Chapter 10. Deprecated functionality
Deprecated devices are fully supported, which means that they are tested and maintained, and their support status remains unchanged within Red Hat Enterprise Linux 9. However, these devices will likely not be supported in the next major version release, and are not recommended for new deployments on the current or future major versions of RHEL.
For the most recent list of deprecated functionality within a particular major release, see the latest version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from the product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.
For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations in adopting RHEL 9.
10.1. Installer and image creation
Deprecated Kickstart commands
The following Kickstart commands have been deprecated:
-
timezone --ntpservers
-
timezone --nontp
-
logging --level
-
%packages --excludeWeakdeps
-
%packages --instLangs
-
%anaconda
-
pwpolicy
Note that where only specific options are listed, the base command and its other options are still available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict
boot option.
Bugzilla:1899167
User and Group customizations in the edge-commit
and edge-container
blueprints have been deprecated
Specifying a user or group customization in the blueprints is deprecated for the edge-commit
and edge-container
image types, because the user customization disappears when you upgrade the image and do not specify the user in the blueprint again. Therefore, you should specify the users and groups directly in the blueprints for edge image types which are used to deploy an existing OSTree commit, such as edge-raw-image
, edge-installer
, and edge-simplified-installer
.
Note that specifying a user or group customization in blueprints remains supported, but the support will be eventually removed.
10.2. Subscription management
The --token
option of the subscription-manager
command is deprecated
The --token=<TOKEN>
option of the subscription-manager register
command is an authentication method that helps register your system to Red Hat. This option depends on capabilities offered by the entitlement server. The default entitlement server, subscription.rhsm.redhat.com
, is planning to turn off this capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN>
might fail with the following error message:
Token authentication not supported by the entitlement server
You can continue registering your system using other authorization methods, such as including paired options --username / --password
and --org / --activationkey
of the subscription-manager register
command.
10.3. Shells and command-line tools
Setting the TMPDIR
variable in the ReaR configuration file is deprecated
Setting the TMPDIR
environment variable in the /etc/rear/local.conf
or /etc/rear/site.conf
ReaR configuration file), by using a statement such as export TMPDIR=…
, does not work and is deprecated.
To specify a custom directory for ReaR temporary files, export the variable in the shell environment before executing ReaR. For example, execute the export TMPDIR=…
statement and then execute the rear
command in the same shell session or script.
The dump
utility from the dump
package has been deprecated
The dump
utility used for backup of file systems has been deprecated and will not be available in RHEL 9.
In RHEL 9, Red Hat recommends using the tar
, dd
, or bacula
, backup utility, based on type of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems.
Note that the restore
utility from the dump
package remains available and supported in RHEL 9 and is available as the restore
package.
Bugzilla:1997366
The SQLite database backend in Bacula has been deprecated
The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the SQLite backend in new deployments.
10.4. Security
SHA-1 is deprecated for cryptographic purposes
The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.
Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created using SHA-1 because these use cases do not currently pose security risks. SHA-1 also can be used in limited cases connected with important interoperability and compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the RHEL 9 Security hardening document for more details.
If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures, you can enable it by entering the following command:
# update-crypto-policies --set DEFAULT:SHA1
Alternatively, you can switch the system-wide crypto policies to the LEGACY
policy. Note that LEGACY
also enables many other algorithms that are not secure.
Jira:RHELPLAN-110763
fapolicyd.rules
is deprecated
The /etc/fapolicyd/rules.d/
directory for files containing allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules
file. The fagenrules
script now merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules
file. Rules in /etc/fapolicyd/fapolicyd.trust
are still processed by the fapolicyd
framework but only for ensuring backward compatibility.
SCP is deprecated in RHEL 9
The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The SCP API remains available for the RHEL 9 lifecycle but using it reduces system security.
-
In the
scp
utility, SCP is replaced by the SSH File Transfer Protocol (SFTP) by default. - The OpenSSH suite does not use SCP in RHEL 9.
-
SCP is deprecated in the
libssh
library.
Jira:RHELPLAN-99136
Digest-MD5 in SASL is deprecated
The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated, and it might be removed from the cyrus-sasl
packages in a future major release.
Bugzilla:1995600
OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1
The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems.
The implementations of the following algorithms have been moved to the legacy provider in OpenSSL: MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1.
See the /etc/pki/tls/openssl.cnf
configuration file for instructions on how to load the legacy provider and enable support for the deprecated algorithms.
/etc/system-fips
is now deprecated
Support for indicating FIPS mode through the /etc/system-fips
file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1
parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check
command.
Jira:RHELPLAN-103232
libcrypt.so.1
is now deprecated
The libcrypt.so.1
library is now deprecated, and it might be removed in a future version of RHEL.
OpenSSL requires padding for RSA encryption in FIPS mode
OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not use padding but is still supported.
10.5. Networking
Network teams are deprecated in RHEL 9
The teamd
service and the libteam
library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.
Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and teams, that have similar functions. The bonding code has a high customer adoption, is robust, and has an active community development. As a result, the bonding code receives enhancements and updates.
For details about how to migrate a team to a bond, see Migrating a network team configuration to network bond.
Bugzilla:1935544
NetworkManager connection profiles in ifcfg
format are deprecated
In RHEL 9.0 and later, connection profiles in ifcfg
format are deprecated. The next major RHEL release will remove the support for this format. However, in RHEL 9, NetworkManager still processes and updates existing profiles in this format if you modify them.
By default, NetworkManager now stores connection profiles in keyfile format in the /etc/NetworkManager/system-connections/
directory. Unlike the ifcfg
format, the keyfile format supports all connection settings that NetworkManager provides. For further details about the keyfile format and how to migrate profiles, see NetworkManager connection profiles in keyfile format.
Bugzilla:1894877
The iptables
back end in firewalld
is deprecated
In RHEL 9, the iptables
framework is deprecated. As a consequence, the iptables
backend and the direct interface
in firewalld
are also deprecated. Instead of the direct interface
you can use the native features in firewalld
to configure the required rules.
10.6. Kernel
ATM encapsulation is deprecated in RHEL 9
Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is deprecated in Red Hat Enterprise Linux 9.
For more information, see PPP Over AAL5, Multiprotocol Encapsulation over ATM Adaptation Layer 5, and Classical IP and ARP over ATM.
The kexec_load
system call for kexec-tools
has been deprecated
The kexec_load
system call, which loads the second kernel, will not be supported in future RHEL releases. The kexec_file_load
system call replaces kexec_load
and is now the default system call on all architectures.
Bugzilla:2113873
Network teams are deprecated in RHEL 9
The teamd
service and the libteam
library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.
Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and teams, that have similar functions. The bonding code has a high customer adoption, is robust, and has an active community development. As a result, the bonding code receives enhancements and updates.
For details about how to migrate a team to a bond, see Migrating a network team configuration to network bond.
Bugzilla:2013884
10.7. File systems and storage
lvm2-activation-generator
and its generated services removed in RHEL 9.0
The lvm2-activation-generator
program and its generated services lvm2-activation
, lvm2-activation-early
, and lvm2-activation-net
are removed in RHEL 9.0. The lvm.conf event_activation
setting, used to activate the services, is no longer functional. The only method for auto activating volume groups is event based activation.
10.8. Dynamic programming languages, web and database servers
libdb
has been deprecated
RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb
) version 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is available under the AGPLv3 license, which is more restrictive.
The libdb
package is deprecated as of RHEL 9 and might not be available in future major RHEL releases.
In addition, cryptographic algorithms have been removed from libdb
in RHEL 9 and multiple libdb
dependencies have been removed from RHEL 9.
Users of libdb
are advised to migrate to a different key-value database. For more information, see the Knowledgebase article Available replacements for the deprecated Berkeley DB (libdb) in RHEL.
Bugzilla:1927780, Jira:RHELPLAN-80695, Bugzilla:1974657
10.9. Compilers and development tools
Smaller size of keys than 2048 are deprecated by openssl
3.0
Key sizes smaller than 2048 bits are deprecated by openssl
3.0 and no longer work in Go’s FIPS mode.
Some PKCS1
v1.5 modes are now deprecated
Some PKCS1
v1.5 modes are not approved in FIPS-140-3
for encryption and are disabled. They will no longer work in Go’s FIPS mode.
Bugzilla:2092016
10.10. Identity Management
SHA-1
in OpenDNSSec is now deprecated
OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1
algorithm. The use of the SHA-1
algorithm is no longer supported. With the RHEL 9 release, SHA-1
in OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is not supported standalone.
The SSSD implicit files provider domain is disabled by default
The SSSD implicit files
provider domain, which retrieves user information from local files such as /etc/shadow
and group information from /etc/groups
, is now disabled by default.
To retrieve user and group information from local files with SSSD:
Configure SSSD. Choose one of the following options:
Explicitly configure a local domain with the
id_provider=files
option in thesssd.conf
configuration file.[domain/local] id_provider=files ...
Enable the
files
provider by settingenable_files_domain=true
in thesssd.conf
configuration file.[sssd] enable_files_domain = true
Configure the name services switch.
# authselect enable-feature with-files-provider
Jira:RHELPLAN-100639
-h
and -p
options were deprecated in OpenLDAP client utilities.
The upstream OpenLDAP project has deprecated the -h
and -p
options in its utilities, and recommends using the -H
option instead to specify the LDAP URI. As a consequence, RHEL 9 has deprecated these two options in all OpenLDAP client utilities. The -h
and -p
options will be removed from RHEL products in future releases.
Jira:RHELPLAN-137660
The SSSD files
provider has been deprecated
The SSSD files
provider has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The files
provider might be removed from a future release of RHEL.
Jira:RHELPLAN-139805
The nsslapd-idlistscanlimit
parameter is deprecated and its default value has been changed
With the new filter reordering optimization, the nsslapd-idlistscanlimit
attribute impact on search performance is more harmful than helpful. As a result, the attribute is deprecated. Additionally, the default value has been changed to 2147483646
(unlimited).
The SMB1 protocol is deprecated in Samba
Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is deprecated and will be removed in a future release.
To improve the security, by default, SMB1 is disabled in the Samba server and client utilities.
Jira:RHELDOCS-16612
10.11. Desktop
GTK 2 is now deprecated
The legacy GTK 2 toolkit and the following, related packages have been deprecated:
-
adwaita-gtk2-theme
-
gnome-common
-
gtk2
-
gtk2-immodules
-
hexchat
Several other packages currently depend on GTK 2. These have been modified so that they no longer depend on the deprecated packages in a future major RHEL release.
If you maintain an application that uses GTK 2, Red Hat recommends that you port the application to GTK 4.
Jira:RHELPLAN-131882
LibreOffice is deprecated
The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, and 9.
As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either of the following sources provided by The Document Foundation:
- The official Flatpak package in the Flathub repository: https://flathub.org/apps/org.libreoffice.LibreOffice.
- The official RPM packages: https://www.libreoffice.org/download/download-libreoffice/.
Jira:RHELDOCS-16300
10.12. Graphics infrastructures
Motif has been deprecated
The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif community is inactive.
The following Motif packages have been deprecated, including their development and debugging variants:
-
motif
-
openmotif
-
openmotif21
-
openmotif22
Additionally, the motif-static
package has been removed.
Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new features compared to Motif.
Jira:RHELPLAN-98983
10.13. Red Hat Enterprise Linux system roles
The network
system role displays a deprecation warning when configuring teams on RHEL 9 nodes
The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network
RHEL system role on a RHEL 8 control node to configure a network team on RHEL 9 nodes, shows a warning about the deprecation.
10.14. Virtualization
SecureBoot image verification using SHA1-based signatures is deprecated
Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) executables has become deprecated. Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later.
Bugzilla:1935497
Limited support for virtual machine snapshots
Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, which negatively impacts the hypervisor performance for certain workloads.
Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does not recommend using VM snapshots in a production environment. However, a new VM snapshot mechanism is under development and is planned to be fully implemented in a future minor release of RHEL 9.
Jira:RHELPLAN-15509, Bugzilla:1621944
The virtual floppy driver has become deprecated
The isa-fdc
driver, which controls virtual floppy disk devices, is now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy disk devices in VMs hosted on RHEL 9.
qcow2-v2 image format is deprecated
With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot create disk images in the qcow2-v2 format.
Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a later format version, use the qemu-img amend
command.
virt-manager has been deprecated
The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL web console, also known as Cockpit, is intended to become its replacement in a subsequent release. It is, therefore, recommended that you use the web console for managing virtualization in a GUI. Note, however, that some features available in virt-manager may not be yet available in the RHEL web console.
Jira:RHELPLAN-10304
libvirtd
has become deprecated
The monolithic libvirt
daemon, libvirtd
, has been deprecated in RHEL 9, and will be removed in a future major release of RHEL. Note that you can still use libvirtd
for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly introduced modular libvirt
daemons. For instructions and details, see the RHEL 9 Configuring and Managing Virtualization document.
Jira:RHELPLAN-113995
Legacy CPU models are now deprecated
A significant number of CPU models have become deprecated and will become unsupported for use in virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows:
- For Intel: models prior to Intel Xeon 55xx and 75xx Processor families (also known as Nehalem)
- For AMD: models prior to AMD Opteron G4
- For IBM Z: models prior to IBM z14
To check whether your VM is using a deprecated CPU model, use the virsh dominfo
utility, and look for a line similar to the following in the Messages
section:
tainted: use of deprecated configuration settings deprecated configuration: CPU model 'i486'
RDMA-based live migration is deprecated
With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) has become deprecated. As a result, it is still possible to use the rdma://
migration URI to request migration over RDMA, but this feature will become unsupported in a future major release of RHEL.
Jira:RHELPLAN-153267
10.15. Containers
Running RHEL 9 containers on a RHEL 7 host is not supported
Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.
For more information, see Red Hat Enterprise Linux Container Compatibility Matrix.
Jira:RHELPLAN-100087
SHA1 hash algorithm within Podman has been deprecated
The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or later have to be restarted if they are joined to a network (and not just using slirp4netns
) to ensure they can connect to containers started after the upgrade.
Bugzilla:2069279
rhel9/pause
has been deprecated
The rhel9/pause
container image has been deprecated.
The CNI network stack has been deprecated
The Container Network Interface (CNI) network stack will be deprecated in a future minor version. Previously, containers connected to the single Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark network stack with Podman and other Open Container Initiative (OCI) container management applications. The Netavark network stack for Podman is also compatible with advanced Docker functionalities. Containers in multiple networks can access containers on any of those networks.
For more information, see Switching the network stack from CNI to Netavark.
Jira:RHELPLAN-147725
10.16. Deprecated packages
This section lists packages that have been deprecated and will probably not be included in a future major release of Red Hat Enterprise Linux.
For changes to packages between RHEL 8 and RHEL 9, see Changes to packages in the Considerations in adopting RHEL 9 document.
The support status of deprecated packages remains unchanged within RHEL 9. For more information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.
The following packages have been deprecated in RHEL 9:
- iptables-devel
- iptables-libs
- iptables-nft
- iptables-nft-services
- iptables-utils
- libdb
- mcpp
- mod_auth_mellon
- motif
- motif-devel
- python3-pytz
- xorg-x11-server-Xorg