9.6 Release Notes

Added Kickstart support for CA certificates to enable encrypted DNS configuration during installation

Support for the %certificate section in the Kickstart file is added to enable the installation of CA certificates into the installer environment and the installed system. This simplifies the setup process and ensures that the encrypted DNS is operational after installation, reducing manual configuration and security gaps. The certificates are inlined in the Base64 ASCII format and imported through the --dir and --filename options. This enhancement facilitates encrypted DNS configuration as part of Zero Trust Architecture requirements. The encrypted DNS set up during installation ensures secure DNS resolution from the start, improving security and compliance in automated deployments.

RHEL image builder supports creating disk images with advanced partitioning

With this enhancement, RHEL image builderl gained more options for customizing partitioning and creating disk images with advanced partitioning layout. You can create disk images with custom mountpoints, including custom mount options, LVM-based partitions and LVM-based SWAP to, for example, change the size of the / and the /boot directories by using a blueprint file.

bootc-image-builder now supports creating image mode disk images with advanced partitioning

With this enhancement, the bootc-image-builder tool gained more options for customizing partitioning and creating disk images with advanced partitioning layout. You can use the bootc-image-builder tool to create disk images of image-mode RHEL with custom mountpoints, including custom mount options, LVM-based partitions and LVM-based SWAP to, for example, change the size of the / and the /boot directories by using the config.toml.

The bootc image builder tool is generally available in RHEL

The bootc image builder tool, now is generally available in RHEL, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.

pcsd now provides the --disable-polkit option

With this update, you can turn off loading the PolicyKit authorization framework by starting the pcsd service with the --disable-polkit option. Running pcsd without polkit enables accessing PKCS #11 devices in limited environments such as the initial RAM disk. As a result, the Clevis decryption client can use a PKCS #11 device for automated unlocking LUKS-encrypted volumes at boot time.

ssh now provides a link with additional details about SSH login error messages

In case of an early error, the ssh command-line tool provides a link to the Red Hat Customer Portal page that contains additional details about common error messages and steps for resolving them. This helps troubleshoot SSH login problems when you use interactive mode.

pkcs-tool now shows object URI

With this update, the pkcs11-tool -L and pkcs11-tool -O commands contain the uri: field in their outputs. You can use the URI information when configuring the pkcs11 Clevis pin for automated unlocking LUKS-encrypted drives with PKCS #11 devices.

CBC ciphers can now be blocked in crypto-policies

With this update, crypto-policies uses the openssl -CBC CipherString directive. As a result, CBC cipher suites are disabled in OpenSSL if none of them are enabled in crypto-policies.

nettle rebased to 3.10.1

The nettle library package has been rebased to upstream version 3.10.1. This version provides various bug fixes, optimizations and enhancements, most notably:

Rsyslog rebased to 8.2412.0

The rsyslog packages have been rebased to upstream version 8.2412.0 in RHEL 9.6. Among other fixes and enhancements, you can bind a ruleset to the imjournal module. With this optimization, log messages can be filtered and processed at the input stage, which reduces the load on the main message queue. This minimizes resource utilization and ensures smoother handling of high-volume logs.

OpenSCAP rebased to 1.3.12

The OpenSCAP packages have been rebased to upstream version 1.3.12. This version provides bug fixes and various enhancements. For additional information, see the OpenSCAP release notes.

Clevis rebased to version 21 with support for PKCS #11

The clevis packages have been upgraded to version 21. This version contains many enhancements and bug fixes, notably:

New Keylime policy management tool

The new keylime-policy tool integrates all management tasks of Keylime runtime policies and measured boot policies and improves the performance of generating policies.

SELinux assigns a particular type to /dev/hfi1_0

With this update, the hfi1_device_t type is assigned to the /dev/hfi1_0 device in the SELinux policy. As a result, SELinux can properly control access to the device.

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

SCAP Security Guide rebased to 0.1.76

For additional information, see the SCAP Security Guide release notes.

Keylime requires HTTPS for revocation notifications

The Keylime components require the use of the more secure HTTPS protocol for revocation notification webhooks instead of HTTP. As a consequence, the Keylime verifier now requires the revocation notification webhook server CA certificate. You can add it to the trusted_server_ca configuration option or add it to the system trust store.

Support for deploying image mode for RHEL systems by using FDO

With this enhancement, now you can deploy an image mode for RHEL systems by using the FIDO Device Onboarding (FDO) process, available as a Technology Preview, to deliver the configuration to this system. Include a Kickstart file in an ISO build to configure any part of the installation process except the base image deployment. If you use an ISO with a bootc container base image, bootc-image-builder automatically installs ostreecontainer, the command to install the container image. You can still configure anything, except the ostreecontainer command.

RHEL provides the greenboot package in version 0.15.8

The greenboot packages have been updated to version 0.15.8, which provides bug fixes and enhancements. Notable changes include:

Image mode for RHEL users can now use dnf --transient to perform package transactions that reset on reboot

Previously, Image mode for RHEL users could transiently install, remove, and upgrade packages by running the bootc usr-overlay command to unlock the system and then make changes by running DNF commands. If you use bootc usr-overlay, when the system reboots, the /usr directory overlay disappears and all changes made to it will reset. Changes to other directories, including configuration in /etc and program state in /var, persist across reboots.

Improved error message when using DNF on a locked OSTree or bootc system

OSTree and bootc systems cannot be managed by DNF by default. Previously, a DNF error message did not say that this was an expected behavior and how you could change it. With this update, DNF detects whether it runs on a read-only OSTree or bootc system and informs you where to find more details about how to manage such systems with DNF.

DNF Automatic can now notify users about a failed update

With this update, a new send_error_messages boolean option has been added to the [emitters] section of the /etc/dnf/automatic.conf configuration file. As a result, if you set send_error_messages to yes, the DNF Automatic tool notifies you about failed automatic updates by using an emitter configured in the emit_via option.

ignoreduplicates option is now available

With this enhancement, the ignoreduplicates option is added in the logrotate configuration. The option ignores any duplicate file paths in the logrotate configuration, and is not enabled by default.

maven-openjdk21 package is now available

RHEL supports running Maven with multiple Java versions, allowing users to select their preferred JDK. With this enhancement, a new maven-openjdk21 package has been added to enable seamless execution of Maven with OpenJDK 21. The notable changes include the following:

openCryptoki rebased to version 3.24.0

The openCryptoki packages are rebased to version 3.24.0. Support has been added for the following:

libva rebased to 2.22.0

The libva package is rebased to 2.22.0. Notable enhancement includes the following:

A new module stream maven 3.9 is available

A new update to the maven 3.9 package is now available. In version 3.9, maven is not compatible with maven 2. The notable enhancement include the following:

Multipath partner device is now supported

The drmgr is a utility for managing logical and physical hot plug capable resources. With this enhancement, drmgr supports hot plug addition and removal of a multipath drive.

Weak ciphers can be now disabled in CUPS configuration

Previously, when you disabled the weak cipher in the CUPS configurations, the configuration changes did not take effect. With this enhancement, if a user wants to disable a certain cryptographic algorithm via system policy, CUPS honors the system settings, if SSLOptions NoSystem is not in CUPS configuration files, and CUPS does not offer the system-wide disabled algorithm anymore.

Added support for E825C interface

Added support for Ethernet functionality of the E825C network interface for Intel Granite Rapids-D platform to the ice driver.

The i40e driver supports automatic reset behavior on MDD events

The Intel® Network Adapter Driver for PCIe* 40 Gigabit Ethernet can now reset problematic Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) when it detects a malicious driver detection (MDD) event. You can activate this automatic reset behavior through the new mdd-auto-reset-vf option as in the following example command:

NetworkManager now supports configuration of FEC encoding on NIC

With this enhancement, NetworkManager supports forward error correction (FEC) encoding support on the network interface controller (NIC). By disabling FEC encoding on NIC, you will have reduced overhead of redundant data transmission and lower latency of network traffic. Configure FEC settings on NIC by using the following steps:

NetworkManager can automatically add routes to DNS servers

With the ipv4.routed-dns parameter, you can configure NetworkManager so that nameservers are reachable only through the correct network interface. Apart from systemd-resolved and dnsmasq backend DNS services in NetworkManager, other backend services do not support binding nameservers to the correct network interface. As a result, you can use NetworkManager to add an explicit route to the nameserver through the related network interface.

NetworkManager can set ipv4.dhcp-send-hostname`to `false by default

With this feature, you can set the ipv4.dhcp-send-hostname option in NetworkManager to false for all IPv4 connections. To disable this option by default, add the configuration snippet to the /etc/NetworkManager/conf.d/99-no-hostname.conf file as follows:

NetworkManager supports ip-ping-addresses and ip-ping-timeout properties for the connection setting

With this enhancement, you can add an IP address to the ip-ping-addresses and set a timeout with ip-ping-timeout settings. As a result, you can ensure that remote services, such as network file system (NFS), are mounted only after the target network is reachable.

nmstate supports the require-id-on-certificate setting on Libreswan configuration

With this enhancement, libreswan, an implementation of Internet Protocol Security (IPsec) specification, now supports the require-id-on-certificate setting for VPN configurations by using NetworkManager. With this feature, you can configure Subject Alternative Name (SAN) validation by using the require-id-on-certificate option. As a result, this implementation correctly enforces SAN validation based on the specified setting:

NetworkManager DHCP Client supports IPv6-only preferred option for DHCPv4

With this enhancement, the IPv6-only preferred option for DHCPv4 is available for NetworkManager clients for the supported DHCP server. You can use this option in two ways: globally and locally. If enabled globally, this option allows and prioritizes only IPv6 addresses in dual networks that support both IPv4 and IPv6. If enabled locally by setting the ipv6.method disabled option, IPv4 addresses assigned manually are prioritized over DHCP addresses.

xdp-tools rebased to version 1.5.1

The xdp-tools package has been upgraded to version 1.5.1, which provides multiple enhancements and bug fixes. Notable changes include:

wpa_supplicant was rebased to version 2.11

The wpa_supplicant utility has been upgraded to version 2.11, which provides multiple bug fixes and enhancements. Notable changes include:

iproute2 rebased to version 6.11.0

The iproute2 package has been upgraded to version 6.11.0, which provides multiple bug fixes and enhancements. Notable changes include:

Bonding device supports IPsec HW offload with ESN

Previously, a bonding device did not support the IPSec Hardware HW offload feature with Extended Sequence Numbers (ESN). Consequently, setting up IPsec with HW offload and ESN failed on the bonding device. With this fix, you can setup IPsec HW offload with ESN on the bonding device, considering the bond ports already support this feature. As a result, the bonding device offloads IPsec traffic correctly.

New "drop reasons" in the VXLAN implementation

In this update of the RHEL kernel, visibility patches were introduced which add new "drop reasons" in the Virtual eXtensible Local Area Networking (VXLAN) implementation. Visibility patches are important for troubleshooting problems, and thanks to these additions most of the dropped packets in VXLAN now have a reason attached to provide extra context.

Network drivers for modems in RHEL are now fully supported

In the US, device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems.

nmstate now supports configuring IPvLAN

The nmstate API now supports configuring IPvLAN, a virtual network interface, that enhances network management and container networking.

Kernel version in RHEL 9.6

Red Hat Enterprise Linux 9.6 is distributed with the kernel version 5.14.0-570.12.1.

The eBPF facility has been rebased to Linux kernel version 6.12

Notable changes and enhancements include the following:

View the number of instances of each cgroup from cgroup.stat

For cgroup v2, the cgroup.stat control file is enhanced to show the number of instances of each cgroup subsystem in the unified hierarchy, including any dying ones.

kpatch-dnf plugin is updated with improved kernel management

With the updated kpatch-dnf plugin, kernel upgrades are closely aligned with kpatch support. Administrators gain the flexibility to focus kernel updates on those supported by kpatch, leading to more reliable system upgrades and overall stability.

Containerization of the rteval utility

With this update, you can run the rteval utility with all its runtime dependencies from a container image publicly available through the Quay.io container registry. This feature also enables you to, for example:

TPM_TIS rebased to upstream 6.7 for Lenovo hardware

This release introduces an updated version of the Trusted Platform Module (TPM) Integration Services (TPM_TIS) firmware to upstream version 6.7. This update addresses stability and security enhancements for RHEL 9.6.

kdump is rebased to 6.10

This update incorporates the latest improvements, bug fixes, and features from the 6.10 kernel related to crash dumping.

Landlock, a new Linux Security Module (LSM) is released

RHEL 9.6 introduces Landlock, a new security feature that makes your containers safer. Landlock sets strict rules for processes like Podman to limit access to the file system through the kernel API, defining rules for themselves regardless of privilege level and allowing users to create hard limits over the accessible scope of the processes.

New integration testing to validate kdump procedures to prevent system failure

With this enhancement, you can check the log file for kdump procedures after any software or hardware updates to prevent system failure. After the analysis of the output log files, the configuration entries, such as memory issues or blacklist of some drivers, are corrected to validate the kdump procedures and generate the vmcore. This ensures that the kdump procedures are validated and corrected before a system crash after any software or hardware update.

New timerlat-interval INTV_US and cyclictest-interval INTV_US options

With this enhancement, you can use the following new options of the rteval command to modify the base or periodic interval option in running timerlat or cyclictest threads:

NVMf-FC kdump is now supported on the IBM Power

NVMf-FC kdump now supports the IBM Power system for running kexec-tools. This allows the capture of system memory dumps over a fiber channel network using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.

GRUB Bootloader has been hardened in RHEL 9.6

This enhancement includes fixes for various security flaws discovered as part of a pro-active hardening effort in the GRUB2 code. This ongoing proactive fuzzing effort of the GRUB bootloader yielded several flaws and vulnerabilities, some of which were severe enough to be CVEs, such as the following:

EROFS file system is now supported

EROFS is a lightweight generic read-only file system suitable for various read-only use cases, such as embedded devices or containers. It provides deduplication and transparent compression as options for scenarios that require them.

snapm is now available in RHEL

Snapshot Manager (snapm) is a new component designed to assist in managing system state snapshots. You can use it to roll back updates or changes, and boot into previous system snapshots. Managing snapshots across multiple volumes and configuring boot entries for snapshot boot and snapshot rollback can often be complex and prone to errors. Snapshot Manager automates these common tasks and integrates seamlessly with Boom Boot Manager, simplifying the process. With this update, you can easily take snapshots of the system state, apply updates, and revert to the previous system state if necessary.

NFS with TLS is fully supported

Network File System (NFS) with Transport Layer Security (TLS), introduced in RHEL 9.4 as a Technology Preview, is now fully supported. This feature enhances NFS security by enabling TLS for Remote Procedure Call (RPC) traffic, ensuring encrypted communication between clients and servers. For details, see Configuring an NFS server with TLS support.

VFS mnt_idmap compile-time checking changes backported

This enhancement minimizes conflicts that might occur during the backporting of subsequent fixes or features. As a result, the risk of regressions with subsequent backports is reduced.

CIFS client provides the ability to create special files under SMB shares

Common Internet File System (CIFS) client has the ability to create native Server Message Block (SMB), Network File System (NFS) or Windows Subsystem for Linux (WSL) symlinks. Use the new symlink=default|none|native|unix|mfsymlinks|sfu|nfs|wsl mount option to either completely disallow creating symlinks or to select what kind of symlinks will be created by the client. You can also create special files, such as character devices, block devices, pipes, and sockets, through NFS or WSL reparse points by using the reparse=default|none|nfs|wsl mount option. To create native Windows sockets that are supported by Windows applications on NT File System (NTFS) volumes, use the nativesocket mount option.

Deleting multiple resources with a single pcs command

Before this update, the pcs resource delete, the pcs resource remove, the pcs stonith delete and the pcs stonith remove commands supported the removal of only one resource at a time. With this update, you can now delete multiple resources at once with a single command.

New pcs tag command option for displaying cluster resource tags in text, JSON, and command formats

The pcs tag [config] command now supports the --output-format option for the following use cases:

Support for exporting fencing level configuration in JSON format and as pcs commands

The pcs stonith config and the pcs stonith level config commands now support the --output-format= option to display the fencing level configuration in JSON format and as pcs commands.

Removing Booth cluster tickets from the CIB after removal from the Booth configuration

After you remove a Booth cluster ticket by using the pcs booth ticket remove command, the state of the Booth ticket remains loaded in the Cluster Information Base (CIB). This is also the case after you remove a ticket from the Booth configuration on one site and pull the Booth configuration to another site by using the pcs booth pull command. This might cause problems when you configure a ticket constraint, because a ticket constraint can be granted even after a ticket has been removed. As a consequence, the cluster might freeze or fence a node. As of RHEL 9.6, you can prevent this by removing a Booth ticket from the CIB with the pcs booth ticket cleanup command.

A new module stream: mysql:8.4

MySQL 8.4 is now available as a new module stream, mysql:8.4. Notable enhancements over the previously available version 8.0 include:

ARGON2 password hashing is supported in PHP 8.3

PHP 8.3 is now available as the php:8.3 module stream. With this enhancement, support for the ARGON2I and ARGON2ID password hashing algorithms, provided by the openssl extension, is now available.

nginx 1.26 module stream is now available

The nginx 1.26 module stream includes various bug fixes and enhancements. Notable changes include:

New php:8.3 module stream is now available

The RHEL 9.6 adds PHP 8.3 as a new php:8.3 module stream. Notable enhancements include:

LLVM Toolset updated to 19.1.7

LLVM Toolset has been updated to version 19.1.7.

The llvm-doc package now contains only a reference to the upstream documentation.

In previous versions, the llvm-doc package contained the LLVM documentation in HTML format. With this update, the package provides only the /usr/share/doc/llvm/html/index.html file which contains a reference to the upstream documentation.

Clang and LLVM now support zstd for debug section compression

By default, Clang and LLVM tools use Zlib as the algorithm for debug section compression. With this enhancement, users can alternatively use the Zstandard (zstd) algorithm which can reach a higher compression rate than Zlib.

Rust Toolset rebased to version 1.84.1

Rust Toolset has been updated to version 1.84.1. Notable enhancements since the previously available version 1.79.0 include:

PCP rebased to version 6.3.2

Performance Co-Pilot (PCP) has been updated to version 6.3.2. Notable changes over the previously available version 6.2.2 include:

The glibc library contains improved IBM POWER10 optimizations

With this enhancement, hardware support for the IBM POWER10 platform has been improved in the glibc library. As a result, the performance of the strcmp() and memchr() APIs has been significantly improved on this platform.

valgrind rebased to version 3.24.0

The valgrind suite has been updated to version 3.24.0. Notable enhancements include:

libabigail rebased to version 2.6

The libabigail library has been updated to version 2.6. Notable changes include:

SystemTap rebased to version 5.2

The SystemTap tracing and probing tool has been updated to version 5.2.

elfutils rebased to version 0.192

The elfutils package has been updated to version 0.192. Notable improvements include:

The ld linker now detects if an application uses read, write, and execute permissions for a memory region

A memory region with read, write, and execute permissions at the same time is a potential point of attack because a buffer overflow can allow executable code to be injected into the memory and then executed.

The ld linker now detects if an application uses an executable stack

A stack that is held in an executable region of memory is a potential point of attacks if, due to a buffer overrun, executable code is placed there.

binutils now supports the arch15 extension of the IBM Z instruction set

With this enhancement, binutils supports the arch15 extensions of CPUs on the IBM Z platform. Developers can now use the new features provided by the arch15 extension in assembler source files or, when an updated compiler is available, also in compiled programs. This can result in smaller and faster programs.

The boost-devel package provides BoostConfig.cmake and other official CMake scripts

This enhancement adds BoostConfig.cmake and other official CMake scripts to the boost-devel package. CMake uses these scripts in some cases to test if boost features exists. As a result, CMake projects that test for boost features work now more robustly.

Go Toolset rebased to version 1.23

Go Toolset has been updated to version 1.23. Notable enhancements include:

glibc now supports the GB18030-2022 encoding standard

This enhancement updates the support of the GB18030 encoding standard in glibc from version 2005 to 2022. With version 2022, you can use 31 new transcoding relationships and the additional characters and code points introduced by this standard.

New tool to manage IdM ID range inconsistencies

With this update, Identity Management (IdM) provides the ipa-idrange-fix tool. You can use ipa-idrange-fix tool to analyze existing IdM ID ranges, identify users and groups outside these ranges, and propose to create new ipa-local ranges to include them.

Kerberos now supports the Elliptic Curve Diffie-Hellman key agreement algorithm

The Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm for PKINIT, as defined by RFC5349, is now supported. With this update, the pkinit_dh_min_bits setting in krb5.conf`file can now be configured with `P-256, P-384, or P-521 to use ECDH by default.

ansible-freeipa rebased to 1.14.5

The ansible-freeipa package has been rebased from version 1.13.2 to version 1.14.5. Notable enhancements and bug fixes include:

389-ds-base has been rebased to version 2.6.1

The 389-ds-base package has been rebased to version 2.6.1. Notable bug fixes and enhancements over version 2.5.2 include:

openldap has been rebased to version 2.6.8

The openldap package has been updated to version 2.6.8. The update includes various enhancements and bug fixes, including:

The new memberOfDeferredUpdate: on/off configuration attribute is now available in Directory Server

With this update, Directory Server introduces the new memberOfDeferredUpdate configuration attribute for the MemberOf plug-in. When set to on, the MemberOf plug-in defers the update of group members resulting in improved server responsiveness, especially if the group changes impact a large number of its members.

Directory Server now provides buffering of the error, audit, and audit fail logs

Before this update, only the access and security logs had log buffering. With this update, Directory Server provides buffering of the error, audit, and audit fail logs. Use the following settings to configure log buffering:

Directory Server now can update passwords with the CRYPT or CLEAR hashing algorithm after a successful bind

Before this update, Directory Server had a hardcoded list of hashing algorithms that were excluded from the password update during successful binds. Directory Server did not update user passwords that had the CRYPT or CLEAR hashing algorithm configured in the passwordStorageScheme attribute.

HSM is now fully supported in IdM

Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store your key pairs and certificates for your IdM Cerificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.

New SSSD option: exop_force

You can use the exop_force option to force a password change even if no grace logins are left. Previously, SSSD did not attempt password changes if the LDAP server indicated that there were no grace logins remaining. Now, if you set ldap_pwmodify_mode = exop_force in the [domain/…​] section of the sssd.conf file, SSSD tries to change the password even if no grace logins are left.

Support for group merging added in authselect

If you are using the authselect utility, you no longer need to manually edit the nssswitch.conf file to enable group merging. With this update, It is now integrated into authselect profiles, eliminating the need for manual changes.

Support for dynamic DoT updates in SSSD

SSSD now supports performing all dynamic DNS (dyndns) queries using DNS-over-TLS (DoT). You can securely update DNS records when IP addresses change, such as Identity Management (IdM) and Active Directory servers. To enable this functionality, you must install the nsupdate tool from the bind9.18-utils package.

New variable in the postfix RHEL system role: postfix_default_database_type

The postfix system role can determine the default database type used by postfix and export it as a variable postfix_default_database_type. As a result, you can set configuration parameters based on the default database type.

New variables in the microsoft.sql.server system role: mssql_tools_versions and mssql_tls_self_sign

The new mssql-tools18 package brings functionality that is not backwards-compatible with the previous versions of the mssql-tools package. Therefore the following variables have been added to the microsoft.sql.server system role to adapt to the changes:

New RHEL system role: aide

You can use the new aide RHEL system role for detecting unauthorized changes to files, directories, and system binaries. With this role, you can accomplish, for example, the following tasks:

New variable in the sudo RHEL system role: sudo_check_if_configured

The sudo RHEL system role now has the following variable:

The microsoft.sql.server system role enables AES 128-bit and AES 256-bit encryption for AD users

Since version 1.1.83, the adutil utility supports the Kerberos protocol with AES 128-bit and AES 256-bit encryption when creating and modifying an Active Directory (AD) user. With this update, the microsoft.sql.server system role automates enabling AES 128-bit and AES 256-bit encryption provided by the Kerberos protocol when creating or modifying AD users. As a result, manual post-configuration tasks are not necessary.

The systemd RHEL system role can manage user units in addition to system units

With this update, the systemd RHEL system role can now also manage user units. For each unit file or unit specified in systemd_unit_files, or systemd_unit_file_templates, or systemd_started_units etc., you can add a user: name if you want that file/unit to be managed for the given user. The default is root which is used for system units.

Support for exporting corosync configuration of an existing cluster

The ha_cluster RHEL system role now supports exporting the corosync configuration of an existing cluster in a format that can be fed back to the role to recreate the same cluster. If you did not use the ha_cluster RHEL system role to create your cluster, or if you have lost the original playbook for the cluster, you can use this feature to build a new playbook for the cluster.

The podman RHEL system role can manage the quadlet units of type Pod

The podman utility of version 5 added support for Pod quadlet types. Consequently, the podman RHEL system role now enables you to also manage the quadlet units of type Pod.

New property added to the network RHEL system role network_connections variable: autoconnect_retries

There is no fine-grained control over the number of automatic retries to reconnect a network connection in the network RHEL system role. This limitation could be problematic for certain use cases where extending the retry process is critical, particularly in environments with unstable networks. The autoconnect_retries property added to the to the network_connections role variable configures how many times NetworkManager attempts to reconnect a network connection after an autoconnect failure. As a result, the network RHEL system role now allows configuring the number of automatic reconnection attempts after an autoconnect failure using the autoconnect_retries property in the network_connections variable. This enhancement provides greater control over network stability and performance, especially in environments with unstable networks.

New property added to the network RHEL system role network_connections variable: wait_ip

This update provides added support for the wait_ip property of the ip option in the network_connections role variable. The property specifies if the system should consider the network connection as activated only when a specific IP stack is configured. You can configure wait_ip with the following values:

The metrics RHEL system role now supports Valkey as an alternative to Redis

This update provides added support for the Valkey in-memory data structure store for the metrics RHEL system role. It is an alternative to Redis, which is no longer open source and is being removed from Linux distributions. Valkey is typically used as a high-performance caching layer. It stores data in memory, which accelerates applications by caching frequently accessed data. Additionally, you can use Valkey for other performance-critical operations, for example:

New variable in the logging RHEL system role: logging_custom_templates

The following variable has been added to the logging RHEL system role:

sshd RHEL system role validates commands and configurations

The sshd role uses the quote command when using the command or shell plugins to ensure you can use these commands safely. The role also validates certain user-supplied role variables passed to these plugins. This improves the security and robustness of using the role because, without validation, user-supplied variables that contain white space could split and not function correctly.

KVM on IBM Z now supports more than one boot device

Guest operating systems running on KVM on IBM Z hosts can attempt booting from additional devices when the primary boot device is not bootable. This feature is supported for the following device types:

Virtual machines supported in RHEL for Real Time

This update introduces full support for real-time virtualization in RHEL for Real Time. You can configure the host and guest operating systems to achieve low-latency and deterministic behavior for virtual machines (VMs). This makes real-time VMs suitable for applications that require real-time performance, such as industrial automation, telecommunications, and automotive systems.

Newly supported features for virtual machines on 64-bit ARM hosts

The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture, also known as aarch64:

virt-install now supports creating VMs with SEV-SNP

You can now use the virt-install utility to create a virtual machine (VM) that uses the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature. To do so, use the launchSecurity sev-snp,policy=0x30000 option.

Support for VM live migration with shared virtiofs directory that provides write access to other parties

With this update, you can live migrate a virtual machine (VM) with a virtiofs shared directory, even if multiple other parties, such as the host and other VMs, have write access to that directory.

Virtualization support for IBM z17 processors

With this update, virtualization on RHEL adds support for the IBM z17 CPUs. As a result, virtual machines hosted on an IBM Z system with RHEL can now use new features that the z17 processors provide.

Retrievable secrets are supported for Secure Execution on IBM Z

With this update, you can use generalized host-based secrets for cryptographic devices in Secure Execution virtual machines (VMs) on IBM Z. As a result, it is no longer needed to store secrets in an initramfs image when configuring Secure Execution, which simplifies creating a secure VM image. Note that this feature is currently only supported on IBM z17 processors.

Virtualization support for Intel Xeon v6 processors

With this update, virtualization on RHEL 9 adds support for the Intel Xeon v6 processors, formerly known as Sierra Forest. As a result, virtual machines hosted on RHEL 9 can now use the SierraForest CPU model and utilize new features that the processors provide.

RHEL supports live migrating a VM with a Mellanox virtual function

With this update, you can perform live migration of a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.

Intel TDX in RHEL guests

The Intel Trust Domain Extension (TDX) feature is now fully supported in RHEL 9.5 and later when used as a guest operating system. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 guests, called trust domains (TDs). This increases the isolation of the RHEL guest from the host, and makes it significantly more difficult for the host to access the data on the RHEL guest.

Unified Kernel Image for RHEL is fully supported

Unified Kernel Image (UKI) for RHEL, which was introduced in RHEL 9.2 as a Technology Preview, is now fully supported. To use RHEL UKI, you must first install the kernel-uki-virt package. RHEL UKI can enhance SecureBoot protection in virtualized and cloud environments.

WSL images of RHEL 8 - 10 are available on the Customer Portal

RHEL 8, RHEL 9, and RHEL 10 images for the Windows Subsystem for Linux (WSL) can now be downloaded from the Red Hat Customer Portal. These images are available for all RHEL subscriptions, including no-cost developer subscriptions. By using the WSL images, you can create RHEL instances on your Windows system.

RHEL on HPE can run up to 4096 vCPUs

With this feature, a RHEL virtual machine (VM) instance running with the RHEL KVM hypervisor on Hewlett Packard Enterprise Compute Scale-Up Server now supports up to 4096 virtual CPUs, 32 sockets, and 64 TB of memory to handle in-memory databases and other large compute intensive workloads.

Enhanced automatic registration for eligible RHEL images

When purchasing certain eligible cloud marketplace subscriptions for RHEL 9.6 or later and for RHEL 10.0 or later, an improved version of the auto-registration function is available.

The plugin option names now use only hyphens instead of underscores

To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.

The --api-url option is now available

With the --api-url option you can call another API as per requirement. For instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions.

The new --skip-cleaning-files option is now available

The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.

Podman supports pushing and pulling images compressed with zstd:chunked

You can push images compressed with the zstd:chunked format to reduce the image size and use partial pulls.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. The Buildah has been updated to version 1.39.0, Skopeo has been updated toversion 1.18.0. Podman v5.4 contains the following notable bug fixes and enhancements over the previous version:

Enhanced healthcheck output configuration is now available in Podman

Podman now offers enhanced configurability for healthcheck outputs on a per-container basis. Before this update, healthcheck outputs were limited to the five most recent executions, each capped at 500 characters, accessible only by using the podman inspect command. You can now adjust the amount of healthcheck output stored for each container, allowing for more comprehensive debugging information when needed. This feature is particularly beneficial for diagnosing intermittent healthcheck failures without disrupting the running service. Additionally, to address concerns about sensitive data and storage efficiency, you can opt to limit or disable healthcheck output storage for specific containers.

Deploying a container image by using a single command is now available

You can deploy a container image into a RHEL cloud instance by using a signal command. The system-reinstall-bootc command installs performs the following actions:

Creating custom bootc images from scratch is now supported

You can create bootc images from scratch and fully control the contents of the image and tailor the system environment to meet specific requirements. With the bootc-base-imgectl command, you can create custom bootc images based on an existing bootc base image. Bootc Image from Scratch are derived from container images and do not automatically receive updates from the default base image. To include such updates, you must incorporate them manually as part of your container pipeline. Additionally, you can use the rechunk subcommand in bootc-base-imgectl on any bootc container image to optimize or restructure the image as needed.

A new image build progressing bar available for bootc-image-builder

Previously, you could not check if an image build was progressing by looking into the logs. With this enhancement, you can check the progress of the image build that you created by using bootc-image-builder. You can revert to the previous behavior by using the --progress=verbose argument when building images.

The command-line assistant powered by RHEL Lightspeed is generally available in RHEL

The command-line assistant powered by RHEL Lightspeed is available within the RHEL command line. The generative AI that powers the assistant is trained on information from the RHEL product documentation and Red Hat Knowledgebase, and can help you to understand, configure, and troubleshoot your RHEL systems in a more accessible way, whether you are new to RHEL or already an experienced user.

The command line assistant supports using the systemd-creds as a password store manager

The command-line assistant powered by RHEL Lightspeed integrates command line assistant daemon (clad) by using the systemd-creds, a password store manager shipped with RHEL. This means that you can securely store your passwords by using databases such as PostgreSQL or MySQL as your history backend. As a result, you can use the tool for listing, showing, encrypting and decrypting unit credentials in a secure manner.

shlibsign now works in FIPS mode

Before this update, the shlibsign program did not work in FIPS mode. Consequently, when you rebuilt an NSS library in FIPS mode, you had to leave FIPS mode to sign the library. The program has been fixed, and you can now use shlibsign in FIPS mode.

Audit now loads rules referencing /usr/lib/modules/

Prior to this update, when the ProtectKernelModules option was set to true for the auditd.service, the Audit subsystem did not load rules that reference files in the /usr/lib/modules/ directory with the error message Error sending add rule data request (No such file or directory). With this update, Audit loads also these rules, and you no longer have to reload the rules by using the auditctl -R or augenrules --load commands.

update-ca-trust extract no longer fails to extract certificates with long names

When extracting certificates from the trust store, the trust tool internally derives the file name from the certificates’ object label. For long enough labels, the resulting path might previously have exceeded the system’s maximum file name length. As a consequence, the trust tool failed to create a file with a name that exceeded the maximum file name length of a system. With this update, the derived name is always truncated to within 255 characters. As a result, file creation does not fail when the object label of a certificate is too long.

Rule to allow dac_override and dac_read_search for qemu-guest-agent added to the SELinux policy

Previously, the SELinux policy did not have rules to allow qemu-guest-agent the dac_override and dac_read_search capabilities. As a consequence, freezing and thawing virtual machine file systems did not work properly when the file system mount point DAC permission did not grant access to the user root. This update has added the missing rule to the policy. As a result, fsfreeze, which is an important qemu-ga command for creating consistent snapshots, works correctly.

OpenSSL cipher suites no longer enable cipher suites with disabled hashes or MACs

Previously, applying custom cryptographic policies could leave certain TLS 1.3 cipher suites enabled even if their hashes or MACs were disabled, because the OpenSSL TLS 1.3-specific Ciphersuites option values were controlled only by the ciphers option of the cryptographic policy. With this update, crypto-policies takes more algorithms into account when deciding whether to enable a cipher suite. As a result, OpenSSL on systems with custom cryptographic policies might refuse to negotiate some of the previously enabled TLS 1.3 cipher suites in better accordance with the system configuration.

RHEL web console Subscription Manager plugin now detects Insights data upload failures

Before this update, the systemd service manager automatically restarted insights-client service in the case of failure, which broke the built-in detection in the Subscription Manager plugin in the RHEL web console. This detection checked for the failed service state, which was correctly prevented. Consequently, the RHEL web console did not display any warning when an Insights data upload failed. With this update, the detection of the status of insights-client has been improved to account for the new status when an upload fails. As a result, Subscription Manager in the web console detects Insights data upload failures correctly.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

dnf needs-restarting --reboothint now correctly reports whether a reboot is needed on systems with a real-time clock not running in UTC

Before this update, if you updated a package which required a system reboot to fully apply the update on a system with a real time clock not running in UTC, the dnf needs-restarting --reboothint command might not have reported that the reboot was needed. With this update, the systemd UnitsLoadStartTimestamp property is added as a preferred source of a boot time. As a result, dnf needs-restarting --reboothint is now more reliable outside of containers on systems with a real-time clock running in local time.

The repository metadata is now stored directly in the requested directory when using dnf reposync

Before this update, the dnf reposync command did not respect the --norepopath option for downloading a repository metadata. Consequently, this metadata was stored in a subdirectory named after the repository. With this update, the dnf reposync command now respects the --norepopath option, and the repository metadata is stored directly in the requested directory.

%patch N no longer applies a patch number 0

Before this update, when you used the %patch N syntax, where N is the number of a patch, the syntax also applied the patch number 0 (Patch0) in addition to the patch specified by N. With this update, the %patch N syntax has been fixed to only apply the patch number N.

lparstat -E now displays correct values for busy and idle states

Previously, some values were not taken into account while calculating the idle ticks. As a consequence, the lparstat -E command displayed the busy and idle states under the Normalized and Actual sections, for example, lparstat -E 4 4. With this update, the calculation of the idle tick has been fixed. As a result, the lparstat -E utility now displays the correct values for busy and idle states.

Traceroute now defaults to IPv6

Previously, traceroute defaulted to IPv4 addresses even when IPv6 addresses were available. With this enhancement, traceroute now defaults to IPv6 if available.

Networking interface configuration persists after lldpad termination

Before this update, the networking interface configuration was removed when Link Layer Discovery Protocol Agent Daemon (lldpad) was terminated by systemd or manually. This update fixes the lldpad source-code so that the service does not reset interface configuration after termination.

RHEL displays the correct number of CPUs on a system of 512 CPUs

The rps_default_mask configuration setting controls the default Receive Packet Steering (rps) mechanism to direct incoming network packets towards specific CPUs. The flow_limit_cpu_bitmap parameter enables or disables flow control per CPU. With this fix, RHEL displays total CPUs along with its parameter values on the console correctly.

The netdev device attributes are removed from ethtool output

Due to changes in network device feature flags stored in the kernel, the following features will no longer appear in the output of the ethtool -k command:

NetworkManager can mitigate the impact of CVE-2024-3661 (TunnelVision) in VPN connection profiles

VPN connections rely on routes to redirect traffic through a tunnel. However, if a DHCP server uses the classless static route option (121) to add routes to a client’s routing table, and the routes propagated by the DHCP server overlap with the VPN, traffic can be transmitted through the physical interface instead of the VPN. CVE-2024-3661 describes this vulnerability, which is also know as TunnelVision. As a consequence, an attacker can access traffic that the user expects to be protected by the VPN.

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

multipathd no longer crashes because of errors encountered by the ontap prioritizer

Before this update, multipathd crashed when it was configured to use the ontap prioritizer on an unsupported path, because the prioritizer only works with NetApp storage arrays. This failure occurred due to a bug in the prioritizer’s error logging code, which caused it to overflow the error message buffer. With this update, the error logging code has been fixed, and multipathd no longer crashes because of errors encountered by the ontap prioritizer.

Native NVMe multipathing no longer causes a memory leak when enable_foreign is set to monitor natively multipathed NVMe devices

Before this update, enabling native NVMe multipathing caused a memory leak if the enable_foreign configuration parameter was set to monitor natively multipathed NVMe devices. With this update, the memory leak was fixed in multipathd monitoring code. As a result, multipathd can now monitor natively multipathed NVMe devices without increasing memory usage.

RHEL installer now discovers and uses iSCSI devices as boot devices on aarch64

Previously, the absence of the iscsi_ibft kernel module in RHEL installers running on aarch64 prevented the automatic discovery of iSCSI devices defined in firmware. As a result, these devices were not automatically visible nor selectable as boot devices in the installer during manual addition GUI.

fstrim enabled by default on LUKS2 root in ostree-based new installations done by Anaconda

Previously, installing ostree-based systems, such as Image Mode, by using ostreesetup or ostreecontainer Kickstart commands with LUKS2 encryption enabled on the / (root) mount point resulted in systems where fstrim was not enabled. This could cause issues such as unresponsive systems or broken file chooser dialogs. With this fix, fstrim (discards) is now enabled by default in the LUKS2 metadata on newly installed systems.

Systems with NVMe over TCP controllers no longer crash because of a data transfer failure

Before this update, on 64-bit ARM architecture systems with NVMe over TCP storage controllers where optimal IO size is bigger than the PAGE_SIZE and an MD device uses a bitmap, the system could crash with the following error message:

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

Resource constraints with expired rules no longer display

Before this update, the pcs constraint location config resources command displayed resource constraints with expired rules in the output. With this update, the command no longer displays constraints with expired rules if you do not specify the --all option.

Status of a cloned resource running with only one instance now displays properly

Before this update, when you queried the status of the instances of a cluster resource clone with only one running instance, the pcs status query command displayed an error message. With this update, the command reports the resource status properly.

Successful recovery of an interrupted Pacemaker remote connection

Before this update, when network communication was interrupted between a Pacemaker remote node and the cluster node hosting its connection during the TLS handshake portion of the initial connection, the connection in some cases blocked and could not be recovered on another cluster node. With this update, the TLS handshake is asynchronous and a remote connection is successfully recovered elsewhere.

Cluster status of a disaster recovery site now displays correctly

Before this update, when you configured a disaster recovery recovery site and ran the pcs dr status command to display the status of the local and remote cluster sites, the command displayed an error instead of the cluster status. With this update, the cluster status of the local and remote sites displays correctly when you execute this command.

Cluster alerts now take immediate effect

Before this update, when you configured an alert in a Pacemaker cluster, the alert did not immediately take effect without a cluster restart. With this update, the cluster detects updates to cluster alerts immediately.

The glibc getenv function provides a limited form of thread safety

The glibc getenv function is not thread safe. Previously, if an application still called the functions getenv, setenv, unsetenv, putenv, and clearenv at the same time, the application they could terminate unexpectedly or getenv could return incorrect values. With this bug fix, the getenv function provides a limited form of thread safety. As a result, applications no longer crash if they call the functions concurrently. Additionally, getenv returns only environment values that have been using setenv or which were present at the start of the program, and reports previously-set environment variables as unset only if there has been a potentially unordered unsetenv call.

The pcp package now sets the correct owner and group for the /var/lib/pcp/config/pmie/config.default file

Previously, if you installed the pcp package for the first time, the package installation process incorrectly set the ownership of the /var/lib/pcp/config/pmie/config.default file to root:root. As a consequence, the pmie service failed to start because the pmieconf utility, which is executed by this service, requires pcp:pcp ownership for this file. When the service failed to start, it logged the following error in the /var/log/pcp/pmie/pmie_check.log file:

pcp-xsos provides a rapid summary of a system

The large number of configurable components in the Performance Co-Pilot (PCP) toolkit means that you often use several different tools to understand a system’s performance. Many of these tools require additional processing time when you work with large, compressed time series data volumes. This enhancement adds the pcp-xsos utility to PCP. This utility can perform a fast, high-level analysis of an individual point in time from a PCP archive. As a result, pcp-xsos can help you gain insight into high level performance issues and also identify further targeted performance analysis tasks.

iconv in-place conversions no longer result in corrupted output

The iconv utility can write the converted output to the same file. Previously, when you performed an in-place conversion and the source file exceeded a certain size, iconv overwrite the file before the processing was completed. Consequently, the file was corrupted. With this update, the utility creates a temporary file if the source and the output file are the same and overrides the source file after the conversion is complete. As a result, in-place conversions can no longer result in corrupted files.

Improvements in the glibc stub resolver and getaddrinfo() API calls

Previously, the glibc stub resolver and getaddrinfo() API calls could result in longer than expected delays in the following cases:

The glibc exit function no longer crashes on simultaneous calls

Previously, multiple simultaneous calls to the exit function and calls to this function with simultaneous <stdio.h> stream operations were not synchronized. As a consequence, applications could terminate unexpectedly and data streams could be corrupted if a concurrent exit function call occurred in a multi-threaded application. With this update, exit now locks <stdio.h> streams when flushing them, and simultaneous calls to exit and quick_exit select one call to proceed. As a result, applications no longer crash in this scenario.

The implementation of POSIX thread condition variables in glibc to wake waiting threads has been improved

Previously, a defect in the POSIX thread condition variable implementation could allow a pthread_signal() API call to fail to wake a waiting thread. Consequently, a thread could wait indefinitely for a next signal or broadcast. With this bug fix, the implementation of POSIX thread condition variables now includes a sequence-relative algorithm to avoid the missed signal condition and to provide stronger guarantees that waiting threads are woken correctly.

The Boost.Asio no longer shows an exception when reusing a moved TCP socket

Previously, if an application used the Boost.Asio library and reused a moved TCP socket, the application failed with an bad_executor exception. This update fixes the issue, and the Boost.Asio library no longer fails in the described scenario.

Migrating an IdM deployment no longer results in duplicate HBAC rules

Previously, migrating from one Identity Management (IdM) deployment to another by using the ipa-migrate utility sometimes led to duplicate host-based access control (HBAC) rules on the destination server. Consequently, the "allow_all" and "allow_systemd-user" HBAC rules appeared twice when running the "ipa hbacrule-find" command on that server.

Bypassing two-factor authentication using an expired token is no longer possible

Previously, it was possible to bypass two-factor authentication by creating an OTP token with a specific end-validity period.

When starting an instance with a sub suffix, an incorrect error is no longer logged

Before this update, when starting an instance with a sub suffix, you could see the following incorrect message in the error log:

ldapsearch now respects the NETWORK_TIMEOUT setting as expected

Previously, an ldapsearch command ignored the timeout when the server was unreachable and, as a consequence, the search hung indefinitely instead of timing out. With this update, the logic error in TLS handling was fixed by adjusting connection retries and socket options.

A race condition with paged result searches no longer closes the connection with a T3 error code

Previously, Directory Server did not use the proper thread protection when checking the connection’s paged result data for a timeout event. As a consequence, the paged result timeout value changed unexpectedly and triggered a false timeout when a new operation arrived. This caused a time out error and the connection was closed with the following T3 error code:

Directory Server no longer fails when reindexing a VLV index with the sort attribute indexed with an extended matching rule

Before this update, a race condition was triggered during reindexing a virtual list views (VLV) index that had the sort attribute indexed with an extended matching rule. As a result, memory leaked and Directory Server failed. With this update, Directory Server serializes the VLV index key generation and no longer fails.

OpenLDAP library no longer fails when trying to free resources

Before this update, the OpenLDAP library tried to release memory by using the SSL_CTX_free() function in its destructor when an application had already cleaned up these resources by invoking the OPENSSL_cleanup() function, either directly or via the atexit() function. As a consequence, users experienced failures or undefined behavior when the invalid SSL_CTX_free() call tried to release already-cleaned-up SSL context resources.

High connection load no longer overloads a single thread in Directory Server

Before this update, even though Directory Server supports multiple listening threads, the first incoming connections were assigned to the same listener thread overloading it. As a result, some requests created high wtime and poor performance. With this update, Directory Server distributes the connection load across all listening threads.

VLV index cache now matches the VLV index as expected when using LMDB

Before this update, the virtual list views (VLV) index cache did not match the VLV index itself on instances with Lightning Memory-Mapped Database (LMDB), which caused the VLV index to return invalid values. With this update, the VLV index cache matches the VLV index, and the correct values are returned.

The online backup no longer fails

Before this update, the online backup task could hang sporadically because of the incorrect lock order. With this update, the online backup works as expected and no longer fails.

cleanAllRUV no longer blocks itself

Before this update, when you ran the cleanAllRUV task after a replica deletion from replication topology, the task was trying to update the replication configuration entry while the same task was purging the replication changelog of the old replica ID (rid). As a result, the server was unresponsive.

Reindexing no longer fails when an entry RDN have the same value as the suffix DN

Before this update, if an entry’s relative distinguished name (RDN) had the same value as the suffix distinguished name (DN) in the directory, then the entryrdn index got broken. As a result, Directory Server could perform slow search requests, get invalid results, and write alarming messages in the error log.

The Account Policy plug-in now uses a proper flag for an update in a replication topology

Before this update, the Account Policy plugin did not use the proper flag for an update. As a result, in a replication topology, the Account Policy plugin updated the login history, but this update failed on a consumer server logging the following error message:

On a supplier with LMDB, an offline import no longer generates duplicates of nsuniqueid

Before this update, an offline import of basic entries (with no replicated data) on a supplier with Lightning Memory-Mapped Database (LMDB) generated duplicates of the nsuniqueid operational attribute that must be unique. As a result, problems with replication occurred. With this update, the offline import no longer generates duplicates on the supplier.

TLS 1.3 can now be used to connect to an LDAP server running in FIPS mode

Before this update, when you tried to explicitly set TLS 1.3 when connecting to an LDAP server in FIPS mode, the used TLS version still remained 1.2. As a result, an attempt to connect to the LDAP server by using TLS 1.3 failed. With this update, the upper limit of the TLS version in FIPS mode was changed to 1.3, and the attempt to connect to an LDAP server with TLS 1.3 no longer fails.

Directory Server backup no longer fails after the previous unsuccessful attempt

Before this update, if an initial backup attempt was unsuccessful, the next Directory Server backup failed because backends stayed busy trying to complete the previous backup. As a result, the instance restart was required. With this update, Directory Server backup no longer fails after the previous unsuccessful attempt and the instance restart is no longer needed.

Failed replication between suppliers when using certificate-based authentication now has a more descriptive error message

Before this update, when a required CA certificate file was missing and a TLS connection setup was failing during replication between supplies, the error message was unclear to identify the problem. With this update, when a TLS setup error occurs, Directory Server logs more detailed error information. It now includes messages, such as No such file or directory for a missing certificate, making the problem solving easier.

dsconf config replace can now handle multivalued attributes as expected

Before this update, the dsconf config replace command could set only one value for an attribute, such as nsslapd-haproxy-trusted-ip. With this release, you can set several values by using the following command:

Directory Server now returns the correct set of entries when compound filters with OR (|) and NOT (!) operators are used

Before this update, when LDAP searches with OR (|) and NOT (!) operators were used, Directory Server did not return the correct set of entries. The reason was that Directory Server incorrectly evaluated access rights and entry matching and performed these steps in one phase. With this update, Directory Server performs access rights evaluation and entry matching in two separated phases and searches with compound filters with OR (|) and NOT (!) operators return the correct set of entries.

Consumer status in a replication agreement on a supplier is displayed correctly after the Directory Server restart

Before this update, on a supplier in a replication topology, the status of the consumer in a replication agreement was reset during the Directory Server restart. As a result, the displayed consumer initialization time and the replication status were incorrect.

The new sshd_allow_restart variable enables the sshd service to be restarted when needed

Before this update, the sshd RHEL system role was not restarting the sshd service on a managed node when required. As a consequence, some changes related to configuration files from the`/etc/sysconfig/` directory and environment files were not applied. To fix the problem, the sshd_allow_restart (boolean, defaults to true) variable has been introduced to restart the sshd service on the managed node when necessary. As a result, the sshd RHEL system role now correctly applies all changes and ensures the sshd service actually uses those changes.

The podman RHEL system role no longer fails to process secrets when using the run_as_user variable

Before this update, the podman RHEL system role failed to process secrets that were specified for a particular user using the run_as_user variable due to missing user information. This caused errors when attempting to process secrets which have run_as_user set. The issue has been fixed, and the podman RHEL system role correctly handles secrets which are specified for a particular user using the run_as_user variable.

The firewall RHEL system role reports changed: True when there were changes applied

During playbook processing, the firewall_lib.py module from the firewall RHEL system role was replacing the changed message with False when using the interface variable in the playbook and a pre-existing networking interface on the managed node. As a consequence, firewall reported the changed: False message even when there had been changes done, and the contents from the forward_port variable were not saved as permanent. With this update, the firewall RHEL system role ensures the changed value is not reset to False. As a result, the role reports changed: True when there are changes, and forward_port contents are saved as persistent.

The certificate RHEL system role correctly reports an error when an issued certificate is missing the private key

When the private key of a certificate was removed, the certmonger utility on a managed node entered an infinite loop. Consequently, the certificate RHEL system role on the control node became unresponsive when re-issuing a certificate that had the private key deleted. With this update, the certificate RHEL system role stops processing and provides an error message with instructions for remedy. As a result, certificate no longer becomes unresponsive in the described scenario.

The postgresql RHEL system role no longer fails to set the paths to a TLS certificate and private key

The postgresql_cert_name variable of the postgresql RHEL system role defines the base path to the TLS certificate and private key without suffix on the managed node. Before this update, the role did not define internal variables for the certificate and private key. As a consequence, if you set postgresql_cert_name, the Ansible task failed with the following error message:

The network RHEL system role prioritizes permanent MAC address matching

When all of the following conditions were met:

The ansible-doc command provides the documentation again for the redhat.rhel_system_roles collection

Before this update, the vpn RHEL system role did not include documentation for the internal Ansible filter vpn_ipaddr. Consequently, using the ansible-doc command to list documentation for the redhat.rhel_system_roles collection would trigger an error. With this update the vpn RHEL system role includes the correct documentation in the correct format for the vpn_ipaddr filter. As a result, ansible-doc does not trigger any error and provides the correct documentation.

The storage RHEL system role correctly resizes logical volumes

The physical volume was not resized to its maximum size when using the grow_to_fill feature in the storage RHEL system role to automatically resize LVM physical volumes after resizing the underlying virtual disks. Consequently, not all of the storage free space was available when resizing existing or creating new additional logical volumes; and the storage RHEL system role failed. This update fixes the problem in the source code to ensure the role always resizes the physical volumes to their maximum size when using grow_to_fill.

The storage RHEL system role now runs as expected on RHEL managed nodes with VDO

Before this update, the blivet module required the kmod-kvdo package on RHEL managed nodes using Virtual Data Optimizer (VDO). However, kmod-kvdo failed to install, and as a consequence caused even the storage RHEL system role to fail. The fix to this problem ensures that kmod-kvdo is not a required package for managed nodes with RHEL. As a result, storage no longer fails when managed nodes with RHEL use VDO.

High-memory VMs now report their state correctly

Previously, live migrating a virtual machine (VM) that was using 1 TB of memory or more caused libvirt to report the state of the VM incorrectly. This problem has been fixed and the status of live-migrated VMs with high amounts of memory is now reported accurately by libvirt.

Network boot for VMs now works correctly without an RNG device

Previously, when a virtual machine (VM) did not have an RNG device configured and its CPU model did not support the RDRAND feature, it was not possible to boot the VM from the network. With this update, the problem has been fixed, and VMs that do not support RDRAND can boot from the network even without an RNG device configured.

vGPU live migration no longer reports excessive amount of dirty pages

Previously, when performing virtual machine (VM) live migration with an attached NVIDIA vGPU, an excessive amount of dirty pages could have been incorrectly reported during the migration. This problem could have increased the required VM downtime during the migration and the migration could have potentially failed.

vGPU live migration no longer fails if vGPU driver versions are different on source and destination hosts

Previously, virtual machine (VM) live migration with an attached NVIDIA vGPU would fail if driver versions on source and destination hosts were different.

Virtual machines no longer incorrectly report an AMD SRSO vulnerability

Previously, virtual machines (VMs) running on a RHEL 9 host with the AMD Zen 3 and 4 CPU architecture incorrectly reported a vulnerability to a Speculative Return Stack Overflow (SRSO) attack.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices can now be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface card (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

VNC viewer correctly initializes a VM display after live migration of ramfb

This update enhances the ramfb framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb was unable to migrate, which resulted in VMs that use ramfb showing a blank screen after live migration. Now, ramfb is compatible with live migration. As a result, you see the VM desktop display when the migration completes.

The sos clean on an existing archive no longer fails

Previously, an existing archive could not be cleaned by running sos clean due to a regression in the sos code that incorrectly detected the root directory of a tarball and prevented it from cleaning data. As a consequence, sos clean running on an existing sosreport tarball does not clean anything within the tarball. This update adds an implementation of a proper detection of the root directory in the reordered tarball content. As a result, sos clean performs sensitive data obfuscation on an existing sosreport tarball correctly.

The sos stops collecting user’s .ssh configuration

Previously, the sos utility collected the .ssh configuration by default from a user. As a consequence, this action caused a broken system for users that are mounted by using automount utility. With this update, the sos utility no longer collects the .ssh configuration.

The sos now obfuscates proxy passwords in several places

Previously, the sos utility did not obfuscate passwords from proxy links. For example HTTP_PROXY and HTTPS_PROXY in the /etc/environment file. As a consequence, the sos utility could collect sosreports with customer proxy passwords unless cleaned up before submitting. This may pose a security concern. Several of those places were discovered and fixed to obfuscate the passwords.

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

A new rhel9/bootc-image-builder container image is generally available in RHEL

The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.

Encrypted DNS in RHEL is available as a Technology Preview

You can enable encrypted DNS to secure DNS communication that uses DNS-over-TLS (DoT). Encrypted DNS (eDNS) encrypts all DNS traffic end-to-end, with no fallback to insecure protocols, and aligns with zero trust architecture (ZTA) principles.

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

OpenSSL clients can use the QUIC protocol as a Technology Preview

OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview

With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

GIMP available as a Technology Preview in RHEL 9

GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

KTLS available as a Technology Preview

In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

NetworkManager and the Nmstate API support MACsec hardware offload

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

UDP encapsulation in packet offload mode is now available as a Technology Preview

With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of ipsec tunnels when in packet offload mode.

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

kTLS was updated to version 6.12

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.6, we updated kTLS to the 6.12 upstream version.

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

The Neural Processing Unit (NPU) kernel for the RHEL Kernel is available as a Technology Preview on Intel Arrow Lake-based systems

In RHEL 9.6, the kernel introduces the Neural Processing Unit (NPU) as a Technology Preview. NPUs are special chips used for artificial intelligence (AI) and machine learning (ML) tasks on the systems. The kernel in RHEL 9.6 includes the initial driver for Intel NPUs and support infrastructure required to use the NPUs for AI/ML tasks.

The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview

With this Technology Preview, the Red Hat Enterprise Linux for Real Time is now enabled for ARM64. The ARM64 is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

NVMe/TCP using TLS is available as a Technology Preview

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 9.6. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

A new nodejs:22 module stream available as a Technology Preview

A new module stream, nodejs:22, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22, which will be fully supported.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

eu-stacktrace available as a Technology Preview

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

The RHEL web console can now manage WireGuard connections

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

CPU clusters on 64-bit ARM

As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.

New package: trustee-guest-components

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

RHEL is available on Azure confidential VMs as a Technology Preview

With the updated RHEL kernel, you can create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview from RHEL 9.3. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

A new rhel9/rhel-bootc container image is available as a Technology Preview

The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.

The composefs file system is available as Technology Preview

The composefs read-only file system available as Technology Preview is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified file-system tree mounted, with opportunistic fine-grained sharing of identical files.

Partial pulls for zstd:chunked are available as a Technology Preview

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

The podman artifact command is available as a Technology Preview

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further information, please reference the man page.

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

The initial-setup package now has been deprecated

The initial-setup package has been deprecated in Red Hat Enterprise Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface.

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the inst.geoloc= boot option are deprecated. As a replacement, you can use the geolocation_provider=URL option to set the required geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.

Capturing screenshots from the Anaconda GUI with a global hotkey is deprecated

Previously, users could capture screenshots of the Anaconda GUI by using a global hotkey. This meant that users could extract the screenshots manually from the installation environment for any further usage. This functionality has been deprecated.

Anaconda built-in help has been deprecated

The built-in documentation from spokes and hubs of all Anaconda user interfaces, which is available during Anaconda installation, has been deprecated. As a replacement, the Anaconda user interfaces will be self-descriptive and users can refer to the official RHEL documentation in future major RHEL releases.

Support for NVDIMM devices has been deprecated

Previously, the installation program allowed reconfiguring NVDIMM devices during installation. This support for NVDIMM devices during the Kickstart and GUI installation has been deprecated, and will be removed in the next major RHEL release. The NVDIMM devices in the sector mode will still be visible and usable in the installation program.

Unable to load an updated driver from the driver update disc in the installation environment

A new version of a driver from the driver update disc might not load if the same driver from the installation initial ramdisk has already been loaded. As a consequence, an updated version of the driver cannot be applied to the installation environment.

Keylime policy management scripts are deprecated and replaced with keylime-policy

In RHEL 9.6, Keylime is provided with the keylime-policy tool, which replaces the following policy management scripts:

OVAL deprecated in vulnerability scanning applications

The Open Vulnerability Assessment Language (OVAL) data format, which provides declarative security data processed by the OpenSCAP suite, is deprecated and will be removed in a future major release. Red Hat continues to provide declarative security data in the Common Security Advisory Framework (CSAF) format, which is the successor of OVAL.

libgcrypt is deprecated

The Libgcrypt cryptographic library provided by the libgcrypt package is deprecated and may be removed in a future major release. Instead, use the libraries listed in the RHEL core cryptographic components article (Red Hat Knowledgebase).

fips-mode-setup is deprecated

The fips-mode-setup tool, which switches the system to FIPS mode, is deprecated in RHEL 9. You can still use the fips-mode-setup command to check whether FIPS mode is enabled.

Using update-ca-trust without arguments is deprecated

Previously, the command update-ca-trust updated the system certificate authority (CA) store regardless of the arguments entered. This update introduces the extract subcommand for updating the CA store. You can also specify the location to which the CA certificates are extracted by using the --output argument. For compatibility with earlier versions of RHEL, entering update-ca-trust to update the CA store with any argument other than -o or --help, and even without any argument, is still supported for the duration of RHEL 9, but will be removed by the next major release. Update your calls to update-ca-trust extract.

CAfile pointing to trusted root certificate files in Stunnel clients is deprecated

If Stunnel is configured in client mode, the CAfile directive can point to a file that contains trusted root certificates in the BEGIN TRUSTED CERTIFICATE format. This method is deprecated and might be removed in a future major version. In a future version, stunnel will pass the value of the CAfile directive to a function that does not support the BEGIN TRUSTED CERTIFICATE format. As a consequence, if you use CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt, change the location to CAfile = /etc/pki/tls/certs/ca-bundle.crt.

DSA and SEED algorithms have been deprecated in NSS

The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is deprecated in the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA, ECDSA, and EdDSA.

pam_ssh_agent_auth is deprecated

The pam_ssh_agent_auth package is deprecated and might be removed in a future major release.

compat-openssl11 is deprecated

The compatibility library for OpenSSL 1.1, compat-openssl11, is now deprecated, and it might be removed in a future major release. OpenSSL 1.1 is no longer maintained upstream and applications that use the OpenSSL TLS toolkit should be migrated to version 3.x.

SHA-1 is deprecated at SECLEVEL=2 in OpenSSL

The use of the SHA-1 algorithm at SECLEVEL=2 is deprecated in OpenSSL and might be removed in a future major release.

OpenSSL Engines API is deprecated in Stunnel

The use of the OpenSSL Engines API in Stunnel is deprecated and will be removed in a future major release. The most common use is to access hardware security tokens that use PKCS#11 through the openssl-pkcs11 package. As a replacement, you can use pkcs11-provider, which uses the new OpenSSL Providers API.

OpenSSL Engines are deprecated

OpenSSL Engines are deprecated and will be removed in the near future. Instead of using engines, you can use the pkcs11-provider as a replacement.

DSA is deprecated in GnuTLS

The Digital Signature Algorithm (DSA) is deprecated in the GnuTLS secure communications library and will be removed in a future major version of RHEL. DSA was previously deprecated by the National Institute of Standards and Technology (NIST), and is not considered secure. You can use ECDSA instead to ensure compatibility with future versions.

scap-workbench is deprecated

The scap-workbench package is deprecated. The scap-workbench graphical utility was designed to perform configuration and vulnerability scans on a single local or remote system. As an alternative, you can scan local systems for configuration compliance by using the oscap command and remote systems by using the oscap-ssh command. For more information, see Configuration compliance scanning.

oscap-anaconda-addon is deprecated

The oscap-anaconda-addon, which provided means to deploy baseline-compliant RHEL systems by using the graphical installation, is deprecated. As an alternative, you can build RHEL images that comply with a specific standard by Creating pre-hardened images with RHEL image builder OpenSCAP integration.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

OpenSSL deprecates the Engines API

The OpenSSL 3.0 TLS toolkit deprecated the Engines API. The Engines interface is superseded by the Providers API. The migration of applications and existing engines to Providers is underway. The deprecated Engines API may be removed in a future major release.

openssl-pkcs11 is now deprecated

As a part of the ongoing migration of deprecated OpenSSL engines to the Providers API, the pkcs11-provider package replaces the openssl-pkcs11 package (engine_pkcs11). The openssl-pkcs11 package is now deprecated. The openssl-pkcs11 package may be removed in a future major release.

RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated

The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by displaying the /proc/sys/crypto/fips_enabled file.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

Ignition has been deprecated for image mode for RHEL for Edge images

The Ignition tool, used to inject the user configuration into the Simplified Installer, AMI, and VMDK RHEL for Edge images types at an early stage of the boot process, has been deprecated in RHEL 9 and might be removed in a future major release.

Several subscription-manager modules have been deprecated

Because of a simplified customer experience in Red Hat subscription services, which have transitioned to the Red Hat Hybrid Cloud Console and to account level subscription management with Simple Content Access, the following modules have been deprecated and will be removed in a future major release:

The deprecated --token option of subscription-manager register will stop working at the end of November 2024

The deprecated --token=<TOKEN> option of the subscription-manager register command will no longer be a supported authentication method from the end of November 2024. The default entitlement server, subscription.rhsm.redhat.com, will no longer be allowing token-based authentication. As a consequence, if you use subscription-manager register --token=<TOKEN>, the registration will fail with the following error message:

The numberless %patch syntax has been deprecated

Using the %patch directive without a number specified as a shorthand for %patch 0 to apply the zero-th patch has been deprecated. Therefore, if you want to use %patch, a warning message suggests you to use the explicit syntax, for example, %patch 0 or %patch -P 0 to apply the zero-th patch.

The DNF debug plug-in has been deprecated

The DNF debug plug-in, which includes the dnf debug-dump and dnf debug-restore commands, has been deprecated and will be removed from the dnf-plugins-core package in the next major RHEL release.

The support for libreport has been deprecated

The support for the libreport library has been deprecated and will be removed from DNF in the next major RHEL release.

The perl(Mail::Sender) module is now deprecated

The perl(Mail::Sender) module is now deprecated and will be removed from the next major release without any replacement. As a result, the checkbandwidth script from net-snmp-perl package does not support email alerts when bandwidth high/low levels for a host or interface are reached.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The %vmeff metric from the sysstat package has been deprecated

The %vmeff metric from the sysstat package to measure the page reclaim efficiency will no longer be supported in a future major version of RHEL. The values of the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions.

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, is deprecated.

cgroupsv1 is now deprecated in RHEL 9

The cgroups is a kernel subsystem used for process tracking, system resource allocation and partitioning. Systemd service manager supports booting in the cgroups v1 mode as well as in cgroups v2 mode. In Red Hat Enterprise Linux 9, the default mode is v2. In Red Hat Enterprise Linux 10, systemd will not support booting in the cgroups v1 mode and only cgroups v2 mode will be available.

Client-side and server-side DHCP packages are deprecated

Internet Systems Consortium (ISC) has announced the end of maintenance for ISC DHCP as of the end of 2022. As a result, Red Hat has decided to deprecate the use of client-side and server-side DHCP packages in RHEL 9 and not to distribute them in later major versions of RHEL. Customers must prepare for the transition to available alternatives, such as dhcpcd and ISC Kea.

Various packages are now deprecated in infrastructure services

The following packages are deprecated in RHEL 9 and will not be distributed in later major versions of RHEL:

ipset has been deprecated

In RHEL 9, the ipset utility is deprecated and is planned to be removed in a future major release. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements. As an alternative to ipset, you can use the nftables sets functionality instead.

The Soft-iWARP driver is deprecated

RHEL 9 provides the Soft-iWARP driver as an unsupported Technology Preview. Starting with RHEL 9.5, this driver is deprecated and will be removed in RHEL 10.

The dhcp-client package is deprecated

Previously, you could configure NetworkManager in RHEL 9 to use a DHCP client from the dhcp-client package. However, the option to use the dhclient utility is now deprecated and results in a warning being displayed at the NetworkManager startup. To configure NetworkManager as described above, switch to the internal DHCP library. In RHEL 10, the dhcp-client package is no longer available and the applications configured to use the dhclient utility use the internal DHCP library instead.

Network teams are deprecated in RHEL 9

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

NetworkManager connection profiles in ifcfg format are deprecated

In RHEL 9.0 and later, connection profiles in ifcfg format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.

The iptables back end in firewalld is deprecated

In RHEL 9, the iptables framework is deprecated. As a consequence, the iptables back end and the direct interface in firewalld are also deprecated. Instead of the direct interface you can use the native features in firewalld to configure the required rules.

The firewalld lockdown feature is deprecated.

The lockdown feature in firewalld is deprecated because it cannot prevent processes that are running as root from adding themselves to the allow list. The lockdown feature may be removed in a future major RHEL release.

The connection.master, connection.slave-type, and connection.autoconnect-slaves properties are deprecated

Red Hat is committed to using conscious language. For details about this initiative, see Making open source more inclusive. Therefore, the connection.master, connection.slave-type, and connection.autoconnect-slaves properties were renamed. To ensure backward compatibility, aliases have been created that map the old property names to the new ones:

The PF_KEYv2 kernel API is deprecated

Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. PV_KEYv2 is not actively maintained upstream and misses important security features, such as modern ciphers, offload, and extended sequence number support. As a result, starting with RHEL 9.3, the PV_KEYv2 API is deprecated and will be removed in the next major RHEL release. If you use this kernel API in your application, migrate it to use the modern netlink API as an alternative.

ATM encapsulation is deprecated in RHEL 9

Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.

The kexec_load system call for kexec-tools has been deprecated

The kexec_load system call, which loads the second kernel, will not be supported in future RHEL releases. The kexec_file_load system call replaces kexec_load and is now the default system call on all architectures.

Support for the block translation table driver has been deprecated

Support for the block translation table driver (btt.ko) has been deprecated and will be removed in the future major RHEL release. Red Hat will provide bug fixes and support for configuring Non-Volatile Dual In-line Memory Modules (NVDIMM) namespaces by using sector mode during the current release lifecycle. However, this feature will no longer receive enhancements and will be removed.

The nvme_core.multipath parameter is deprecated

In RHEL 9.6, the nvme_core.multipath parameter is deprecated and is planned to be removed in a future release. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements and will be removed in a future major release.

Support for NVMe devices has been deprecated from the lsscsi package

Support for Non-volatile Memory Express (NVMe) devices has been deprecated and will be removed from the lsscsi package in the future major RHEL release. Use native tools such as nvme-cli, lsblk, and blkid instead.

Support for NVMe devices has been deprecated from the sg3_utils package

Support for Non-volatile Memory Express (NVMe) devices has been deprecated and will be removed from the sg3_utils package in the future major RHEL release. You can use native tools (nvme-cli) instead.

lvm2-activation-generator and its generated services removed in RHEL 9.0

The lvm2-activation-generator program and its generated services lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.

Persistent Memory Development Kit (pmdk) and support library have been deprecated in RHEL 9

pmdk is a collection of libraries and tools for System Administrators and Application Developers to simplify managing and accessing persistent memory devices. pmdk and support library have been deprecated in RHEL 9. This also includes the -debuginfo packages.

The md-linear, md-faulty, and md-multipath modules have been deprecated

The following MD RAID kernel modules have been deprecated and will be removed in a future major RHEL release:

The VDO sysfs parameters have been deprecated

The Virtual Data Optimizer (VDO) sysfs parameters have been deprecated and will be removed in a future major RHEL release. Except for log_level, all module-level sysfs parameters for the kvdo module will be removed. For individual dm-vdo targets, all sysfs parameters specific to VDO will also be removed. There is no change for the parameters that are common to all DM targets. Configuration values for dm-vdo targets, which are currently set by updating the removed module-level parameters, can no longer be changed.

Deprecated high availability features

The following features were deprecated as of Red Hat Enterprise Linux 9.5 and will be removed in the next major release. The pcs command-line interface produces a warning when you attempt to configure a system with these features.

Resilient Storage Add-On has been deprecated

The Red Hat Enterprise Linux (RHEL) Resilient Storage Add-On has been deprecated as of RHEL 9. The Resilient Storage Add-On will no longer be supported starting with Red Hat Enterprise Linux 10 and any subsequent releases after RHEL 10. The RHEL Resilient Storage Add-On will continue to be supported with earlier versions of RHEL (7, 8, 9) and throughout their respective maintenance support lifecycles.

libdb has been deprecated

RHEL 9 currently provide Berkeley DB (libdb) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.

Redis will be replaced with Valkey in Grafana, PCP, and grafana-pcp

The Redis key-value store has been deprecated and will be replaced with Valkey in the next major version of RHEL. As a result, Grafana, PCP, and the grafana-pcp plug-in will use Valkey to store data instead of Redis in RHEL 10.

HTML content of llvm-doc is deprecated

The HTML content of the llvm-doc package will be removed in a future RHEL release and replaced with a single HTML file pointing to online documentation at llvm.org. Users of llvm-doc that do not have network access will need an alternative way to access LLVM documentation.

Smaller size of keys than 2048 are deprecated by openssl 3.0 in Go’s FIPS mode

Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and no longer work in Go’s FIPS mode.

Some PKCS1 v1.5 modes are now deprecated in Go’s FIPS mode

Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work in Go’s FIPS mode.

32-bit packages are deprecated

Linking against 32-bit multilib packages is deprecated. The *.i686 packages will remain supported for the life cycle of Red Hat Enterprise Linux 9, but will be removed in the next major version of RHEL.

The pam_console module is deprecated

In RHEL 9.5, the pam_console module is deprecated and is planned to be removed in a future release. The pam_console module grants file permissions and authentication capabilities to users logged in at the physical console or terminals, and adjusts these privileges based on console login status and user presence. As an alternative to pam_console, you can use the systemd-logind system service instead. For configuration details, see the logind.conf(5) man page.

SHA-1 in OpenDNSSec is now deprecated

OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 algorithm is no longer supported. With the RHEL 9 release, SHA-1 in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

The ad_allow_remote_domain_local_groups option has been deprecated

The ad_allow_remote_domain_local_groups option in sssd.conf has been deprecated in Red Hat Enterprise Linux (RHEL) 9.6. The ad_allow_remote_domain_local_groups option might be removed from a future release of RHEL.

The sss_ssh_knownhostsproxy tool has been deprecated

The sss_ssh_knownhostsproxy has been deprecated and will be replaced by a more efficient tool in RHEL 10. sss_ssh_knownhostsproxy will be kept for backwards compatibility in RHEL 9 and will be removed in RHEL 10. Support for the ssh KnownHostsCommand option will be added in a future release.

The SSSD files provider has been deprecated

The SSSD files provider has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The files provider might be removed from a future release of RHEL.

The enumeration feature has been deprecated for AD and IdM

The enumeration feature enables you to list all users or groups by using getent passwd or getent group commands without arguments for Active Directory (AD), Identity Management (IdM), and LDAP providers. Support for the enumeration feature has been deprecated for AD and IdM in Red Hat Enterprise Linux (RHEL) 9. The enumeration feature will be removed for AD and IdM in RHEL 10.

The libsss_simpleifp subpackage has been deprecated

The libsss_simpleifp subpackage that provides the libsss_simpleifp.so library has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The libsss_simpleifp subpackage might be removed from a future release of RHEL.

The SMB1 protocol is deprecated in Samba

Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.

Firefox and Thunderbird Flatpak images have been deprecated

The rhel9/firefox-flatpak and rhel9/thunderbird-flatpak Flatpak images, which are available in RHEL 9 as Technology Previews, have been deprecated will be replaced by their RHEL 10 versions.

Evince has been deprecated

Evince, a document viewer for the GNOME desktop, has been deprecated and will be removed in a future major release.

power-profile-daemon is deprecated

The power-profile-daemon package has been deprecated and is replaced by the tuned-ppd package. In new installations of RHEL 9.6, the tuned-ppd package is installed by default.

Totem media player has been deprecated

The Totem media player has been deprecated in RHEL 9.5 and will be removed in a future major release.

power-profiles-daemon has been deprecated

The power-profiles-daemon package that provides the power mode configuration in GNOME has been deprecated and will be removed in a future major release.

gedit is deprecated

gedit, the default graphical text editor in Red Hat Enterprise Linux, has been deprecated and will be removed in a future major release. Instead, use GNOME Text Editor.

Qt 5 libraries have been deprecated

Qt 5 libraries have been deprecated and will be removed in a future major release. Qt 5 libraries are replaced with Qt 6 libraries, with new functionality and better support.

WebKitGTK has been deprecated

The WebKitGTK web browser engine has been deprecated and will be removed in a future major release.

Evolution has been deprecated

Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The application and its plugins has been deprecated and will be removed in a future major version. You can find an alternative in a third party source, for example on Flathub.

Festival has been deprecated

The Festival speech synthesizer has been deprecated and will be removed in a future major version.

The Eye of GNOME has been deprecated

The Eye of GNOME (eog) image viewer application has been deprecated in RHEL 9.

Cheese has been deprecated

The Cheese camera application has been deprecated and will be removed in a future major version.

Devhelp has been deprecated

Devhelp, a graphical developer tool for browsing and searching API documentation, has been deprecated and will be removed in a future major version. You can now find API documentation online in specific upstream projects.

gtkmm based on GTK 3 has been deprecated

gtkmm is a C++ interface for the GTK graphical toolkit. The gtkmm version that was based on GTK 3 has been deprecated with all its dependencies and will be removed in a future major version. To access gtkmm in RHEL 10, migrate to the gtkmm version based on GTK 4.

Inkscape has been deprecated

The Inkscape vector graphics editor has been deprecated and will be removed in a future major version.

GTK 2 is now deprecated

The legacy GTK 2 toolkit and the following, related packages have been deprecated:

LibreOffice is deprecated

The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.

TigerVNC is deprecated

The TigerVNC remote desktop solution is now deprecated. It will be removed in a future major RHEL release and replaced by a different remote desktop solution.

The PulseAudio daemon is deprecated

The PulseAudio daemon, and its packages pulseaudio and alsa-plugins-pulseaudio, have been deprecated and will be removed in a future major release.

Motif has been deprecated

The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.

The Intel vGPU feature has been removed

Previously, as a Technology Preview, it was possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices could then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs shared the performance of a single physical Intel GPU, however only selected Intel GPUs were compatible with this feature.

The sshd variable deprecated and replaced by sshd_config

To unify coding standards across the RHEL system roles, the sshd variable has been replaced by the sshd_config variable. The sshd variable is now deprecated and may be removed from the sshd Ansible role in a future major version of RHEL.

The mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula variable has been deprecated

With a future major update of RHEL, the mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula variable will no longer be supported in the mssql system role because the role can now install the odbc driver for mssql_tools version 17 and 18. Therefore, you must use the mssql_accept_microsoft_odbc_driver_for_sql_server_eula variable without the version number instead.

Deprecated variables in the podman RHEL system role: container_image_user and container_image_password

The container_image_user and container_image_password variables are deprecated. In a future major release of RHEL, these variables will be removed. You can use the podman_registry_username and podman_registry_password variables instead.

The network System Role displays a deprecation warning when configuring teams on RHEL 9 nodes

The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on a RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.

NIC device drivers related to iPXE are deprecated in RHEL 9

Internet Preboot eXecution Environment (iPXE) firmware provides a range of boot options over a network often used in environments, where machines need to boot remotely. Among others, it contains a large number of device drivers. The following have been marked as deprecated and will be removed in the RHEL 10 release:

libvirtd has become deprecated

The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.

Using Windows Server 2012 or Windows 8 as a guest operating system is not supported

Because Microsoft ended support for the following versions of Windows, Red Hat also removed support for using these versions as a guest operating system in this update.

Internal snapshots for VMs have been deprecated

Creating and reverting to a virtual machine (VM) snapshot has become deprecated for snapshots that use the internal snapshot mechanism, and will be removed in a future major release of RHEL. Instead, use snapshots with the external mechanism.

virt-manager has been deprecated

The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager might not be yet available in the RHEL web console.

SecureBoot image verification using SHA1-based signatures is deprecated

Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA-2 algorithm, or later.

The virtual floppy driver has become deprecated

The isa-fdc driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.6.

qcow2-v2 image format is deprecated

With RHEL 9.6, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9.6 Image Builder cannot create disk images in the qcow2-v2 format.

Legacy CPU models are now deprecated

A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:

RDMA-based live migration is deprecated

With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.

pmem device passthrough has become deprecated

With this update, the non-volatile memory library (nvml) packages have become deprecated, and will be removed in a future major version of RHEL. As a consequence, when the package removal occurs, it will no longer be possible to pass persistent memory (pmem) devices to the virtual machines (VMs). Note that emulated NVDIMM devices backed by volatile memory or files will still be available, but will not be possible to configure as persistent.

Converting Xen virtual machines from RHEL 5 by using virt-v2v has been deprecated.

Using the virt-v2v tool to convert virtual machines from a RHEL 5 Xen host to KVM has become deprecated, and will be removed in a future major release of RHEL. For details, see the Red Hat Knowledge Base.

The rsyslog container image has been deprecated

The rsyslog container image has been deprecated and will be removed in a future major release.

The runc container runtime has been deprecated

The runc is deprecated and will be removed in RHEL 10.0. The default container runtime in RHEL 9 is crun. The crun is a fast and low-memory footprint OCI container runtime written in C. The crun binary is up to 50 times smaller and up to twice as fast as the runc binary. Using crun, you can also set a minimal number of processes when running your container. The crun runtime also supports OCI hooks.

The podman-tests package has been deprecated

The podman-tests package has been deprecated.

nodejs-18 and nodejs-18-minimal are deprecated

The nodejs-18 and nodejs-18-minimal container images are now deprecated and will no longer receive feature updates. Use nodejs-22 and nodejs-22-minimal instead.

The Podman v5.0 deprecations

In RHEL 9.5, the following is deprecated in Podman v5.0:

The runc container runtime has been deprecated

The runc container runtime is deprecated and will be removed in a future major release of RHEL. The default container runtime is crun.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

SHA1 hash algorithm within Podman has been deprecated

The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after the upgrade.

rhel9/pause has been deprecated

The rhel9/pause container image has been deprecated.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed from Podman in a future minor release of RHEL. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.

The Inkscape and LibreOffice Flatpak images are deprecated

The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as Technology Previews, have been deprecated.

pasta as a network name has been deprecated

The support for pasta as a network name value is deprecated and will not be accepted in the next major release of Podman, version 5.0. You can use the pasta network name value to create a unique network mode within Podman by employing the podman run --network and podman create --network commands.

The BoltDB database backend has been deprecated

The BoltDB database backend is deprecated as of RHEL 9.4. In a future version of RHEL, the BoltDB database backend will be removed and will no longer be available to Podman. For Podman, use the SQLite database backend, which is now the default as of RHEL 9.4.

The CNI network stack has been deprecated

The Container Network Interface (CNI) network stack is deprecated and will be removed in a future release. Use the Netavark network stack instead. For more information, see Switching the network stack from CNI to Netavark.

The Podman v5.0 upcoming deprecations

The following will be deprecated in the upcoming Podman v5.0, which will be released in RHEL 9.5 and RHEL 10.0 Beta:

The rhel9/openssl has been deprecated

The rhel9/openssl container image has been deprecated.

The auth and authconfig Kickstart commands require the AppStream repository

The authselect-compat package is required by the auth and authconfig Kickstart commands during installation. Without this package, the installation fails if auth or authconfig are used. However, by design, the authselect-compat package is only available in the AppStream repository.

Unexpected SELinux policies on systems where Anaconda is running as an application

When Anaconda is running as an application on an already installed system (for example to perform another installation to an image file using the –image anaconda option), the system is not prohibited to modify the SELinux types and attributes during installation. As a consequence, certain elements of SELinux policy might change on the system where Anaconda is running.

Local Media installation source is not detected when booting the installation from a USB that is created using a third party tool