworkManager processes large regularly updated routing tables

Previously, when external routing daemons updated big IPv6 tables of more than thousands of routes, NetworkManager increased its CPU usage to almost 100%. This could slow down the overall system performance and network configuration. The problem has been fixed by updating the NetworkManager source code to ignore the changes to routes for routing protocols other than a small set of protocols. As a result, the CPU usage rises negligibly in the previously described circumstances.

The value for ipv6.ip6-privacy no longer changes between connection activations

Originally, when the global default value was not set for the ipv6.ip6-privacy parameter, its value reverted to the value from the /proc/sys/net/ipv6/conf/default/use_tempaddr file. A recent change to the NetworkManager source code caused it to incorrectly fall back to the value read from the /proc/sys/net/ipv6/conf/IFNAME/use_tempaddr file instead. As a consequence, IPv6 address generation changed, and the value for ipv6.ip6-privacy could change between connection activations. The problem has been fixed by reverting back to the original behavior. As a result, the value for ipv6.ip6-privacy does not change anymore between connection activations.

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

eBPF programs in Linux Falcon Sensor caused a kernel panic on load

Previously, eBPF programs used by the Linux Falcon Sensor in user-mode caused kernel panics. As a consequence, some of the kernels of RHEL v9.4 were affected when loading such programs.

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a VM machine.

multipathd now displays a message instead of being unresponsive

Previously, on executing the multipathd show maps topology command or any other command without any multipath devices, the command used to hang and timeout without any other response. With this update, the multipathd command now displays ok where there is no output to return without hanging and timing out.

multipath now correctly associates the paths with native multipathd NVMe devices

Previously, the multipath command displayed native multipathd NVMe devices with namespace 1, as the first defined namespace in their path, instead of displaying the correct path. With this fix, multipath now correctly matches the paths to the native multipathd NVMe devices while listing them. As a result, while using multipath to view native multipathd NVMe devices, you can see the correct paths, where the namespace ID of the path matches the namespace ID of NVMe devices.

Modification in flush_on_last_del parameter of multipathd resolves service hanging issue

Previously, multipathd could hang while trying to automatically remove an unused multipath device whose last path was deleted. In this case, the multipath device was set to queue IO when there were no usable paths

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

LUNs are now visible during the operating system installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

pcs output no longer wrapped when piped to the grep utility

Previously, when the pcs output was piped to another process, the output width always defaulted to 80 characters. This made it difficult to use the grep utility to look for specific lines in the output. With this change, pcs does not wrap its output when piped to grep.

pcsd processes now consistently stop correctly and promptly

Previously, the creation method for pcsd processes sometimes caused a deadlock during process termination. The processes were then terminated only after a systemd timeout. This fix changes the process creation method and there is no longer a deadlock when the processes are stopped. As a result, pcsd consistently stops correctly within a short time.

pcs validation of SBD options

Previously, when you enabled SBD with the pcs stonith sbd enable command and specified values for SBD options that are not valid, it resulted in SBD misconfiguration. The pcs command-line interface has been updated to validate the values for SBD options. When the values are not valid, pcs reports the error and does not create or update an SBD configuration.

Ability to remove Booth configuration from a Booth arbitrator node

Previously, running the pcs booth destroy command to remove Booth configuration from a Booth arbitrator node yielded an error. This happened because the command did not remove Booth configuration from nodes that are not part of the cluster. It is now possible to remove Booth configuration from Booth arbitrators.

pcs no longer validates fencing topology with fencing levels greater than 9

The Pacemaker cluster resource manager ignores fencing topology levels greater than 9. Configuring levels greater than 9 may lead to failed fencing. With this update, you can configure fencing levels with values of only 1 to 9 in the pcs command-line interface and fencing topology works correctly.

The CIB manager no longer increases in size indefinitely with each request from an asynchronous client

Previously, when the CIB manager received a request from an asynchronous client, it leaked a small amount of memory. This caused the CIB manager process gradually to grow in size. With this fix, the relevant memory is freed for asynchronous clients and the CIB manager process does not grow in size indefinitely.

The crm_node -i command now correctly parses a node ID

Previously, the crm_node -i and the equivalent crm_node --cluster-id commands would sometimes show a "Node is not known to cluster" message instead of the local node’s cluster ID as expected. With this fix, node IDs are properly parsed and the command works as intended.

GCC Toolset 13: GCC now compiles code correctly on IBM POWER9, Little Endian with vectorization enabled

Previously, when compiling code on IBM POWER9, Little Endian with vectorization enabled, the GCC compiler generated incorrect code. The Register Transfer Language (RTL) pattern in the expander has been fixed, and the code now compiles correctly.

glibc dynamic linker prevents reentrant malloc calls made by applications using TLS access from custom malloc implementations

Some applications provide a custom malloc dynamic memory allocation implementation that uses global-dynamic thread-local storage (TLS) instead of initial-exec TLS. Prior to this update, applications with bundled malloc calls that use global-dynamic TLS could experience reentrant calls into the application’s malloc subsystem. As a consequence, the application malloc call crashed due to stack exhaustion or unexpected state of internal data structures. With this update, the glibc dynamic linker detects TLS access from custom malloc implementations. If a TLS access during a malloc call is detected, further calls during TLS processing are skipped, and reentrant malloc calls are prevented.

TLS data is no longer overwritten by calls to dlopen() from an ELF constructor

Previously, the glibc dynamic linker did not track the initialization status of thread-local storage (TLS) correctly in certain cases where the dlopen() function was invoked from an ELF constructor. Consequently, TLS data was reverted to its original value after it had been modified by the application. With this update, the dynamic linker uses a separate flag to track TLS initialization for each shared object. As a result, TLS data is no longer unexpectedly overwritten by calls to the dlopen() function from an ELF constructor.

Perftools no longer fail to process LTO debug information

Previously, the Binary File Descriptor (BFD) library from the binutils collection, which is used by performance tools to read debug information from binary files, was unable to handle debug information generated by the GCC compiler with the Link Time Optimization (LTO) enabled. As a consequence, perftools displayed error messages and failed to execute correctly when examining files that contained LTO debug information. The BFD library has been updated to handle debug information generated during compilation with LTO enabled, and the affected perftools successfully process such debug information.

The ipa-replica-manage command no longer resets the nsslapd-ignore-time-skew setting during forced replication

Previously, the ipa-replica-manage force-sync command reset the nsslapd-ignore-time-skew setting to off, regardless of the configured value. With this update, the nsslapd-ignore-time-skew setting is no longer overwritten during forced replication.

The ipa idrange-add command now warns that Directory Server must be restarted on all IdM servers

Previously, the ipa idrange-add command did not warn the administrator that they must restart the Directory Server (DS) service on all IdM servers after creating a new range. As a consequence, the administrator sometimes created a new user or group with a UID or GID belonging to the new range without restarting the DS service. The addition resulted in the new user or group not having an SID assigned. With this update, a warning that DS needs to be restarted on all IdM servers is added to the command output.

certmonger now correctly renews KDC certificates on hidden replicas

Previously, when the certificate was about to expire, certmonger failed to renew the KDC certificate on hidden replicas. This happened because the renewal process only considered non-hidden replicas as active KDCs. With this update, the hidden replicas are treated as active KDCs, and certmonger renews the KDC certificate successfully on these servers.

AD administrators can now deploy IdM replicas

Previously, during the installation of a RHEL Identity Management (IdM) replica, checking if the provided Kerberos principal had the required privilege did not extend to checking user ID overrides. Consequently, a replica connection check failed while trying to deploy a replica using the credentials of an AD administrator that had an ID override with the needed privilege.

Integration between shadow-utils and sss_cache for local user caching is disabled

In RHEL 9, the SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, was disabled by default. However, the integration in shadow-utils was not fully disabled, which resulted in calls to sss_cache when adding or deleting local users. The unnecessary cache updates caused performance issues for some users. With this update, the shadow-utils integration with sss_cache is fully disabled, and the performance issues caused by unnecessary cache updates no longer occur.

Directory Server no longer ignores nsslapd-idletimeout

Previously, if a connection was open by a non Directory Manager user, Directory Server could ignore the nsslapd-idletimeout value and did not close the connection after the specified amount of time. With this update, Directory Server closes connection as expected after reaching the configured idle time.

Search operations now return large groups faster

Previously, if searches of large static groups used a filter that contained equality matching components with the uniquemember attribute, for example, '(uniquemember=uid=foo,ou=people,<suffix>)', such searches were slow and CPU-intensive. With this update, during search filter evaluation, Directory Server uses an internal structure where the member distinguished names (DNs) are sorted, which makes searches of large groups faster and less CPU-intensive.

One-level scoped search no longer fails to return sub-suffixes

Previously, when you ran the ldapsearch command with the -s option set to one, the search result did not contain sub-suffixes of the entry specified in the -b option. With this update, the one-level scoped search successfully returns immediate children of the entry.

The Referential Integrity plug-in no longer leads to the server failure

Previously, when you used the Referential Integrity plug-in with the deferred check, the thread that processed the check could access the released data structure at shutdown leading to server failure. With this update, the plug-in no longer releases the data structure until the deferred checking thread stops and no failure occurs.

The dscreate ds-root command now accepts a relative path

Previously, when you tried to create an instance as a non-root user and provided a bin_dir argument value that contained a relative path, the relative path was written to the defaults.inf file causing the instance creation failure. With this update, when you provide a relative path as the bin_dir argument value, the instance is now created successfully.

Offline import of LDIF files now runs correctly

Previously, before an offline import the cache autotuning operation was not triggered. As a result, the import operation was slow when performed by the ldif2db script. With this update, Directory Server triggers the cache autotuning before the ldif2db operation increasing the import performance.

The dsconf schema matchingrules list command now displays the new inchainMatch matching rule

Previously, the dsconf utility did not display the supported inchainMatch matching rule in the list of matching rules because inchainMatch was registered without matching syntax. With this update, the syntax for the inchainMatch is defined, and when you run the dsconf schema matchingrules list command, the inchainMatch is displayed in the list.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

cockpit-machines now correctly removes USB host devices

The cockpit-machines add-on did not correctly handle removals of USB host devices from running virtual machines. Consequently, when you clicked Remove in the RHEL web console, instead of successful removal, you saw the following error message:

Implementation of multiple sets of key-value pairs of node attributes is now consistent with other cluster configuration components

The ha_cluster RHEL system role supports only one set of key-value pairs for each configuration item. Previously, when you configured multiple sets of node attributes, the sets were merged into a single set. With this update, the role uses only the first set you define and ignores the other sets. This behavior is now consistent with how the role implements multiple sets of key-value pairs for other configuration components that use a key-value pair structure.

No property conflicts between the NetworkManager service and the NetworkManager plugin

Previously, the network RHEL system role did not request user consent to restart the NetworkManager service when updates were available to networking packages, particularly, due to wireless interface changes. Consequently, this led to potential conflicts between the NetworkManager service and the NetworkManager plugin. Alternatively, the NetworkManager plugin was failing to run correctly. The problem has been fixed by making the network RHEL system role ask user for their consent to restart the NetworkManager service. As a result, there are no property conflicts between the NetworkManager service and the NetworkManager plugin in the described scenario.

GRUB2 on RHEL 9 and RHEL 10 Beta UEFI managed nodes correctly prompts for a password

Previously, the bootloader RHEL system role incorrectly placed the password information in the /boot/efi/EFI/redhat/user.cfg file on managed nodes that ran RHEL 9 and RHEL 10 Beta with UEFI Secure Boot feature. The correct location was the /boot/grub2/user.cfg file. Consequently, when you rebooted the managed node to modify any boot loader entry, GRUB2 did not prompt you for a password. This update fixes the problem by setting the path for user.cfg to /boot/grub2/ in the source code. When you reboot the OS on a UEFI Secure Boot managed node to modify any boot loader entry, GRUB2 prompts you to input your password.

You cannot set the name parameter for the imuxsock input type

Previously, the logging RHEL system role incorrectly set a name parameter for the imuxsock input type. As a consequence, this input type did not support the name parameter and the rsyslog utility on the managed node printed this error …​parameter 'name' not known — typo in config file?…​. This update fixes the logging RHEL system role to ensure that the name parameter is not associated with the imuxsock input type.

Running the storage RHEL system role on a system with a pre-existing Stratis pool works as expected

Previously, the storage RHEL system role could not process the existing devices and device formats. This caused the role to fail on systems with a pre-existing Stratis pool, when checking if Stratis format conformed to the configuration specified by the playbook. Consequently, the playbook failed with an error, however the Stratis pool itself was not damaged or changed. This update makes the storage RHEL system role work correctly with Stratis devices and other formats without labelling support. As a result, running a playbook on a system with a pre-existing Stratis pool no longer fails.

Removing Quadlet-defined networks using podman works irrespective of a custom NetworkName directive

When removing networks, the podman RHEL system role was using the "systemd- + name of the Quadlet file" syntax for the network name. Consequently, if the Quadlet file had a different NetworkName directive in it, the removal would fail. With this update, the podman source code has been updated to use "the Quadlet file name + the NetworkName directive from that file" as a name of the network to remove. As a result, removal of networks defined by Quadlet files using the podman RHEL system role works both with and without a custom NetworkName directive in the Quadlet file.

The storage RHEL system role is idempotent again

The storage RHEL system role in some cases incorrectly calculated sizes of existing devices. Consequently, running the same playbook again without changes caused the role to attempt resizing the device that already had the correct size, instead of passing without errors. With this update, the size calculation was fixed. As a result, the role now correctly identifies that the device already has the size specified by the playbook and does not try to resize it.

The network units in the Quadlet unit files are now properly cleaned up

The podman RHEL system role was not correctly managing the network units defined under the [Network] section in the Quadlet unit files. Consequently, the network units were not stopped and disabled and subsequent runs would fail due to those units not being cleaned up properly. With this update, podman manages the [Network] units, including stopping and removing. As a result, the [Network] units in the Quadlet unit files are properly cleaned up.

The podman RHEL system role creates new secrets if necessary

The podman RHEL system role incorrectly did not check whether a secret with the same name already existed if you used the skip_existing: true option of the podman_secrets role variable. Consequently, the role did not create any new secret if using that option. This update fixes the podman RHEL system role to check for existing secrets if you use skip_existing: true. As a result, the role properly creates new secrets if they do not exist. Conversely, it does not create a secret of the same name if you use skip_existing: true.

The linger feature can be canceled for the correct users

When processing the instruction list of configuration items from kube files or Quadlet files, the podman RHEL system role was incorrectly using the user ID associated with the entire list. It did not use the user ID associated with the list item to compile the linger file name. Consequently, the linger file was not created and therefore the podman RHEL system role could not cancel the linger feature for the actual user if necessary. With this update, podman uses the correct username to construct the linger file name. As a result, the linger feature can be canceled for the correct users.

The podman RHEL system role can set the ownership of the host directory again

Previously, the podman RHEL system role was using the become keyword with the user when setting the ownership of the host directory. As a consequence, the role could not properly set the ownership. With this update, the podman RHEL system role does not use become with the ordinary user. Instead, it uses the root user. As a result, podman can set the ownership of the host directory.

The podman RHEL system role now correctly searches for subgid values

Subordinate group IDs (subgid) is a range of group ID values assigned to non-root users. By using these values, you can run processes with different group IDs inside a container compared to the host system. Previously, the podman RHEL system role was incorrectly searching in the subgid values using the group name instead of using the user name. Consequently, the difference between the user name and the group name made podman fail to look up the subgid values. This update fixes podman to correctly search for subgid values and the problem no longer appears in this scenario.

The sshd RHEL system role can configure the second sshd service correctly

Running the sshd RHEL system role to configure the second sshd service on your managed nodes caused an error if you did not specify the sshd_config_file role variable. Consequently, your playbook would fail and the sshd service would not be configured correctly. To fix the problem, deriving of the main configuration file has been improved. Also, the documentation resources in the /usr/share/doc/rhel-system-roles/sshd/ directory have been made clearer to avoid this problem. As a result, configuring the second sshd service as described in the above scenario works as expected.

The bootloader RHEL system role generates the missing /etc/default/grub configuration file if necessary

Previously, the bootloader RHEL system role expected the /etc/default/grub configuration file to be present. In some cases, for example on OSTtree systems, /etc/default/grub can be missing. As a consequence, the role failed unexpectedly. With this update, the role generates the missing file with default parameters if necessary.

The cockpit RHEL system role installs all cockpit-related packages that match a wildcard pattern

Previously, the dnf module used through the cockpit RHEL system role did not install all cockpit-related packages. As a consequence, some requested packages were not installed. With this update, the source code of the cockpit RHEL system role was changed to use the dnf module directly with an asterisk wildcard package name and a list of packages to exclude. As a result, the role correctly installs all requested packages that match the wildcard pattern.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

Virtual machines with a large amount of vCPUs and virtual disks no longer fail

Previously, assigning a large amount of vCPUs and virtual disks to a RHEL virtual machine (VM) might have caused the VM to fail to boot. With this update, the problem has been fixed and virtual machines work normally in these cases.

Using NBD to migrate a VM storage over a TLS connection works correctly

Previously, when migrating a virtual machine (VM) and its storage device by using the Network Block Device (NBD) protocol over a TLS connection, a data race in the TLS handshake might have made the migration appear to be successful. However, it could have caused the QEMU process on the destination VM to become unresponsive to further interactions.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices can now be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

Resuming a postcopy VM migration now works correctly.

Previously, when performing a postcopy migration of a virtual machine (VM), if a proxy network failure occured during the RECOVER phase of the migration, the VM became unresponsive and the migration could not be resumed. Instead, the recovery command displayed the following error:

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface card (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

VNC viewer correctly initializes a VM display after live migration of ramfb

This update enhances the ramfb framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb was unable to migrate, which resulted in VMs that use ramfb showing a blank screen after live migration. Now, ramfb is compatible with live migration. As a result, you see the VM desktop display when the migration completes.

The sos clean on an existing archive no longer fails

Previously, an existing archive could not be cleaned by running sos clean due to a regression in the sos code that incorrectly detected the root directory of a tarball and prevented it from cleaning data. As a consequence, sos clean running on an existing sosreport tarball does not clean anything within the tarball. This update adds an implementation of a proper detection of the root directory in the reordered tarball content. As a result, sos clean performs sensitive data obfuscation on an existing sosreport tarball correctly.

The sos stops collecting user’s .ssh configuration

Previously, the sos utility collected the .ssh configuration by default from a user. As a consequence, this action caused a broken system for users that are mounted by using automount utility. With this update, the sos utility no longer collects the .ssh configuration.

Netavark no longer fails resolving DNS TCP queries

Previously, when you ran a container in a Podman network, some domain names would not resolve even though they worked on the host system or in a container not using the Podman network. With this update, Netavark supports TCP DNS queries and the problem is fixed.

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

The bootc image builder tool is available as a Technology Preview

The bootc image builder tool, now available as a Technology Preview, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.

A new rhel9/bootc-image-builder container image is available as a Technology Preview

The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

OpenSSL clients can use the QUIC protocol as a Technology Preview

OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview

With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

UDP encapsulation in packet offload mode is now available as a Technology Preview

With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of ipsec tunnels when in packet offload mode.

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

kTLS available as a Technology Preview

RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

NetworkManager and the Nmstate API support MACsec hardware offload

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

Network drivers for modems in RHEL are available as Technology Preview

Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

kTLS rebased to version 6.3

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.3, kTLS was rebased to the 6.3 upstream version, and notable changes include:

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

SGX available as a Technology Preview

Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

NVMe-oF Discovery Service features are now fully supported

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014 was introduced in Red Hat Enterprise Linux 9.0 as a Technology Preview, is now fully supported. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

A new nodejs:22 module stream available as a Technology Preview

A new module stream, nodejs:22, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22, which will be fully supported.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

HSM support is available as a Technology Preview

Hardware Security Module (HSM) support is now available in Identity Management (IdM) as a Technology Preview. You can store your key pairs and certificates for your IdM CA and KRA on an HSM. This adds physical security to the private key material.

LMDB database type is available in Directory Server as a Technology Preview

The Lightning Memory-Mapped Database (LMDB) is available in Directory Server as an unsupported Technology Preview.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

The RHEL web console can now manage WireGuard connections

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

Intel TDX in RHEL guests

As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.

A unified kernel image of RHEL is now available as a Technology Preview

As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.

CPU clusters on 64-bit ARM

As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.

Live migrating a VM with a Mellanox virtual function is now available as a Technology Preview

As a Technology Preview, you can now live migrate a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.

RHEL is now available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

composefs filesystem is available as a Technology Preview

composefs is the default backend for container storage. The key technologies composefs uses are:

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

A new rhel9/rhel-bootc container image is available as a Technology Preview

The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.

Pushing and pulling images compressed with zstd:chunked is available as a Technology Preview

The zstd:chunked compression is now available as a Technology Preview.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

The initial-setup package now has been deprecated

The initial-setup package has been deprecated in Red Hat Enterprise Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface.

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the inst.geoloc= boot option are deprecated. As a replacement, you can use the geolocation_provider=URL option to set the required geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.

Capturing screenshots from the Anaconda GUI with a global hotkey is deprecated

Previously, users could capture screenshots of the Anaconda GUI by using a global hotkey. This meant that users could extract the screenshots manually from the installation environment for any further usage. This functionality has been deprecated.

Anaconda built-in help has been deprecated

The built-in documentation from spokes and hubs of all Anaconda user interfaces, which is available during Anaconda installation, has been deprecated. As a replacement, the Anaconda user interfaces will be self-descriptive and users can refer to the official RHEL documentation in the future major RHEL release.

Support for NVDIMM devices has been deprecated

Previously, the installation program allowed reconfiguring NVDIMM devices during installation. This support for NVDIMM devices during the Kickstart and GUI installation has been deprecated, and will be removed in the next major RHEL release. The NVDIMM devices in the sector mode will still be visible and usable in the installation program.

Unable to load an updated driver from the driver update disc in the installation environment

A new version of a driver from the driver update disc might not load if the same driver from the installation initial ramdisk has already been loaded. As a consequence, an updated version of the driver cannot be applied to the installation environment.

OVAL deprecated in vulnerability scanning applications

The Open Vulnerability Assessment Language (OVAL) data format, which provides declarative security data processed by the OpenSCAP suite, is deprecated and will be removed in a future major release. Red Hat continues to provide declarative security data in the Common Security Advisory Framework (CSAF) format, which is the successor of OVAL.

libgcrypt is deprecated

The Libgcrypt cryptographic library provided by the libgcrypt package is deprecated and may be removed in a future major release. Instead, use the libraries listed in the RHEL core cryptographic components article (Red Hat Knowledgebase).

Using update-ca-trust without arguments is deprecated

Previously, the command update-ca-trust updated the system certificate authority (CA) store regardless of the arguments entered. This update introduces the extract subcommand for updating the CA store. You can also specify the location to which the CA certificates are extracted by using the --output argument. For compatibility with earlier versions of RHEL, entering update-ca-trust to update the CA store with any argument other than -o or --help, and even without any argument, is still supported for the duration of RHEL 9, but will be removed by the next major release. Update your calls to update-ca-trust extract.

CAfile pointing to trusted root certificate files in Stunnel clients is deprecated

If Stunnel is configured in client mode, the CAfile directive can point to a file that contains trusted root certificates in the BEGIN TRUSTED CERTIFICATE format. This method is deprecated and might be removed in a future major version. In a future version, stunnel will pass the value of the CAfile directive to a function that does not support the BEGIN TRUSTED CERTIFICATE format. As a consequence, if you use CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt, change the location to CAfile = /etc/pki/tls/certs/ca-bundle.crt.

DSA and SEED algorithms have been deprecated in NSS

The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is deprecated in the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA, ECDSA, SHB-DSA, ML-DSA, and FN-DSA.

pam_ssh_agent_auth is deprecated

The pam_ssh_agent_auth package is deprecated and might be removed in a future major release.

SHA-1 is deprecated at SECLEVEL=2 in OpenSSL

The use of the SHA-1 algorithm at SECLEVEL=2 is deprecated in OpenSSL and might be removed in a future major release.

OpenSSL Engines API is deprecated in Stunnel

The use of the OpenSSL Engines API in Stunnel is deprecated and will be removed in a future major release. The most common use is to access hardware security tokens that use PKCS#11 through the openssl-pkcs11 package. As a replacement, you can use pkcs11-provider, which uses the new OpenSSL Providers API.

OpenSSL Engines are deprecated

OpenSSL Engines are deprecated and will be removed in the near future. Instead of using engines, you can use the pkcs11-provider as a replacement.

scap-workbench is deprecated

The scap-workbench package is deprecated. The scap-workbench graphical utility was designed to perform configuration and vulnerability scans on a single local or remote system. As an alternative, you can scan local systems for configuration compliance by using the oscap command and remote systems by using the oscap-ssh command. For more information, see Configuration compliance scanning.

oscap-anaconda-addon is deprecated

The oscap-anaconda-addon, which provided means to deploy baseline-compliant RHEL systems by using the graphical installation, is deprecated. As an alternative, you can build RHEL images that comply with a specific standard by Creating pre-hardened images with RHEL image builder OpenSCAP integration.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

OpenSSL deprecates the Engines API

The OpenSSL 3.0 TLS toolkit deprecated the Engines API. The Engines interface is superseded by the Providers API. The migration of applications and existing engines to Providers is underway. The deprecated Engines API may be removed in a future major release.

openssl-pkcs11 is now deprecated

As a part of the ongoing migration of deprecated OpenSSL engines to the Providers API, the pkcs11-provider package replaces the openssl-pkcs11 package (engine_pkcs11). The openssl-pkcs11 package is now deprecated. The openssl-pkcs11 package may be removed in a future major release.

RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated

The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

Several subscription-manager modules have been deprecated

Because of a simplified customer experience in Red Hat subscription services, which have transitioned to the Red Hat Hybrid Cloud Console and to account level subscription management with Simple Content Access, the following modules have been deprecated and will be removed in a future major release:

The deprecated --token option of subscription-manager register will stop working at the end of November 2024

The deprecated --token=<TOKEN> option of the subscription-manager register command will no longer be a supported authentication method from the end of November 2024. The default entitlement server, subscription.rhsm.redhat.com, will no longer be allowing token-based authentication. As a consequence, if you use subscription-manager register --token=<TOKEN>, the registration will fail with the following error message:

The DNF debug plug-in has been deprecated

The DNF debug plug-in, which includes the dnf debug-dump and dnf debug-restore commands, has been deprecated and will be removed from the dnf-plugins-core package in the next major RHEL release.

The support for libreport has been deprecated

The support for the libreport library has been deprecated and will be removed from DNF in the next major RHEL release.

The perl(Mail::Sender) module is now deprecated

The perl(Mail::Sender) module is now deprecated and will be removed from the next major release without any replacement. As a result, the checkbandwidth script from net-snmp-perl package does not support email alerts when bandwidth high/low levels for a host or interface are reached.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The %vmeff metric from the sysstat package has been deprecated

The %vmeff metric from the sysstat package to measure the page reclaim efficiency will no longer be supported in a future major version of RHEL. The values of the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions.

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, is deprecated.

cgroupsv1 is now deprecated in RHEL 9

The cgroups is a kernel subsystem used for process tracking, system resource allocation and partitioning. Systemd service manager supports booting in the cgroups v1 mode as well as in cgroups v2 mode. In Red Hat Enterprise Linux 9, the default mode is v2. In Red Hat Enterprise Linux 10, systemd will not support booting in the cgroups v1 mode and only cgroups v2 mode will be available.

Client-side and server-side DHCP packages are deprecated

Internet Systems Consortium (ISC) has announced the end of maintenance for ISC DHCP as of the end of 2022. As a result, Red Hat has decided to deprecate the use of client-side and server-side DHCP packages in RHEL 9 and not to distribute them in later major versions of RHEL. Customers must prepare for the transition to available alternatives, such as dhcpcd and ISC Kea.

Various packages are now deprecated in infrastructure services

The following packages are deprecated in RHEL 9 and will not be distributed in later major versions of RHEL:

The Soft-iWARP driver is deprecated

RHEL 9 provides the Soft-iWARP driver as an unsupported Technology Preview. Starting with RHEL 9.5, this driver is deprecated and will be removed in RHEL 10.

The dhcp-client package is deprecated

Previously, you could configure NetworkManager in RHEL 9 to use a DHCP client from the dhcp-client package. However, the option to use the dhclient utility is now deprecated and results in a warning being displayed at the NetworkManager startup. To configure NetworkManager as described above, switch to the internal DHCP library. In RHEL 10, the dhcp-client package is no longer available and the applications configured to use the dhclient utility use the internal DHCP library instead.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables backend and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

The firewalld lockdown feature is deprecated.

The lockdown feature in firewalld is deprecated because it cannot prevent processes that are running as root from adding themselves to the allow list. The lockdown feature may be removed in a future major RHEL release.

The connection.master, connection.slave-type, and connection.autoconnect-slaves properties are deprecated

Red Hat is committed to using conscious language. For details about this initiative, see Making open source more inclusive. Therefore, the connection.master, connection.slave-type, and connection.autoconnect-slaves properties were renamed. To ensure backward compatibility, aliases have been created that map the old property names to the new ones:

The PF_KEYv2 kernel API is deprecated

Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. PV_KEYv2 is not actively maintained upstream and misses important security features, such as modern ciphers, offload, and extended sequence number support. As a result, starting with RHEL 9.3, the PV_KEYv2 API is deprecated and will be removed in the next major RHEL release. If you use this kernel API in your application, migrate it to use the modern netlink API as an alternative.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

The kexec_load system call for kexec-tools has been deprecated

The kexec_load system call, which loads the second kernel, will not be supported in future RHEL releases. The kexec_file_load system call replaces kexec_load and is now the default system call on all architectures.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

Support for NVMe devices has been deprecated from the lsscsi package

Support for Non-volatile Memory Express (NVMe) devices has been deprecated and will be removed from the lsscsi package in the future major RHEL release. Use native tools such as nvme-cli, lsblk, and blkid instead.

Support for NVMe devices has been deprecated from the sg3_utils package

Support for Non-volatile Memory Express (NVMe) devices has been deprecated and will be removed from the sg3_utils package in the future major RHEL release. You can use native tools (nvme-cli) instead.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

Persistent Memory Development Kit (pmdk) and support library have been deprecated in RHEL 9

pmdk is a collection of libraries and tools for System Administrators and Application Developers to simplify managing and accessing persistent memory devices. pmdk and support library have been deprecated in RHEL 9. This also includes the -debuginfo packages.

The md-linear and md-faulty modules have been deprecated

The following MD RAID kernel modules have been deprecated, and will be removed in a future major RHEL release:

The VDO sysfs parameters have been deprecated

The Virtual Data Optimizer (VDO) sysfs parameters have been deprecated and will be removed in a future major RHEL release. Except for log_level, all module-level sysfs parameters for the kvdo module will be removed. For individual dm-vdo targets, all sysfs parameters specific to VDO will also be removed. There is no change for the parameters that are common to all DM targets. Configuration values for dm-vdo targets, which are currently set by updating the removed module-level parameters, can no longer be changed.

Deprecated high availability features

The following features have been deprecated in Red Hat Enterprise Linux 9.5 and will be removed in the next major release. The pcs command-line interface produces a warning when you attempt to configure a system with these features.

Resilient Storage Add-On has been deprecated

The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On has been deprecated as of RHEL 9. The Resilient Storage Add-On will no longer be supported starting with Red Hat Enterprise Linux 10 and any subsequent releases after RHEL 10. The RHEL Resilient Storage Add-On will continue to be supported with earlier versions of RHEL (7, 8, 9) and throughout their respective maintenance support lifecycles.

libdb has been deprecated

RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

Redis will be replaced with Valkey in Grafana, PCP, and grafana-pcp

The Redis key-value store has been deprecated and will be replaced with Valkey in the next major version of RHEL. As a result, Grafana, PCP, and the grafana-pcp plug-in will use Valkey to store data instead of Redis in RHEL 10.

HTML content of llvm-doc is deprecated

The HTML content of the llvm-doc package will be removed in a future RHEL release and replaced with a single HTML file pointing to online documentation at llvm.org. Users of llvm-doc that do not have network access will need an alternative way to access LLVM documentation.

Smaller size of keys than 2048 are deprecated by openssl 3.0 in Go’s FIPS mode

Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and no longer work in Go’s FIPS mode.

Some PKCS1 v1.5 modes are now deprecated in Go’s FIPS mode

Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work in Go’s FIPS mode.

32-bit packages are deprecated

Linking against 32-bit multilib packages is deprecated. The *.i686 packages will remain supported for the life cycle of Red Hat Enterprise Linux 9, but will be removed in the next major version of RHEL.

The pam_console module is deprecated

In RHEL 9.5, the pam_console module is deprecated and is planned to be removed in a future release. The pam_console module grants file permissions and authentication capabilities to users logged in at the physical console or terminals, and adjusts these privileges based on console login status and user presence. As an alternative to pam_console, you can use the systemd-logind system service instead. For configuration details, see the logind.conf(5) man page.

BDB backend is deprecated in 389-ds-base

The libdb library that implements the Berkeley Database (BDB) version used by 389-ds-base is deprecated in RHEL 9.0. As a result, Directory Server deprecated the BDB backend. Support for BDB will be removed in the future major version of Directory Server.

The sss_ssh_knownhostsproxy tool has been deprecated

The sss_ssh_knownhostsproxy has been deprecated and will be replaced by a more efficient tool in RHEL 10. sss_ssh_knownhostsproxy will be kept for backwards compatibility in RHEL 9 and will be removed in RHEL 10. Support for the ssh KnownHostsCommand option will be added in a future release.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

The SSSD files provider has been deprecated

The SSSD files provider has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The files provider might be removed from a future release of RHEL.

The enumeration feature has been deprecated for AD and IdM

The enumeration feature enables you to list all users or groups by using getent passwd or getent group commands without arguments for Active Directory (AD), Identity Management (IdM), and LDAP providers. Support for the enumeration feature has been deprecated for AD and IdM in Red Hat Enterprise Linux (RHEL) 9. The enumeration feature will be removed for AD and IdM in RHEL 10.

The libsss_simpleifp subpackage has been deprecated

The libsss_simpleifp subpackage that provides the libsss_simpleifp.so library has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The libsss_simpleifp subpackage might be removed from a future release of RHEL.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

Totem media player has been deprecated

The Totem media player has been deprecated in RHEL 9.5 and will be removed in a future major release.

power-profiles-daemon has been deprecated

The power-profiles-daemon package that provides the power mode configuration in GNOME has been deprecated and will be removed in a future major release.

gedit is deprecated

gedit, the default graphical text editor in Red Hat Enterprise Linux, has been deprecated and will be removed in a future major release. Instead, use GNOME Text Editor.

Qt 5 libraries have been deprecated

Qt 5 libraries have been deprecated and will be removed in a future major release. Qt 5 libraries are replaced with Qt 6 libraries, with new functionality and better support.

WebKitGTK has been deprecated

The WebKitGTK web browser engine has been deprecated and will be removed in a future major release.

Evolution has been deprecated

Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The application and its plugins has been deprecated and will be removed in a future major version. You can find an alternative in a third party source, for example on Flathub.

Festival has been deprecated

The Festival speech synthesizer has been deprecated and will be removed in a future major version.

The Eye of GNOME is removed

The Eye of GNOME (eog) image viewer application is removed in RHEL 10.

Cheese has been deprecated

The Cheese camera application has been deprecated and will be removed in a future major version.

Devhelp has been deprecated

Devhelp, a graphical developer tool for browsing and searching API documentation, has been deprecated and will be removed in a future major version. You can now find API documentation online in specific upstream projects.

gtkmm based on GTK 3 has been deprecated

gtkmm is a C++ interface for the GTK graphical toolkit. The gtkmm version that was based on GTK 3 has been deprecated with all its dependencies and will be removed in a future major version. To access gtkmm in RHEL 10, migrate to the gtkmm version based on GTK 4.

GTK 2 is now deprecated

The legacy GTK 2 toolkit and the following, related packages have been deprecated:

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

TigerVNC is deprecated

The TigerVNC remote desktop solution is now deprecated. It will be removed in a future major RHEL release and replaced by a different remote desktop solution.

The PulseAudio daemon is deprecated

The PulseAudio daemon, and its packages pulseaudio and alsa-plugins-pulseaudio, have been deprecated and will be removed in a future major release.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

Deprecated variables in the podman RHEL system role: container_image_user and container_image_password

The container_image_user and container_image_password variables are deprecated. In a future major release of RHEL, these variables will be removed. You can use the podman_registry_username and podman_registry_password variables instead.

The network System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on a RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

NIC device drivers related to iPXE are deprecated in RHEL 9

Internet Preboot eXecution Environment (iPXE) firmware provides a range of boot options over a network often used in environments, where machines need to boot remotely. Among others, it contains a large number of device drivers. The following have been marked as deprecated and will be removed in the RHEL 10 release:

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA-2 algorithm, or later.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.

qcow2-v2 image format is deprecated

With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

Legacy CPU models are now deprecated

A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

The Intel vGPU feature has been removed

Previously, as a Technology Preview, it was possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices could then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs shared the performance of a single physical Intel GPU, however only selected Intel GPUs were compatible with this feature.

pmem device passthrough has become deprecated

With this update, the non-volatile memory library (nvml) packages have become deprecated, and will be removed in a future major version of RHEL. As a consequence, when the package removal occurs, it will no longer be possible to pass persistent memory (pmem) devices to the virtual machines (VMs). Note that emulated NVDIMM devices backed by volatile memory or files will still be available, but will not be possible to configure as persistent.

Using Windows Server 2012 or Windows 8 as a guest operating system is not supported

Because Microsoft ended support for the following versions of Windows, Red Hat also removed support for using these versions as a guest operating system in this update.

Converting Xen virtual machines from RHEL 5 by using virt-v2v has been deprecated.

Using the virt-v2v tool to convert virtual machines from a RHEL 5 Xen host to KVM has become deprecated, and will be removed in a future major release of RHEL. For details, see the Red Hat Knowledge Base.

The Podman v5.0 deprecations

In RHEL 9.5, the following is deprecated in Podman v5.0:

The runc container runtime has been deprecated

The runc container runtime is deprecated and will be removed in a future major release of RHEL. The default container runtime is crun.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed from Podman in a future minor release of RHEL. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

The Inkscape and LibreOffice Flatpak images are deprecated

The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as Technology Previews, have been deprecated.

pasta as a network name has been deprecated

The support for pasta as a network name value is deprecated and will not be accepted in the next major release of Podman, version 5.0. You can use the pasta network name value to create a unique network mode within Podman by employing the podman run --network and podman create --network commands.

The BoltDB database backend has been deprecated

The BoltDB database backend is deprecated as of RHEL 9.4. In a future version of RHEL, the BoltDB database backend will be removed and will no longer be available to Podman. For Podman, use the SQLite database backend, which is now the default as of RHEL 9.4.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed in a future release. Use the Netavark network stack instead. For more information, see Switching the network stack from CNI to Netavark.

The Podman v5.0 upcoming deprecations

The following will be deprecated in the upcoming Podman v5.0, which will be released in RHEL 9.5 and RHEL 10.0 Beta:

The rhel9/openssl has been deprecated

The rhel9/openssl container image has been deprecated.