9.7 Release Notes

New boot menu entry for fips=1 added to ISO installations

With this update, the DVD and Boot ISO image installations provide a new boot menu entry for setting the fips=1 kernel boot option. This simplifies the process, as enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. By using this boot option, you start the installation with the fips=1 kernel parameter and you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.

The blueprint file customization now supports a URI field for referencing files from external sources

This update adds the URI field support to the blueprint file customization structure. As a result, you can reference and source files from external locations rather than only those included directly in the blueprint, providing more flexible customization of the build system and a more adaptable build experience.

RHEL image builder supports a new image type vagrant-libvirt for vagrant

With this update, RHEL image builder supports the libvirt hypervisor, and you can easily run RHEL virtual machines by using Vagrant. This enhancement provides pre-configured images to ensure a consistent and streamlined setup. It also grants sudo privileges to the vagrant user within the Vagrant box, making it easier to manage and execute administrative tasks. These enhancements deliver a more efficient and seamless experience when working with RHEL virtual machines in Vagrant environments.

RHEL Image Builder GUI supports modularized content discovery

Starting from RHEL 9.7, RHEL Image Builder Graphical User Interface (GUI) supports modularized content discovery. This capability introduces the following enhancements:

RHEL Image Builder now supports WSL2 images

You can now use the RHEL image builder to create Windows Subsystem for Linux (WSL2). The image type is available in the wsl format, and to consume the image, deploy it by double-clicking the generated file.

A new rhel9/bootc-image-builder container image is generally available in RHEL

The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.

The bootc-image-builder tool is generally available in RHEL

The bootc-image-builder tool, now generally available in RHEL, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc-image-builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc-image-builder every time a new update is required.

composefs read-only file system supports bootc/ostree and podman projects

The composefs read-only file system is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images at runtime. As a result, you have a fully verified file-system tree mounted, with opportunistic fine-grained sharing of identical files.

NSS rebased to 3.112

The NSS cryptographic toolkit packages have been rebased to upstream version 3.112, which provides many improvements and fixes. Most notably, the following:

RHEL 9.7 crypto-policies supports post-quantum cryptography

With this update of the system-wide cryptographic policies, you can enable support for post-quantum cryptography (PQC) through the new PQ subpolicy. The most notable changes in RHEL 9.7 crypto-policies include:

OpenSSL rebased to 3.5

OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:

OpenSSL supports sslkeylogfile

OpenSSL supports the sslkeylogfile format for TLS. As a result, you can log all secrets produced by SSL connections by setting the SSLKEYLOGFILE environment variable.

Hybrid ML-KEM cryptography works in FIPS mode

With this release, Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) post-quantum cryptographic algorithms are supported in FIPS mode of RHEL. OpenSSL is able to fetch the Elliptic Curve Diffie-Hellman (ECDH) part of the new hybrid post-quantum groups from the FIPS provider when the system is running in FIPS mode. As a result, the OpenSSL library uses FIPS-compliant cryptography for the ECDH part of the hybrid post-quantum key exchanges. When you set the system to the FIPS:PQ cryptographic policy, the hybrid post-quantum groups are enabled and used by default by OpenSSL servers and clients.

crypto-policies support Ed25519 in NSS

With this update to the system-wide cryptographic policies, support for the SHA-512 variant of the Edwards-curve Digital Signature Algorithm (EdDSA), Ed25519, is available for Network Security Services (NSS). As a result, crypto-policies enable Ed25519 in DEFAULT, LEGACY, and FUTURE policies for NSS by default.

New package: rust-rpm-sequoia

RHEL 9.7 introduces the rust-rpm-sequoia package to support quantum-resistant signatures in RPM packages through the multisig DNF plug-in. This addition enables you to verify OpenPGP v6 signatures in RPM packages signed with post-quantum cryptographic (PQC) algorithms.

SCAP Security Guide rebased to 0.1.78

For additional information, see the SCAP Security Guide release notes.

The SELinux policy adds rules and type for the qgs daemon

The qgs daemon was added to RHEL with the linux-sgx package, which supports TDX confidential virtualization. The qgs daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new qgs_t type, access rules, and permissions.

Three RHEL services removed from SELinux permissive mode

The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

tuned-ppd confined in the SELinux policy

RHEL 9.7 adds additional rules to the SELinux policy that confine the tuned-ppd service. Before this update, the service ran with the unconfined_service_t SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule. With this update, the service is no longer unconfined and runs successfully in SELinux enforcing mode.

Keylime rebased to version 7.12.1

The Keylime packages have been rebased to upstream version 7.12.1. The most important fixes and enhancements include:

SELinux assigns a particular type to /dev/diag

With this update, the diagnostic_device_t type is assigned to the /dev/diag device in the SELinux policy. As a result, SELinux can properly control access to the device.

OpenSSL PKCS #11 provider adds support for Ex=RSA ciphers

This update of the OpenSSL PKCS #11 provider enables the use of PKCS #11 tokens with OpenSSL without relying on deprecated functionality. This alternative resolves the unsupported RSA padding mode issue, ensuring seamless use of Ex=RSA ciphers with hardware security modules (HSMs) on RHEL 9. This results in eliminating TLS handshake failures and providing secure communication when establishing TLS 1.2 connections with OpenSSL and PKCS #11 tokens.

New package: fips-provider-next

The fips-provider-next package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the openssl-fips-provider package is the validated OpenSSL FIPS provider. To switch from ‎openssl-fips-provider to ‎fips-provider-next:

Rsyslog imuxsock provides the new ratelimit.discarded counter

With this update, the imuxsock Rsyslog module includes a new counter, ratelimit.discarded, which tracks the number of messages dropped due to rate-limiting on the Unix socket. This enhancement provides administrators with visibility into message loss due to rate-limiting, enabling them to fine-tune their rate-limiting settings and prevent critical logs from being discarded.

Rsyslog imfile provides the new deleteStateOnFileMove option

With this update, the new deleteStateOnFileMove parameter has been added to the imfile module, available as both a module-level and a per-action option. This enhancement addresses the issue of orphaned state files accumulating in the spool/ directory when monitored log files are rotated or moved. By enabling this parameter, you can automatically clean up these obsolete files when log files are moved, preventing disk space from being wasted and simplifying management.

Simplified status for systems registered to SCA-enabled organizations

Before this update, when registered to a Simple Content Access (SCA) enabled organization, the subscription-manager status command reported Overall Status: Disabled and System Purpose Status: Disabled. Because this status was confusing and often misinterpreted as an error, the status report has been simplified. Now the Overall Status reports either Registered or Not registered and System Purpose Status has been eliminated.

dnf4 can be used to run DNF commands

With this update, you can enter either dnf or dnf4 to run DNF commands.

DNF can verify RPMv6 signatures on RPM packages

Quantum-safe cryptography guarantees integrity and origin of software. However, in quantum computing, standard asymmetric cryptography algorithms, such as RSA, are no longer relevant. With this update, you can use the new multisig DNF plugin to verify RPMv6 signatures on RPM packages, in addition to standard RPMv4 signatures. RPMv6 signatures can be based on quantum-safe algorithms, such as ML-DSA.

createrepo_c supports zstd

This enhancement adds support for the Zstandard (zstd) compression algorithm for createrepo_c commands. As a result, createrepo_c can read and generate metadata compressed with zstd.

dnf marks transient transactions in DNF history

The dnf history info command shows whether a transaction was persistent or transient. As a result, it is easier to keep track of package changes, especially on systems with many transient packages.

RPM records a checksum of the original package during installation

With this update, RPM records the SHA256 and SHA512 digests of the entire .rpm package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific .rpm file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of .rpm packages, such as the ones available in a DNF repository.

RPM supports spec-local file attributes and dependency generators

File attributes and their dependency generators are usually shipped in separate packages that you must install prior to building a package that uses these attributes. However, you might need a file attribute to take effect during the build of the package that ships this attribute. You might also need the file attribute just for building the package, without shipping the attribute at all.

New $releasever_major and $releasever_minor variables

The new $releasever_major and $releasever_minor variables are available to better support the Extra Packages for Enterprise Linux (EPEL) repository and other repositories that distribute content per major version of RHEL instead of per minor version. These variables are automatically derived from the $releasever variable or the system-release(releasever_major) and system-release(releasever_minor) virtual provides. As a result, you can use $releasever_major and $releasever_minor to create repository configuration files that work across multiple major or minor versions of RHEL.

openCryptoki provided in version 3.25.0

The openCryptoki packages are provided in version 3.25.0. Support has been added for the following:

GIMP rebased to 3.0.4

The GNU Image Manipulation Program (GIMP) has been rebased to stable upstream version 3.0.4 in RHEL 9.7.

RHEL is now equipped with dyninst version 13.0.0

The dyninst framework is rebased to upstream version 13.0.0 This version offers the following list of enhancements:

RHEL is now equipped with SystemTap version 5.3

SystemTap is rebased to version 5.3, and its multithreaded parsing capability now improves startup performance by reducing initialization time by several seconds.

elfutils is now rebased to version 0.193

elfutils 0.193 is now available in RHEL 9.7. The notable changes in this update include:

valgrind has been upgraded to upstream version 3.25.1

The upgrade from version 3.24.0 (RHEL 9.6) to the upstream version 3.25.1 (RHEL 9.7) provides the following notable enhancements:

valgrind package split into subpackages for flexible installation

Before this update, the ‎valgrind package included all components in a single package. As a consequence, you had to install features that you did not need.

Valkey 8 is now available

Valkey 8, an advanced key-value store, is now available in RHEL. It functions as a data structure server, allowing keys to store various data types, for example:

fs.protected_regular and fs.protected_fifos sysctls parameters are enabled by default

Previously, in the RHEL 9 kernel the fs.protected_regular and fs.protected_fifos sysctls parameters were added to make some data spoofing attacks harder. Now, these parameters are enabled by default which improves the security for installations. To disable these sysctls parameters, add the following lines in the /etc/sysctl.d/60-protected.conf file:

The BrowseOptionsUpdate directive is now available in RHEL

The BrowseOptionsUpdate directive determines the source and update frequency of default printing options. It specifies whether the system retrieves options from a local system or a remote printing server, and if it updates them at service startup, at certain intervals, or not at all.

RHEL 10 provides gpsd in version 3.26.1

In RHEL 10, the gpsd tools package is provided in version 3.26.1. This version offers improved support for u-blox receivers.

Nmstate can assign settings to network interfaces based on PCI addresses

With this enhancement, you can use Nmstate to set up network interfaces based on their PCI address instead of a device name. Use this feature to ensure consistent configuration across nodes in a cluster. For further details, see Configuring an Ethernet connection with a dynamic IP address by using nmstatectl with a device path and Configuring an Ethernet connection with a static IP address by using nmstatectl with a device path.

Bond configurations in Nmstate support optimization settings

With this enhancement, the Nmstate API supports the following bond options:

nmtui now supports configuring the loopback interface

NetworkManager already supports configuring the loopback interface by using the nmcli utility. This enhancement adds the same functionality to the nmtui application. As a result, you can configure IP addresses and routes on the loopback interface.

The NetworkManager-libreswan plugin supports using the Libreswan default values

With this enhancement, you can set the no-nm-default property in Libreswan VPN connection profiles to true to use Libreswan’s instead of NetworkManager’s default values. This ensures the compatibility with configurations defined for native Libreswan. As a result, you can now, for example, configure subnet-to-subnet tunnels.

NetworkManager now supports fixed subnet IDs for downstream interfaces when using IPv6 prefix delegation

With this enhancement, you can now specify a fixed subnet ID for downstream interfaces in NetworkManager when you use IPv6 prefix delegation. In previous releases, when you rebooted the system, the subnet ID for these interfaces could change. With a fixed subnet ID, IPv6 addresses assigned to devices in the downstream network do not change when you reboot the RHEL host.

An NBFT parser was added to nm-initrd-generator

NVMe Boot Firmware Table (NBFT) is a standard method for firmware to pass network and storage configuration from the pre-boot environment directly to the operating system by using an ACPI table. The nm-initrd-generator utility now uses this parser to automatically detect and apply this configuration, and creates the necessary connections without manual setup. This implementation replaces the 95nvmf module in dracut and relies on systemd automation for a more streamlined and robust boot sequence.

Nmstate now supports configuring FEC settings for network interfaces

With this enhancement, you can now use Nmstate to apply Forward Error Correction (FEC) modes, such as RS-FEC, Base-R and Disabled to interfaces. These settings are crucial for improving data transmission reliability by detecting and correcting errors without retransmission. As a result, you can now use Nmstate to apply FEC settings instead of manually configuring them or using platform-specific tools.

Nmstate now supports the mtu and quickack route options

With this enhancement, you can use Nmstate to set the mtu and quickack route options. These settings are important for optimizing the network performance if the maximum transmission unit is different from the default and for tuning the TCP acknowledgment behavior. As a result, you now have more precise control over network traffic behavior.

The mlx5 driver now supports symmetric OR-XOR RSS hash

With this enhancement, the default transform (xfrm) for Receive Side Scaling (RSS) is now symmetric-or-xor.

ModemManager rebased to version 1.22

The ModemManager packages have been upgraded to upstream version 1.22. This version includes bug fixes and support for additional devices.

Nmstate now supports egress and ingress priority mapping for VLAN interfaces

NetworkManager already supports configuring traffic priority mapping for VLAN interfaces. With this enhancement, the Nmstate library can also handle both egress and ingress priority quality of service (QoS) mapping rules. As a result, you can use Nmstate to create VLANs and define bidirectional priority mapping, helping manage traffic more precisely and efficiently.

Nmstate now supports configuring routes by using a MAC address instead of an interface name

With Nmstate, you can create a network connection by assigning it to the MAC address of an interface. With this enhancement, you can use the profile name instead of the interface name in the next-hop-interface parameter in the routing configuration. With this feature, you can create static routes without knowing the interface name.

New network packet drop reasons and MIB counters

The kernel’s networking stack now provides more detailed reasons when it drops network packets. This enhancement also adds two new Management Information Base (MIB) counters: LINUX_MIB_PAWS_TW_REJECTED and LINUX_MIB_PAWS_OLD_ACK. As a result, debugging and diagnosing network problems, is now easier.

The fwctl subsystem has been added to the kernel

If the kernel lock-down feature is enabled, the kernel does not allow access to resource0 files in the /sys/ directory and PCI config spaces for security reasons. The fwctl kernel subsystem manages communication with the firmware in software-defined devices, such as the mlx5 network interface controller. This subsystem establishes a standardized and secure Remote Procedure Call (RPC) interface, that enables user-space applications to interact with device firmware for diagnostics, configuration, and updates. In addition to the new subsystem, the mstflint utility now also uses the fwctl subsystem, and the utility functions fully in these secure environments.

The ice driver now supports reducing the MSI-X vector usage for a PF to free vectors for associated VF

With this enhancement, you can now reduce the Message Signaled Interrupts eXtended (MSI-X) vectors allocated to a physical function (PF) to ensure that a sufficient number of vectors are available for associated virtual functions (VFs). For details, see Reducing the MSI-X vector usage for a physical function to free vectors for associated virtual functions.

iproute rebased to version 6.14.0

The iproute package has been updated to upstream version 6.14.0.

Kernel version in RHEL 9.7

Red Hat Enterprise Linux 9.7 is distributed with the kernel version 5.14.0-611.5.1.

Added support for virtio devices

Before this update, virtio devices inside of KVM guests were all listed as type generic-ccw. With this enhancement, you can easily identify which device type is connected at which device number by using the lszdev command:

kpatch-dnf plugin is updated with improved kernel management

Before this update, the ‎kpatch-dnf plugin did not align kernel upgrades with kpatch support. As a consequence, administrators might install or upgrade to kernels that were not supported by kpatch, thereby increasing the risk of running unsupported kernels and reducing system stability.

Arm SPE support extended to Neoverse-V2 and Cortex CPUs in the kernel

The Arm SPE feature support in kernel has been extended to include Neoverse-V2 and Cortex CPUs. As a result, users can now access Arm SPE capabilities for improved observability and analysis when running workloads on Neoverse-V2 and Cortex CPUs.

Intel Arrow Lake U RAPL energy events support in kernel

Before this update, the Intel Arrow Lake U microarchitecture did not support RAPL (Running Average Power Limit) energy performance counters in the kernel package. As a result, users could not monitor or measure energy consumption for Arrow Lake U systems using standard perf tooling.

Added support for core energy counters in ‎kernel

The kernel supports per-core energy measurement on AMD CPUs. The Power Management Unit (PMU) exposes the ‎power_core PMU and the ‎energy-core event so that you can monitor energy consumption for each CPU core. This enhancement aligns with AMD per‑core energy counter capabilities.

Perf support for Intel Clearwater Forest core counters

Before this update, you could not monitor hardware events on Intel Clearwater Forest CPUs by using perf core counters. With this update, the perf package recognizes the Clearwater Forest Performance Monitoring Unit (PMU). It provides named core events, including Topdown Level 1 metrics, such as front‑end bound, back‑end bound, retiring, and slots. Perf also uses architectural process event‑based sampling (PEBS) on this microarchitecture to provide low‑overhead sampling of selected events. As a result, you can collect core counter data and perform Top-down analyses on Clearwater Forest systems.

Adaptive PEBS enables counter snapshotting support in perf on Intel Panther Lake

Before this update, the Linux kernel’s perf tool relied on software-based sample reads to collect performance event data, which introduced minor timing gaps and additional overhead when reading counters after an event overflow. With this update, adaptive PEBS counter snapshotting is available on Intel Panther Lake CPUs. This hardware feature enables the kernel to capture programmable counters, fixed-function counters, and performance metrics directly in the PEBS record using the PEBS format version 6.

Intel Trace Hub supports Intel Panther Lake

This update adds Intel Trace Hub device IDs for the Panther Lake platforms (P, H, and U). The systems based on Panther Lake can use Intel Trace Hub features for debugging and tracing.

Perf uncore event support for Intel Clearwater Forest

Before this update, uncore event monitoring was not available for Intel Clearwater Forest microarchitecture. With this update, the perf package supports uncore event monitoring on Clearwater Forest systems. As a result, you can perform advanced performance analysis and debugging on supported hardware.

Intel Arrow Lake H microarchitecture support added to ‎⁠intel_th⁠

Before this update, Intel Trace Hub did not recognize Arrow Lake H NPK device IDs, which limited trace and debugging capabilities for systems that use this hardware. With this update, the ‎⁠intel_th⁠ package supports the Intel Arrow Lake H microarchitecture in Intel Trace Hub. As a result, you have enhanced tracing and debugging features on Arrow Lake H platforms.

PerfMon support enabled for Intel Arrow Lake H in kernel

With this update, the kernel package provides PerfMon support for Core, Uncore, Cstate, and MSR features on the Intel Arrow Lake H microarchitecture. As a result, you can monitor and analyze performance metrics specific to Arrow Lake H systems by using the perf tool.

Enhanced pstore functionality in virtual and cloud environments

The pstore kernel feature, which saves crash and panic information persistently, is now easier to use in virtualized environments and cloud platforms. With this release, you can enable the use of EFI variables for pstore without the efi_pstore.pstore_disable=0 kernel parameter while the system is running:

The default measurement module for rteval is now rtla timerlat for better tracing of problem latencies

With this enhancement, you should be able to easily identify the source of problem latencies. The desired cyclictest measurement module can be chosen using the rteval.config file.

KVM modules are integrated into the Realtime Kernel package

This update removes the generation of KVM module packages for the Realtime Kernel in RHEL, aligning with the decision to make the Realtime Kernel a deployment option for base RHEL. This change streamlines the deployment process, integrating KVM modules directly into the Realtime Kernel package and eliminating the separate kernel-rt-kvm package. As a result, users will experience a more seamless and efficient setup when deploying the Realtime Kernel on RHEL, improving the overall user experience.

kernel supports Shadow Stack (SHSTK) Ring 3 kernel

Before this update, the kernel package did not support Shadow Stack (SHSTK) in Ring 3 for x86_64 architectures. As a consequence, user-space applications could be vulnerable to control flow hijacking attacks.

python-drgn rebased to version 0.0.31

python-drgn has been rebased to version 0.0.31. This update introduces several enhancements and new features:

crash rebased to 9.0.0

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, has been rebased to upstream version 9.0.0. This version provides a number of fixes and enhancements, most notably the following:

Support for per-core energy tracking (RAPL perf events) for AMD CPUs

With this enhancement, the addition of the core RAPL counter support is added. As a result, the AMD systems can measure the core-level power information in addition to the package-level power information.

Default configuration now disables jitter entropy source in rng-tools

The jitter entropy source is now disabled by default in rng-tools. Modern CPUs typically provide a hardware entropy source, and most virtual machines offer the /dev/hwrng device as an entropy source from the virtual host. In these environments, the jitter entropy source consumes unnecessary CPU cycles. For older hardware without a hardware entropy source, you can explicitly enable the jitter entropy source in /etc/sysconfig/rngd.

NVMf-FC kdump is now supported on the IBM Power

NVMf-FC kdump now supports the IBM Power system for running kexec-tools. This allows the capture of system memory dumps over a fiber channel network using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.

Secure boot on aarch64 enabled through Microsoft-signed shim

The ‎shim package for the 64-bit ARM architecture is signed by Microsoft to enable secure boot by default on platforms that trust the Microsoft UEFI CA. This aligns the ARM boot path with x86 and removes the need to add custom ‎PK, ‎KEK, or ‎db entries.

multipathd supports file-based sockets

With this update, the multipathd daemon listens for commands on a file-based socket /run/multipathd.socket in addition to the abstract namespace socket. You can communicate with the host’s multipathd daemon from within a container by using a bind mount for the new socket file.

Automatic RAID checks are enabled by default

With this update, the raid-check service is enabled by default. This ensures that raid-check.service runs automatically at scheduled intervals after the system boots, performing periodic RAID consistency checks without requiring manual intervention.

LVM RAID repairs volumes after multiple simultaneous device failures

With this enhancement, you can use the lvconvert --repair /dev/VG-name/LV-name command to reintegrate missing RAID devices back into a striped RAID (raid4, raid5, and raid6). This repair process works even when the number of temporarily missing devices exceeds the fault tolerance of the RAID level, allowing for recovery once the devices reappear. Note that you must unmount and deactivate the volume and the file system on top before repairing them.

New resource agent for managing etcd in Podman containers is available

Before this update, Red Hat High Availability did not provide a resource agent for managing etcd running in Podman containers.

The Filesystem resource agent supports the aznfs file system type

Before this update, to manage an Azure Network File System file share in a cluster, you had to configure the Filesystem resource agent with fstype=nfs. This method did not support Azure-specific features, such as Encryption in Transit.

Oracle Database 23ai is supported as a cluster resource

Before this update, the Oracle database resource agent was not tested for use with the Oracle Database 23ai release. Therefore, this version was not supported as a highly available resource within a Pacemaker cluster.

The fence_sbd agent can automatically detect the SBD device

Before this update, when configuring a fence_sbd resource, you were required to explicitly specify the SBD device path by using the devices parameter.

Watchdog device listing provides more detailed information

Before this update, when listing available watchdog devices, the output only displayed the device path, such as /dev/watchdog0. This made it difficult for administrators to distinguish between multiple devices on the same system.

pcs warns users before removing the last fencing device

Before this update, pcs allowed users to disable or remove the last fencing device from a cluster without a warning. This could inadvertently leave the cluster in an unsupported state without any STONITH or SBD fencing configured.

The pcs node attribute and pcs node utilization commands now support multiple output formats

Previously, the pcs node attribute and pcs node utilization commands displayed their output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

The pcs alert config command now supports multiple output formats

Previously, the pcs alert config command displayed its output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.

pcs automatically validates the CIB for potential issues

Previously, the pcs utility did not automatically run advanced validation checks on the Cluster Information Base (CIB). As a consequence, certain cluster misconfigurations could remain undetected during routine operations.

pcs provides more detailed error messages for failed CIB updates

Previously, when a CIB update failed when using the pcs cluster edit or pcs cluster cib-push commands, the error message provided by Pacemaker was generic. It did not explain the specific reason for the failure, which made troubleshooting the invalid configuration difficult.

A new pcs command is available for renaming a cluster

Previously, it was not possible to change the name of an existing cluster using pcs commands. Administrators had to perform a series of manual steps, which were complex and could lead to errors.

New fence agent for Nutanix AHV virtualization is now available

Previously, Red Hat High Availability Add-On did not provide a dedicated fence agent for Nutanix Acropolis Hypervisor (AHV) environments.

The pcs resource meta command is improved to support bundles and prevent guest node misconfiguration

Previously, the pcs resource meta command did not support managing meta attributes for bundle resources. Additionally, the command did not prevent users from incorrectly modifying the connection parameters of a guest node, which could lead to a misconfigured resource.

The IPaddr2 resource agent now detects network link failures

Before this update, the IPaddr2 resource agent did not monitor the link state of the network interface. As a consequence, an IPaddr2 resource continued to report success on a node even if the underlying interface was in a DOWN or LOWERLAYERDOWN state, preventing the cluster from recovering the resource on another node.

The fence_aws agent supports immediate power-off

Previously, when the fence_aws agent performed an off or reboot action, it triggered a graceful shutdown of the instance. This introduced a delay in the fencing process, as the node was not powered off immediately.

The PostGIS extension is available for PostgreSQL 16

This enhancement adds the PostGIS extension to PostgreSQL 16. With this extension, PostgreSQL supports geographic objects, enabling spatial queries and analysis for Geographic Information System (GIS) applications, such as mapping, geolocation, and distance calculations within a relational database.

glibc now supports ‎sched_setattr and ‎sched_getattr for advanced scheduler options

Previously, ‎glibc provided access to only a limited set of Linux scheduler options through functions defined in ‎<sched.h>. This limitation required applications to use direct system calls or Linux kernel headers to access advanced scheduling features.

glibc pthread_gettid_np function added to libc_nonshared.a

Previously, there was no direct method to obtain the Linux task or thread ID (TID) from a glibc ‎pthread_t handle. The newly implemented ‎pthread_gettid_np function, declared in ‎<pthread.h> when ‎_GNU_SOURCE is defined, now allows applications that require TID, such as those using ‎sched_setattr, to retrieve the TID value directly from a ‎pthread_t handle.

glibc fortification support added for inet_ntop and inet_pton

Previously, the ‎glibc APIs ‎inet_ntop and ‎inet_pton did not include Source Fortification support, so the compiler was unable to catch some buffer errors before running the program.

GDB now supports IBM’s z17 CPU architecture

The ‎gdb package is enhanced to support binaries that use new hardware instructions introduced with IBM’s z17 CPU architecture. This update enables developers and system administrators to debug applications compiled for the latest IBM Z hardware on RHEL 9.7.

GCC Toolset 15 is now available

With this update, ‎gcc-toolset-15 is now available in RHEL 9.7. The toolset includes the latest supported versions of GCC and related utilities, enabling developers to build, test, and deploy applications using up-to-date compiler technology.

ELFv2 ABI support for ‎-fpatchable-function-entry on ppc64le

Previously, the ‎-fpatchable-function-entry option in ‎gcc did not support the ELFv2 ABI on the ppc64le architecture, which caused NOP instructions to be generated in incorrect locations for that ABI. This issue prevented the correct use of the option when targeting ELFv2.

llvm-toolset rebased to LLVM 20

The ‎llvm-toolset is updated to LLVM 20, delivering improved code generation, performance optimizations, and expanded language front‑end and library support across C, C++, and Rust workflows. This rebase aligns dependent components in RHEL, including rebuilds for ‎rust, ‎annobin, ‎bcc, ‎bpftrace, ‎qt5-qttools, and ‎mesa. The build is validated with ‎llvm-20.1.8-3.el9.

Improved _r_debug extension support for debugging applications with multiple dynamic linker namespaces

The ‎glibc package now includes the backported the _r_debug extension to support multiple namespaces. Previously, when attaching to running processes or analyzing core dumps, debuggers such as GDB could not display all loaded shared objects if the application used multiple namespaces with ‎dlmopen or audit modules.

Improved Exception Handling Performance in ‎glibc

Before this update, exception handling in large applications was slow, impacting performance, particularly in environments with a high volume of users or frequent exceptions. This was due to the time spent in the __dl_iterate_phdr function, called from _Unwind_Find_FDE.

Hardening of glibc qsort behavior on memory allocation failure

When a memory allocation fails, the qsort and‎ qsort_r functions of the glibc package use a heapsort fallback. This change improves handling of invalid comparison functions and makes performance more predictable if a memory allocation fails.

gdb is rebased to version 16.3

This update of gdb to version 16.3 in RHEL 9.7 provides the following notable enhancements:

AMD GPU pmda is now enabled for global GPU data collection

Before this update, the AMD GPU PMDA (a Performance Co-Pilot metrics agent) was not available in RHEL because the kernel lacked certain features required for full support.

Initial support for IBM Z z17 added to ‎glibc

The dynamic loader in ‎glibc is enhanced to support detecting IBM z17 CPUs or their specific features. As a result, any IBM z17-optimized libraries installed in the ‎/usr/lib64/glibc-hwcap/z17/ directory are loaded automatically on z17 systems. This update improves hardware compatibility and performance for IBM Z z17 platforms.

Rust Toolset rebased to version 1.88.0

RHEL 9.7 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:

tzdata includes the NEWS file

With this update, the tzdata package includes its NEWS file with each release to provide precise descriptions of timezone data changes. As a result, you can review the changes in detail. Users can review the included NEWS file to understand what changed in the update.

Metrics role now supports Apache Spark metric collection and export

Previously, users could not directly collect or export Apache Spark metrics using the metrics role. With this update, the ‎rhel-system-roles package adds support to gather and update metrics from Apache Spark. Two new boolean parameters are introduced:

ipa-healthcheck now warns about expiring certificates

With this update, the ipa-healthcheck tool now evaluates user-provided HTTP, DS, and PKINIT certificates for expiration and provides warnings 28 days prior to their expiration date. This is to prevent certificate expirations going potentially unnoticed, which can lead to downtime.

ansible-freeipa rebased to 1.15.1

The ansible-freeipa package, which provides modules and roles to manage Red Hat Identity Management (IdM) environments, has been rebased from version 1.13.2 to 1.15.1. The update includes the following enhancement:

IdM now supports UIDs up to Linux maximum UID limit for legacy systems compatibility

With this update, you can now use User and Group IDs up to 4,294,967,293, or 2^32-1. This aligns IdM’s maximum with the Linux UID limit and can be useful in rare cases where the standard IdM range, up to 2,147,483,647, is insufficient. Specifically, it enables IdM deployment alongside legacy systems that require the full 32-bit POSIX ID space.

Healthcheck warns if krbLastSuccessfulAuth is enabled

Enabling the krbLastSuccessfulAuth setting in the ipaConfigString attribute can lead to performance issues if large numbers of users are authenticating at the same time. Therefore, it is disabled by default. With this update, Healthcheck displays a message if krbLastSuccessfulAuth is enabled, warning about the possible performance problems.

IdM-to-IdM migration now available

IdM-to-IdM migration, previously available as a Technology Preview, is now fully supported with this release. You can use the ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, from one IdM server to another. This can be useful, for example, when moving IdM from a development or staging environment into a production one.

samba rebased to version 4.22.4

The samba package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:

389-ds-base rebased to version 2.7.0

The 389-ds-base package has been updated to version 2.7.0.

dsctl healthcheck now warns about creating a substring index on the membership attribute

An entry that contains a membership attribute is usually a group with many members. When changing the value set, substring index is very expensive even for a minor change like deleting a single member. Now, when you add the substring index type, dsctl healthcheck warns about possible high cost of substring index on membership attributes and displays the following error message:

Custom matching rules in the Attribute Uniqueness plug-in to search uniqueness attributes

With this update, in Attribute Uniqueness plug-in configuration, you can specify a matching rule for the attribute you want to enforce uniqueness on. For example, when you want to override the attribute’s syntax from case exact or case ignore.

cockpit-session-recording rebased to 20-1.el9

The cockpit-session-recording package, which records user sessions that are conducted through the Cockpit web interface, is rebased to upstream version 20-1.el9. The package has been migrated to PatternFly 6 user interface system design.

ACME server adds support for the ES256 signature algorithm

Previously, the Automatic Certificate Management Environment (ACME) server did not support the ES256 signature algorithm for JSON Web Key (JWK) validation. This lack of support prevented certain clients, such as the Caddy web server, from successfully obtaining certificates.

HSM is now fully supported in IdM

Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store your key pairs and certificates for your IdM Cerificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.

OpenGL and Vulkan are supported by default in Toolbox containers based on UBI

OpenGL and Vulkan now work by default inside Toolbox containers created from updated UBI-based toolbox images, matching the behavior on RHEL Workstation hosts. This includes only the free software drivers provided by Mesa, not proprietary ones like NVIDIA.

Low Disk Space notifications include a mount point in the web console

The Low Disk Space notifications include the mount point when multiple volumes have the same name. This enhancement reduces ambiguity about which specific file system requires more space.

cockpit rebased to version 344

The cockpit packages have been rebased to version 344, which provides many improvements and fixes compared to version 334 in RHEL 9.6, most notably:

new subpackage: cockpit-ws-selinux

The SELinux policy for the cockpit_ws processes is provided in a separate subpackage cockpit-ws-selinux. This prevents the RHEL web console from failing when run on a system without SELinux installed, because the package manager installs the selinux_policy packages as dependencies. See the cockpit_ws_selinux(8) man page on your system for more information.

The ad_integration RHEL system role can control the SSSD domain section naming and consolidate duplicates

With this update, users can control the name of the section used in the SSSD config file for the domain or realm-specific settings, as managed by the ad_dyndns_update and ad_integration_sssd_custom_settings parameters. By default, the ad_integration role uses the lower case of the ad_integration_realm variable. However if users want to use the actual case of ad_integration_realm, users can use a new option ad_integration_sssd_realm_preserve_case = true to preserve the case of the realm. This may leave the SSSD config file with multiple sections for the realm. Use the new ad_integration_sssd_remove_duplicate_sections setting to consolidate all of the settings from the multiple sections into the chosen section. As a result, the ad_integration system role can manage domain and realm sections in the SSSD config file correctly.

The journald RHEL system role can monitor disk space

With this update, you can configure the SystemKeepFree option in the journald.conf journal service to set a maximum size for the system journal. This improves overall system stability and performance. As a result, you can use the journald_system_keep_free variable to configure size limit. The value is specified in megabytes. There is no default value - by default, it will use the journald default value.

metrics role supports enabling additional PCP domains

With this update, the rhel-system-roles package introduces the metrics_optional_domains variable in the metrics RHEL system role. Users can specify a list of additional PCP domains to be activated, in addition to those that are automatically managed by the metrics role. As a result, users can enable the domains they require for their specific use cases, improving flexibility in data collection and monitoring.

Introduced a variable MaxRetention to configure the maximum retention parameter for journald

With this update, users can configure the maximum retention parameter for journald, enabling time-based deletion of journal files. This enhancement provides flexibility in managing log data according to specific data retention policies, allowing both time-based log deletion and size-based deletion. It helps with compliance with data retention requirements and improves overall system performance by preventing excessive log storage.

The podman role generates all TOML compliant configuration file

Before this update, the current Jinja-based formatter did not support many TOML features, including tables and inline tables, which were required to configure all aspects of podman. With this enhancement, all features of TOML are supported by using a true TOML formatter instead of a simple Jinja template. As a result, the podman role can generate any TOML compliant configuration file that podman can use.

The firewall RHEL system role now supports including other services

With this enhancement, you can include other services when you use the firewall RHEL system role to create firewalld service definitions. For example, you can create a service webserver that includes the http and https services. If you then enable the webserver service, firewalld open the ports defined in http and https services. For further details, see Creating a custom firewalld service by using the firewall RHEL system role.

Ability to configure the default kernel in rhel-system-roles

Previously, users could not specify which kernel should be set as the default during system boot. This limitation prevented administrators from easily managing the default kernel selection during automation.

Metrics role now supports Apache Spark metric collection and export

Previously, users could not directly collect or export Apache Spark metrics using the metrics role. With this update, the ‎rhel-system-roles package adds support to gather and export metrics from Apache Spark. Two new boolean parameters are introduced:

Enables IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role

With this update, users can customize the chronyd configuration when IPv6 is disabled on a node. The enhancement provides two options: add a setting to the timesync role to disable IPv6, or pass a parameter to set the OPTIONS value for chronyd. These options enable IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role. This improves time synchronization accuracy and stability for environments where IPv6 is disabled.

virtio-mem is available on IBM Z

With this update, virtio-mem, a paravirtualized memory device, can be used on IBM Z hardware. By using virtio-mem, you can dynamically add or remove host memory in virtual machines.

New command for IBM Z hosts: virsh hypervisor-cpu-models

This update introduces the virsh hypervisor-cpu-models command. You can use this command on the IBM Z architecture to display which CPU models your hypervisor recognizes.

Performance-enhanced PCI translation for IBM Z guests

With this update, virtual machines (VMs) on IBM Z hosts can use identity-mapped direct memory access (DMA) for PCI devices. This feature significantly improves the performance of PCI device passthrough. Note that to use the feature, your system must be configured as follows:

New features for virtual machines on 64-bit ARM hosts

The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture(aarch64):

New QEMU configuration parameter: migrate_tls_priority

With this update, you can configure the migrate_tls_priority parameter in the /etc/libvirt/qemu.conf file. You can use this parameter to work around QEMU issues with TLS when live migrating virtual machines. To obtain the recommended value to set if the default does not work on your deployment, contact Red Hat customer support.

OTel collector on RHEL supports TPM device

The OpenTelemetry (OTel) Collector on RHEL supports the Trusted Platform Module (TPM) device. With this feature, OTel Collector can read transport layer security (TLS) certificates from the TPM device.

Enhanced automatic registration for eligible RHEL images

With this update, RHEL instances based on eligible images from eligible marketplaces automatically receive content and updates from Red Hat content delivery network (CDN) instead of the Red Hat Update Infrastructure (RHUI). The RHUI repositories are turned off by default.

New package: azure-vm-utils

This update adds the azure-vm-utils package, which provides a collection of utilities and udev rules to optimize the experience of using RHEL 9 as a guest operating system on Microsoft Azure.

RHEL is available on Azure confidential VMs

You can create and run RHEL confidential virtual machines (CVMs) on Microsoft Azure by using RHEL CVM images. The images support full disk encryption through the Confidential OS disk encryption feature in Azure.

Enhanced automatic registration for eligible RHEL images

When purchasing certain eligible cloud marketplace subscriptions for RHEL 9.6 or later and for RHEL 10.0 or later, an improved version of the auto-registration function is available.

sos now collects the Satellite metrics file for improved support diagnostics

The foreman-installer plugin of sos now collects the satellite_metrics.yml file located at /var/lib/foreman-maintain/ directory. It provides insight into which features of Satellite are in use and in what scale.

A new rhel9/valkey-8 container image is generally available in RHEL

The newly available rhel9/valkey-8 container image allows atomic operations and supports various data types like strings, hashes, lists, sets, and sorted sets. The image offers high performance because of its in-memory dataset, which can be persisted to disk or by appending commands to a log.

Improved support for reproducible container builds

Reproducible builds ensure that a given set of inputs consistently generates the same output. This enhancement addresses several factors that previously complicated reproducibility in container image builds. While using -source-date-epoch and -rewrite-timestamp improves the reproducibility of builds and better aligns with common practices like setting and looking for $SOURCE_DATE_EPOCH, it cannot guarantee complete reproducibility.

New artifact endpoints for Podman RESTFUL API

Podman RESTFUL API includes new artifact endpoints, enabling programmatic management of OCI artifacts. This enhancement simplifies integration of OCI artifact operations into existing systems and scripts.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version v1.41.0, and Skopeo has been updated to version 1.20.0.

The ADD and COPY instructions now support the --link option

Buildah and Podman now support the --link flag for ADD and COPY instructions in Containerfiles, which causes the new content to be added as its own layer in the built image.

New container images are available

The new container images are listed in the Red Hat Ecosystem Catalog:

RHEL image mode supports creating root-level directories and symlinks at runtime

With this release, you can use RHEL image mode to create root-level directories and symbolic links after system deployment, then return the filesystem to read-only mode. As a result, you can use a single base image across multiple deployment environments with different file system requirements.

bootc-image-builder uses the local container storage by default

With this release, the bootc-image-builder tool operates in local mode by default, which means it no longer pulls container images from remote registries. To build disk images, you must pre-load the base bootc container image in the local container registry of the system before building disk images. If you have existing workflows that relied on automatic image pulling, you must update them. This change improves security by reducing external network dependencies during the build process.

The command-line assistant supports image mode for RHEL

With this enhancement, you can customize your Containerfile to include the command-line-assistant package, create a disk image from a container image, and boot a system with that image. As a result, the system image has the command-line assistant preinstalled, and you can use it after you register your system with subscription-manager.

The command-line assistant context limit increased to 32KB input

Before this update, the command-line assistant had a 2KB input context limit, causing it to fail when input exceeded this limit. As a consequence, user experience was limited, preventing thorough log analysis due to the 2KB input context limit. With this release, the command-line assistant input context limit has been increased from 2KB to 32KB. As a result, the command-line assistant now supports larger input contexts, enabling better log analysis and potential issue detection.

The command-line assistant for RHEL Lightspeed has better error handling and exit codes

With this enhancement, the command-line assistant brings better error handling and exit codes, such as:

Command-line assistant -w option displays current output

Before this update, when you tried to use the -w option without the current enable-capture mode, the command-line assistant incorrectly displayed output from an earlier session. With this update, the terminal capture log file is actively verified before outputting from the -w option. As a result, the mentioned problem is fixed, and the displayed output is accurate.

Installation no longer fails if a VDO logical volume is present

Before this update, installing RHEL failed when users attempted to remove a pre-existing Logical Volume Manager Virtual Data Optimizer (LVM VDO) volume on systems without the dm_vdo kernel module. With this update, installation succeeds when removing an LVM VDO volume on systems without VDO support.

Installer now respects the BOOTIF boot argument

Previously, the RHEL installer ignored the BOOTIF=<MAC> boot argument and activated all the available network interfaces. With this fix, the installation program now properly processes the BOOTIF argument and ensures that only the designated network device is activated during the installation process.

SSH connection fail no longer displays verbose help message

Before this update, when SSH connection failed, a message with common SSH errors and a link to Red Hat help was displayed. As a consequence, the help message in the error output broke user scripts and automation. With this update, the help message displays only when SSH is run with log level debug1 or higher. As a result, the error output does not include any unexpected messages by default.

OpenSC avoids memory freeing before dereferencing

Before this update, dereferencing would free members when OpenSC was reading public keys. This caused unpredictable behavior of the values stored in the memory. This update avoids freeing the memory before dereferencing. As a result, OpenSC correctly handles reading public keys.

fapolicyd no longer causes the RPM database to crash with repeated updates

Before this update, repeated updates of the RPM database when fapolicyd was in enforcing mode caused a bus error (SIGBUS), which caused the RPM database to terminate unexpectedly. With this release, fapolicyd SIGBUS protection for RPM database updates has been improved. As a result, the RPM database no longer crashes when repeatedly updating it with fapolicyd enabled.

fapolicyd-cli --file add no longer fails when processing non-regular files

Before this update, the fapolicyd-cli --file add command failed to add directories containing non-regular files, such as sockets, to the trust database. With this update, the problem is resolved and fapolicyd-cli --file add no longer fails in the described scenario.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

dnf download --url correctly reports package URLs

Before this update, when you used the dnf download --url command to obtain a package URL, DNF incorrectly reported package addresses relative to the repository metadata location instead of relative to the xml:base attribute.

/var/lib/tftpboot directory is created by default in Image Mode deployments

Previously, in Image Mode deployments, installing the tftp-server package did not create the /var/lib/tftpboot directory. This occurred because changes to the /var directory were not applied when additional packages were added to existing Image Mode deployments.

The top -u command now displays at least one process when you sort the processes by memory

Previously, when you executed the top command with the -u <user> parameter, where the user was different from the one running the command, all processes disappeared when the M key was pressed to sort the processes by memory. With this update, the top command displays at least one process when you sort the processes by memory.

The chronyc reload sources command now correctly handles hostname-specified sources

Previously, the chronyc reload sources command in chronyd incorrectly reloaded sources from the sourcedir directory specified in the chrony.conf file. This behavior caused the chronyd to duplicate sources when a hostname resolved to multiple IP addresses, resulting in an unexpected increase in the number of sources.

httpd works correctly if a DAV repository location is configured by using a regular expression match

Previously, when you configured a Distributed Authoring and Versioning (DAV) repository in the Apache HTTP Server by using a regular expression match, such as LocationMatch, the mod_dav httpd module was unable to determine the root of the repository from the path name. As a consequence, httpd did not handle requests from third-party providers, for example, Subversion’s mod_dav_svn module.

httpd works correctly if a DAV repository location is configured by using a regular expression match

Previously, if a Distributed Authoring and Versioning (DAV) repository was configured in the Apache HTTP Server by using a regular expression match, such as LocationMatch, the mod_dav and httpd modules were unable to determine the root of the repository from the path name. As a consequence, httpd did not handle requests from third-party providers, such as Subversion’s mod_dav_svn module.

The DBD::MySQL driver no longer fails to establish TLS-encrypted connections to MySQL 8 servers that have caching_sha2_password enabled

In previous releases, the perl-DBD-MySQL package was incorrectly linked against the libmariadb library. Consequently, Perl applications failed to establish a connection if all of the following conditions were met:

The custom iproute2 settings in /etc/iproute2/ works as expected

Previously, if you updated to RHEL 9.6, the iproute2 package stored the default configuration in the /usr/share/iproute2/ directory. Additionally, if you had a custom configuration in /etc/iproute2/, the update renamed these files and appended the .rpmsave suffix. As a consequence, the custom settings were no longer applied. If you update to the RHEL 9.7 version of the iproute2 package, the installation script in the package no longer renames custom configuration files and, if it finds files with .rpmsave suffix in /etc/iproute2/, the script removes this suffix. As a result, custom settings work again as expected.

The kernel no longer panics if you reduce the number of SR-IOV VFs at runtime

In previous releases, the Linux kernel could panic if all of the following conditions applied:

The xtables modules are now again marked as deprecated

Before this update, the iptables, ip6tables, arptables, ebtables, and ip_set driver were erroneously marked as unmaintained. As a consequence, RHEL logged an Unmaintained driver is detected: <driver> warning. With this release, the mentioned drivers have been marked again as deprecated. As a result, the system no longer reports the warning with the incorrect support status.

The xdp-loader features command now works as expected

The xdp-loader utility was compiled against the previous version of libbpf. As a consequence, xdp-loader features failed with an error:

Mellanox ConnectX-5 adapter works in the DMFS mode

Previously, while using the Ethernet switch device driver model (switchdev) mode, the mlx5 driver failed if configured in the device managed flow steering (DMFS) mode on the ConnectX-5 adapter. Consequently, the following error message appeared:

VMware vCenter can now correctly remove a SATA disk from a running RHEL VM

Previously, when using the VMWare vCenter interface to remove a SATA disk from a running RHEL 9 guest on the VMware ESXi hypervisor, the disk did not get removed fully. It stopped being functional and disappeared from the guest in the vCenter interface, but the SCSI interface still detected the disk as attached in the guest. With this update, the SCSI interface correctly displays the disk as detached.

Updated the stalld scheduling policy regression to prevent performance degradation

Before this update, the Node Tuning Operator CI was broken because of a change in stalld scheduling policy., This change caused the service to revert to SCHED_OTHER instead of SCHED_FIFO after starting. Consequently, real-time workloads could experience performance degradation, and you could not merge PR. With this update, the systemd unit file sets stalld priority to 10, ensuring that stalld runs with SCHED_FIFO. This restores expected behavior and improves performance for real-time workloads.

osnoise/cpus allows setting a long comma-separated list of cpus

Before this update, you could not set a lengthy comma-separated list of cpus in osnoise/cpus because of an invalid argument error. This restriction impacted latency debugging and troubleshooting. With this release, you can input a long comma-separated list of cpus in osnoise/cpus to enhance RTLA latency debugging and troubleshooting.

irqbalance service buffer overflow on aarch64 systems

Previously, the irqbalance service could crash due to a buffer overflow when running on specific aarch64 machines. As a consequence, latency-sensitive workloads might have experienced performance degradation because interrupts were not appropriately distributed across CPUs. With this update, the buffer overflow issue in the irqbalance service has been fixed.

rtla timerlat does not reset osnoise stop tracing threshold during startup

Before this update, using the rtla timerlat multiple times without clearing the stop_tracing flags would leave/left RTLA in an inconsistent state. As a consequence, tracing did not stop correctly in case stop tracing was not requested via the -a, -T, or -i options. This led to inaccurate data being reported, since RTLA exited when it shouldn’t have. With this update, rtla-timerlat resets stop tracing variables, preventing early exit, and as a result, program stability is improved.

rtla timerlat now handles high-frequency sampling on systems with 100+ CPUs

Before this update, rtla timerlat could not process timerlat samples with 100us period or faster on systems with more than 100 CPUs due to insufficient tracefs buffer handling. As a consequence, samples were dropped and timerlat measurements became inaccurate, affecting real-time performance analysis. With this release, timerlat samples are collected directly on measurement CPUs, eliminating buffer overflow issues. As a result, rtla timerlat provides accurate measurements on high-core-count systems, enabling reliable real-time performance analysis.

multipathd can monitor devices with offline paths

Before this update, when a user created a multipath device while some paths to the device were in the offline state, the multipathd daemon did not monitor the device or its paths. Consequently, if paths failed, they were never restored, even if they became available again. With this update, the multipathd daemon monitors the multipath device and its offline paths. multipathd also adds the paths to the multipath device if they become online.

VDO driver no longer crashes due to null pointer dereference

Before this update, writing a mix of new and duplicate data to a VDO device under certain timing conditions left a dangling pointer. As a consequence, this caused a null pointer dereference and system crash. With this release, the dangling pointer issue is fixed. As a result, the VDO driver continues to run and saves user data.

The RHEL installation program removes corrupted LVM thin volumes

Previously, the presence of corrupted LVM thin volumes caused storage configuration errors, blocking the installation process. With this fix, the RHEL installation program now detects and removes broken thin volumes. As a result, users do not have to intervene in the installation process manually.

System boots correctly when adding a NVMe-FC device as a mount point in /etc/fstab

Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount point in the /etc/fstab file. Consequently, the system entered into an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC device.

pcs commands no longer fail due to improperly capitalized target-role values

Before this update, if a resource’s target-role meta-attribute was set to a value that was not capitalized, such as stopped instead of Stopped, pcs failed to parse the cluster status. This parsing error caused pcs status query resource commands and commands for deleting resources, including pcs resource delete, to fail.

fence_ibm_powervs supports plain text token files

Before this update, the fence_ibm_powervs agent could only read authentication tokens from files that were formatted as JSON. It failed to read tokens from plain text files.

systemd resources with long start or stop times are handled correctly

Before this update, Pacemaker polled for the result of start and stop actions on systemd resources with a fixed timeout. If a resource took longer to start or stop than this timeout, Pacemaker incorrectly marked the resource as failed.

Pacemaker Remote nodes are no longer fenced unnecessarily when quorum is lost

Before this update, in certain cluster configurations, a Pacemaker Remote node could be fenced when its partition lost quorum, even if the resource managing that node could be safely restarted on a different, quorate node. This behavior caused unnecessary downtime for the services running on the Pacemaker Remote node.

fence_kubevirt powers off nodes instantly

Before this update, the fence_kubevirt agent performed a graceful shutdown of the node. This introduced a delay in the fencing process, as the node was not powered off immediately.

fence_sbd is now more resilient to individual SBD device failures

Previously, the fence_sbd agent exited and failed its operation if one or more of its configured SBD devices failed an initial check. This prevented a fencing action from completing, even if other SBD devices were healthy.

Improved support for recursive dlopen calls in audit modules in glibc

Previously, recursive ‎dlopen calls from auditors could trigger an ‎r_state == RT_CONSISTENT assertion failure in glibc’s ‎dl-open.c. As a consequence, applications exited unexpectedly when auditors were active. With this update, the dynamic linker reports consistency of its internal data structures earlier during an in-progress ‎dlopen call. As a result, recursive ‎dlopen operations for auditors are supported in more cases.

glibc: Application crash during early TLS allocation in audit mode

Previously, in audit mode, an internal data structure related to thread-local storage (TLS) management was allocated using the main ‎realloc function before the main ‎malloc was initialized during process startup. As a consequence, applications crashed when ‎realloc was called on memory that was not allocated by ‎malloc.

glibc: ctype.h macros caused segmentation faults in multithreaded programs with multiple libc.so

Previously, the internal state for ‎<ctype.h> in secondary C library copies created by audit or with ‎dlmopen failed to initialize for threads created with ‎pthread_create. As a consequence, using ‎<ctype.h> functionality, either directly or indirectly, in secondary threads and namespaces resulted in program crashes.

glibc audit logging provides complete object life cycle tracking

Previously, the glibc dynamic linker called la_objclose for the proxy ld.so link map in a secondary namespace without a preceding la_objopen, which resulted in incomplete object life cycle reporting for tools that rely on la_objopen to track shared objects.

Certain programs no longer crash when running glibc in auditing mode

Before this update, the glibc dynamic linker in LD_AUDIT mode could allocate internal data structures by using the main calloc function before the linker initialized the main malloc subsystem. As a consequence, the process could terminate unexpectedly in the calloc function when the program started. This update rearranges the process startup sequence. Consequently, the calloc memory allocation occurs before the switch to the main malloc function by using the internal malloc implementation, which is used during the startup. As a result, programs no longer crash during startup in the calloc function when running if the dynamic linker uses the auditing mode.

stdio flushing issues fixed in glibc

Before this update, specific stdio streams in glibc could fail during fclose when attempting to seek back to the correct position after buffered reads, returning EINVAL instead of the expected ESPIPE for non-seekable inputs. As a consequence, applications using fclose on pipes or other non-seekable descriptors might encounter unexpected errors, causing I/O cleanup to fail and leading to inconsistent file positioning behavior.

Applications no longer deadlock when invoking popen and fork in parallel

Before this update, when multi-threaded applications invoked popen and fork in separate threads and the fork occurred when popen held an internal lock, the child process could inherit the locked state and deadlock if it called popen again.

Golist command-line parser fix in go-rpm-macros

Before this update, Golist handled certain files incorrectly due to a replacement of the command-line parser. As a consequence, some programs failed to build. With this update, the original command-line parser restored the original parser into Golist.

ipa-cacert-manage install now permits duplicate CA subjects

Previously, attempting to add a CA certificate with an identical subject but a different private key using ipa-cacert-manage install failed with the message subject public key info mismatch, as IdM prohibited duplicate subjects.

Newly created user password policies are displayed correctly

Before this update, the cosAttribute attribute in the Class of Service (CoS) template had the operational modifier instead of operational-default. As a consequence, when both subtree and user password policies existed, the pwdpolicysubentry attribute pointed to the subtree password policy instead of the user password policy. With this release, the CoS template uses the operational-default modifier. As a result, the user policy is displayed correctly.

The RootDN Access Control plugin with wildcards for IP addresses no longer fails

Before this update, if you tried to set IP addresses with wildcards for the RootDN Access Control plugin configuration, the attempt failed with the Invalid IP address error. With this release, the validation function was updated. As a result, the attempt to set values with wildcards no longer fails.

The Databases menu opens as expected in the Directory Server web console

Before this update, you could not open the Databases menu in the Directory Server web console if the database name that you created had an incorrect suffix syntax, for example, the name included dc=. With this update, Directory Server uses a rollback functionality when mapping tree creation fails during backend creation to prevent orphaned backends. As a result, the Databases menu opens as expected.

Directory Server no longer fails when adding nsslapd-referral

Before this update, when you tried to configure Directory Server to use a referral, the incorrect handling of the paged search result caused the server failure.

The Directory Server monitoring information is available as expected when NDN cache is disabled

Before this update, when the Normalized DN (NDN) cache was disabled, the dsconf <instance_name> monitor dbmon command failed with an error because of improper handling of the backend get-tree command failures. This release adds a rollback functionality to prevent orphaned backends when the tree creation fails during a backend creation. As a result, Directory Server monitoring information is returned as expected.

Directory Server correctly displays the number of child entries under a specific node

Before this update, the numSubordinates and numTombstoneSubordinates attributes were wrongly computed during import. Consequently, when you compared the number of child entries under a specific node, the wrong values were displayed.

The Directory Server web console now shows the server version

Before this update, the web console did not display the server version in the Server Settings>General Settings​​. With this update, the server version is displayed correctly.

Directory Server no longer fails during NDN cache operations

Before this update, the arc-swap library, which was used in the Rust dependency of 389-ds-base, could cause a failure in Directory Server during NDN cache operations. With this release, Directory Server uses an updated version of Rust dependency (concread) 0.5.7 that does not contain the arc-swap library. As a result, Directory Server no longer fails.

Directory Server correctly displays membership in nested groups

Before this update, Directory Server displayed an incorrect value of the memberOf attribute in that entry under the following conditions:

389-ds-base no longer fails during the LMDB offline import

Before this update, a race condition occurred when a worker thread read an entry before another process finished writing the entry. As a result, offline import on an instance with the Lightning Memory-Mapped Database Manager (LMDB) backend caused a segmentation fault.

dsconf correctly returns replication monitoring information

Before this update, if a supplier was configured with a replica starting with 0, such as 010 or 020, the dsconf <instance_name> replication monitor command failed to retrieve information about time of a delay or the replication status.

ipa-healthcheck now ignores the replica busy condition

Before this update, in a topology with more than two suppliers, the ipa-healthcheck tool reported an error about replication agreement status when a supplier was receiving updates from another node. It is a standard replication situation and, with this release, ipa-healthcheck no longer reports an error when replicas are busy.

Directory Server starts correctly in the read-only mode

Before this update, Directory Server did not start if you configured the read-only mode. With this update, the nsslapd-readonly attribute is processed correctly, and the server starts in the read-only mode as expected.

Obsolete /var/log/tallylog log file creation removed

Before this update, an outdated configuration in the pam.conf file caused the creation of the /var/log/tallylog file. Since the system now uses pam_faillock, which replaced the obsolete pam_tally, the /var/log/tallylog file is no longer necessary.

Default GDM session definitions no longer override custom definitions

Before this update, GNOME Display Manager (GDM) sessions at /usr/ directories had higher precedence than the ones at /etc/. As a consequence, custom session definitions at /usr/ would override the ones at /etc/. With this release, sessions at /etc/ have higher precedence. As a result, the custom definitions precedence works correctly as defined in GDM Session Configuration.

encryption_key is no longer masked

Before this update, the encryption_key parameter was incorrectly marked as no_log. This caused the key file path to be replaced by a placeholder string, preventing disk encryption from working. With this update, the encryption_key parameter is no longer marked with the no_log flag, and you can now perform disk encryption using a key file successfully.

RAID now reports clear errors for invalid or unsupported configurations

Before this update, invalid RAID levels or insufficient disks could be specified without raising clear errors. This resulted in failed or inconsistent array creation. As a consequence, the error messages were unclear, and RAID setup was less reliable. With this release, RAID parameters are validated before array creation, and a minimum disk count is enforced. As a result, clear errors are raised, and attempts to create a RAID with inadequate disks are blocked.

LVM RAID now supports encrypted and partitioned devices

Before this update, the LVM RAID code assumed that disks specified in raid_disks were the parent devices of the PVs for all LVM RAID setups. This was not applicable for encrypted or partitioned devices. As a consequence, errors occurred when encrypted LUKS layers added an extra storage layer, or when direct partitions were used without a parent device. With this release, PV resolution in LVM RAID is improved to support encrypted and partitioned devices. As a result, you can now specify the PV partition instead of the underlying disk.

Minor volume size mismatch no longer cause incorrect role reporting

Before this update, when creating or resizing volumes, the system allowed up to a 2% difference between the requested size and the actual size. This adjustment made the volume fit into the available pool free space. As a consequence, the sizes did not match when the role was run again, causing the role to incorrectly assume that something had changed. With this release, small size differences no longer cause the role to misinterpret changes. As a result the role now reports the correct state.

The postfix RHEL system role auto-detects if an IPv6 interface is disabled

The default postfix configuration uses the inet_interfaces = localhost setting which tells postfix to listen on all interfaces resolving to localhost including both IPv4 and IPv6 interfaces. Before this update, a problem occurred if IPv6 was disabled on the host. In this situation, the postfix role and its command-line tools, such as postconf, returned an error. The entire role failed. With this release, the role determines if IPv6 is disabled. If so, then it sets inet_protocols = ipv4 so that postfix only uses the IPv4 interface. As a result, the postfix role works even when IPv6 is disabled.

The timesync RHEL system role no longer removes the OPTIONS="-F 2" default setting from /etc/sysconfig/chronyd

Before this update, the timesync system role replaced the default OPTIONS= setting for the chronyd service with "". As a consequence, this removed the default OPTIONS="-F 2" setting which weakened the security of chronyd. With this release, -F 2 is added as the default setting for OPTIONS, and the user can override or extend this setting. As a result, the timesync role now applies the correct security settings while still allowing user customization.

Improved removal of kernel options with values in ‎rhel-system-roles

Previously, kernel boot options specified as key=value could not be removed when users provided only the key, resulting in persistent unwanted boot parameters and inconsistent management of kernel options by name. With this update, the regular expression in the ‎mod_boot_args function was updated to match and remove kernel options with values correctly, and automated tests were added to verify correct behavior.

GSSAPIIndicators added to sshd role

A new configuration option GSSAPIIndicators for setting Generic Security Services Application Programming Interface (GSS-API) was added to RHEL 10. This update adds the GSSAPIIndicators configuration option to the sshd RHEL system role. As a result, you can configure GSSAPIIndicators on RHEL 10 systems by using RHEL system roles.

bootloader role rejects boolean or null type values

Before this update, the user could specify values such as value: on or value: yes expecting that these would be converted to strings "on" or "yes". But instead, YAML treats these as YAML bool type and writes them as the string "True". Consequently, users who were unaware of YAML boolean handling could not set values such as "on" or "off". With this update, the bootloader RHEL system role rejects any value of boolean or null type. As a result, users must enter such YAML boolean type values as quoted strings to write them to the bootloader configuration. The readme is updated with this information.

sudo role no longer hangs when parsing Alias values

Before this update, the regex in the sudo RHEL system role was not taking into consideration that Alias values, such as Cmnd_Alias, do not have to have spaces on either side of the equal sign =. Consequently, the regex never terminated, and the role appeared to hang. With this update, the role ensures that the regex complies with the eBNF definition of the field from the sudoers file specification. As a result, the Alias values are parsed correctly with and without spaces around =.

Specifying multiple users no longer causes resources to be associated with wrong user

Before this update, user data contamination occurred due to mixing facts and variables for the __podman_user and __podman_user_home_dir variable values when managing multiple users. As a consequence, user data was mixed between multiple users, causing incorrect configuration files to be used for each user. With this release, user data separation is maintained by avoiding the mixing of facts and variables for __podman_user and __podman_user_home_dir. As a result, user data is isolated for multiple users, improving resource management consistency.

selinux role no longer produces error due to undefined tempdir path in Ansible check mode

Before this update, the tempdir path was not defined in Ansible check mode, and the __selinux_item.path could be undefined. Consequently, when running in check mode, the selinux RHEL system role produced an error that various variables are undefined. With this update, the role skips tasks that require the tempdir.path to be defined, and can handle cases where variables are undefined. As a result, the role works correctly in check mode.

Ensures /var/lib/pcsd directory is available when needed by the ha_cluster RHEL system role

Before this update, the /var/lib/pcsd directory was created during the installation of pcs, but newer versions rely on the systemd service to create this directory when the pcsd service starts. As a result, the directory might not exist at the time the role attempts to access it, causing errors or failures in execution.

Using the redhat.rhel_system_roles collection no longer displays a warning about an incompatible Ansible version

Before this update, the redhat.rhel_system_roles collection specified {{requires_ansible: ">=2.15.0"}} in the meta/runtime.yml file, but RHEL 9 contains ansible-core 2.14. As a consequence, if you used the collection in a playbook, Ansible displayed a Collection redhat.rhel_system_roles does not support Ansible version 2.14.x warning. This update changes the meta/runtime.yml file to use {{requires_ansible: ">=2.14.0"}}. As a result, the collection no longer displays the warning.

selinux role persistently sets kernel SELinux parameters

Before this update, the selinux RHEL system role did not set the kernel SELinux parameter when changing the SELinux state to and from disabled. As a consequence, the SELinux state change was not persistent upon reboot. This update ensures that the kernel SELinux parameter is correctly set when the role changes SELinux state to and from disabled. As a result, the SELinux state change to and from disabled is persistent upon reboot.

The systemd role uses file basename to construct the path to the destination

Before this update, if a user specified a file or a template source within a nested directory, the systemd RHEL system role used the whole path instead of the basename for the destination file. As a consequence, files and templates were placed in the same directory structure on the destination, which systemd does not support. With this release, the role uses basenames for destination files in nested directories. As a result, users can use nested directories with the role.

Introducing flexibility for package installation in ad_integration role

Previously, the ad_integration role always attempted to install the required packages, for example, realmd, sssd-ad, adcli, and many more that are listed in __ad_integration_packages. In environments where external systems handled package management, for example, via configuration management outside of this role, pre-baked images, or immutable systems, this step was redundant and undesirable.

The qdevice daemon now restarts automatically after certificate changes

Previously, after updating the TLS certificates used for communication between the quorum device daemon (qnetd) and the cluster nodes (qdevice), the qdevice daemon was not automatically restarted. The daemon would continue to use the old certificates, causing communication with the quorum device to fail.

The ha_cluster RHEL System Role now works with a system-wide HTTP proxy configured

Previously, when a system-wide HTTP proxy was configured, the ha_cluster RHEL System Role would incorrectly attempt to use the proxy for local communication with the pcsd daemon via a unix socket. This caused the role to fail.

The network RHEL system role no longer shows errors due to incorrect routing rule validation

Before this update, the validation part in the network RHEL system role incorrectly checked for routing rule attributes at the top-level NM module instead of the NM.IPRoutingRule class. This caused validation failures and the role displayed errors. With this update, the role uses the API correctly and no longer shows incorrect validation errors.

Boolean option values are correctly rendered in TOML files

Previously, the boolean options were mishandled because the formatter code did not convert the boolean values to the correct string representation. With this fix, boolean values are properly converted to lowercase strings, ensuring correct rendering and handling in TOML files.

Boolean options are correctly written and handled in TOML files

Before this update, boolean options were not correctly handled because the code that formats into TOML format did not convert boolean values to the correct string representation.

The podman RHEL system role does not report changed: true when managing authentication and configuration files

Before this update, the podman RHEL system role changed the parent path mode every time it ran if it managed both authentication and configuration files because it used two different modes for the common parent path for various configuration and authentication files.

Podman role does not fail with UNREACHABLE error

Previously, the podman role did not wait enough for the user state to be in closing status when disabling linger for non-root users. The podman role then restarted systemd-logind to force it to cancel. On some systems, this started a timer that killed the session for root, causing the sshd session to terminate and the Ansible play to fail with UNREACHABLE error.

The network RHEL system role now uses a more robust interface identification method

Before this update, when both an interface name and a MAC address were provided for a network interface, the validation process performed two separate lookups: one using the interface name and another using the MAC address. This could lead to validation failures because a lookup by MAC address might match the interface’s current MAC address rather than its permanent hardware MAC address.

The systemd role unmasks and starts units in a single run

Before this update, the systemd RHEL system role failed to enable and start services when units were masked because the role could not unmask the units first. As a result, users had to run the role twice. With this release, the systemd role correctly unmasks and starts services, eliminating the need for double runs.

Local kdump no longer fails on virtual machines with AMD SEV-SNP

Before this update, local kdump failed on RHEL 10 virtual machines (VMs) that used the AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. As a consequence, you could not capture kernel crash dumps on VMs with AMD SEV-SNP enabled.

The --migrate-disks-detect-zeroes option no longer fails for VM migration

Before this update, when migrating virtual machines (VMs) on RHEL 10, the --migrate-disks-detect-zeroes option might not have worked, and the migration might have proceeded without zeroed block detection on the specified disk. This problem was caused by a bug in QEMU where mirroring jobs relied on punching holes, resulting in a sparse destination file.

VMs sending misaligned discard I/O requests no longer pause when discard_granularity is not configured

Before this update, the host kernel failed misaligned discard I/O requests and QEMU used the werror= policy parameter to respond to such failures. When werror was set to stop: werror=stop, a failed discard request caused the virtual machine (VM) to pause. As a consequence, it was not possible to correct this situation and resume the VM again.

virtiofsd no longer crashes when accessing shared directories with many open files

Before this update, when accessing a virtiofs shared directory with a large number of open files from a virtual machine (VM), the operation might have failed with the following error: Too many open files, and the virtiofsd process crashed.

Customizing RHEL 9 guests on ESXi no longer causes networking problems

Previously, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor did not work correctly with NetworkManager key files. As a consequence, if the guest was using such a key file, it had incorrect network settings, such as the IP address or the gateway. This problem has now been fixed, and NetworkManager key files no longer cause networking issues in the described scenario.

The installation program shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installation program because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installation program was unable to find the expected system disk to install RHEL in the VM.

Windows guests boot more reliably after a v2v conversion on hosts with AMD EPYC CPUs

After using the virt-v2v utility to convert a virtual machine (VM) that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM previously failed to boot. This occurred on hosts that use AMD EPYC series CPUs. Now, the underlying code has been fixed and VMs boot as expected in the described circumstances.

nodedev-dumpxml lists attributes correctly for certain mediated devices

Before this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.

virtiofs devices can now be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.

blob resources now work correctly for virtio-gpu on IBM Z

Previously, the virtio-gpu device was incompatible with blob memory resources on IBM Z systems. As a consequence, if you configured a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM did not have any graphical output.

Reinstalling virtio-win drivers no longer causes DNS configuration to reset on the guest

In virtual machines (VMs) that use a Windows guest operating system, reinstalling or upgrading virtio-win drivers for the network interface card (NIC) previously caused DNS settings in the guest to reset. As a consequence, your Windows guest in some cases lost network connectivity.

VNC viewer correctly initializes a VM display after live migration of ramfb

This update enhances the ramfb framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb was unable to migrate, which resulted in VMs that use ramfb showing a blank screen after live migration. Now, ramfb is compatible with live migration. As a result, you see the VM desktop display when the migration completes.

Nested VM with KVM virtualization and OVMF now boots successfully on Azure or Hyper-V when using an AMD EPYC processor

Previously, a nested virtual machine (VM) with Open Virtual Machine Firmware (OVMF) failed to boot when run on a RHEL VM with KVM virtualization enabled on Microsoft Azure or Hyper-V that used an AMD EPYC processor. The VM failed to boot up with following log message:

The coredump plugin now correctly limits the number of collected coredump files

Previously, the coredump plugin collected coredumpctl dump outputs, which could lead to unnecessary large archives. With this update, the plugin defaults to collecting the three most recent coredump files. Additionally, the plugin continues to provide summary information from coredumpctl info and includes symlinks to help map collected dumps to their respective metadata entries.

Plugin option overrides in sos report no longer disable unrelated options configured in /etc/sos/sos.conf or a preset

Previously, when executing the sos report command with a -k option specifying a particular plugin setting , the sos utility would incorrectly ignore other valid plugin options defined in /etc/sos/sos.conf or in a preset. This led to scenarios where global settings or user-defined presets, were silently disabled despite being correctly configured in the [plugin_options] section of the configuration file or in a preset.

sos-audit package now includes required GPLv2 LICENSE file

Previously, while the sos-audit package was always part of the sos project and built from the same SRPM containing the license, the resulting sos-audit RPM package could be installed separately from the main sos RPM. This meant users installing only the sos-audit subpackage would not find the license readily available. This omission affected all versions of sos-audit up to the current release across RHEL 8 and RHEL 9.

iscsi plugin no longer collects plain-text CHAP credentials in sosreport

Previously, the iscsi plugin in sos collected sensitive CHAP authentication credentials in iscsi configuration files in plain text when generating a report that posed a security risk. With this update, the iscsi plugin has been modified to obscure sensitive fields, ensuring that CHAP usernames and passwords are redacted or excluded from the collected output.

THP plugin now collects complete configuration to accurately reflect Transparent Huge Pages state

Previously, the memory plugin of sos collected only the enabled file from /sys/kernel/mm/transparent_hugepage/ to determine the state of Transparent Huge Pages (THP). However, recent kernel behavior changes have made this approach insufficient. For instance, it is possible for enabled to be set to [never] while shmem_enabled is set to [always], resulting in THP being active for shared memory segments despite appearing disabled.

per-user SSH configuration is now disabled by default

Previously, the ssh plugin in sos collected detailed information from all local user .ssh directories by default. This resulted in significantly prolonged execution time, especially in environments with a large number of local users. With this update, the ssh plugin no longer collects per-user .ssh configuration data by default. To capture user configurations, enable it explicitly by setting ssh.userconfs=on.

sos collect command in the sos 4.10 version no longer produces xz/bz2 tar archive

Before this update, the sos collect command returned a compressed tar archive like tar.xz or tar.bz2. With this release, the sos collect now produces uncompressed tar archives instead of compressed ones, saving time and resources.

Event logs from podman events command are now available

Previously, an error in the journald driver prevented the preservation of network event attributes, so these events were not included in logs. With this update, podman events now displays network create and network rm events.

Parent directories can be created now for the mount targets with mode 0755

In this update, build failures were occurring due to modifications in the handling of --mount parameter permissions in quay.io/buildah/stable:v1 v1.41.3. Previously, specifying UID as an argument resulted in incorrect permissions for the secret. Consequently, users were unable to access build secrets due to incorrect permissions after the buildah update.

Command-line assistant shows a meaningful error message when you try to delete a non-existent chat history

Before this update, users could delete a non-existent chat history without receiving an error message. This enhancement implements an error message for such cases.

Adding a description to an unnamed chat triggers a warning

Before this update, if you added a description to a chat without specifying a name for the chat, there was no error message displayed, nor was the chat with your custom description. With this update, the command-line assistant displays a warning in such cases.

c history shows complete history by default

Before this update, running the c history command without any options returned no history, confusing users. With this update, the default option for --all has been added. As a result, you can easily view all history with the single command: c history.

Command-line assistant no longer displays errors for invalid queries

Before this update, an incorrect data structure for terminal output in response led to unprocessable error messages for user queries. With this enhancement, the chat interface’s terminal output structure has been actively addressed, preventing the command-line assistant from displaying errors for invalid query requests, thereby enhancing your user experience.

Interactive shell starts correctly after a terminal restart

Before this update, the user’s .bashrc file did not include a reference to the .bashrc.d directory, preventing the source command from locating the CLA integration script. As a consequence, users could not access an interactive shell. With this update, a check has been added to ensure that the files necessary for shell integration are loaded. As a result, the interactive shell starts upon terminal restart.

Backend timeout works correctly in query.py

Before this update, extending the backend timeout in the query.py script did not work correctly. The script continued to generate timeout messages every 30 seconds because an internal timeout remained set at 30 seconds by default. With this enhancement, you can extend the backend timeout to any value that suits you by configuring this in the /etc/xdg/command-line-assistant/config.toml file, improving your response time.

cla chat displays help when run without arguments

Before this update, using cla chat without providing additional input caused user confusion, as they expected interactive AI assistance but received no response. With this update, when you use cla chat without arguments, the command-line assistant provides help and indicates additional input, improving your user experience with CLA’s interactive mode.

NVMe over TCP for RHEL installation is now available as a Technology Preview

With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.

Installation of bootable OSTree native containers is now available as a Technology Preview

The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:

Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview

As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.

Container-based deployments on s390x is now available as a Technology Preview

The RHEL installation program now supports deploying bootable containers in Image Mode on the s390x architectures by using the ostreecontainer Kickstart command as a Technology Preview. This enhancement removes previous limitations and ensures consistent deployment options across supported architectures. Users can now automate installations on s390x systems by using container-based workflows.

Encrypted DNS in RHEL is available as a Technology Preview

You can enable encrypted DNS to secure DNS communication that uses DNS-over-TLS (DoT). Encrypted DNS (eDNS) encrypts all DNS traffic end-to-end, with no fallback to insecure protocols, and aligns with zero trust architecture (ZTA) principles.

New package: fips-provider-next (Technology Preview)

As a Technology Preview, this update adds a new FIPS provider that showcases future code before it obtains FIPS certification.

gnutls now uses kTLS as a Technology Preview

The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

OpenSSL clients can use the QUIC protocol as a Technology Preview

OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.

The io_uring interface is available as a Technology Preview

io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:

FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview

With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.

RHEL 9.7 provides ReaR on aarch64 as a Technology Preview

RHEL 9.7 introduces the Relax and Recover (ReaR) package for the 64-bit ARM architecture (aarch64) as a Technology Preview. ReaR is a disaster recovery tool that produces a bootable image that you can use to restore the system from a backup. You can currently use the following output methods with ReaR on aarch64: ISO, USB, and PXE.

libabigail: Flexible array conversion warning-suppression available as a Technology Preview

As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:

Offloading IPsec encapsulation to a NIC is now available as a Technology Preview

This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.

KTLS available as a Technology Preview

In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

NetworkManager and the Nmstate API support MACsec hardware offload

You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface controller.

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

UDP encapsulation in packet offload mode is now available as a Technology Preview

With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of ipsec tunnels when in packet offload mode.

The Soft-iWARP driver is available as a Technology Preview

Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the Internet Protocol (TCP/IP) network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.

Socket API for TuneD available as a Technology Preview

The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.

rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview

The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:

Segment Routing over IPv6 (SRv6) is available as a Technology Preview

The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.

kTLS was updated to version 6.12

The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.6, we updated kTLS to the 6.12 upstream version.

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

python-drgn available as a Technology Preview

The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.

The IAA crypto driver is now available as a Technology Preview

The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.

The Neural Processing Unit (NPU) kernel for the RHEL Kernel is available as a Technology Preview on Intel Arrow Lake-based systems

In RHEL 9.6, the kernel introduces the Neural Processing Unit (NPU) as a Technology Preview. NPUs are special chips used for artificial intelligence (AI) and machine learning (ML) tasks on the systems. The kernel in RHEL 9.6 includes the initial driver for Intel NPUs and support infrastructure required to use the NPUs for AI/ML tasks.

The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview

With this Technology Preview, the Red Hat Enterprise Linux for Real Time is now enabled for ARM64. The ARM64 is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.

Boot from NVMe/TCP is available as a Technology Preview

On systems that boot from SAN over NVMe‑TCP, you can use kdump to write crash dumps to an NVMe namespace. This update fixes failures that occurred when kdump attempted to dump to the NVMe namespace. As a result, panic dumps succeed on these systems, improving recovery and reducing downtime in SAN‑based environments.

NVMe-oF Discovery Service features available as a Technology Preview

The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.

nvme-stas package available as a Technology Preview

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.

NVMe/TCP using TLS is available as a Technology Preview

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 9.6. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

xfs_scrub utility is available as a Technology Preview

You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.

A new nodejs:22 module stream available as a Technology Preview

A new module stream, nodejs:22, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22, which will be fully supported.

jmc-core and owasp-java-encoder available as a Technology Preview

RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.

A new nodejs:24 module stream is available as a Technology Preview

A new ‎nodejs:24 module stream is available as a Technology Preview in Red Hat Enterprise Linux 9.7. This update introduces Node.js 24, which provides new features, bug fixes, security updates, and performance improvements compared to ‎Node.js 22 included in RHEL 9.6.

eu-stacktrace available as a Technology Preview

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Encrypted DNS with DoT is now available in ansible-freeipa installations of IdM as a Technology Preview

You can now use Ansible to ensure that all DNS queries and responses between DNS clients and Identity Management (IdM) DNS servers are encrypted. Encrypted DNS using DNS over TLS (DoT) has been available as a Technology Preview in IdM deployments since RHEL 10. In RHEL 10.1, the functionality is available as a Technology Preview in the freeipa.ansible_freeipa collection.

ACME available as a Technology Preview

The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.

GNOME for the 64-bit ARM architecture available as a Technology Preview

The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.

GNOME for the IBM Z architecture available as a Technology Preview

The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.

The RHEL web console can now manage WireGuard connections

Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.

TDX is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Trust Domain Extensions (TDX) on RHEL hosts. TDX is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

SEV-SNP is available on RHEL hosts as a Technology Preview

As a Technology Preview, you can enable Secure Encrypted Virtualization‑Secure Nested Paging (SEV‑SNP) on RHEL hosts. SEV-SNP is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines

As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.

CPU clusters on 64-bit ARM

As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.

New package: trustee-guest-components

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

The podman-machine command is unsupported

The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.

A new rhel9/rhel-bootc container image is available as a Technology Preview

The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.

Partial pulls for zstd:chunked are available as a Technology Preview

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

The podman artifact command is available as a Technology Preview

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further information, reference the man page.

Podman compatibility with Docker API is available as a Technology Preview

Podman supports the following Docker API versions as a Technology Preview:

Deprecated Kickstart commands

The following Kickstart commands have been deprecated:

The initial-setup package now has been deprecated

The initial-setup package has been deprecated in Red Hat Enterprise Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface.

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the inst.geoloc= boot option are deprecated. As a replacement, you can use the geolocation_provider=URL option to set the required geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation.

Anaconda built-in help has been deprecated

The built-in documentation from spokes and hubs of all Anaconda user interfaces, which is available during Anaconda installation, has been deprecated. As a replacement, the Anaconda user interfaces will be self-descriptive and users can refer to the official RHEL documentation in future major RHEL releases.

Support for NVDIMM devices has been deprecated

Previously, the installation program allowed reconfiguring NVDIMM devices during installation. This support for NVDIMM devices during the Kickstart and GUI installation has been deprecated, and will be removed in the next major RHEL release. The NVDIMM devices in the sector mode will still be visible and usable in the installation program.

Unable to load an updated driver from the driver update disc in the installation environment

A new version of a driver from the driver update disc might not load if the same driver from the installation initial ramdisk has already been loaded. As a consequence, an updated version of the driver cannot be applied to the installation environment.

X25519-MLKEM768 deprecated and aliased to MLKEM768-X25519 in crypto-policies

The X25519-MLKEM768 value in system-wide cryptographic policies is deprecated and aliased to the MLKEM768-X25519 value. This unifies the concatenation order, allowing both variants to work.

Keylime policy management scripts are deprecated and replaced with keylime-policy

In RHEL 9.6, Keylime is provided with the keylime-policy tool, which replaces the following policy management scripts:

OVAL deprecated in vulnerability scanning applications

The Open Vulnerability Assessment Language (OVAL) data format, which provides declarative security data processed by the OpenSCAP suite, is deprecated and will be removed in a future major release. Red Hat continues to provide declarative security data in the Common Security Advisory Framework (CSAF) format, which is the successor of OVAL.

libgcrypt is deprecated

The Libgcrypt cryptographic library provided by the libgcrypt package is deprecated and may be removed in a future major release. Instead, use the libraries listed in the RHEL core cryptographic components article (Red Hat Knowledgebase).

fips-mode-setup is deprecated

The fips-mode-setup tool, which switches the system to FIPS mode, is deprecated in RHEL 9. You can still use the fips-mode-setup command to check whether FIPS mode is enabled.

Using update-ca-trust without arguments is deprecated

Previously, the command update-ca-trust updated the system certificate authority (CA) store regardless of the arguments entered. This update introduces the extract subcommand for updating the CA store. You can also specify the location to which the CA certificates are extracted by using the --output argument. For compatibility with earlier versions of RHEL, entering update-ca-trust to update the CA store with any argument other than -o or --help, and even without any argument, is still supported for the duration of RHEL 9, but will be removed by the next major release. Update your calls to update-ca-trust extract.

CAfile pointing to trusted root certificate files in Stunnel clients is deprecated

If Stunnel is configured in client mode, the CAfile directive can point to a file that contains trusted root certificates in the BEGIN TRUSTED CERTIFICATE format. This method is deprecated and might be removed in a future major version. In a future version, stunnel will pass the value of the CAfile directive to a function that does not support the BEGIN TRUSTED CERTIFICATE format. As a consequence, if you use CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt, change the location to CAfile = /etc/pki/tls/certs/ca-bundle.crt.

DSA and SEED algorithms have been deprecated in NSS

The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is deprecated in the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA, ECDSA, and EdDSA.

pam_ssh_agent_auth is deprecated

The pam_ssh_agent_auth package is deprecated and might be removed in a future major release.

compat-openssl11 is deprecated

The compatibility library for OpenSSL 1.1, compat-openssl11, is now deprecated, and it might be removed in a future major release. OpenSSL 1.1 is no longer maintained upstream and applications that use the OpenSSL TLS toolkit should be migrated to version 3.x.

SHA-1 is deprecated at SECLEVEL=2 in OpenSSL

The use of the SHA-1 algorithm at SECLEVEL=2 is deprecated in OpenSSL and might be removed in a future major release.

OpenSSL Engines API is deprecated in Stunnel

The use of the OpenSSL Engines API in Stunnel is deprecated and will be removed in a future major release. The most common use is to access hardware security tokens that use PKCS#11 through the openssl-pkcs11 package. As a replacement, you can use pkcs11-provider, which uses the new OpenSSL Providers API.

OpenSSL Engines are deprecated

OpenSSL Engines are deprecated and will be removed in the near future. Instead of using engines, you can use the pkcs11-provider as a replacement.

DSA is deprecated in GnuTLS

The Digital Signature Algorithm (DSA) is deprecated in the GnuTLS secure communications library and will be removed in a future major version of RHEL. DSA was previously deprecated by the National Institute of Standards and Technology (NIST), and is not considered secure. You can use ECDSA instead to ensure compatibility with future versions.

scap-workbench is deprecated

The scap-workbench package is deprecated. The scap-workbench graphical utility was designed to perform configuration and vulnerability scans on a single local or remote system. As an alternative, you can scan local systems for configuration compliance by using the oscap command and remote systems by using the oscap-ssh command. For more information, see Configuration compliance scanning.

oscap-anaconda-addon is deprecated

The oscap-anaconda-addon, which provided means to deploy baseline-compliant RHEL systems by using the graphical installation, is deprecated. As an alternative, you can build RHEL images that comply with a specific standard by Creating pre-hardened images with RHEL image builder OpenSCAP integration.

SHA-1 is deprecated for cryptographic purposes

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

fapolicyd.rules is deprecated

The /etc/fapolicyd/rules.d/ directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility.

SCP is deprecated in RHEL 9

The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.

OpenSSL requires padding for RSA encryption in FIPS mode

OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.

OpenSSL deprecates the Engines API

The OpenSSL 3.0 TLS toolkit deprecated the Engines API. The Engines interface is superseded by the Providers API. The migration of applications and existing engines to Providers is underway. The deprecated Engines API may be removed in a future major release.

openssl-pkcs11 is now deprecated

As a part of the ongoing migration of deprecated OpenSSL engines to the Providers API, the pkcs11-provider package replaces the openssl-pkcs11 package (engine_pkcs11). The openssl-pkcs11 package is now deprecated. The openssl-pkcs11 package may be removed in a future major release.

RHEL 8 and 9 OpenSSL certificate and signing containers are now deprecated

The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand.

Digest-MD5 in SASL is deprecated

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release.

/etc/system-fips is now deprecated

Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by displaying the /proc/sys/crypto/fips_enabled file.

libcrypt.so.1 is now deprecated

The libcrypt.so.1 library is now deprecated, and it might be removed in a future version of RHEL.

OpenSSL does not accept explicit curve parameters in FIPS mode

Elliptic curve cryptography parameters, private keys, public keys, and certificates that specified explicit curve parameters no longer work in FIPS mode. Specifying the curve parameters using ASN.1 object identifiers, which use one of the FIPS-approved curves, still works in FIPS mode.

OpenSSL rejects RSA signatures with X9.31 padding in FIPS mode

Because X9.31 RSA signatures were removed from the FIPS 186-5 standard, OpenSSL no longer supports signing or signature verification with RSA keys with X9.31 padding in FIPS mode.

Ignition has been deprecated for image mode for RHEL for Edge images

The Ignition tool, used to inject the user configuration into the Simplified Installer, AMI, and VMDK RHEL for Edge images types at an early stage of the boot process, has been deprecated in RHEL 9 and might be removed in a future major release.

Several subscription-manager modules have been deprecated

Because of a simplified customer experience in Red Hat subscription services, which have transitioned to the Red Hat Hybrid Cloud Console and to account level subscription management with Simple Content Access, the following modules have been deprecated and will be removed in a future major release:

The numberless %patch syntax has been deprecated

Using the %patch directive without a number specified as a shorthand for %patch 0 to apply the zero-th patch has been deprecated. Therefore, if you want to use %patch, a warning message suggests you to use the explicit syntax, for example, %patch 0 or %patch -P 0 to apply the zero-th patch.

The DNF debug plug-in has been deprecated

The DNF debug plug-in, which includes the dnf debug-dump and dnf debug-restore commands, has been deprecated and will be removed from the dnf-plugins-core package in the next major RHEL release.

The support for libreport has been deprecated

The support for the libreport library has been deprecated and will be removed from DNF in the next major RHEL release.

The dump utility from the dump package has been deprecated

The dump utility used for backup of file systems has been deprecated and will not be available in RHEL 9.

The SQLite database backend in Bacula has been deprecated

The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.

The %vmeff metric from the sysstat package has been deprecated

The %vmeff metric from the sysstat package to measure the page reclaim efficiency will no longer be supported in a future major version of RHEL. The values of the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions.

Setting the TMPDIR variable in the ReaR configuration file is deprecated

Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement such as export TMPDIR=…​, is deprecated.

cgroupsv1 is now deprecated in RHEL 9

The cgroups is a kernel subsystem used for process tracking, system resource allocation and partitioning. Systemd service manager supports booting in the cgroups v1 mode as well as in cgroups v2 mode. In Red Hat Enterprise Linux 9, the default mode is v2. In Red Hat Enterprise Linux 10, systemd will not support booting in the cgroups v1 mode and only cgroups v2 mode will be available.

Various packages are now deprecated in infrastructure services

The following packages are deprecated in RHEL 9 and will not be distributed in later major versions of RHEL:

ipset has been deprecated

In RHEL 9, the ipset utility is deprecated and is planned to be removed in a future major release. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements. As an alternative to ipset, you can use the nftables sets functionality instead.

The Soft-iWARP driver is deprecated

RHEL 9 provides the Soft-iWARP driver as an unsupported Technology Preview. Starting with RHEL 9.5, this driver is deprecated and will be removed in RHEL 10.