Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.0.
4.1. Installer and image creation
Anaconda supports rhsm
for machine provisioning through Kickstart installations for Satellite
Previously, machine provisioning depended on a custom %post
script for Kickstart installation on Red Hat Satellite. This %post
script imported the custom Satellite self-signed certificate, registered the machine, attached a subscription, and installed packages residing in repositories.
With RHEL 9, Satellite support has been added to the rhsm
command for machine provisioning. You can now use rhsm
for all provisioning tasks such as registering the system, attaching RHEL subscriptions, and installing from a Satellite instance.
(BZ#1951709)
RHEL supports localhost
as a static hostname
Starting with RHEL 9, setting localhost
as a static hostname in /etc/hostname
is valid. In this case, NetworkManager does not try to obtain a transient hostname through DHCP or reverse DNS lookup.
(BZ#2190045)
Licensing, system, and user setting configuration screens have been disabled post standard installation
Previously, RHEL users were configuring Licensing, System (Subscription manager), and User Settings prior to the gnome-initial-setup
and login screens. With this update, the initial setup screens have been disabled by default to improve user experience.
If you must run the initial setup for user creation or license display, install the following packages based on the requirements.
Install initial setup packages.
# dnf install initial-setup initial-setup-gui
Enable initial setup while next reboot of the system.
# systemctl enable initial-setup
- Reboot the system to view initial setup.
For Kickstart installations, add initial-setup-gui
to the packages section and enable the initial-setup
service.
firstboot --enable %packages @^graphical-server-environment initial-setup-gui %end
(BZ#1878583)
Anaconda activates network automatically for interactive installations
Previously, when performing an interactive installation without having the network activated by Kickstart or boot options, users had to activate the network manually in the network spoke. With this update, Anaconda activates the network automatically, without requiring users to visit the network spoke and activate it manually.
This update does not change the installation experience for Kickstart installations and installations using the ip=
boot option.
Image Builder now supports filesystem configuration
With this enhancement, you can specify custom filesystem configuration in your blueprints and you can create images with the desired disk layout. As a result, by having non-default layouts, you can benefit from security benchmarks, consistency with existing setups, performance, and protection against out-of-disk errors.
To customize the filesystem configuration in your blueprint, set the following customization:
[[customizations.filesystem]] mountpoint = "MOUNTPOINT" size = MINIMUM-PARTITION-SIZE
After you add a file system customization to your blueprint, the file system is converted to a LVM partition.
New options to Lock root account
and Allow root SSH login with password
The following new options have been added on the root password configuration screen in the RHEL graphical installation:
- Lock root account: Use this option to lock the root access to the machine.
- Allow root SSH login with password: Use this option to enable password-based SSH root logins.
To enable password-based SSH root logins
, add the following line to the Kickstart file before you start the installation process.
%post echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf %end
(BZ#1940653)
Image Builder now supports creating bootable installer images
With this enhancement, you can use Image Builder to create bootable ISO images that consist of a tarball
file, which contains a root file system. As a result, you can use the bootable ISO image to install the tarball
file system to a bare metal system.
4.2. RHEL for Edge
RHEL for Edge now supports Greenboot
built-in health checks by default
With this update, RHEL for Edge Greenboot
now includes built-in health checks with watchdog
feature to ensure that the hardware does not hang or freeze while rebooting. With that, you can benefit from the following features:
-
It makes it simple for
watchdogs
hardware users to adopt the built-in health checks - A set of default health checks that provide value for built-in OS components
-
The
watchdog
is now present as default presets, which makes it easy to enable or disable this feature - Ability to create custom health checks based on the already available health checks.
RHEL 9 provides rpm-ostree
v2022.2
RHEL 9 is distributed with the rpm-ostree
version v2022.2, which provides multiple bug fixes and enhancements. Notable changes include:
-
Kernel arguments can now be updated in an idempotent way, by using the new
--append-if-missing
and--delete-if-present
kargs flags. -
The
Count Me
feature from DNF is now fully disabled by default in all repo queries and will only be triggered by the correspondingrpm-ostree-countme.timer
andrpm-ostree-countme.service
units. See countme. -
The post-processing logic can now process the
user.ima
IMA extended attribute. When anxattr
extended attribute is found, the system automatically translates it tosecurity.ima
in the finalOSTree
package content. -
The
treefile
file has a newrepo-packages
field. You can use it to pin a set of packages to a specific repository.
RHEL 9 provides OSTree
v2021.2
RHEL 9 is distributed with the OSTree
package version v2021.2, which provides multiple bug fixes and enhancements. Notable changes include:
- New APIs for writing files, used in the new ostree-rs-ext project, to improve imports from tarballs.
-
The
rofiles-fuse
command now handlesxattrs
extended attributes. Note: Therofiles-fuse
is considered deprecated, see #2281. -
Improvements to the
introspection
API and testing.
The rpm-ostree rebase
tool supports upgrade from RHEL 8 to RHEL 9
With this enhancement, you can upgrade your RHEL 8 system to RHEL 9 using the rpm-ostree rebase
tool. It fully supports the default package set of RHEL for Edge upgrades between the most recent updates of RHEL 8 to the most recent updates of RHEL 9.
4.3. Subscription management
Merged system purpose commands under subscription-manager syspurpose
Previously, there were two different commands to set system purpose attributes; syspurpose
and subscription-manager
. To unify all the system purpose attributes under one module, all the addons
, role
, service-level
, and usage
commands from subscription-manager have been moved to the new submodule, subscription-manager syspurpose
.
Existing subscription-manager
commands outside the new submodule are deprecated. The separate package (python3-syspurpose
) that provides the syspurpose
command line tool has been removed in RHEL 9.
This update provides a consistent way to view, set, and update all system purpose attributes using a single command of subscription-manager; this replaces all the existing system purpose commands with their equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole
becomes subscription-manager syspurpose role --set SystemRole
and so on.
For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS
section in the subscription-manager
man page.
(BZ#1898563)
4.4. Software management
RHEL 9 provides RPM 4.16
RHEL 9 is distributed with RPM version 4.16. Notable bug fixes and enhancements over version 4.14 include:
New SPEC features, most notably:
- Fast macro-based dependency generators
-
The
%generate_buildrequires
section that allows for generating dynamic build dependencies - Meta (unordered) dependencies
- Increased parallelism in package builds
- Native version comparison in expressions
- Caret version operator, opposite of tilde
-
%elif
,%elifos
and%elifarch
statements - Optional automatic patch and source numbering
-
%autopatch
now accepts patch ranges -
%patchlist
and%sourcelist
sections - Enforced UTF-8 validation of header data at build-time
-
The rpm database is now based on the
sqlite
library. Read-only support forBerkeleyDB
databases has been retained for migration and query purposes. -
A new
rpm-plugin-audit
plug-in for issuing audit log events on transactions, previously built into RPM itself
(JIRA:RHELPLAN-80734)
New RPM plugin notifies fapolicyd
about changes during RPM transactions
This update of the rpm
packages introduces a new RPM plugin that integrates the fapolicyd
framework with the RPM database. The plugin notifies fapolicyd
about installed and changed files during an RPM transaction. As a result, fapolicyd
now supports integrity checking.
Note that the RPM plugin replaces the DNF plugin because its functionality is not limited to DNF transactions but covers also changes by RPM.
(BZ#1942549)
RPM now supports the EdDSA public key algorithm
With this enhancement, the rpm
command supports signing keys using the EdDSA public key algorithm. As a result, signing keys generated using EdDSA can now be used for signing and verifying packages.
Note that, however signing keys using EdDSA are now supported, RSA continues to be the default public key algorithm in GnuPG.
RPM now supports the Zstandard (zstd
) compression algorithm
With this enhancement, the default RPM compression algorithm has switched to Zstandard (zstd
). As a result, users can benefit from faster package installations, which can be especially noticeable during large transactions.
(JIRA:RHELPLAN-117903)
New DNF options exclude_from_weak_autodetect
and exclude_from_weak
With this enhancement, the default DNF behavior does not install unwanted weak dependencies. To modify this behavior, use the following new options:
exclude_from_weak_autodetect
If enabled, the
exclude_from_weak_autodetect
option autodetects unmet weak dependencies (Recommends: or Supplements:) of packages installed on your system. As a result, providers of these weak dependencies are not installed as weak dependencies, but, if pulled in, they are installed as regular dependencies. The default value istrue
.exclude_from_weak
If enabled, the
exclude_from_weak
option prevents installing packages as weak dependencies (Recommends: or Supplements:). You can specify packages either by a package name or a glob, and separate them by a comma. The default value is[]
.
RHEL 9 provides libmodulemd 2.13.0
RHEL 9 is distributed with the libmodulemd
package version 2.13.0. Notable bug fixes and enhancements over version 2.9.4 include:
- Added support for delisting demodularized packages from a module.
-
Added support for validating
modulemd-packager-v3
documents with a new--type
option of themodulemd-validator
tool. - Fortified parsing integers.
-
Fixed various
modulemd-validator
issues.
4.5. Shells and command-line tools
Bracketed paste is now enabled in bash
by default
The bash readline
library version 8.1 is now available, which enables bracketed paste mode by default. When you paste text to your terminal, bash
highlights the text, and you must press enter
to execute the pasted command. Bracketed paste mode is the default setting to avoid accidentally executing malicious commands.
To disable the bracketed paste mode for a specific user, add the following line to ~/.inputrc
:
set enable-bracketed-paste off
To disable the bracketed paste mode for all users, add the following line to /etc/inputrc
:
set enable-bracketed-paste off
When you disable the bracketed paste mode, commands are directly executed on paste, and you do not need to confirm them by pressing enter
.
RHEL 9 includes powerpc-utils 1.3.9
RHEL 9 provides the powerpc-utils
package version 1.3.9. Notable bug fixes and enhancements over version 1.3.8 include:
-
Increased the log size to 1 MB in
drmgr
. -
Fixed the
HCIND
array size at the boot time. -
Implemented
autoconnect-slaves
on HNV connections inhcnmgr
. -
Improved the HNV bond list connections in
hcnmgr
. -
Use
hexdump
fromutil-linux
inhcnmgr
. -
The
hcn-init.service
starts with the NetworkManager. -
Fixed OF to logical FC lookup for multipath in
ofpathname
. -
Fixed OF to logical lookup with partitions in
ofpathname
. - Fixed bootlist for multipath devices with greater than 5 paths.
-
Added missing substring extraction of
devpart
in l2of_vd() ofofpathname
. -
Introduced
lpamumascore
. -
Fixed the remove by
index operation
indrmgr
. -
Moved the definition of
SYS_PATH
froml2of_vs()
tol2of_scsi()
inofpathname
. -
Added
-x
option to enhance the security in partstat. -
Fixed
nroff
warnings and errors inlparstat
man page. -
Implemented NUMA-based LMB removal in
drmgr
. -
Fixed
ofpathname
race withudev
rename inhcnmgr
. -
Use
NetworkManager
nmcli
to check bonding interface status inhcnmgr
. -
Use
NetworkManager
nmcli
to clean the bond interface at the boot time when HNV does not exist.
(BZ#1873868)
RHEL 9 is distributed with opal-prd 6.7.1
The opal-prd
package version 6.7.1 provides the following notable bug fixes and enhancements over the previously available version 6.6.3:
-
Fixed
xscom
error logging issues caused due toxscom OPAL
call. -
Fixed possible deadlock with the
DEBUG
build. -
Fallback to
full_reboot
iffast-reboot
fails incore/platform
. -
Fixed
next_ungarded_primary
incore/cpu
. - Improved rate limit timer requests and the timer state in Self-Boot Engine (SBE).
(BZ#1869560)
RHEL 9 provides lsvpd 1.7.12
RHEL 9 is distributed with the lsvpd
package version 1.7.12. Notable bug fixes and enhancements over version 1.7.11 include:
-
Added the UUID property in
sysvpd
. -
Improved the
NVMe
firmware version. - Fixed PCI device manufacturer parsing logic.
-
Added
recommends clause
to thelsvpd
configuration file.
(BZ#1869564)
ppc64-diag
version 2.7.7 available
The ppc64-diag
package version 2.7.7 is provided in RHEL 9. Notable bug fixes and enhancements over version 2.7.6 include:
- Improved unit test cases.
-
Added the UUID property in
sysvpd
. -
rtas_errd
service does not run in the Linux containers. -
The obsolete logging options are no longer available in the
systemd
service files.
(BZ#1869567)
RHEL 9 includes Fetchmail 6.4.24
RHEL 9 is distributed with the fetchmail
package version 6.4.24. Fetchmail
is a remote-mail retrieval and forwarding utility.
For more information, see:
-
the
/usr/share/doc/fetchmail/NEWS
file, -
the
fetchmail(1)
man page, -
the
/usr/share/doc/fetchmail/README.SSL
file for SSL-related information in case you need to change configuration.
(BZ#1999276)
RHEL 9 includes Eigen 3.4
RHEL 9 is distributed with the eigen3
package version 3.4. Eigen 3.4
is a C++ template library for linear algebra, which now supports POWER10 matrix multiplication assist instructions.
As a result, users of Eigen 3.4
can perform optimized linear algebra computation on POWER10 systems.
RHEL 9 introduces the cdrskin
package
RHEL 9 introduces the cdrskin
package for burning data on CD, DVD, or BD media. The cdrskin
package provides a replacement for the cdrecord
executable from the wodim
package, which is not available in RHEL 9.
The cdrskin
package includes:
- Blanking, formatting, and burning of data on optical media.
- Multi session on CD.
- Emulated ISO-9660 multi-session on overwriteable DVD+RW, DVD-RW, DVD-RAM, BD-RE.
The cdrskin
package also provides cdrecord
command as a symbolic link to cdrskin
binary, so you do not have to make any changes in user scripts. See cdrskin(1)
manual page for the full set of features.
The redhat.rhel_mgmt
Ansible collection is supported in the RHEL 9 release
This update provides support to the Intelligent Platform Management Interface (IPMI
) Ansible modules. IPMI
is a specification for a set of management interfaces to communicate with baseboard management controller (BMC) devices. The IPMI
modules - ipmi_power
and ipmi_boot
- are available in the redhat.rhel_mgmt
Collection, which you can access by installing the ansible-collection-redhat-rhel_mgmt
package.
(BZ#2023381)
RHEL 9 introduces the util-linux-core
package
In addition to the util-linux
package, RHEL 9 provides the util-linux-core
subpackage for scenarios where the size of installed packages is a critical feature, for example buildroots, certain containers, and boot images.
The util-linux-core
subpackage contains a limited subset of the util-linux
utilities, which are necessary to boot the Linux system, for example the mount
utility.
The util-linux-core
subpackage does not contain any external dependencies. For example, login utilities are not available due to the dependence on a PAM library.
For standard use cases, like installations, use the standard util-linux
package. The util-linux
package depends on util-linux-core
, which means that if you install util-linux
, util-linux-core
is installed automatically.
Updated systemd-udevd
assigns consistent network device names to InfiniBand interfaces
Introduced in RHEL 9, the new version of the systemd
package contains the updated systemd-udevd
device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd
.
You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices procedure.
For more details of the naming scheme, see the systemd.net-naming-scheme(7)
man page.
(BZ#2136937)
4.6. Infrastructure services
s-nail
replaces mailx
The s-nail
mail processing system has replaced the mailx
utility. The s-nail
utility is compatible with mailx
and adds numerous new features. The mailx
package is no longer maintained in the upstream.
(BZ#1940863)
TuneD 2.18 is available
RHEL 9 is distributed with TuneD version 2.18. Notable changes over version 2.16 include:
-
The
net
plugin: added support fortxqueuelen
tuning. -
The
disk
plugin: added support for NVMe disk tuning. -
tuned-gui
bug fixes.
RHEL 9 provides mod_security_crs 3.3
RHEL 9 is distributed with the mod_security_crs
package version 3.3. Notable bug fixes and enhancements include:
-
Introduced
libinjection
. -
Blocked backup files ending with
~
in filenames. -
Added new
LDAP
injection andHTTP
splitting rules. -
Added
.swp
to restricted extensions. - Added Common Attack Pattern Enumeration and Classification (CAPEC) tags for attack classification.
-
Added support to detect
Nuclei
,WFuzz
, andffuf
vulnerability scanners. -
Improved variable to lowercase (
modsec3 behavior fix
) - Added support to detect Unix RCE bypass techniques through uninitialized variables, string concatenations, and globbing patterns.
-
Removed outdated rule tags:
WASCTC
,OWASP_TOP_10
,OWASP_AppSensor/RE1
, andOWASP_CRS/FOO/BAR
.OWASP_CRS
andattack-type
are still included in themod_security_crs
package. -
The format of
crs-setup.conf
variabletx.allowed_request_content_type
has been changed to be in line with the other variables. In case the variable is overridden, please see the example incrs-setup.conf
file for the new separator.
RHEL 9 provides chrony 4.1
RHEL 9 is distributed with chrony
version 4.1. Notable bug fixes and enhancements over version 3.5 include:
- Support for Network Time Security (NTS) authentication has been added. For more information, see Overview of Network Time Security (NTS) in chrony.
-
By default, the Authenticated Network Time Protocol (NTP) sources are trusted over non-authenticated NTP sources. To restore the original behavior, add the
autselectmode ignore
argument in thechrony.conf
file. -
Support for authentication with
RIPEMD
keys -RMD128
,RMD160
,RMD256
,RMD320
- is no longer available. -
Support for long non-standard MACs in NTPv4 packets is no longer available. If you are using
chrony 2.x
,non-MD5/SHA1
keys, you need to configurechrony
with theversion 3
option.
In addition, the following differs from the RHEL 8 version of chrony
:
-
The
seccomp
filter is enabled by default (-F 2
is set in/etc/sysconfig/chronyd
). Theseccomp
filter conflicts with themailonchange
directive. If you have themailonchange
directive in/etc/chrony.conf
, remove the-F 2
setting from/etc/sysconfig/chronyd
.
(BZ#1961131)
4.7. Security
System-wide crypto-policies
are now more secure
With this update, the system-wide cryptographic policies have been adjusted to provide up-to-date secure defaults:
- Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, Camellia, DSA, 3DES, and FFDHE-1024 in all policies.
- Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY.
- Disabled TLS and SSH algorithms using SHA-1, with an exception of SHA-1 usage in Hash-based Message Authentication Codes (HMACs).
If your scenario requires enabling some of the disabled algorithms and ciphers, use custom policies or subpolicies.
(BZ#1937651)
RHEL 9 provides OpenSSL 3.0.1
RHEL 9 provides openssl
packages in upstream version 3.0.1, which includes many improvements and bug fixes over the previous version. The most notable changes include:
- Added the new Provider concept. Providers are collections of algorithms, and you can choose different providers for different applications.
- Introduced the new versioning scheme in the following format: <major>.<minor>.<patch>.
- Added support for the Certificate Management Protocol (CMP, RFC 4210), the Certificate Request Message Format (CRMF), and HTTP transfer (RFC 6712).
- Introduced an HTTP(S) client that supports GET and POST, redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
- Added new Key Derivation Function API (EVP_KDF) and Message Authentication Code API (EVP_MAC).
-
Added support for Linux Kernel TLS (KTLS) through compiling with the
enable-ktls
configuration option. - Added CAdES-BES signature verification support.
- Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
Added support for new algorithms, for example:
- KDF algorithms "SINGLE STEP" and "SSH".
- MAC algorithms "GMAC" and "KMAC".
- KEM algorithm "RSASVE".
- Cipher algorithm "AES-SIV"
- Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM.
-
The default algorithms for PKCS #12 creation with the
PKCS12_create()
function changed to more modern PBKDF2 and AES-based algorithms. - Added a new generic trace API.
OpenSSL now includes providers
The OpenSSL toolkit in version 3.0.1, which is included in RHEL 9, added the concept of providers. Providers are collections of algorithms, and you can choose different providers for different applications. OpenSSL currently includes the following providers: base
, default
, fips
, legacy
, and null
.
By default, OpenSSL loads and activates the default
provider, which includes commonly used algorithms such as RSA, DSA, DH, CAMELLIA, SHA-1, and SHA-2.
When the FIPS flag is set in the kernel, OpenSSL automatically loads the FIPS provider and uses only FIPS-approved algorithms. As a result, you do not have to manually switch OpenSSL to FIPS mode.
To change to a different provider on the system level, edit the openssl.cnf
configuration file. For example, if your scenario requires using the legacy
provider, uncomment the corresponding section.
Explicitly activating a provider overrides the implicit activation of the default provider and may make the system remotely inaccessible, for example by the OpenSSH suite.
For information on the algorithms included in each provider, see the relevant man pages. For example, the OSSL_PROVIDER-legacy(7)
man page for the legacy
provider.
OpenSSL random bit generator now supports CPACF
This release of the openssl
packages introduces support for the CP Assist for Cryptographic Functions (CPACF) in the OpenSSL NIST SP800-90A-compliant AES-based deterministic random bit generator (DRBG).
(BZ#1871147)
openssl-spkac
can now create SPKAC files signed with SHA-1 and SHA-256
The openssl-spkac
utility can now create Netscape signed public key and challenge (SPKAC) files signed with hashes different than MD5. You can now create and verify also SPKAC files signed with SHA-1 and SHA-256 hashes.
RHEL 9 provides openCryptoki 3.17.0
RHEL 9 is distributed with openCryptoki
version 3.17.0. Notable bug fixes and enhancements over version 3.16.0 include:
-
The
p11sak
utility adds a new function for listing keys. openCryptoki
now supports:- OpenSSL 3.0.
- Event notifications.
- Software fallbacks in ICA tokens.
- The WebSphere Application Server no longer fails to start when the hardware crypto adapter is enabled.
RHEL 9 includes OpenSSL with additional patches, which are specific to RHEL. If the system is in Federal Information Processing Standards (FIPS) mode, OpenSSL automatically loads the FIPS provider and base provider and forces the applications to use the FIPS provider. Therefore, the behavior of openCryptoki
on RHEL 9 differs from the upstream:
- Tokens that rely on OpenSSL’s implementation of the crypto operations (soft tokens and ICA tokens software fallbacks) now support only FIPS-approved mechanisms, even though unapproved mechanisms are still listed as available.
openCryptoki
supports two different token data formats: the old data format, which uses non-FIPS-approved algorithms (such as DES and SHA1), and the new data format, which uses FIPS-approved algorithms only.The old data format no longer works because the FIPS provider allows the use of only FIPS-approved algorithms.
ImportantTo make
openCryptoki
work on RHEL 9, migrate the tokens to use the new data format before enabling FIPS mode on the system. This is necessary because the old data format is still the default inopenCryptoki 3.17
. ExistingopenCryptoki
installations that use the old token data format will no longer function when the system is changed to FIPS-enabled.You can migrate the tokens to the new data format by using the
pkcstok_migrate
utility, which is provided withopenCryptoki
. Note thatpkcstok_migrate
uses non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS mode on the system. For additional information, see Migrating to FIPS compliance - pkcstok_migrate utility.
(BZ#1869533)
GnuTLS provided in version 3.7.3
In RHEL 9, the gnutls
packages are provided in upstream version 3.7.3. This provides many improvements and bug fixes over previous versions, most notably:
- Introduced API for FIPS 140-3 explicit indicators.
- Hardened defaults for exporting PKCS#12 files.
- Fixed timing of the early data (zero round trip data, 0-RTT) exchange.
-
The
certutil
tool no longer inherits the Certificate Revocation List (CRL) distribution point from the certificate authority (CA) when signing a certificate signing request (CSR).
(BZ#2033220)
RHEL 9 provides NSS 3.71
RHEL 9 is distributed with the Network Security Services (NSS) libraries version 3.71. Notable changes include:
- Support for the legacy DBM database format has been completely removed. NSS support only the SQLite database format in RHEL 9.
- The PKCS #12 encryption ciphers now use the AES-128-CBC with PBKDF2 and SHA-256 algorithms instead of PBE-SHA1-RC2-40 and PBE-SHA1-2DES.
NSS no longer support RSA keys shorter than 1023 bits
The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:
- Generate RSA keys shorter than 1023 bits.
- Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
- Encrypt or decrypt values with RSA key shorter than 1023 bits.
Minimal RSA key bit length option in OpenSSH
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH servers and clients. To define the minimal RSA key length, use the new RSAMinSize
option in the /etc/ssh/sshd_config
file for OpenSSH servers, and in the /etc/ssh/ssh_config
file for OpenSSH clients.
OpenSSH distributed in 8.7p1
RHEL 9 includes OpenSSH in version 8.7p1. This version provides many enhancements and bug fixes over OpenSSH version 8.0p1, which is distributed in RHEL 8.5, most notably:
New Features
Support for transfers using the SFTP protocol as a replacement for the previously used SCP/RCP protocol. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns by the shell on the remote side.
SFTP support is enabled by default. If SFTP is unavailable or incompatible in your scenario, you can use the
-O
flag to force use of the original SCP/RCP protocol.-
The
LogVerbose
configuration directive that allows forcing maximum debug logging by file/function/line pattern lists. -
Client address-based rate-limiting with the new
sshd_config
PerSourceMaxStartups
, andPerSourceNetBlockSize
directives. This provides finer control than the globalMaxStartups
limit. -
The
HostbasedAcceptedAlgorithms
keyword now filters based on the signature algorithm instead of filtering by key type. -
The
Include
sshd_config
keyword in thesshd
daemon that allows including additional configuration files by usingglob
patterns. -
Support for Universal 2nd Factor (U2F) hardware authenticators specified by the FIDO Alliance. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH, FIDO devices are supported by new public key types
ecdsa-sk
anded25519-sk
and by the corresponding certificate types. -
Support for FIDO keys that require a PIN for each use. You can generate these keys by using
ssh-keygen
with the newverify-required
option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. -
The
authorized_keys
file now supports a newverify-required
option. This option requires FIDO signatures to assert token verification of the user’s presence before making the signature. The FIDO protocol supports multiple methods for user verification, OpenSSH currently supports only PIN verification. -
Added support for verifying FIDO
webauthn
signatures.webauthn
is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and therefore require explicit support.
Bug fixes
-
Clarified semantics of the
ClientAliveCountMax=0
keyword. Now, it entirely disables connection killing instead of the previous behavior of instantly killing the connection after the first liveness test regardless of its success.
Security
- Fixed an exploitable integer overflow bug in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it.
- Added protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large “prekey” consisting of random data (currently 16 KB).
Locale forwarding disabled by default in OpenSSH
Using the C.UTF-8
locale in small images, such as containers and virtual machines, reduces size and improves performance over using the traditional en_US.UTF-8
locale.
Most distributions send locale environment variables by default and accept them on the server side. However, this meant that logging in through SSH from clients that used locales other than C
or C.UTF-8
to servers that did not have the glibc-langpack-en
or glibc-all-langpacks
package installed resulted in degraded user experience. Specifically, output in the UTF-8 format was broken and some tools did not work or sent frequent warning messages.
With this update, locale forwarding is switched off by default in OpenSSH. This keeps the locale viable even if clients connect to servers with minimal installations that support only a small set of locales.
OpenSSH supports U2F/FIDO security keys
Previously, the OpenSSH keys stored in hardware were only supported through the PKCS #11 standard, which limited the use of other security keys in SSH. Support for U2F/FIDO security keys was developed upstream and is now implemented in RHEL 9. This results in an improved usability of security keys within SSH independent of the PKCS #11 interface.
Libreswan provided in version 4.6
In RHEL 9, Libreswan is provided in upstream version 4.6. This version provides many bug fixes and enhancements, most notably improvements on labeled IPsec used with Internet Key Exchange version 2 (IKEv2).
(BZ#2017355)
Libreswan does not accept IKEv1 packages by default
Because the Internet Key Exchange v2 (IKEv2) protocol is now widely deployed, Libreswan no longer supports IKEv1 packets by default. IKEv2 provides a more secure environment and more resilience against attacks. If your scenario requires the use of IKEv1, you can enable it by adding the ikev1-policy=accept
option to the /etc/ipsec.conf
configuration file.
RHEL 9 provides stunnel
5.62
RHEL 9 is distributed with the stunnel
package version 5.62. Notable bug fixes and enhancements include:
-
On systems in FIPS mode,
stunnel
now always uses FIPS mode. -
The
NO_TLSv1.1
,NO_TLSv1.2
, andNO_TLSv1.3
options have been renamed toNO_TLSv1_1
,NO_TLSv1_2
, andNO_TLSv1_3
respectively. -
The new service-level
sessionResume
option enables and disables session resumption. -
LDAP is now supported in
stunnel
clients using theprotocol
option. - A Bash-completion script is now available.
RHEL 9 provides nettle
3.7.3
RHEL 9 provides the nettle
package 3.7.3 version with multiple bug fixes and enhancements. Notable changes are the following:
-
Supports new algorithms and modes, for example,
Ed448
,SHAKE256
,AES-XTS
,SIV-CMAC
. - Adds architecture-specific optimizations for existing algorithms.
(BZ#1986712)
RHEL 9 provides p11-kit
0.24
RHEL 9 provides p11-kit
package with 0.24 version. This version provides multiple bug fixes and enhancements. Notably, the subdirectory for storing distrusted Certificate Authorities has been renamed to blocklist
.
(BZ#1966680)
cyrus-sasl
now uses GDBM instead of Berkeley DB
The cyrus-sasl
package is now built without the libdb
dependency, and the sasldb
plugin uses the GDBM database format instead of Berkeley DB. To migrate your existing Simple Authentication and Security Layer (SASL) databases stored in the old Berkeley DB format, use the cyrusbdb2current
tool with the following syntax:
cyrusbdb2current <sasldb_path> <new_path>
SELinux policy in RHEL 9 is up-to-date with the current kernel
The SELinux policy includes new permissions, classes, and capabilities that are also part of the kernel. Therefore, SELinux can utilize the full potential provided by the kernel. Specifically, SELinux has better granularity for granting permissions, which has subsequent security benefits. This also enables running systems with the MLS SELinux policy because the MLS policy would prevent some systems from starting if the system contained permissions unknown to the policy.
(BZ#1941810, BZ#1954145)
Default SELinux policy disallows commands with text relocation libraries
The selinuxuser_execmod
boolean is now off by default to improve the security footprint of installed systems. As a result, SELinux users cannot enter commands using libraries that require text relocation, unless the library files have the textrel_shlib_t
label.
OpenSCAP is provided in version 1.3.6
RHEL 9 includes OpenSCAP in version 1.3.6, which provides bug fixes and improvements, most notably:
-
You can provide local copies of remote SCAP source data stream components instead of downloading them during the scan by using the
--local-files
option -
OpenSCAP accepts multiple
--rule
arguments to select multiple rules on the command line. -
You can skip evaluation of some rules using the
--skip-rule
option. -
You can restrict memory consumed by OpenSCAP probes by using the
OSCAP_PROBE_MEMORY_USAGE_RATIO
environment variable. - OpenSCAP now supports the OSBuild Blueprint as a remediation type.
OSCAP Anaconda Add-on now supports a new add-on name
With this enhancement, you can use the new com_redhat_oscap
add-on name as opposed to the legacy org_fedora_oscap
add-on name in the Kickstart file for the OSCAP Anaconda Add-on plugin. For example, the Kickstart section can be structured as follows:
%addon com_redhat_oscap content-type = scap-security-guide %end
OSCAP Anaconda Add-on is currently compatibile with the legacy add-on name, but support for the legacy add-on name will be removed in a future major RHEL version.
(BZ#1893753)
CVE OVAL feeds now compressed
With this update, Red Hat provides CVE OVAL feeds in a compressed form. They are no longer available as XML files, but are in the bzip2
format instead. The location of the feeds for RHEL9 has also been updated to reflect this change. Note that third-party SCAP scanners might have problems with scanning rules that use a compressed feed because referencing compressed content is not standardized.
SCAP Security Guide provided in version 0.1.60
RHEL 9 includes the scap-security-guide
packages in version 0.1.60. This version provides bug fixes and enhancements, most notably:
-
The rules hardening the PAM stack now use
authselect
as the configuration tool. - SCAP Security Guide now provides a delta tailoring file for the STIG profile. This tailoring file defines a profile that represents the differences between DISA’s automated STIG and SSG automated content.
SCAP Security Guide profiles supported in RHEL 9.0
With the SCAP Security Guide compliance profiles included in RHEL 9.0, you can harden the system to the recommendations from the issuing organizations. As a result, you can configure and automate compliance of your RHEL 9 systems according to your required hardening level by using the associated remediations and SCAP profiles.
Profile name | Profile ID | Policy version |
---|---|---|
French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level |
| 1.2 |
French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level |
| 1.2 |
French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level |
| 1.2 |
French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level |
| 1.2 |
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server |
| DRAFT[a] |
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server |
| DRAFT[a] |
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation |
| DRAFT[a] |
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation |
| DRAFT[a] |
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) |
| r2 |
Australian Cyber Security Centre (ACSC) Essential Eight |
| not versioned |
Health Insurance Portability and Accountability Act (HIPAA) |
| not versioned |
Australian Cyber Security Centre (ACSC) ISM Official |
| not versioned |
[DRAFT] Protection Profile for General Purpose Operating Systems |
| 4.2.1 |
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9 |
| 3.2.1 |
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9 |
| DRAFT[b] |
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9 |
| DRAFT[b] |
[a]
CIS has not yet published an official benchmark for RHEL 9
[b]
DISA has not yet published an official benchmark for RHEL 9
|
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
(BZ#2045341, BZ#2045349, BZ#2045361, BZ#2045368, BZ#2045374, BZ#2045381, BZ#2045386, BZ#2045393, BZ#2045403)
RHEL 9 provides fapolicyd
1.1
RHEL 9 is distributed with the fapolicyd
package version 1.1. Most notable enhancements include the following:
-
The
/etc/fapolicyd/rules.d/
directory for files containing allow and deny execution rules replaces the/etc/fapolicyd/fapolicyd.rules
file. Thefagenrules
script now merges all component rule files in this directory to the/etc/fapolicyd/compiled.rules
file. See the newfagenrules(8)
man page for more details. -
In addition to the
/etc/fapolicyd/fapolicyd.trust
file for marking files outside of the RPM database as trusted, you can now use the new/etc/fapolicyd/trust.d
directory, which supports separating a list of trusted files into more files. You can also add an entry for a file by using thefapolicyd-cli -f
subcommand with the--trust-file
directive to these files. See thefapolicyd-cli(1)
andfapolicyd.trust(13)
man pages for more information. -
The
fapolicyd
trust database now supports white spaces in file names. -
fapolicyd
now stores the correct path to an executable file when it adds the file to the trust database.
Rsyslog includes the mmfields
module for higher-performance operations and CEF
Rsyslog now includes the rsyslog-mmfields
subpackage which provides the mmfields
module. This is an alternative to using the property replacer field extraction, but in contrast to the property replacer, all fields are extracted at once and stored inside the structured data part. As a result, you can use mmfields
particularly for processing field-based log formats, for example Common Event Format (CEF), and if you need a large number of fields or reuse specific fields. In these cases, mmfields
has better performance than existing Rsyslog features.
logrotate
included in a separate rsyslog-logrotate
package
The logrotate
config was separated from the main rsyslog
package into the new rsyslog-logrotate
package. This is useful in certain minimal environments, for example where log rotation is not needed, to prevent installing unnecessary dependencies.
sudo
supports Python plugins
With the sudo
program version 1.9, which is included in RHEL 9, you can write sudo
plugins in Python. This makes it easier to enhance sudo
to more precisely suit specific scenarios.
For additional information, see the sudo_plugin_python(8)
man page.
libseccomp
provided in version 2.5.2
RHEL 9.0 provides the libseccomp
packages in upstream version 2.5.2. This version provides many bug fixes and enhancements over previous versions, most notably:
-
Updated the syscall table for Linux to version
v5.14-rc7
. -
Added the
get_notify_fd()
function to the Python bindings to get the notification file descriptor. - Consolidated multiplexed syscall handling for all architectures into one location.
- Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures.
-
Changed the meaning of the
SECCOMP_IOCTL_NOTIF_ID_VALID
operation within the kernel. -
Changed the
libseccomp
file descriptor notification logic to support the kernel’s previous and new usage ofSECCOMP_IOCTL_NOTIF_ID_VALID
. -
Fixed a bug where
seccomp_load()
could only be called once. -
Changed the notification
fd
handling to only request a notificationfd
if the filter has a_NOTIFY
action. -
Added documentation about
SCMP_ACT_NOTIFY
to theseccomp_add_rule(3)
manpage. - Clarified the maintainers’ GPG keys.
Clevis now supports SHA-256
With this enhancement, the Clevis framework supports the SHA-256
algorithm as the default hash for JSON Web Key (JWK) thumbprints as recommended by RFC 7638
. Because the older thumbprints (SHA-1) are still supported, you can still decrypt the previously encrypted data.
(BZ#1956760)
4.8. Networking
The diag
modules are now available in the kernel
The diag
modules are now included with the kernel image. With this update, the diag
modules no longer need to be dynamically loaded when the ss
command is used. This allows better debugging of networking issues regardless of the customer policy on kernel modules. Modules included in the kernel:
CONFIG_INET_DIAG CONFIG_INET_RAW_DIAG CONFIG_INET_TCP_DIAG CONFIG_INET_UDP_DIAG CONFIG_INET_MPTCP_DIAG CONFIG_NETLINK_DIAG CONFIG_PACKET_DIAG CONFIG_UNIX_DIAG
(BZ#1948340)
New core and IPv4-related networking sysctl
kernel parameters
The RHEL 9.0 kernel provides the following new core and IPv4 networking sysctl
parameters compared to previous RHEL versions:
-
net.core.devconf_inherit_init_net
-
net.core.gro_normal_batch
-
net.core.high_order_alloc_disable
-
net.core.netdev_unregister_timeout_secs
-
net.ipv4.fib_multipath_hash_fields
-
net.ipv4.fib_notify_on_flag_change
-
net.ipv4.fib_sync_mem
-
net.ipv4.icmp_echo_enable_probe
-
net.ipv4.ip_autobind_reuse
-
net.ipv4.nexthop_compat_mode
-
net.ipv4.raw_l3mdev_accept
-
net.ipv4.tcp_comp_sack_slack_ns
-
net.ipv4.tcp_migrate_req
-
net.ipv4.tcp_mtu_probe_floor
-
net.ipv4.tcp_no_ssthresh_metrics_save
-
net.ipv4.tcp_reflect_tos
For details about these parameters, install the kernel-doc
package and see the following files:
-
/usr/share/doc/kernel-doc-<version>/Documentation/admin-guide/sysctl/net.rst
-
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.rst
(BZ#2068532)
Changed behavior in firewalld
when transmitting packets between zones
In zone-based firewalls, packets enter only one zone. Implicit packet transmission is the concept violation and can allow traffic or services unexpectedly. In Red Hat Enterprise Linux 9 the firewalld
service no longer allows implicit packet transmission between two different zones.
For more information about this change, see Changed behavior in firewalld
when transmitting packets between zones Knowledge Article.
Intra-zone forwarding has been enabled by default
The firewalld
intra-zone forwarding feature allows forwarding traffic between interfaces or sources within a firewalld zone. Starting with RHEL 9.0, this feature has been enabled by default. Use the --add-forward
option of the firewall-cmd
utility to enable intra-zone forwarding for a particular zone. The firewall-cmd --list-all
command displays whether intra-zone forwarding is enabled or disabled for a zone:
# firewall-cmd --list-all public (active) ... forward: no
Making Nmstate more inclusive
Red Hat is committed to using conscious language. Therefore the slave
term in the nmstate
API has been replaced by the term port
.
NetworkManager supports interface names set in the rd.znet_ifname
kernel option on IBM Z
With this enhancement, on the IBM Z platform, NetworkManager now interprets the rd.znet
and rd.znet_ifname
kernel command-line options when installing or booting Red Hat Enterprise Linux from the network. As a result, it is possible to specify a name of a network interface identified by the subchannels instead of the default one.
The hostapd
package has been added to RHEL 9.0
With this release, RHEL provides the hostapd
package. However, Red Hat supports hostapd
only to set up a RHEL host as an 802.1X authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or authenticators in Wi-Fi networks, are not supported.
For details about configuring RHEL as an 802.1X authenticator with a FreeRADIUS back end, see Setting up an 802.1x network authentication service for LAN clients using hostapd with FreeRADIUS backend.
(BZ#2019830)
ModemManager provided in version 1.18.2
RHEL 9.0 provides the ModemManager
packages in upstream version 1.18.2. This version includes bug fixes and enhancements over the previous version, most notably:
- Improved capabilities and modes handling for devices with 5G capabilities
- Additional devices support
NetworkManager allows to change queue_id
of bond port
NetworkManager ports in a bond now supports the queue_id
parameter. Assuming eth1
is a port of bond interface, you can enable queue_id
for a bond port with:
# nmcli connection modify eth1 bond-port.queue-id 1 # nmcli connection up eth1
Any network interface that needs to use this option should configure it with multiple calls until proper priorities are set for all interfaces. For more information, see /usr/share/docs/kernel-doc-_<version>/Documentation/networking/bonding.rst
file that is provided by the kernel-doc
package.
Support for the configuration of blackhole
, prohibit
and unreachable
route types with latest NetworkManager
Kernel supports several route types besides the common unicast
, broadcast
and local
route types. In addition, users can now configure blackhole
, prohibit
and unreachable
static route types in the connection profile of the NetworkManager. The NetworkManager will add a profile when the profile is activated.
(BZ#2060013)
RoCE Express Adapters now use an improved interface naming scheme
With this enhancement, RDMA over Converged Ethernet (RoCE) Express adapters use the predictable interface naming scheme and the Peripheral Communication Interface on z-system (zPCI) connector. In this naming scheme, RHEL uses user identifier (UID) or function identifier (FID) to generate unique names. In case that no unique UID is available, RHEL uses FID to set the naming scheme.
4.9. Kernel
Kernel version in RHEL 9.0
Red Hat Enterprise Linux 9.0 is distributed with the kernel version 5.14.0-70.
Red Hat, by default, enables eBPF in all RHEL versions for privileged users only
Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0
.
However, note that
-
Applying
unprivileged_bpf_disabled=0
disqualifies your kernel from Red Hat support and opens your system to security risks. -
Red Hat urges you to treat processes with the
CAP_BPF
capability as if the capability was equal toCAP_SYS_ADMIN
. -
Setting
unprivileged_bpf_disabled=0
will not be sufficient to execute many BPF programs by unprivileged users as loading of most BPF program types requires additional capabilities (typicallyCAP_SYS_ADMIN
orCAP_PERFMON
).
For information on how to apply kernel command-line parameters, see Configuring kernel command-line parameters.
(BZ#2091643)
Red Hat protects kernel symbols only for minor releases
Red Hat guarantees that a kernel module will continue to load in all future updates within an Extended Update Support (EUS) release, only if you compile the kernel module using protected kernel symbols. There is no kernel Application Binary Interface (ABI) guarantee between minor releases of RHEL 9.
RHEL 9 Beta kernels signed with trusted SecureBoot certificates
Previously, RHEL Beta releases required users to enroll a separate Beta public key using the Machine Owner Key (MOK) facility. Starting with RHEL 9 Beta, kernels are signed with trusted SecureBoot certificates, hence users no longer need to enroll a separate Beta public key to use the beta versions on systems having UEFI Secure Boot enabled.
cgroup-v2
enabled by default in RHEL 9
The control groups version 2 (cgroup-v2
) feature implements a single hierarchy model that simplifies the management of control groups. Also, it ensures that a process can only be a member of a single control group at a time. Deep integration with systemd
improves the end-user experience when configuring resource control on a RHEL system.
Development of new features is mostly done for cgroup-v2
, which has some features that are missing in cgroup-v1
. Similarly, cgroup-v1
contains some legacy features that are missing in cgroup-v2
. Also, the control interfaces are different. Therefore, third party software with direct dependency on cgroup-v1
may not run properly in the cgroup-v2
environment.
To use cgroup-v1
, you need to add the following parameters to the kernel command-line:
systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller
Both cgroup-v1
and cgroup-v2
are fully enabled in the kernel. There is no default control group version from the kernel point of view, and is decided by systemd
to mount at startup.
Kernel changes potentially affecting third party kernel modules
Linux distributions with a kernel version prior to 5.9 supported exporting GPL functions as non-GPL functions. As a result, users could link proprietary functions to GPL kernel functions through the shim
mechanism. With this release, the RHEL kernel incorporates upstream changes that enhance the ability of RHEL to enforce GPL by rebuffing shim
.
Partners and independent software vendors (ISVs) should test their kernel modules with an early version of RHEL 9 to ensure their compliance with GPL.
The 64-bit ARM architecture has a 4 KB page size in RHEL 9
Red Hat has selected a 4 KB page size of physical memory for the 64-bit ARM architecture in Red Hat Enterprise Linux 9. This size pairs well with the workloads and memory amounts present on the majority of ARM-based systems. To employ large page sizes efficiently, use the huge pages option to address a greater amount of memory or workloads with large data sets.
For more information about huge pages see Monitoring and Managing System Status and Performance.
(BZ#1978382)
The strace
utility now correctly displays SELinux context mismatches
An existing --secontext
option of strace
has been extended with the mismatch
parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (!!
), first the actual context, then the expected one. In the examples below, the full,mismatch
parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary mismatch
, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.
[...] $ strace --secontext=full,mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ... $ strace --secontext=mismatch -e statx stat /home/user/file statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
SELinux context mismatches often cause access control issues associated with SELinux. The mismatches printed in the system call traces can significantly expedite the checks of SELinux context correctness. The system call traces can also explain specific kernel behavior with respect to access control checks.
perf-top
now can sort by a certain column
With this update to the perf-top
system profiling tool, you can sort samples by an arbitrary event column. Previously, the events were sorted by the first column in case multiple events in a group were sampled. To sort the samples, use the --group-sort-idx
command-line option and press a number key to sort the table by the matching data column. Note that column numbering starts from 0
.
(BZ#1851933)
New package: jigawatts
Checkpoint/Restore In Userspace (CRIU) is a Linux utility that allows checkpointing and restoring of processes. The jigawatts
package contains a Java library, which aims to improve the usability of CRIU mechanisms from Java applications.
The trace-cmd reset
command has new behavior
Previously, the trace-cmd reset
command resetted the tracing_on
configuration to 0. The new behavior of trace-cmd reset
is to reset tracing_on
to its default value 1.
(BZ#1933980)
Extended Berkeley Packet Filter is supported in RHEL 9
The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.
The eBPF bytecode first loads to the kernel. Then the bytecode is verified and translated to the native machine code with just-in-time compilation. Finally, the virtual machine executes the code.
Red Hat ships numerous components that utilize the eBPF virtual machine. In RHEL 9, these components include:
- The BPF Compiler Collection (BCC) package, which provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
- The BCC library, which allows the development of tools similar to those provided in the BCC tools package.
-
The
bpftrace
tracing language. The
libbpf
package, which is crucial forbpf
development andbpf
-related applications likebpftrace
.-
The
XDP
andAF_XDP
API parts of thelibbpf
library are not supported and may be removed in a future release.
-
The
- The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
-
The eXpress Data Path (XDP) feature, which provides access to the received packets before the kernel networking stack processes them. Red Hat supports XDP only if it is used through the
libxdp
library. The
xdp-tools
package, which contains user-space support utilities for the XDP feature and is supported on the AMD64 and Intel64 CPU architectures. Thexdp-tools
package includes:-
The
libxdp
library. -
The
xdp-loader
utility for loading XDP programs. -
The
xdp-filter
example program for packet filtering. -
The
xdpdump
utility for capturing packets from a network interface with XDP enabled. Thexdpdump
utility is currently supported only on AMD64 and Intel64 CPU architectures. It is available for other architectures as Technology Preview.
-
The
-
The
AF_XDP
socket for connecting the eXpress Data Path (XDP) path to user-space.
RHEL 9 provides the crash
utility version 8.0.0
RHEL 9 is distributed with the crash
utility version 8.0.0. The bug fixes and and notable enhancements include:
-
Adds the new
offset
parameter in theadd-symbol-file
command. This support helps to set thekaslr_offset
togdb
. -
Upgrades the
gdb-7.6
togdb-10.2
.
(BZ#1896647)
makedumpfile
now supports an improved zstd
compression capability
With this enhancement, the makedumpfile
now includes the Zstandard (zstd
) compression capability, which provides high compression ratios. This improvement helps specifically on large memory systems.
The zstd
compression capability now has a good balance between the vmcore
dump size and the compression time consumption as compared to prior compression ratios. As a result, the improved compression mechanism now creates a smaller vmcore
file with an acceptable good compression time.
Note that a good compression ratio also depends on how the system is being used and the data type stored in RAM.
(BZ#1988894)
numatop
enabled on Intel Xeon scalable server processors
numatop
is a tool that tracks and analyzes the behavior of the processes and threads running on NUMA systems and displays metrics which can identify NUMA-related performance bottlenecks.
numatop
uses Intel performance counter sampling technologies and associates the performance data with Linux system runtime
information, to provide analysis in production systems.
(BZ#1874125)
kexec_file_load
has been added as the default option for RHEL 9
This update adds the kexec_file_load
system call for the 64-bit ARM architecture. It provides an in-kernel kexec
loader for kdump
. Previously, the kernel prevented the loading of unsigned kernel images when the secure boot option was enabled. The kdump
mechanism would first try to detect whether secure boot is enabled and then choose the boot interface to run. Consequently, an unsigned kernel failed to load with secure boot enabled and kexec_file_load()
specified.
This update fixes the problem and an unsigned kernel works correctly in the described scenario.
(BZ#1895232)
makedumpfile
now includes improved options to get an estimated vmcore
size
With this implementation, the makedumpfile
utility now includes the following options which help to print an estimate for the dump size for the currently running kernel:
-
--dry-run
performs all operations specified by the other options but does not write the output file. -
--show-stats
prints the report messages. This is an alternative to enabling bit 4 in the level provided to--message-level
option.
The following example shows the --dry-run
and --show-stats
usage:
$ makedumpfile --dry-run --show-stats -l --message-level 7 -d 31 /proc/kcore dump.dummy
Note that the dump file size may vary depending on the system state at the time of panic and the estimate provided by the options may differ from the actual state.
The kexec-tools
package now supports the default crashkernel
memory reservation values for RHEL 9
The kexec-tools
package now maintains the default crashkernel
memory reservation values. The kdump
service uses the default value to reserve the crashkernel
memory for each kernel. This implementation also improves memory allocation for kdump
when a system has less than 4GB of available memory.
To query the default crashkernel value:
$ kdumpctl get-default-crashkernel
If the memory reserved by the default crashkernel
value is not sufficient on your system, increase the crashkernel
parameter.
Note that the crashkernel=auto
option in the boot command line is no longer supported in RHEL 9 and later releases.
For more information, see the /usr/share/doc/kexec-tools/crashkernel-howto.txt
file.
(BZ#2034490)
Core scheduling is supported in RHEL 9
With the core scheduling functionality users can prevent tasks that should not trust each other from sharing the same CPU core. Likewise, users can define groups of tasks that can share a CPU core.
These groups can be specified:
- To improve security by mitigating some cross-Symmetric Multithreading (SMT) attacks
- To isolate tasks that need a whole core. For example for tasks in real-time environments, or for tasks that rely on specific processor features such as Single Instruction, Multiple Data (SIMD) processing
For more information, see Core Scheduling.
(JIRA:RHELPLAN-100497)
Performance improved on 64-bit ARM architecture using non-strict iommu mode as default
With this upgrade, the 64-bit ARM architecture defaults to using the lazy direct memory access (DMA) domain for system memory management unit (SMMU). While bringing a significant performance gain, it can introduce a window between an address unmap and a Translation Lookaside Buffer (TLB) flush on SMMU. On previous versions, the 64-bit ARM architecture configured the strict DMA domains as default, which caused the performance to drop due to the 4KB page size.
If you need to use the strict DMA domain mode, specify the iommu.strict=1
mode using the kernel command-line. Note that using strict DMA domains can cause performance drops on 64-bit ARM architectures.
(BZ#2050415)
The kernel-rt
source tree has been updated to RHEL 9.0 tree
The kernel-rt
sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.15-rt19. These updates provide a number of bug fixes and enhancements.
(BZ#2002474)
Support for CPU hotplug in the hv_24x7
and hv_gpci
PMUs
With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a hv_gpci
event counter is running on a CPU that gets disabled, the counting redirects to another CPU.
(BZ#1844416)
Metrics for POWERPC hv_24x7
nest events are now available
Metrics for POWERPC hv_24x7
nest events are now available for perf
. By aggregating multiple events, these metrics provide a better understanding of the values obtained from perf
counters and how effectively the CPU is able to process the workload.
(BZ#1780258)
The IRDMA driver has been introduced in RHEL 9
The IRDMA driver enables RDMA functionality on RDMA-capable Intel® network devices. Devices supported by this driver are:
- Intel® Ethernet Controller E810
- Intel® Ethernet Network Adapter X722
RHEL 9 delivers updated Intel® Ethernet Protocol Driver for RDMA (IRDMA) for the X722 Internet Wide-area RDMA Protocol (iWARP) device. RHEL 9 also introduces a new E810 device that supports iWARP and RDMA over Converged Ethernet (RoCEv2). The IRDMA module replaces the legacy i40iw module for X722 and extends the Application Binary Interface (ABI) defined for i40iw. The change is backward compatible with legacy X722 RDMA-Core provider (libi40iw).
- The X722 device supports only iWARP and a more limited set of configuration parameters.
The E810 device supports the following set of RDMA and congestion management features:
- iWARP and RoCEv2 RDMA transports
- Priority Flow Control (PFC)
- Explicit Congestion Notification (ECN)
(BZ#1874195)
A new parameter for the kernel bonding
module: lacp_active
RHEL 9 introduces the lacp_active
parameter for the bonding
kernel module. This parameter specifies whether to send Link Aggregation Control Protocol Data Unit (LACPDU) frames at specified intervals. The options are as follows:
-
on
(default) - enables to send the LACPDU frames along with the configuredlacp_rate
parameter -
off
- the LACPDU frames act as "speak when spoken to"
Note that the LACPDU state frames are still sent when you initialize or unbind port.
4.10. Boot loader
Boot loader configuration files are unified across CPU architectures
Configuration files for the GRUB boot loader are now stored in the /boot/grub2/
directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg
file, which GRUB previously used as the main configuration file on UEFI systems, now simply loads the /boot/grub2/grub.cfg
file.
This change simplifies the layout of the GRUB configuration file, improves user experience, and provides the following notable benefits:
- You can boot the same installation with either EFI or legacy BIOS.
- You can use the same documentation and commands for all architectures.
- GRUB configuration tools are more robust, because they no longer rely on symbolic links and they do not have to handle platform-specific cases.
- The usage of the GRUB configuration files is aligned with images generated by CoreOS Assembler (COSA) and OSBuild.
- The usage of the GRUB configuration files is aligned with other Linux distributions.
(JIRA:RHELPLAN-101246)
4.11. File systems and storage
Options in Samba utilities have been renamed and removed for a consistent user experience
The Samba utilities have been improved to provide a consistent command-line interface. These improvements include renamed and removed options. Therefore, to avoid problems after the update, review your scripts that use Samba utilities, and update them, if necessary.
Samba 4.15 introduces the following changes to the Samba utilities:
- Previously, Samba command-line utilities silently ignored unknown options. To prevent unexpected behavior, the utilities now consistently reject unknown options.
-
Several command-line options now have a corresponding
smb.conf
variable to control their default value. See the man pages of the utilities to identify if a command-line option has ansmb.conf
variable name. -
By default, Samba utilities now log to standard error (
stderr
). Use the--debug-stdout
option to change this behavior. -
The
--client-protection=off|sign|encrypt
option has been added to the common parser. The following options have been renamed in all utilities:
-
--kerberos
to--use-kerberos=required|desired|off
-
--krb5-ccache
to--use-krb5-ccache=CCACHE
-
--scope
to--netbios-scope=SCOPE
-
--use-ccache
to--use-winbind-ccache
-
The following options have been removed from all utilities:
-
-e
and--encrypt
-
-C
removed from--use-winbind-ccache
-
-i
removed from--netbios-scope
-
-S
and--signing
-
To avoid duplicate options, certain options have been removed or renamed from the following utilities:
-
ndrdump
:-l
is no longer available for--load-dso
-
net
:-l
is no longer available for--long
-
sharesec
:-V
is no longer available for--viewsddl
-
smbcquotas
:--user
has been renamed to--quota-user
-
nmbd
:--log-stdout
has been renamed to--debug-stdout
-
smbd
:--log-stdout
has been renamed to--debug-stdout
-
winbindd
:--log-stdout
has been renamed to--debug-stdout
-
Changes in the NFS client and server in RHEL 9
-
RHEL 9.0 NFS server and client no longer support the insecure GSS Kerberos 5 encryption type
des-cbc-crc
. - NFS client no longer supports mounting filesystems using UDP transports.
GFS2 file systems are now created with format version 1802
GFS2 file systems in RHEL 9 are created with format version 1802. This enables the following features:
-
Extended attributes in the
trusted
namespace ("trusted.* xattrs") are recognized bygfs2
andgfs2-utils
. -
The
rgrplvb
option is active by default. This allowsgfs2
to attach updated resource group data to DLM lock requests, so the node acquiring the lock does not need to update the resource group information from disk. This improves performance in some cases.
File systems created with the new format version will not be able to be mounted under earlier RHEL versions and older versions of the fsck.gfs2
utility will not be able to check them.
Users can create a file system with the older format version by running the mkfs.gfs2
command with the option -o format=1801
.
Users can upgrade the format version of an older file system running tunegfs2 -r 1802 device
on an unmounted file system. Downgrading the format version is not supported.
(BZ#1616432)
RHEL 9 provides nvml
package version 1.10.1
RHEL 9.0 updates the nvml
package to version 1.10.1. This update adds features and fixes a potential data corruption bug on power loss.
(BZ#1874208)
Support for exFAT file system has been added
RHEL 9.0 supports Extensible File Allocation Table (exFAT) file system. You can now mount, format, and generally use this file system, which is usually used by default on flash memory.
(BZ#1943423)
rpcctl
command now displays SunRPC connection information
With this update, you can use the rpcctl
command to display information collected in the SunRPC sysfs
files about the system’s SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the sysfs
file system.
(BZ#2059245)
Limiting the set of the devices for LVM
By default, LVM in RHEL 9 uses only the devices that you explicitly select. Use the new commands lvmdevices
and vgimportdevices
to select specific devices. Using the pvcreate
, vgcreate
, and vgextend
commands indirectly selects new devices for lvm
, if they have not already been selected. LVM ignores devices that are attached to the system until you select them by using one of these commands. The lvm
command saves the list of the selected devices in the devices file /etc/lvm/devices/system.devices
. The lvm.conf
filter or any other command-line configuration filter does not function when you enable the new devices file feature. If you remove or disable the devices file, LVM applies the filter to all attached devices. For detailed information about this feature, see the lvmdevices(8)
man page.
NVMe/TCP host with nvme_tcp.ko
is now fully supported
Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) with the nvme_tcp.ko
kernel module is now fully supported. The NVMe/TCP target with the nvmet_tcp.ko
module is available with an Unmaintained status in RHEL 9.0.
multipathd
now supports detecting FPIN-Li events
When you add a new value fpin
for the marginal_pathgroups
config option, you enable multipathd
to monitor the Link Integrity Fabric Performance Impact Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. With the fpin
value set, multipathd
overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to identify link integrity issues.
With this enhancement, the multipathd
method becomes more robust in detecting marginal paths on Fibre Channel fabrics that can issue PFIN-Li events.
4.12. High availability and clusters
The resource-stickiness
resource meta-attribute now defaults to 1 instead of 0 for newly-created clusters
Previously, the default value for the resource-stickiness
resource meta-attribute had a default value of 0 for newly-created clusters. This meta-attribute now defaults to 1.
With a stickiness of 0, a cluster may move resources as needed to balance resources across nodes. This may result in resources moving when unrelated resources start or stop. With a positive stickiness, resources have a preference to stay where they are, and move only if other circumstances outweigh the stickiness. This may result in newly-added nodes not getting any resources assigned to them without administrator intervention. Both approaches have potentially unexpected behavior, but most users prefer having some stickiness. The default value for this meta-attribute has been changed to 1 to reflect this preference.
Only newly-created clusters are affected by this change, so the behavior does not change for existing clusters. Users who prefer the old behavior for their cluster can delete the resource-stickiness
entry from resource defaults.
(BZ#1850145)
New LVM volume group flag to control autoactivation
LVM volume groups now support a setautoactivation
flag which controls whether logical volumes that you create from a volume group will be automatically activated on startup. When creating a volume group that will be managed by Pacemaker in a cluster, set this flag to n
with the vgcreate --setautoactivation n
command for the volume group to prevent possible data corruption. If you have an existing volume group used in a Pacemaker cluster, set the flag with vgchange --setautoactivation n
.
New pcs resource status display commands
The pcs resource status
and the pcs stonith status
commands now support the following options:
-
You can display the status of resources configured on a specific node with the
pcs resource status node=node_id
command and thepcs stonith status node=node_id
command. You can use these commands to display the status of resources on both cluster and remote nodes. -
You can display the status of a single resource with the
pcs resource status resource_id
and thepcs stonith status resource_id
commands. -
You can display the status of all resources with a specified tag with the
pcs resource status tag_id
and thepcs stonith status tag_id
commands.
(BZ#1290830, BZ#1285269)
New reduced output display option for pcs resource safe-disable
command
The pcs resource safe-disable
and pcs resource disable --safe
commands print a lengthy simulation result after an error report. You can now specify the --brief
option for those commands to print errors only. The error report now always contains resource IDs of affected resources.
New pcs
command to update SCSI fencing device without causing restart of all other resources
Updating a SCSI fencing device with the pcs stonith update
command causes a restart of all resources running on the same node where the stonith resource was running. The new pcs stonith update-scsi-devices
command allows you to update SCSI devices without causing a restart of other cluster resources.
Ability to configure watchdog-only SBD for fencing on subset of cluster nodes
Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. That prevented using SBD in a cluster where some nodes support it but other nodes (often remote nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup using the new fence_watchdog
agent, which allows cluster configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other fencing types. A cluster may only have a single such device, and it must be named watchdog
.
Detailed Pacemaker status display for internal errors
If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is not installed or there has been an internal timeout, the Pacemaker status displays now show a detailed exit reason for the internal error.
(BZ#1470834)
The pcmk_delay_base
parameter may now take different values for different nodes
When configuring a fence device, you now can specify different values for different nodes with the pcmk_delay_base parameter
. This allows a single fence device to be used in a two-node cluster, with a different delay for each node. This helps prevent a situation where each node attempts to fence the other node at the same time. To specify different values for different nodes, you map the host names to the delay value for that node using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when fencing node1 and a 10-second delay when fencing node2.
Support for special characters inside pcmk_host_map
values
The pcmk_host_map
property now supports special characters inside pcmk_host_map
values using a backslash (\) in front of the value. For example, you can specify pcmk_host_map="node3:plug\ 1"
to include a space in the host alias.
New fencing agent for OpenShift
The fence_kubevirt
fencing agent is now available for use with RHEL High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt
agent, see the fence_kubevirt
(8) man page.
Local mode version of pcs cluster setup
command is now fully supported
By default, the pcs cluster setup
command automatically synchronizes all configuration files to the cluster nodes. The pcs cluster setup
command now fully supports the --corosync-conf
option. Specifying this option switches the command to local
mode. In this mode, the pcs
command-line interface creates a corosync.conf
file and saves it to a specified file on the local node only, without communicating with any other node. This allows you to create a corosync.conf
file in a script and handle that file by means of the script.
Automatic removal of location constraint following resource move
When you execute the pcs resource move
command, this adds a constraint to the resource to prevent it from running on the node on which it is currently running. By default, the location constraint that the command creates is automatically removed once the resource has been moved. This does not necessarily move the resources back to the original node; where the resources can run at that point depends on how you have configured your resources initially. If you would like to move a resource and leave the resulting constraint in place, use the pcs resource move-with-contraint
command.
pcs
suppport for OCF Resource Agent API 1.1 standard
The pcs
command-line interface now supports OCF 1.1 resource and STONITH agents. As part of the implementation of this support, any agent’s metadata must comply with the OCF schema, whether the agent is an OCF 1.0 or OCF 1.1 agent. If an agent’s metadata does not comply with the OCF schema, pcs
considers the agent invalid and will not create or update a resource of the agent unless the --force
option is specified. The pcsd
Web UI and pcs
commands for listing agents now omit agents with invalid metadata from the listing.
pcs now accepts Promoted
and Unpromoted
as role names
The pcs
command-line interface now accepts Promoted
and Unpromoted
anywhere roles are specified in Pacemaker configuration. These role names are the functional equivalent of the Master
and Slave
Pacemaker roles in previous RHEL releases, and these are the role names that are visible in configuration displays and help pages.
Updated version of pcsd
Web UI
The pcsd
Web UI, the graphical user interface to create and configure Pacemaker/Corosync clusters, has been updated. The updated Web UI provides an improved user experience and a standardized interface that is built with the PatternFly framework used in other Red Hat web applications.
(BZ#1996067)
4.13. Dynamic programming languages, web and database servers
Python in RHEL 9
Python 3.9 is the default Python implementation in RHEL 9. Python 3.9 is distributed in a non-modular python3
RPM package in the BaseOS repository and usually installed by default. Python 3.9 will be supported for the whole life cycle of RHEL 9.
Additional versions of Python 3 will be distributed as RPM packages with a shorter life cycle through the AppStream repository and will be installable in parallel.
The python
command (/usr/bin/python
), as well as other Python-related commands such as pip
, are available in the unversioned form and point to the default Python 3.9 version.
Python 2 is not distributed with RHEL 9.
For more information about Python in RHEL 9, see Introduction to Python.
(BZ#1941595, JIRA:RHELPLAN-80598)
Node.js 16
available in RHEL 9
RHEL 9 provides a Long Term Support (LTS) version 16 of Node.js
, a software development platform for building fast and scalable network applications in the JavaScript programming language.
Notable changes in Node.js 16
over Node.js 14
include:
-
The
V8
engine has been upgraded to version 9.4. -
The
npm
package manager has been upgraded to version 8.3.1. -
A new
Timers Promises
API provides an alternative set of timer functions that returnPromise
objects. -
Node.js
is now compatible withOpenSSL 3.0
. -
Node.js
now provides a new experimentalWeb Streams
API and an experimental ECMAScript modules (ESM) loader hooks API.
Node.js 16
is the initial version of this Application Stream, which you can install easily as an RPM package. Node.js 16
has a shorter life cycle than RHEL 9. For details, see the Red Hat Enterprise Linux Application Streams Life Cycle document. Additional Node.js
versions will be provided as modules also with a shorter life cycle in future minor releases of RHEL 9.
RHEL 9 provides Ruby 3.0
RHEL 9 is distributed with Ruby 3.0.3
, which provides a number of performance improvements, bug and security fixes, and new features over Ruby 2.7
.
Notable enhancements include:
Concurrency and parallelism features:
-
Ractor
, an Actor-model abstraction that provides thread-safe parallel execution, is provided as an experimental feature. -
Fiber Scheduler
has been introduced as an experimental feature.Fiber Scheduler
intercepts blocking operations, which enables light-weight concurrency without changing existing code.
-
Static analysis features:
-
The
RBS
language has been introduced which describes the structure ofRuby
programs. Therbs
gem has been added to parse type definitions written inRBS
. -
The
TypeProf
utility has been introduced which is a type analysis tool forRuby
code.
-
The
-
Pattern matching with the
case/in
expression is no longer experimental. - One-line pattern matching, which is an experimental feature, has been redesigned.
- Find pattern has been added as an experimental feature.
The following performance improvements have been implemented:
-
Pasting long code to the
Interactive Ruby Shell (IRB)
is now significantly faster. -
The
measure
command has been added toIRB
for time measurement.
Other notable changes include:
- Keyword arguments are now separated from other arguments.
-
The default directory for user-installed gems is now
$HOME/.local/share/gem/
unless the$HOME/.gem/
directory is already present.
Ruby 3.0
is the initial version of this Application Stream which you can install easily as an RPM package. Additional Ruby
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
(JIRA:RHELPLAN-80758)
RHEL 9 introduces Perl 5.32
RHEL 9 includes Perl 5.32
, which provides a number of bug fixes and enhancements over version 5.30.
Notable enhancement include:
-
Perl
now supports Unicode version 13.0. -
The
qr
quote-like operator has been enhanced. -
The
POSIX::mblen()
,mbtowc
, andwctomb
functions now work on shift state locales and are thread-safe on C99 and above compilers when executed on a platform that has locale thread-safety; the length parameters are now optional. -
The new experimental
isa
infix operator tests whether a given object is an instance of a given class or a class derived from it. - Alpha assertions are no longer experimental.
- Script runs are no longer experimental.
- Feature checks are now faster.
-
Perl
can now dump compiled patterns before optimization.
Perl 5.32
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Perl
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
(JIRA:RHELPLAN-80759)
RHEL 9 includes PHP 8.0
RHEL 9 is distributed with PHP 8.0
, which provides a number of bug fixes and enhancements over version 7.4.
Notable enhancements include:
- New named arguments are order-independent and self-documented, and enable you to specify only required parameters.
- New attributes enable you to use structured metadata with PHP’s native syntax.
- New union types enable you to use native union type declarations that are validated at runtime instead of PHPDoc annotations for a combination of types.
- Internal functions now more consistently raise an Error exception instead of warnings if parameter validation fails.
- New Just-In-Time compilation engines significantly improve application performance.
-
The
Xdebug
debugging and productivity extension for PHP has been updated to version 3. This version introduces major changes in functionality and configuration compared toXdebug 2
.
PHP 8.0
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional PHP
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using the PHP scripting language.
RHEL 9 provides Git 2.31
and Git LFS 2.13
RHEL 9 is distributed with Git 2.31
which provides a number of enhancements and performance improvements over version 2.27 available in RHEL 8. Notable changes include:
-
The
git status
command now reports the status of sparse checkout. -
You can now use the
--add-file
option with thegit archive
command to include untracked files in a snapshot from a tree-ish identifier. -
You can use the
clone.defaultremotename
configuration variable to customize a nickname of the source remote repository. -
You can configure the maximum length of output file names created by the
git format-patch
command. Previously, the length limit was 64 bytes. - Support for the deprecated PCRE1 library has been removed.
Additionally, the Git Large File Storage (LFS)
extension version 2.13 is now available. Enhancements over version 2.11 distributed in RHEL 8 include:
-
Git LFS
now supports SHA-256 repositories. -
Git LFS
now supports thesocks5h
protocol. -
A new
--worktree
option is available for thegit lfs install
andgit lfs uninstall
commands. -
A new
--above
parameter is available for thegit lfs migrate import
command.
(BZ#1956345, BZ#1952517)
Subversion 1.14
in RHEL 9
RHEL 9 is distributed with Subversion 1.14
. Subversion 1.14
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional Subversion
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
(JIRA:RHELPLAN-82578)
Notable changes in the Apache HTTP Server
RHEL 9.0 provides version 2.4.51 of the Apache HTTP Server. Notable changes over version 2.4.37 include:
Apache HTTP Server Control Interface (
apachectl
):-
The
systemctl
pager is now disabled forapachectl status
output. -
The
apachectl
command now fails instead of giving a warning if you pass additional arguments. -
The
apachectl graceful-stop
command now returns immediately. -
The
apachectl configtest
command now executes thehttpd -t
command without changing the SELinux context. -
The
apachectl(8)
man page in RHEL now fully documents differences from upstreamapachectl
.
-
The
Apache eXtenSion tool (
apxs
):-
The
/usr/bin/apxs
command no longer uses or exposes compiler optimisation flags as applied when building thehttpd
package. You can now use the/usr/lib64/httpd/build/vendor-apxs
command to apply the same compiler flags as used to buildhttpd
. To use thevendor-apxs
command, you must install theredhat-rpm-config
package first.
-
The
Apache modules:
-
The
mod_lua
module is now provided in a separate package. -
A new
mod_jk
connector for the Apache HTTP Server is a module that utilizes the Apache JServ Protocol (AJP) to connect web servers with Apache Tomcat and other backends. -
A new
mod_proxy_cluster
module provides an httpd-based load balancer that uses a communication channel to forward requests from the load balancer to one of a set of application server nodes. The application server nodes use this connection to transmit server-side load balance factors and lifecycle events back to the load balancer through a custom set of HTTP methods called the Mod-Cluster Management Protocol (MCMP). This additional feedback channel allowsmod_proxy_cluster
to offer a level of intelligence and granularity not found in other load-balancing solutions. This module requires theModCluster
client to be installed on the backend server to successfully communicate.
-
The
Configuration syntax changes:
-
In the deprecated
Allow
directive provided by themod_access_compat
module, a comment (the#
character) now triggers a syntax error instead of being silently ignored.
-
In the deprecated
Other changes:
- Kernel thread IDs are now used directly in error log messages, making them both accurate and more concise.
- Many minor enhancements and bug fixes.
- A number of new interfaces are available to module authors.
There are no backwards-incompatible changes to the httpd
module API since RHEL 8.
Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install easily as an RPM package.
For more information, see Setting up the Apache HTTP web server.
(JIRA:RHELPLAN-68364, BZ#1931976, JIRA:RHELPLAN-80725)
nginx 1.20
available in RHEL 9
RHEL 9 includes the nginx 1.20
web and proxy server. This release provides a number of bug fixes, security fixes, new features and enhancements over version 1.18.
New features:
-
nginx
now supports client SSL certificate validation with Online Certificate Status Protocol (OCSP). -
nginx
now supports cache clearing based on the minimum amount of free space. This support is implemented as themin_free
parameter of theproxy_cache_path
directive. -
A new
ngx_stream_set_module
module has been added, which enables you to set a value for a variable. -
A new
nginx-mod-devel
package has been added, which provides all necessary files, including RPM macros andnginx
source code, for building external dynamic modules fornginx
.
Enhanced directives:
-
Multiple new directives are now available, such as
ssl_conf_command
andssl_reject_handshake
. -
The
proxy_cookie_flags
directive now supports variables.
Improved support for HTTP/2:
-
The
ngx_http_v2
module now includes thelingering_close
,lingering_time
,lingering_timeout
directives. -
Handling connections in HTTP/2 has been aligned with HTTP/1.x. From
nginx 1.20
, use thekeepalive_timeout
andkeepalive_requests
directives instead of the removedhttp2_recv_timeout
,http2_idle_timeout
, andhttp2_max_requests
directives.
nginx 1.20
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional nginx
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Setting up and configuring NGINX.
Varnish Cache 6.6
in RHEL 9
RHEL 9 includes Varnish Cache 6.6
, a high-performance HTTP reverse proxy.
Notable changes since version 6.0 include:
-
Improved performance of log-processing tools, such as
varnishlog
- Improved accuracy of statistics
- A number of optimizations in cache lookups
- Various configuration changes
- Numerous enhancements and bugs fixes
Varnish Cache 6
is the initial version of this Application Stream, which you can install easily as an RPM package.
RHEL 9 introduces Squid 5
RHEL 9 is distributed with Squid 5.2
, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This release provides a number of bug fixes, security fixes, new features, and enhancements over version 4.
New features:
Squid
improves responsibility by using the Happy Eyeballs (HE) algorithm.-
Squid
now uses a received IP address as soon request forwarding requires it instead of waiting for all of the potential forwarding destinations to be fully resolved. -
New directives are now available:
happy_eyeballs_connect_gap
,happy_eyeballs_connect_limit
, andhappy_eyeballs_connect_timeout
directives. -
The
dns_v4_first
directive has been removed.
-
-
Squid
now uses theCDN-Loop
header as a source for loop detection in Content Delivery Networks (CDN). -
Squid
introduces peering support for SSL bumping. - A new Internet Content Adaptation Protocol (ICAP) trailers feature is available, which enables ICAP agents to reliably send message metadata after the message body.
Changes to configuration options:
-
The
mark_client_packet
configuration option has replacedclientside_mark
. -
The
shared_transient_entries_limit
configuration option has replacedcollapsed_forwarding_shared_entries_limit
.
Squid 5
is the initial version of this Application Stream, which you can install easily as an RPM package.
For more information, see Configuring the Squid caching proxy server.
MariaDB 10.5
in RHEL 9
RHEL 9 provides MariaDB 10.5
. MariaDB 10.5
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional MariaDB
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using MariaDB.
RHEL 9 includes MySQL 8.0
RHEL 9 is distributed with MySQL 8.0
. MySQL 8.0
is the initial version of this Application Stream, which you can install easily as an RPM package. MySQL 8.0
has a shorter life cycle than RHEL 9. For details, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
For information about usage, see Using MySQL.
(JIRA:RHELPLAN-78673)
RHEL 9 provides PostgreSQL 13
PostgreSQL 13
is available with RHEL 9. PostgreSQL 13
is the initial version of this Application Stream, which you can install easily as an RPM package. Additional PostgreSQL
versions will be provided as modules with a shorter life cycle in future minor releases of RHEL 9.
For more information, see Using PostgreSQL.
(JIRA:RHELPLAN-78675)
Redis 6.2
in RHEL 9
RHEL 9 is distributed with Redis 6.2
, which provides a number of bug and security fixes and enhancements over version 6.0 available in RHEL 8.
Notably, Redis
server configuration files are now located in a dedicated directory: /etc/redis/redis.conf
and /etc/redis/sentinel.conf
. In the RHEL 8 version, the location of these files was /etc/redis.conf
and /etc/redis-sentinel.conf
respectively.
Redis 6
is the initial version of this Application Stream, which you can install easily as an RPM package.
New package: perl-Module-Signature
RHEL 9 introduces the perl-Module-Signature
Perl module. With this new module, you can enable signature checking for cpan
to mitigate CVE-2020-16156. For more information, see How to mitigate CVE-2020-16154 in perl-App-cpanminus and CVE-2020-16156 in perl-CPAN.
(BZ#2039361)
4.14. Compilers and development tools
RHEL 9 provides support for IBM POWER10 processors
From the Linux kernel, through the system toolchain (GCC, binutils, glibc), Red Hat Enterprise Linux 9 has been updated to include support for IBM’s latest POWER processor, POWER10. RHEL 9 is production ready for workloads on POWER10, with enhancements coming in future releases.
(BZ#2027596)
GCC 11.2.1 is available
RHEL 9 is distributed with GCC version 11.2.1. Notable bug fixes and enhancements include:
General improvements
- GCC now defaults to the DWARF Version 5 debugging format.
- Column numbers shown in diagnostics represent real column numbers by default and respect multicolumn characters.
- The straight-line code vectorizer considers the whole function when vectorizing.
- A series of conditional expressions that compare the same variable can be transformed into a switch statement if each of them contains a comparison expression.
Interprocedural optimization improvements:
-
A new IPA-modref pass, controlled by the
-fipa-modref
option, tracks side effects of function calls and improves the precision of points-to analysis. -
The identical code folding pass, controlled by the
-fipa-icf
option, was significantly improved to increase the number of unified functions and reduce compile-time memory use.
-
A new IPA-modref pass, controlled by the
Link-time optimization improvements:
- Link-time optimization (LTO) enables the compiler to perform various optimizations across all translation units of your program by using its intermediate representation at link time. For more information, see Link time optimization.
- Memory allocation during linking was improved to reduce peak memory use.
-
Using a new
GCC_EXTRA_DIAGNOSTIC_OUTPUT
environment variable in IDEs, you can request machine-readable “fix-it hints” without adjusting build flags. -
The static analyzer, run by the
-fanalyzer
option, is improved significantly with numerous bug fixes and enhancements provided.
Language-specific improvements
C family
- C and C++ compilers support non-rectangular loop nests in OpenMP constructs and the allocator routines of the OpenMP 5.0 specification.
Attributes:
-
The new
no_stack_protector
attribute marks functions that should not be instrumented with stack protection (-fstack-protector
). -
The improved
malloc
attribute can be used to identify allocator and deallocator API pairs.
-
The new
New warnings:
-
-Wsizeof-array-div
, enabled by the-Wall
option, warns about divisions of twosizeof
operators when the first one is applied to an array and the divisor does not equal the size of the array element. -
-Wstringop-overread
, enabled by default, warns about calls to string functions that try to read past the end of the arrays passed to them as arguments.
-
Enhanced warnings:
-
-Wfree-nonheap-object
detects more instances of calls to deallocation functions with pointers not returned from a dynamic memory allocation function. -
-Wmaybe-uninitialized
diagnoses the passing of pointers and references to uninitialized memory to functions that takeconst
-qualified arguments. -
-Wuninitialized
detects reads from uninitialized dynamically allocated memory.
-
C
Several new features from the upcoming C2X revision of the ISO C standard are supported with the
-std=c2x
and-std=gnu2x
options. For example:-
The
standard attribute is supported.
-
The
__has_c_attribute
preprocessor operator is supported. - Labels may appear before declarations and at the end of a compound statement.
-
The
C++
-
The default mode is changed to
-std=gnu++17
. -
The C++ library
libstdc++
has improved C++17 support now. Several new C++20 features are implemented. Note that C++20 support is experimental.
For more information about the features, see C++20 Language Features.
- The C++ front end has experimental support for some of the upcoming C++23 draft features.
New warnings:
-
-Wctad-maybe-unsupported
, disabled by default, warns about performing class template argument deduction on a type with no deduction guides. -
-Wrange-loop-construct
, enabled by-Wall
, warns when a range-based for loop is creating unnecessary and resource inefficient copies. -
-Wmismatched-new-delete
, enabled by-Wall
, warns about calls to operator delete with pointers returned from mismatched forms of operator new or from other mismatched allocation functions. -
-Wvexing-parse
, enabled by default, warns about the most vexing parse rule: the cases when a declaration looks like a variable definition, but the C++ language requires it to be interpreted as a function declaration.
-
Architecture-specific improvements
The 64-bit ARM architecture
-
The Armv8-R architecture is supported through the
-march=armv8-r
option. - GCC can autovectorize operations performing addition, subtraction, multiplication, and the accumulate and subtract variants on complex numbers.
AMD and Intel 64-bit architectures
-
New ISA extension support for Intel AVX-VNNI is added. The
-mavxvnni
compiler switch controls the AVX-VNNI intrinsics. -
AMD CPUs based on the znver3 core are supported with the new
-march=znver3
option. -
Three microarchitecture levels defined in the x86-64 psABI supplement are supported with the new
-march=x86-64-v2
,-march=x86-64-v3
, and-march=x86-64-v4
options.
IBM Z architectures
- GCC 11.2.1 defaults to the IBM z14 processor.
IBM Power Systems
- GCC 11.2.1 defaults to the IBM POWER9 processor.
-
The GCC compiler now supports POWER10 instructions with the new
-mcpu=power10
command-line option
(BZ#1986836, BZ#1870016, BZ#1870025, BZ#1870028, BZ#2019811, BZ#2047296)
New command for capturing glibc
optimization data
The new ld.so --list-diagnostics
command captures data that influences glibc
optimization decisions, such as IFUNC selection and glibc-hwcaps
configuration, in a single machine-readable file.
Notable changes to binutils
RHEL 9 introduces the following changes to binutils
:
-
binutils
now supports Intel’s AMX/TMUL instruction set, resulting in improved performance for applications which can make use of this new feature. - The assembler, linker, and other binary utilities now support the POWER10 instructions.
(BZ#2030554, BZ#1870021)
sched_getcpu
implementation can now, optionally, use rseq
(restartable sequences) to improve performance on the 64-bit ARM architectures and other architectures
The previous implementation of sched_getcpu
on the 64-bit ARM architectures uses the getcpu
system call, which is too slow for efficient use in most parallel algorithms. Other architectures use vDSO (virtual dynamic shared object) acceleration to work around this. Implementing sched_getcpu
using rseq
greatly improves performance on the 64-bit ARM architectures. Other architectures see a slight improvement.
To configure sched_getcpu
to use rseq
, set the GLIBC_TUNABLES=glibc.pthread.rseq=1
environment variable:
# GLIBC_TUNABLES=glibc.pthread.rseq=1 # export GLIBC_TUNABLES
Updated performance tools and debuggers
The following performance tools and debuggers are available with RHEL 9.0:
- GDB 10.2
- Valgrind 3.18.1
- SystemTap 4.6
- Dyninst 11.0.0
- elfutils 0.186
(BZ#2019806)
DAWR functionality improved in GDB on IBM POWER10
RHEL 9 is distributed with GDB 10.2 that provides improved DAWR functionality. New hardware watchpoint capabilities are enabled for GDB on the IBM POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added.
(BZ#1870029)
GDB supports new prefixed instructions on IBM POWER10
GDB 10.2 fully supports the Power ISA 3.1 prefixed instructions on POWER10, which include eight-byte prefixed instructions. In RHEL 8.4, GDB only supported four-byte instructions.
(BZ#1870031)
RHEL 9 provides boost
1.75.0
RHEL 9 is distributed with the boost
package version 1.75.0. Notable bug fixes and enhancements over version 1.67.0 include:
-
The
Boost.Signals
library has been removed and replaced by the header-onlyBoost.Signals2
component. -
The
bjam
tool in theboost-jam
package has been replaced byb2
in theboost-b2
package. New libraries:
-
Boost.Contracts
-
Boost.HOF
-
Boost.YAP
-
Boost.Safe Numerics
-
Boost.Outcome
-
Boost.Histogram
-
Boost.Variant2
-
Boost.Nowide
-
Boost.StaticString
-
Boost.STL_Interfaces
-
Boost.JSON
-
Boost.LEAF
-
Boost.PFR
-
(BZ#1957950)
RHEL 9 provides LLVM Toolset 13.0.1
RHEL 9 is distributed with LLVM Toolset version 13.0.1. Notable bug fixes and enhancements over version 12.0.1 include:
-
Clang now supports guaranteed tail calls with statement attributes
[[clang::musttail]]
in C++ and__attribute__((musttail))
in C. -
Clang now supports the
-Wreserved-identifier
warning, which warns developers when using reserved identifiers in their code. -
Clang’s
-Wshadow
flag now also checks for shadowed structured bindings. -
Clang’s
-Wextra
now also implies-Wnull-pointer-subtraction
. -
Clang now supports guaranteed tail calls with statement attributes
[[clang::musttail]]
in C++ and__attribute__((musttail))
in C.
In RHEL 9, you can install llvm-toolset
easily as an RPM package.
(BZ#2001107)
Notable changes in CMake 3.20.2
RHEL 9 is distributed with CMake 3.20.2. To use CMake on a project that requires version 3.20.2 or less, use the command cmake_minimum_required
(version 3.20.2).
Notable changes include:
-
C++23 compiler modes can now be specified by using the target properties
CXX_STANDARD
,CUDA_STANDARD
,OBJCXX_STANDARD
, or by using thecxx_std_23
meta-feature of the compile features function. - CUDA language support now allows the NVIDIA CUDA compiler to be a symbolic link.
-
The Intel oneAPI NextGen LLVM compilers are now supported with the
IntelLLVM
compiler ID. - CMake now facilitates cross compiling for Android by merging with the Android NDK’s toolchain file.
-
When running
cmake(1)
to generate a project build system, unknown command-line arguments starting with a hyphen are now rejected.
For further information on new features and deprecated functionalities, see the CMake Release Notes.
(BZ#1957948)
RHEL 9 provides Go 1.17.7
RHEL 9 is distributed with Go Toolset version 1.17.7. Notable bug fixes and enhancements over version 1.16.7 include:
- Added an option to convert slices to array pointers.
- Added support for //go:build lines.
- Improvements to function call performance on amd64.
- Function arguments are formatted more clearly in stack traces.
- Functions containing closures can be inlined.
- Reduced resource consumption in x509 certificate parsing.
In RHEL 9, you can install go-toolset
easily as an RPM package.
(BZ#2014087)
Go FIPS mode is supported with OpenSSL 3
You can now use the OpenSSL 3 library when in Go FIPS mode.
RHEL 9 provides Rust Toolset 1.58.1
RHEL 9 is distributed with Rust Toolset version 1.58.1. Notable bug fixes and enhancements over version 1.54.0 include:
-
The Rust compiler now supports the 2021 edition of the language, featuring disjoint capture in closure,
IntoIterator
for arrays, a new Cargo feature resolver, and more. - Added Cargo support for new custom profiles.
- Cargo deduplicates compiler errors.
- Added new open range patterns.
- Added captured identifiers in format strings.
For further information, see Rust 1.55Rust 1.56Rust 1.57Rust 1.58
In RHEL 9, you can install rust-toolset
easily as an RPM package.
(BZ#2002885)
RHEL 9 provides the pcp
package version 5.3.5
RHEL 9 is distributed with the Performance Co-Pilot (pcp
) package version 5.3.5. Since version 5.3.1, a new pcp-pmda-bpf
sub-package has been added which provides performance data from eBPF
programs utilizing BPF CO-RE (libbpf
and BTF
).
Active Directory authentication for accessing SQL Server metrics in PCP
With this update, a system administrator can configure pmdamssql(1)
to connect securely to the SQL Server metrics using Active Directory (AD) authentication.
The new pcp-ss
PCP utility is now available
The pcp-ss
PCP utility reports socket statistics collected by the pmdasockets(1)
PMDA. The command is compatible with many of the ss
command line options and reporting formats. It also offers the advantages of local or remote monitoring in live mode and historical replay from a previously recorded PCP archive.
RHEL 9 provides grafana
7.5.11
RHEL 9 is distributed with the grafana
package version 7.5.11. Notable changes over version 7.5.9 include:
-
Added a new
prepare time series
transformation for backward compatibility of panels that do not support the new data frame format. - Updated password recovery functionality to use HMAC-SHA-256 instead of SHA-1 to generate password reset tokens.
RHEL 9 provides grafana-pcp
3.2.0
RHEL 9 is distributed with the grafana-pcp
package version 3.2.0. Notable bug fixes and enhancements over version 3.1.0 include:
- Added a new MS SQL server dashboard for PCP Redis.
- Added visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard.
-
Fixed a bug where the
metric()
function of PCP Redis didn’t return all metric names.
Accessing remote hosts through a central pmproxy
for the Vector data source in grafana-pcp
In some environments, the network policy does not allow connections from the dashboard viewer’s browser to the monitored hosts directly. This update makes it possible to customize the hostspec
in order to connect to a central pmproxy
, which forwards the requests to the individual hosts.
A new package: ansible-pcp
The ansible-pcp
package contains roles for Performance Co-Pilot (PCP) and related software, such as Redis and Grafana, used to implement the metrics
RHEL system role.
(BZ#1957566)
RHEL 9 provides python-jsonpointer
2.0
RHEL 9 is distributed with the python-jsonpointer
package version 2.0.
Notable changes over version 1.9 include:
- The Python versions 2.6 and 3.3 are deprecated.
-
The
python-jsonpointer
module now automatically checks pointers for invalid escape sequences. - You can now write pointers as arguments in the command line.
- Pointers can not be submitted in URL encoded format any more.
.NET 6.0 is available
RHEL 9 is distributed with .NET version 6.0. Notable improvements include:
- Support for 64-bit Arm (aarch64)
- Support for IBM Z and LinuxONE (s390x)
For more information, see Release Notes for .NET 6.0 RPM packages and Release Notes for .NET 6.0 containers.
.NET 6.0 is the initial version of this Application Stream, which you can install easily as an RPM package. .NET 6.0 has a shorter life cycle than RHEL 9. For details, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
(BZ#1986211)
Java implementations in RHEL 9
The RHEL 9 AppStream repository includes:
-
The
java-17-openjdk
packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
The
java-11-openjdk
packages, which provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
The
java-1.8.0-openjdk
packages, which provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
For more information, see OpenJDK documentation.
(BZ#2021262)
Java tools in RHEL 9
The RHEL 9 AppStream repository includes the following Java tools:
-
Maven 3.6.3
, a software project management and comprehension tool. -
Ant 1.10.9
, a Java library and command-line tool for compiling, assembling, testing, and running Java applications.
Maven 3.6
and Ant 1.10
are the initial versions of these Application Streams, which you can install easily as non-modular RPM packages.
(BZ#1951482)
SWIG 4.0
available in the CRB repository
The Simplified Wrapper and Interface Generator (SWIG) version 4.0 is available in the CodeReady Linux Builder (CRB) repository. This release adds support for PHP 8
.
In RHEL 9, you can install SWIG
easily as an RPM package.
Note that packages included in the CodeReady Linux Builder repository are unsupported.
(BZ#1943580)
4.15. Identity Management
Directory Server no longer uses a global changelog
With this enhancement, the Directory Server changelog has been integrated into the main database. Previously, Directory Server used a global changelog. However, this could cause issues if the directory used multiple databases. As a result, each suffix has now its own changelog in the same directory as the regular database files.
(BZ#1805717)
ansible-freeipa
is now available in the AppStream repository with all dependencies
Previously in RHEL 8, before installing the ansible-freeipa
package, you first had to enable the Ansible repository and install the ansible
package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa
without any preliminary steps. Installing ansible-freeipa
automatically installs the ansible-core
package, a more basic version of ansible
, as a dependency. Both ansible-freeipa
and ansible-core
are available in the rhel-9-for-x86_64-appstream-rpms
repository.
ansible-freeipa
in RHEL 8.6 and RHEL 9 contains all the modules that it contained in RHEL 8.
(JIRA:RHELPLAN-100359)
IdM now supports the automountlocation
, automountmap
, and automountkey
Ansible modules
With this update, the ansible-freeipa
package contains the ipaautomountlocation
, ipaautomountmap
, and ipaautomountkey
modules. You can use these modules to configure directories to be mounted automatically for IdM users logged in to IdM clients in an IdM location. Note that currently, only direct maps are supported.
(JIRA:RHELPLAN-79161)
The support for managing subID ranges is available in the shadow-utils
Previously, shadow-utils
configured the subID ranges automatically from the /etc/subuid
and /etc/subgid
files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf
file by setting a value in the subid
field. For more information, see man subuid
and man subgid
. Also, with this update, an SSSD implementation of the shadow-utils
plugin is available, which provides the subID ranges from the IPA server. To use this functionality, add the subid: sss
value to the /etc/nsswitch.conf
file. This solution might be useful in the containerized environment to facilitate rootless containers.
Note that in case the /etc/nsswitch.conf
file is configured by the authselect
tool, you must follow the procedures described in the authselect
documentation. When it is not the case, you can modify the /etc/nsswitch.conf
file manually.
Support for managing subID ranges is available in IdM
With this update, you can manage ID subranges for users in Identity Management. You can use the ipa
CLI tool or IdM WebUI interface to assign automatically configured subID ranges to a user, which might be useful in a containerized environment.
Identity Management installation packages have been demodularized
Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following dnf
commands to install IdM server packages:
For a server without integrated DNS services:
# dnf install ipa-server
For a server with integrated DNS services:
# dnf install ipa-server ipa-server-dns
An alternative to the traditional RHEL ansible-freeipa repository: Ansible Automation Hub
With this update, you can download ansible-freeipa
modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa
modules available in this repository.
In AAH, ansible-freeipa
roles and modules are distributed in the collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access the content on the AAH portal. You also need ansible
version 2.9 or later.
The redhat.rhel_idm
collection has the same content as the traditional ansible-freeipa
package. However, the collection format uses a fully qualified collection name (FQCN) that consists of a namespace and the collection name. For example, the redhat.rhel_idm.ipadnsconfig
module corresponds to the ipadnsconfig
module in ansible-freeipa
provided by a RHEL repository. The combination of a namespace and a collection name ensures that the objects are unique and can be shared without any conflicts.
(JIRA:RHELPLAN-103147)
ansible-freeipa modules can now be executed remotely on IdM clients
Previously, ansible-freeipa
modules could only be executed on IdM servers. This required your Ansible administrator to have SSH
access to your IdM server, causing a potential security threat. With this update, you can execute ansible-freeipa
modules remotely on systems that are IdM clients. As a result, you can manage IdM configuration and entities in a more secure way.
To execute ansible-freeipa
modules on an IdM client, choose one of the following options:
-
Set the
hosts
variable of the playbook to an IdM client host. -
Add the
ipa_context: client
line to the playbook task that uses theansible-freeipa
module.
You can set the ipa_context
variable to client
on an IdM server, too. However, the server context usually provides better performance. If ipa_context
is not set, ansible-freeipa
checks if it is running on a server or a client, and sets the context accordingly. Note that executing an ansible-freeipa
module with context
set to server
on an IdM client host raises an error of missing libraries
.
(JIRA:RHELPLAN-103146)
The ipadnsconfig
module now requires action: member
to exclude a global forwarder
With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa
ipadnsconfig
module requires using the action: member
option in addition to the state: absent
option. If you only use state: absent
in your playbook without also using action: member
, the playbook fails. Consequently, to remove all global forwarders, you must specify all of them individually in the playbook. In contrast, the state: present
option does not require action: member
.
Automatic private groups for AD users support centralized configuring
You can now centrally define how compatible versions of SSSD on IdM clients manage private groups for users from trusted Active Directory domains. With this enhancement, you can now explicitly set the value for SSSD’s auto_private_groups
option for an ID range that handles AD users.
When the auto_private_groups
option is not explicitly set, it uses a default value:
-
For an
ipa-ad-trust-posix
ID range, the default value isfalse
. SSSD always uses theuidNumber
andgidNumber
of the AD entry. A group with thegidNumber
must exist in AD. -
For an
ipa-ad-trust
ID range, the default value istrue
. SSSD maps theuidNumber
from the entry SID, thegidNumber
is always set to the same value, and a private group is always mapped.
You can also set auto_private_groups
to a third setting: hybrid
. With this setting, SSSD maps a private group if the user entry has a GID equal to the UID but there is no group with this GID. If the UID and GID are different, a group with this GID number must exist.
This feature is useful for administrators that want to stop maintaining separate group objects for the user private groups, but also want to retain the existing user private groups.
(BZ#1957736)
Customizable logging settings for BIND
With this enhancement, you can now configure logging settings for the BIND DNS server component of an Identity Management server in the /etc/named/ipa-logging-ext.conf
configuration file.
Autodiscovery of IdM servers when retrieving an IdM keytab
With this enhancement, you no longer need to specify an IdM server host name when retrieving a Kerberos keytab with the ipa-getkeytab
command. If you do not specify a server host name, DNS discovery is used to find an IdM server. If no servers are found, the command falls back to the host
value specified in the /etc/ipa/default.conf
configuration file.
RHEL 9 provides Samba 4.15.5
RHEL 9 is distributed with Samba 4.15.5, which provides bug fixes and enhancements over version 4.14:
- Options in Samba utilities have been renamed and removed for a consistent user experience
- Server multi-channel support is now enabled by default.
-
The
SMB2_22
,SMB2_24
, andSMB3_10
dialects, which were only used by Windows technical previews, have been removed.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Note that Red Hat does not support downgrading tdb
database files.
After updating Samba, verify the /etc/samba/smb.conf
file using the testparm
utility.
For further information about notable changes, read the upstream release notes before updating.
Tracking client requests using the log analyzer tool
The System Security Services Daemon (SSSD) now includes a log parsing tool which tracks requests from start to finish across log files from multiple SSSD components.
The log analyzer tool allows you to more easily review SSSD debug logs to help you to troubleshoot any issues in SSSD. For example, you can extract and print SSSD logs pertaining only to certain client requests across SSSD processes. To run the analyzer tool, use the sssctl analyze
command.
(JIRA:RHELPLAN-97899)
SSSD now logs backtraces by default
With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends them to log files when a failure occurs. By default, the following error levels trigger a backtrace:
- Level 0: fatal failures
- Level 1: critical failures
- Level 2: serious failures
You can modify this behavior for each SSSD process by setting the debug_level
option in the corresponding section of the sssd.conf
configuration file:
- If you set the debugging level to 0, only level 0 events trigger a backtrace.
- If you set the debugging level to 1, levels 0 and 1 trigger a backtrace.
- If you set the debugging level to 2 or higher, events at level 0 through 2 trigger a backtrace.
You can disable this feature per SSSD process by setting the debug_backtrace_enabled
option to false
in the corresponding section of sssd.conf
:
[sssd] debug_backtrace_enabled = true debug_level=0 ... [nss] debug_backtrace_enabled = false ... [domain/idm.example.com] debug_backtrace_enabled = true debug_level=2 ... ...
SSSD default SSH hashing value is now consistent with the OpenSSH setting
The default value of ssh_hash_known_hosts
has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default.
However, if you need to continue to hash host names, add ssh_hash_known_hosts = True
to the [ssh]
section of the /etc/sssd/sssd.conf
configuration file.
Directory Server 12.0 is based on upstream version 2.0.14
Directory Server 12.0 is based on upstream version 2.0.14 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-14.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-13.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-12.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-11.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-10.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-9.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-8.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-7.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-6.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-5.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-4.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-3.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-2.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-1.html
Directory Server now stores memory-mapped files of databases on a tmpfs
file system
In Directory Server, the nsslapd-db-home-directory
parameter defines the location of memory-mapped files of databases. This enhancement changes the default value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/
to /dev/shm/
. As a result, with the internal databases stored on a tmpfs
file system, the performance of Directory Server increases.
FreeRADIUS support is now redesigned
In RHEL 9, the existing FreeRADIUS offering is now streamlined and aligned more closely with the strategic direction of Identity Management (IdM). In order to provide the best support for IdM customers, Red Hat is strengthening support for these external authentication modules with FreeRADIUS:
-
Authentication based on
krb5
and LDAP -
Python 3
authentication
The following modules are no longer supported:
- The MySQL, PostgreSQL, SQlite, and unixODBC database connectors
-
The
Perl
language module - The REST API module
The PAM authentication and other authentication modules that are provided as part of the base package are not affected.
You can find replacements for the removed modules in community-supported packages, for example in the Fedora project.
In addition, the scope of support for the freeradius
package is now limited to the following use cases:
-
Using FreeRADIUS as an authentication provider with IdM as the backend source of authentication. The authentication is happening through the
krb5
and LDAP authentication packages or as PAM authentication in the main FreeRADIUS package. -
Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the
Python 3
authentication package.
(JIRA:RHELDOCS-17553)
4.16. Desktop
GNOME updated to version 40
The GNOME environment is now updated from GNOME 3.28 to GNOME 40 with many new features.
GNOME 40 includes a new and improved Activities Overview design. This gives the overview a more coherent look, and provides an improved experience for navigating the system and launching applications. Workspaces are now arranged horizontally, and the window overview and application grid are accessed vertically.
Other improvements to GNOME include:
- The performance and resource usage of GNOME has been significantly improved.
- The visual style, including the user interface, the icons, and the desktop, has been refreshed.
- GNOME applications no longer use the application menu, which was available from the top panel. The functionality is now located in a primary menu within the application window.
- The Settings application has been redesigned.
- Screen sharing and remote desktop sessions have been improved.
If you use the proprietary NVIDIA drivers, you can now launch applications using the discrete GPU:
- Open the overview.
- Right-click the application icon in the dash.
- Select the Launch on Discrete GPU item in the menu.
- The Power Off / Log Out menu now includes the Suspend option and a new Restart option, which can reboot the system to the boot loader menu when you hold Alt.
- Flatpak applications now update automatically.
- You can now group application icons in the overview together into folders using drag and drop.
- The Terminal application now supports right-to-left and bi-directional text.
- The Pointer Location accessibility feature now works in the Wayland session. When the feature is enabled, pressing Ctrl highlights the pointer location on the screen.
- GNOME shell extensions are now managed by the Extensions application, rather than Software. The Extensions application handles updating extensions, configuring extension preferences, and removing or disabling extensions.
- The notifications popover now includes a Do Not Disturb button. When the button enabled, notifications do not appear on the screen.
- System dialogs that require a password now have an option to reveal the password text by clicking the eye (👁) icon.
- The Software application now automatically detects metered networks, such as mobile data networks. When the current network is metered, Software pauses updates in order to reduce data usage.
- Each connected display can now use a different refresh rate in the Wayland session.
Fractional display scaling is available as an experimental option. It includes several preconfigured fractional ratios.
To enable the experimental fractional scaling, add the
scale-monitor-framebuffer
value to the list of enabled experimental features:$ dconf write \ /org/gnome/mutter/experimental-features \ "['scale-monitor-framebuffer']"
As a result, fractional scaling options are accessible on the Display panel in Settings.
For more details on the changes in GNOME, see versions 3.30 to 40.0 in Release Notes.
(JIRA:RHELPLAN-101240)
PipeWire is now the default audio service
The Pipewire service now manages all audio output and input. Pipewire replaces the PulseAudio service in general use cases and the JACK service in professional use cases. The system now redirects audio from applications that use PulseAudio, JACK, or the ALSA framework into Pipewire.
Benefits of Pipewire over the previous solutions include:
- A unified solution for consumer and professional users
- A flexible, modular architecture
- High performance and low latency, similar to the JACK service
- Isolation between audio clients for better security
You no longer have to configure the JACK service for applications that use it. All JACK applications now work in the default RHEL configuration.
PulseAudio is still available in RHEL, and you can enable it instead of PipeWire. For details, see Switching from PipeWire to PulseAudio.
(JIRA:RHELPLAN-101241)
Power profiles are available in GNOME
You can now switch between several power profiles in the Power panel of Settings in the GNOME environment. The power profiles optimize various system settings for the selected goal.
The following power profiles are available:
- Performance
- Optimizes for high system performance and reduces battery life. This profile is only available on certain selected system configurations.
- Balanced
- Provides standard system performance and power consumption. This is the default profile.
- Power Saver
- Increases battery life and reduces system performance. This profile activates automatically on low battery.
Your power profile configuration persists across system reboots.
The power profiles functionality is available from the power-profiles-daemon
package, which is installed by default.
(JIRA:RHELPLAN-101242)
Language support is now provided by langpacks
Support for various languages is now available from langpacks
packages. You can customize the level of language support that you want to install using the following package names, where code
is the short ISO code for the language, such as es
for Spanish:
langpacks-core-code
Provides a basic language support, including:
-
The
glibc
locale - The default font
- The default input method if the language requires it
-
The
langpacks-core-font-code
- Provides only the default font for the language.
langpacks-code
Provides the complete language support, including the following in addition to the basic language support:
- Translations
- Spell checker dictionaries
- Additional fonts
(JIRA:RHELPLAN-101247)
Lightweight, single-application environment
For graphical use cases that only present a single application, a lightweight user interface (UI) is now available.
You can start GNOME in a single-application session, also known as kiosk mode. In this session, GNOME displays only a full-screen window of an application that you have configured.
The single-application session is significantly less resource intensive than the standard GNOME session.
For more information, see Restricting the session to a single application.
(JIRA:RHELPLAN-102552)
Security classification banners at login and in the desktop session
You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.
The classification banners can appear in the following contexts, depending on your configuration:
- Within the running session
- On the lock screen
- On the login screen
The classification banners can take the form of either a notification that you can dismiss, or a permanent banner.
For more information, see Displaying the system security classification.
The default wallpaper adds a Red Hat logo
The default RHEL wallpaper now displays a Red Hat logo. The logo is located in the upper left corner of the screen.
To disable the logo, disable the Background Logo GNOME Shell extension.
Firefox now uses stronger encryption in PKCS#12 files
The Firefox web browser uses PKCS#12 files to establish client authentication certificates. Previously, Firefox encrypted these files using legacy algorithms:
- PBE-SHA1-RC2-40 to encrypt the certificate in the PKCS#12 file
- PBE-SHA1-3DES to encrypt the key in the PKCS#12 file
With this release, Firefox encrypts the files using stronger algorithms by default:
- AES-256-CBC with PBKDF2 to encrypt the certificate in the PKCS#12 file
- AES-128-CBC with PBKDF2 to encrypt the key in the PKCS#12 file
With this change, the PKCS#12 files are now compatible with the Federal Information Processing Standard (FIPS).
The legacy encryption algorithms remain supported in Firefox as a non-default option.
4.17. Graphics infrastructures
The Wayland session is now the default with NVIDIA drivers
When using the NVIDIA drivers, the desktop session now selects the Wayland display protocol by default, if the driver configuration supports Wayland. In previous RHEL releases, the NVIDIA drivers always disabled Wayland.
To enable Wayland with the NVIDIA drivers on your system, add the following options to the kernel command line:
-
nvidia-drm.modeset=1
-
NVreg_PreserveVideoMemoryAllocations=1
Note that Wayland has been the default display protocol with other graphics drivers since RHEL 8.0.
Currently, the Wayland session with the NVIDIA drivers is still incomplete and presents certain known issues. Red Hat is actively working with NVIDIA to address these gaps and problems across the GPU stack.
For some of the limitations of Wayland with the NVIDIA drivers, see the Known issues section.
(JIRA:RHELPLAN-119000)
4.18. The web console
Smart card authentication for sudo and SSH from the web console
Previously, it was not possible to use smart card authentication to obtain sudo privileges or use SSH in the web console. With this update, Identity Management users can use a smart card to gain sudo privileges or to connect to a different host with SSH.
It is only possible to use one smart card to authenticate and gain sudo privileges. Using a separate smart card for sudo is not supported.
(JIRA:RHELPLAN-95126)
Kernel security patches without reboot in the web console
This web console update allows users to apply kernel security patches without forcing reboots by using the kpatch
framework. Administrators can also automatically subscribe any future kernel to the live patching stream.
(JIRA:RHELPLAN-95056)
RHEL web console provides Insights registration by default
With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL system, the Connect this system to Red Hat Insights. check box is checked by default. If you do not want to connect to the Insights service, uncheck the box.
Cockpit now supports using an existing TLS certificate
With this enhancement, the certificate does not have strict file permission requirements any more (such as root:cockpit-ws 0640
), and thus it can be shared with other services.
(JIRA:RHELPLAN-103855)
4.19. Red Hat Enterprise Linux system roles
The Networking system role now supports SAE
In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL system role supports SAE. As a result, administrators can now use the Networking system role to configure connections to Wi-Fi networks, which use WPA-SAE.
The Networking system role now supports owe
The Networking RHEL system role now supports Opportunistic Wireless Encryption (owe). owe
is a wireless authentication key management type that uses encryption between Wi-Fi clients and access points, and protects Wi-Fi clients from sniffing attacks. To use owe, set the wireless authentication key management type,key_mgmt
field, to owe
.
The Firewall system role now supports setting the firewall default zone
Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. Firewall rules for each zone are managed independently enabling the administrator to define complex firewall settings and apply them to the traffic. This feature allows setting the default zone used as the default zone to assign interfaces to, same as firewall-cmd --set-default-zone zone-name
.
The Storage RHEL system role now supports LVM VDO volumes
With this enhancement, you can use the Storage system role to manage Logical Manager Volumes (LVM) Virtual Data Optimizer (VDO) volumes. The LVM filesystem manages VDO volumes and with this feature, it is now possible to compress and deduplicate on LVM volumes. As a result, VDO helps to optimize the usage of the storage volumes.
Support for volume sizes expressed as a percentage is available in the Storage system role
This enhancement adds support to the Storage RHEL system role to express LVM volume sizes as a percentage of the pool’s total size. You can specify the size of LVM volumes as a percentage of the pool/VG size, for example: 50% in addition to the human-readable size of the file system, for example, 10g, 50 GiB.
Support for cached volumes is available in the Storage system role
This enhancement adds support to the Storage RHEL system role to create and manage cached LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes, by temporarily storing subsets of an LV’s data on a smaller, faster device, for example, an SSD.
Ability to add or remove sources to the Firewall role
This update enables you to add or remove sources in the firewall settings configuration using the source
parameter.
New Ansible Role for Microsoft SQL Server Management
The new microsoft.sql.server
role is designed to help IT and database administrators automate processes involved with setup, configuration, and performance tuning of SQL Server on Red Hat Enterprise Linux.
Microsoft SQL system role now supports customized repository for disconnected or Satellite subscriptions
Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from the microsoft.sql.server
role. This update fixes it by providing the mssql_rpm_key
, mssql_server_repository
, and mssql_client_repository
variables that you can use to customize the repositories to download packages from. If no URL is provided, the mssql
role uses the official Microsoft servers to download RPMs.
The MSSQL role consistently uses "Ansible_managed" comment in its managed configuration files
The MSSQL role generates the /var/opt/mssql/mssql.conf
configuration file. With this update, the MSSQL role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed
variable. The comment indicates that the configuration files should not be directly edited because the MSSQL role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
Ansible Core support for the RHEL system roles
As of the RHEL 9 GA release, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was provided on previous versions of RHEL in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 AppStream.
If you require Ansible Engine support, or otherwise need support for non-RHEL automation use cases, create a Case at Red Hat Support.
(JIRA:RHELPLAN-103540)
Support for configuring multiple elasticsearch hosts in one elasticsearch output dictionary
Previously, the server_host
parameter used to take a string value for a single host. This enhancement adjusts it to the underlying rsyslog omelasticsearch’s
specification, so it now also takes a list of strings to support multiple hosts. Consequently, it is adjusted to hosts, following the underlying rsyslog omelasticsearch’s
specification. As a result, users can configure multiple elasticsearch
hosts in one elasticsearch
output dictionary.
RHEL system roles now support VPN management
Previously, it was difficult to set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more easily across large numbers of hosts. As a result, you have a consistent and stable configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles project.
The SSHD RHEL system role now supports non-exclusive configuration snippets
With this feature, you can configure SSHD through different roles and playbooks without rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use the SSHD RHEL system role from a different role, if you need to configure only a small part of the configuration and not the entire configuration file.
Network Time Security (NTS) option added to the timesync
RHEL system role
The NTS
option was added to the Timesync RHEL system role to enable NTS
on client servers. NTS is a new security mechanism specified for Network Time Protocol (NTP). NTS can secure synchronization of NTP clients without client-specific configuration and can scale to large numbers of clients. The NTS
option is supported only with the chrony
NTP provider in version 4.0 and later.
Support for HA Cluster RHEL system role
The High Availability Cluster (HA Cluster) role is now fully supported. The following notable configurations are available:
- Configuring fence devices, resources, resource groups, and resource clones including meta attributes and resource operations
- Configuring resource location constraints, resource colocation constraints, resource order constraints, and resource ticket constraints
- Configuring cluster properties
- Configuring cluster nodes, custom cluster names and node names
- Configuring multi-link clusters
- Configuring whether clusters start automatically on boot
Running the role removes any configuration not supported by the role or not specified when running the role.
The HA Cluster system role does not currently support SBD.
Support for Rsyslog username and password authentication to Elasticsearch
This update adds the Elasticsearch username and password parameters to the Logging system role. As a result, you can enable Rsyslog to authenticate to Elasticsearch using a username and password.
The NBDE Client system role supports static IP addresses
In previous versions of RHEL, restarting a system with a static IP address and configured with the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP address. With this change, systems with static IP addresses are supported by the NBDE Client system role, and their IP addresses do not change after a reboot.
Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP when the system is booted.
(BZ#2031555)
Support for specifying raid_level
for LVM has been added
RHEL 9.0 supports grouping Logical Volume Management (LVM) volumes into RAIDs using the lvmraid
feature.
The Certificate role consistently uses "Ansible_managed" comment in its hook scripts
With this enhancement, the Certificate role generates pre-scripts and post-scripts to support providers, to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable:
-
/etc/certmonger/pre-scripts/script_name.sh
-
/etc/certmonger/post-scripts/script_name.sh
The comment indicates that the script files should not be directly edited because the Certificate role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
A new option auto_gateway
controls the default route behavior
Previously, the DEFROUTE
parameter was not configurable with configuration files but only manually configurable by naming every route. This update adds a new auto_gateway
option in the ip
configuration section for connections, with which you can control the default route behavior. You can configure auto_gateway
in the following ways:
-
If set to
true
, default gateway settings apply to a default route. -
If set to
false
, the default route is removed. -
If unspecified, the
network
role uses the default behavior of the selectednetwork_provider
.
Support to all bonding options added to the network
system role
This update provides support to all bonding options to the network
RHEL system role. Consequently, it enables you to flexibly control the network transmission over the bonded interface. As a result, you can control the network transmission over the bonded interface by specifying several options to that interface.
NetworkManager supports specifying a network card using its PCI address
Previously, during setting a connection profile, NetworkManager was only allowed to specify a network card using either its name or MAC address. In this case, the device name is not stable and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can specify a network card based on its PCI address in a connection profile.
The Network system role now directly manages the configuration files of Ansible
With this enhancement, the network
role generates ifcfg
files in /etc/sysconfig/network-scripts
. Then, it inserts the comment “Ansible managed”, using the standard ansible_managed
variable. This comment indicates that the ifcfg
files are not directly editable as the network
role may overwrite it. The important difference in handling the ifcfg
file to add "Ansible managed" comment is that the network
role uses the initscripts
package while the NetworkManager uses the nm
package.
Ansible Core support for RHEL system roles
In RHEL 9.0, Ansible Core is provided, with a limited scope of support, to enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a separate repository. Ansible Core is available in the AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must manually migrate their systems from Ansible Engine to Ansible Core.
The Cockpit system role is now supported
With this enhancement, you can install and configure the web console in your system. Consequently, you can manage web console in an automated manner.
The Terminal session recording system role uses the "Ansible managed" comment in its managed configuration files
The Terminal session recording role generates 2 configuration files:
-
/etc/sssd/conf.d/sssd-session-recording.conf
-
/etc/tlog/tlog-rec-session.conf
With this update, the Terminal session recording role inserts the "Ansible managed" comment into the configuration files, using the standard Ansible variable ansible_managed
. The comment indicates that the configuration files should not be directly edited because the Terminal session recording role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The VPN role consistently uses "Ansible_managed" comment in its managed configuration files
The VPN role generates the following configuration file:
-
/etc/ipsec.d/mesh.conf
-
/etc/ipsec.d/policies/clear
-
/etc/ipsec.d/policies/private
-
/etc/ipsec.d/policies/private-or-clear
With this update, the VPN role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed
variable. The comment indicates that the configuration files should not be directly edited because the VPN role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The Postfix role consistently uses "Ansible_managed" comment in its managed configuration files
The Postfix role generates the /etc/postfix/main.cf
configuration file. With this update, the Postfix role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard ansible_managed
variable. The comment indicates that the configuration files should not be directly edited because the Postfixrole can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The Firewall RHEL system role has been added in RHEL 9
With this enhancement, the rhel-system-roles.firewall
RHEL system role was added to the rhel-system-roles
package. As a result, administrators can automate their firewall settings for managed nodes.
(BZ#2021665)
The SSH client RHEL system role now supports new configuration options in OpenSSH 8.7
With this enhancement, OpenSSH was updated to the latest version, which provides new configuration options that are available in the SSH client role for configuring new hosts.
4.20. Virtualization
RHEL web console new virtualization features
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
- Rename a VM
- Create a VM with cloud image authentication
- Add and remove USB and PCI devices to the VM
- Specify network interface model
- Share and unshare files between a host and its VM
(JIRA:RHELPLAN-102009)
QEMU uses Clang
The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor to use a number of advanced security and debugging features, and makes future feature development more efficient.
(BZ#1940132)
SafeStack for virtual machines
In RHEL 9 on AMD64 and Intel 64 hardware (x86_64), the QEMU emulator can use SafeStack, an enhanced compiler-based stack protection feature. SafeStack reduces the ability of an attacker to exploit a stack- based buffer overflow to change return pointers in the stack and create Return-Oriented Programming (ROP) attacks. As a result, virtual machines hosted on RHEL 9 are significantly more secure against ROP-based vulnerabilities.
(BZ#1939509)
virtiofs full support on Intel 64, AMD64, and IBM Z
The virtio file system (virtiofs
) is now fully supported on Intel 64, AMD64, and IBM Z architectures. Using virtiofs
, you can efficiently share files between your host system and its virtual machines.
(JIRA:RHELPLAN-64576)
AMD EPYC 7003 series processors supported on KVM guests
Support for AMD EPYC 7003 series processors (also known as AMD Milan
) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use AMD EPYC 7003 series processors.
(JIRA:RHELPLAN-65223)
qemu-kvm
now supports additional machine types
A set of new machine types, based on RHEL 9, has been added for use by virtual machines (VMs). To obtain all currently supported machine types on your host, use the /usr/libexec/qemu-kvm -M help
command.
In addition, all machine types based on RHEL 7.5.0 or earlier are now unsupported. These also include pc-i440fx-rhel7.5.0
and earlier machine types, which were default in earlier major versions of RHEL. As a consequence, attempting to start a VM with such machine types on RHEL 9 fails with an unsupported configuration
error. If you encounter this problem after upgrading your host to RHEL 9, see the Red Hat KnowledgeBase.
(JIRA:RHELPLAN-75866)
Mediated devices are now supported by virtualization CLIs on IBM Z
Using virt-install
or virt-xml
, you can now attach mediated devices to your VMs, such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install
, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 9 guide.
(BZ#1995131)
Modular libvirt
daemons
In RHEL 9, the libvirt
library uses modular daemons that handle individual virtualization driver sets on your host. For example, the virtqemud
daemon handles QEMU drivers. This makes it possible to fine-grain a variety of tasks that involve virtualization drivers, such as resource load optimization and monitoring.
In addition, the monolithic libvirt daemon, libvirtd
, has become deprecated. However, if you upgrade from RHEL 8 to RHEL 9, your host will still use libvirtd
, which you can continue using in RHEL 9. Nevertheless, Red Hat recommends switching to modular libvirt
daemons instead.
(JIRA:RHELPLAN-113994)
Windows 11 and Windows Server 2022 guests are supported
RHEL 9 supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM virtual machines.
(BZ#2036856, BZ#2004161)
ksmtuned
is now distributed separately from qemu-kvm
To decrease the footprint of the KVM hypervisor, the ksmtuned
utility is no longer a dependency of qemu-kvm
. As a consequence, if you require configuring kernel same-page merging (KSM), you must install the ksmtuned
package manually.
(BZ#2069501, BZ#1971678, BZ#1972158)
New feature: vTPM
The Virtual Trusted Platform Module (vTPM) is fully supported in RHEL 9. Using vTPM, you can add a TPM virtual crypto-processor to a virtual machine (VM) running in the RHEL 9 KVM hypervisor. This makes it possible to use the VM for generating, storing, and managing cryptographic keys.
(JIRA:RHELPLAN-98617)
Virtualization support for Intel Atom P59 series processors
With this update, virtualization on RHEL 9 adds support for the Intel Atom P59 series processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 9 can now use the Snowridge
CPU model and utilise new features that the processors provide.
(BZ#1874187)
4.21. RHEL in cloud environments
RHEL 9 provides WALinuxAgent 2.3.0.2
RHEL 9 is distributed with the Windows Azure Linux Agent (WALinuxAgent
) package version 2.3.0.2. Notable bug fixes and enhancements over version 2.2.49 include:
- Support for RequiredFeatures and GoalStateAggregateStatus APIs has been added.
- Fallback locations for extension manifests have been added.
- Missing calls to str.format() have been added when creating exceptions.
RHEL on Azure now supports MANA
RHEL 9 virtual machines running on Microsoft Azure can now use the Microsoft Azure Network Adapter (MANA).
cloud-init
supports the VMware GuestInfo datasource
With this update, the cloud-init
utility is able to read the datasource for VMware guestinfo data. As a result, using cloud-init
to set up RHEL 9 virtual machines on VMware vSphere is now more efficient and reliable.
(BZ#2040090)
RHEL 9 virtual machines are now supported on certain ARM64 hosts on Azure
Virtual machines that use RHEL 9 as the guest operating system are now supported on Microsoft Azure hypervisors running on Ampere Altra ARM-based processors.
(BZ#1949613)
cloud-init
supports user data on Microsoft Azure
The --user-data
option has been introduced for the cloud-init
utility. Using this option, you can pass scripts and metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 9 virtual machine on Azure.
(BZ#2042351)
New SSH module for cloud-init
With this update, an SSH module has been added to the cloud-init
utility, which automatically generates host keys during instance creation.
Note that with this change, the default cloud-init
configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg
file contains the ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
line.
Otherwise, cloud-init
creates an image which fails to start the sshd
service. If this occurs, do the following to work around the problem:
Make sure the
/etc/cloud/cloud.cfg
file contains the following line:ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
-
Check whether
/etc/ssh/ssh_host_*
files exist in the instance. If the
/etc/ssh/ssh_host_*
files do not exist, use the following command to generate host keys:cloud-init single --name cc_ssh
Restart the sshd service:
systemctl restart sshd
(BZ#2115791)
4.22. Supportability
sos report
now offers an estimate mode run
This sos report
update adds the --estimate-only
option with which you can approximate the disk space required for collecting an sos
report from a RHEL server. Running the sos report --estimate-only
command:
-
executes a dry run of
sos report
- mimics all plugins consecutively and estimates their disk size.
Note that the final disk space estimation is very approximate. Therefore, it is recommended to double the estimated value.
(BZ#2011537)
4.23. Containers
Podman now supports secure short names
Short-name aliases for images can now be configured in the registries.conf
file in the [aliases]
table. The short-names modes are:
-
Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the
$HOME/.cache/containers/short-name-aliases.conf
file (rootless user) and in the/var/cache/containers/short-name-aliases.conf
(root user). If the user cannot be prompted (for example, stdin or stdout are not a TTY), Podman fails. Note that theshort-name-aliases.conf
file has precedence overregistries.conf
file if both specify the same alias. - Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded.
Example:
unqualified-search-registries=["registry.fedoraproject.org", "quay.io"] [aliases] "fedora"="registry.fedoraproject.org/fedora"
(JIRA:RHELPLAN-74542)
Changes in the container-tools
module
The container-tools
module contains the Podman, Buildah, Skopeo, and runc tools. The rolling stream, represented by the container-tools:rhel8
stream in RHEL 8, is named container-tools:latest
in RHEL 9. Similarly to RHEL 8, stable versions of container tools are going to be available in numbered streams (for example, 3.0).
For more information about the Container Tools Application Stream, see Container Tools AppStream - Content Availability.
(JIRA:RHELPLAN-73678)
The containers-common
package is now available
The containers-common
package has been added to the container-tools:latest
module. The containers-common
package contains common configuration files and documentation for the container tools ecosystem, such as Podman, Buildah and Skopeo.
(JIRA:RHELPLAN-77549)
Updating container images with new packages
For instance, to update the registry.access.redhat.com/rhel9
container image with the latest packages, use the following commands:
# podman run -it registry.access.redhat.com/rhel9 # dnf update -y && rm -rf /var/cache/dnf
To install a particular <package>
enter:
# dnf install <package>
For more information, see Adding software to a running UBI container.
Note that for RHEL 9, updating or installing new packages in the image requires that you are running on an entitled host. You can use the Red Hat Enterprise Linux Developer Subscription for Individuals to gain access to entitled repositories at no-cost.
For more information, see No-cost Red Hat Enterprise Linux Individual Developer Subscription: FAQs.
(JIRA:RHELPLAN-84168)
The container-tools
meta-package has been updated
The container-tools
RPM meta-package, which contains the Podman, Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and enhancements over the previous version.
(JIRA:RHELPLAN-118914)
The podman-py
package is now available
The podman-py
package has been added to the container-tools:3.0
stable module stream and the container-tools:latest
module. The podman-py
package is a library of bindings to use the RESTful API of Podman.
Control groups version 2 is now available
The previous version of control groups, cgroups version 1 (cgroups v1) caused performance problems with a variety of applications. The latest release of control groups, cgroups version 2 (cgroups v2) enables system administrators to limit resources for any application without causing performance problems.
This new version of control groups, cgroups v2, can be enabled in RHEL 8 and is enabled by default in RHEL 9.
(JIRA:RHELPLAN-73697)
The container-tools
meta-package is now available
The container-tools
RPM meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries, is available in RHEL 9. The stable streams are not available on RHEL 9. To receive stable access to Podman, Buildah, Skopeo, and others, use the RHEL EUS subscription.
To install the container-tools
meta-package, enter:
# dnf install container-tools
(BZ#2000871)
Native overlay file system support in the kernel is now available
The overlay file system support is now available from kernel 5.11. The non-root users will have native overlay performance even when running rootless (as a user). Thus, this enhancement provides better performance to non-root users who wish to use overlayfs without the need for bind mounting.
(JIRA:RHELPLAN-99892)
The NFS storage is now available
You can now use the NFS file system as a backend storage for containers and images if your file system has xattr support.
(JIRA:RHELPLAN-74543)
The container-tools
meta-package has been updated
The container-tools
meta-package includes Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries. This update provides a list of bug fixes and enhancements over the previous version.
Notable changes include:
- Due to the changes in the network stack, containers created by Podman v3 and earlier are not usable in Podman v4.0
- Native overlay file system is usable as a rootless user
- NFS storage is now supported within a container
- Control groups version 2 (cgroup v2) is enabled by default
- Downgrading from Podman v4 to v3 is not supported unless all containers are destroyed and recreated
For further information about notable changes in Podman, see the upstream release notes.
(JIRA:RHELPLAN-99889)
The crun
container runtime is now the default
The crun
container runtime is now the default runtime. The crun
container runtime supports an annotation that allows the container to access the rootless user’s additional groups. This is useful for volume mounting in a directory where setgid is set, or where the user only has group access. Both the crun
and runc
runtimes fully support cgroup v2
.
(JIRA:RHELPLAN-99890)
Control group version 2 is now available
The previous version of control groups, cgroup version 1 (cgroup v1) caused performance problems with a variety of applications. The latest release of control groups, cgroup version 2 (cgroup v2) enables system administrators to limit resources for any application without causing performance problems.
In RHEL 9, cgroup v2 is enabled by default.
(JIRA:RHELPLAN-75322)
Universal Base Images are now available on Docker Hub
Previously, Universal Base Images were only available from the Red Hat container catalog. With this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image.
(JIRA:RHELPLAN-100032)
The openssl
container image is now available
The openssl
image provides an openssl
command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.
The openssl
container image is available in these repositories:
- registry.redhat.io/rhel9/openssl
- registry.access.redhat.com/ubi9/openssl
(JIRA:RHELPLAN-100034)
Netavark network stack is now available
The Netavark stack is a network configuration tool for containers. In RHEL 9, Netavark stack is fully supported and enabled by default.
This network stack has the following capabilities:
- Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
- Configuring firewall settings, such as network address translation (NAT) and port mapping rules
- IPv4 and IPv6
- Improved capability for containers in multiple networks
(JIRA:RHELPLAN-101141)
Podman now supports auto-building and auto-running pods using a YAML file
The podman play kube
command automatically builds and runs multiple pods with multiple containers in the pods using a YAML file.
(JIRA:RHELPLAN-108830)
Podman now has ability to source subUID and subGID ranges from IdM
The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid
and /etc/subgid
files onto every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf
file and add sss
to the services map line: services: files sss
.
For more details, see the section on Managing subID ranges manually in IdM documentation.
(JIRA:RHELPLAN-100020)