Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.2.
4.1. Installer and image creation
A new and improved way to create blueprints and images in the image builder web console
With this enhancement, you have access to a unified version of the image builder tool and a significant improvement in your user experience.
Notable enhancements in the image builder dashboard GUI include:
- You can now customize your blueprints with all the customizations previously supported only in the CLI, such as kernel, file system, firewall, locale, and other customizations.
-
You can import blueprints by either uploading or dragging the blueprint in the
.JSON
or.TOML
format and create images from the imported blueprint. -
You can also export or save your blueprints in the
.JSON
or.TOML
format. - Access to a blueprint list that you can sort, filter, and is case-sensitive.
With the image builder dashboard, you can now access your blueprints, images, and sources by navigating through the following tabs:
- Blueprint - Under the Blueprint tab, you can now import, export, or delete your blueprints.
Images - Under the Images tab, you can:
- Download images.
- Download image logs.
- Delete images.
Sources - Under the Sources tab, you can:
- Download images.
- Download image logs.
- Create sources for images.
- Delete images.
Jira:RHELPLAN-139448
Ability to create customized files and directories in the /etc
directory
With this enhancement, two new blueprint customizations are available. The [[customizations.files]]
and the [[customizations.directories]]
blueprint customizations enable you to create customized files and directories in the /etc
directory of your image. Currently, you can use these customization only in the /etc
directory.
The [[customizations.directories]]
enables you to:
- Create new directories
- Set user and group ownership for the directory
- Set the mode permission in the octal format
With the [[customizations.files]]
blueprint customizations you can:
-
Create new files under the parent
/
directory - Modifying existing files - this overrides the existing content
- Set user and group ownership for the file you are creating
- Set the mode permission in the octal format
The new blueprint customizations are supported by all the image types, such as edge-container
, edge-commit
, among others. The customizations not supported in the blueprints used to create Installer images, such as edge-raw-image
, edge-installer
, and edge-simplified-installer
.
Jira:RHELPLAN-147428
Ability to specify user in a blueprint for simplified-installer
images
Previously, when creating a blueprint for a simplified-installer image, you could not specify a user in the blueprint customization, because the customization was not used and was discarded. With this update, when you create an image from the blueprint, this blueprint creates a user under the /usr/lib/passwd
directory and a password under the /usr/etc/shadow
directory during installation time. You can log in to the device with the username and the password you created for the blueprint. Note that after you access the system, you need to create users, for example, using the useradd
command.
Jira:RHELPLAN-149091
Support for 64-bit ARM for .vhd
images built with image builder
Previously, Microsoft Azure .vhd
images created with the image builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit ARM Microsoft Azure .vhd
images and now you can build your .vhd
images using image builder and upload them to the Microsoft Azure cloud.
Jira:RHELPLAN-139424
Minimal RHEL installation now installs only the s390utils-core
package
In RHEL 8.4 and later, the s390utils-base
package is split into an s390utils-core
package and an auxiliary s390utils-base
package. As a result, setting the RHEL installation to minimal-environment
installs only the necessary s390utils-core
package and not the auxiliary s390utils-base
package. If you want to use the s390utils-base
package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base
using a kickstart file.
Bugzilla:1932480
4.2. RHEL for Edge
Ignition support in RHEL for Edge Simplified images
With this enhancement, you can add an Ignition file to the Simplified Installer images by customizing your blueprint. Both GUI and CLI have support for the Ignition customization. RHEL for Edge uses the Ignition provisioning utility to inject the user configuration into the images at an early stage of the boot process. On the first boot, Ignition reads its configuration either from a remote URL or a file embedded in the Simplified Installer image and applies that configuration into the image.
Jira:RHELPLAN-139659
Simplified Installer images can now be composed without the FDO customization section in the blueprint
Previously, to build a RHEL for Edge Simplified Installer image, you had to add details to the FIDO device onboarding (FDO) customization section. Otherwise, the image build would fail. With this update, the FDO customization in blueprints is now optional, and you can build RHEL for Edge Simplified Installer image with no errors.
Jira:RHELPLAN-139655
Red Hat build of MicroShift enablement for RHEL for Edge images
With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge system. By using the [[customizations.firewalld.zones]]
blueprint customization, you can add support for firewalld
sources in the blueprint customization. For that, specify a name for the zone and a list of sources in that specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset
.
The following is a blueprint example on how to configure and customize support for Red Hat build of MicroShift services in a RHEL for Edge system.
[[packages]] name = "microshift" version = "*" [customizations.services] enabled = ["microshift"] [[customizations.firewall.zones]] name = "trusted" sources = ["10.42.0.0/16", "169.254.169.1"]
The Red Hat build of MicroShift installation requirements, such as firewall policies, MicroShift RPM, systemd
service, enable you to create a deployment ready for production to achieve workload portability to a minimum field deployed edge device and by default LVM device mapper enablement.
Jira:RHELPLAN-136489
4.3. Software management
New dnf offline-upgrade
command for offline updates on RHEL
With this enhancement, you can apply offline updates to RHEL by using the new dnf offline-upgrade
command from the DNF system-upgrade
plug-in.
The dnf system-upgrade
command included in the system-upgrade
plug-in is not supported on RHEL.
Applying advisory security filters to dnf offline-upgrade
is now supported
With this enhancement, the new functionality for advisories filtering has been added. As a result, you can now download packages and their dependencies only from the specified advisory by using the dnf offline-upgrade
command with advisory security filters (--advisory
, --security
, --bugfix
, and other filters).
The unload_plugins
function is now available for the DNF API
With this enhancement, a new unload_plugins
function has been added to the DNF API to allow plug-ins unloading.
Note that you must first run the init_plugins
function, and then run the unload_plugins
function.
New --nocompression
option for rpm2archive
With this enhancement, the --nocompression
option has been added to the rpm2archive
utility. You can use this option to avoid compression when directly unpacking an RPM package.
Bugzilla:2150804
4.4. Shells and command-line tools
ReaR is now fully supported also on the 64-bit IBM Z architecture
Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z architecture as a Technology Preview, is fully supported with the rear
package version 2.6-17.el9 or later. You can create a ReaR rescue image on the IBM Z architecture in the z/VM environment only. Backing up and recovering logical partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring disk layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed Block Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not supported for this purpose. The only output method currently available is Initial Program Load (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL
bootloader.
For more information, see Using a ReaR rescue image on the 64-bit IBM Z architecture.
Bugzilla:2046653
systemd
rebased to version 252
The systemd
package has been upgraded to version 252. Notable changes include:
-
You can specify the default timeout when waiting for device units to activate by using the
DefaultDeviceTimeoutSec=
option insystem.conf
anduser.conf
files. -
At shutdown,
systemd
now logs about processes blocking unmounting of file systems. - You can now use drop-ins for transient units too.
-
You can use size suffixes, such as K, M, G, T and others in the
ConditionMemory=
option. -
You can list automount points by using the
systemctl list-automounts
command. -
You can use the
systemd-logind
utility to stop an idle session after a preconfigured timeout by using theStopIdleSessionSec=
option. -
The
systemd-udev
utility now creates theinfiniband by-path
andinfiniband by-ibdev
links for Infiniband verbs devices. -
The
systemd-tmpfiles
utility now gracefully handles the absent source ofC
copy. -
The
systemd-repart
utility now generatesdm-verity
partitions, including signatures.
Updated systemd-udevd
assigns consistent network device names to InfiniBand interfaces
Introduced in RHEL 9, the new version of the systemd
package contains the updated systemd-udevd
device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd
.
You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices procedure.
For more details of the naming scheme, see the systemd.net-naming-scheme(7)
man page.
4.5. Infrastructure services
chrony
rebased to version 4.3
The chrony
suite has been updated to version 4.3. Notable enhancements over version 4.2 include:
-
Added long-term quantile-based filtering of Network Time Protocol (NTP) measurements. You can enable this feature by adding the
maxdelayquant
option to thepool
,server
, orpeer
directive. -
Added the selection log to provide more information about
chronyd
selection of sources. You can enable the selection log by adding theselection
option to thelog
directive. - Improved synchronization stability when using the hardware timestamping and Pulse-Per-Second Hardware Clock (PHC) reference clocks.
- Added support for the system clock stabilization using a free-running stable clock, for example, Temperature Compensated Crystal Oscillator (TCXO), Oven-Controlled Crystal Oscillator (OCXO), or an atomic clock.
- Increased the maximum polling rate to 128 messages per second.
frr
rebased to version 8.3.1
The frr
package for managing dynamic routing stack has been updated to version 8.3.1. Notable changes over version 8.2.2 include:
Added a new set of commands to interact with the Border Gateway Protocol (BGP):
-
the
set as-path replace
command to replace the Autonomous System (AS) path attribute of a BGP route with a new value. -
the
match peer
command to match a specific BGP peer or group when configuring a BGP route map. -
the
ead-es-frag evi-limit
command to set a limit on the number of Ethernet A-D per EVI fragments that can be sent in a given period of time in EVPN. -
the
match evpn route-type
command to take specific actions on certain types of EVPN routes, such as route-target, route-distinguisher, or MAC/IP routes.
-
the
-
Added the
show thread timers
command in the VTYSH command-line interface for interacting with FRR daemons. -
Added the
show ip ospf reachable-routers
command to display a list of routers that are currently reachable through the OSPF protocol. Added new commands to interact with the Protocol Independent Multicast (PIM) daemon:
-
the
debug igmp trace detail
command to enable debugging for Internet Group Management Protocol (IGMP) messages with detailed tracing. -
the
ip pim passive
command to to configure the interface as passive, not sending PIM messages.
-
the
-
Added new outputs for the
show zebra
command, such as ECMP, EVPN, MPLS statuses. -
Added the
show ip nht mrib
command to the ZEBRA component to display multicast-related information from themroute
table in the kernel.
vsftpd
rebased to version 3.0.5
The Very Secure FTP Daemon (vsftpd
) provides a secure method of transferring files between hosts. The vsftpd
package has been updated to version 3.0.5. Notable changes and enhancements include the following SSL modernizations:
-
By default, the
vsftpd
utility now requires the use of TLS version 1.2 or later for secure connections. -
The
vsftpd
utility is now compatible with the latest FileZilla client.
The frr
package now contains targeted SELinux policy
Due to the fast development of the frr
package for managing dynamic routing stack, new features and access vector cache (AVC) issues arose frequently. With this enhancement, the SELinux rules are now packaged together with FRR to address any issues faster. SELinux adds an additional level of protection to the package by enforcing mandatory access control policies.
powertop
rebased to version 2.15
The powertop
package for improving the energy efficiency has been updated to version 2.15. Notable changes and enhancements include:
-
Several Valgrind errors and possible buffer overrun have been fixed to improve the
powertop
tool stability. - Improved compatibility with Ryzen processors and Kaby Lake platforms.
- Enabled Lake Field, Alder Lake N, and Raptor Lake platforms support.
- Enabled Ice Lake NNPI and Meteor Lake mobile and desktop support.
Bugzilla:2044132
The systemd-sysusers
utility is available in the chrony
, dhcp
, radvd
, and squid
packages
The systemd-sysusers
utility creates system users and groups during package installation and removes them during a removal of the package. With this enhancement, the following packages contain the systemd-sysusers
utility in their scriptlets:
-
chrony
, -
dhcp
, -
radvd
, -
squid
.
Jira:RHELPLAN-136485
New synce4l
package for frequency synchronization is now available
SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise synchronization of frequency at the physical layer. SyncE is supported in certain network interface cards (NICs) and network switches.
With this enhancement, the new synce4l
package is now available, which provides support for SyncE. As a result, Telco Radio Access Network (RAN) applications can now achieve more efficient communication due to more accurate time synchronization.
Bugzilla:2143264
tuned
rebased to version 2.20.0
The TuneD utility for optimizing the performance of applications and workloads has been updated to version 2.20.0. Notable changes and enhancements over version 2.19.0 include:
- An extension of API enables you to move devices between plug-in instances at runtime.
The
plugin_cpu
module, which provides fine-tuning of CPU-related performance settings, introduces the following enhancements:-
The
pm_qos_resume_latency_us
feature enables you to limit the maximum time allowed for each CPU to transition from an idle state to an active state. -
TuneD adds support for the
intel_pstate
scaling driver, which provides scaling algorithms to tune the systems’ power management based on different usage scenarios.
-
The
- The socket API to control TuneD through a Unix domain socket is now available as a Technology Preview. See Socket API for TuneD available as a Technology Preview for more information.
Bugzilla:2133815, Bugzilla:2113925, Bugzilla:2118786, Bugzilla:2095829
4.6. Security
Libreswan rebased to 4.9
The libreswan
packages have been upgraded to version 4.9. Notable changes over the previous version include:
-
Support for the
{left,right}pubkey=
options to theaddconn
andwhack
utilities - KDF self-tests
Show host’s authentication key (
showhostkey
):- Support for ECDSA public keys
-
New
--pem
option to print PEM encoded public key
The Internet Key Exchange Protocol Version 2 (IKEv2):
- Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) support
- EAP-only Authentication support
The
pluto
IKE daemon:-
Support for
maxbytes
andmaxpacket
counters
-
Support for
Bugzilla:2128669
OpenSSL rebased to 3.0.7
The OpenSSL packages have been rebased to version 3.0.7, which contains various bug fixes and enhancements. Most notably, the default provider now includes the RIPEMD160
hash function.
libssh
now supports smart cards
You can now use smart cards through Public-Key Cryptography Standard (PKCS) #11 Uniform Resource Identifier (URI). As a result, you can use smart cards with the libssh
SSH library and with applications that use libssh
.
libssh
rebased to 0.10.4
The libssh
library, which implements the SSH protocol for secure remote access and file transfer between machines, has been updated to version 0.10.4.
New features:
- Support for OpenSSL 3.0 has been added.
- Support for smart cards has been added.
-
Two new configuration options
IdentityAgent
andModuliFile
have been added.
Other notable changes include:
- OpenSSL versions older than 1.0.1 are no longer supported
- By default, Digital Signature Algorithm (DSA) support has been disabled at build time.
- The SCP API has been deprecated.
-
The
pubkey
andprivatekey
APIs have been deprecated.
SELinux user-space packages updated to 3.5
The SELinux user-space packages libselinux
, libsepol
, libsemanage
, checkpolicy
, mcstrans
, and policycoreutils
, which includes the sepolicy
utility, have been updated to version 3.5. Notable enhancements and bug fixes include:
The
sepolicy
utility:- Added missing booleans to man pages
- Several Python and GTK updates
-
Added a workaround to
libselinux
that reduces heap memory usage by thePCRE2
library The
libsepol
package:- Rejects attributes in type AV rules for kernel policies
- No longer writes empty class definitions, which allows simpler round-trip tests
- Stricter policy validation
-
The
fixfiles
script unmounts temporary bind mounts on theSIGINT
signal - Many code and spelling bugs fixed
-
Removed dependency on the deprecated Python module
distutils
and the installation using PIP -
The
semodule
option--rebuild-if-modules-changed
renamed to--refresh
- Translation updated for generated descriptions and improved handling of unsupported languages
- Fixed many static code analysis bugs, fuzzer problems, and compiler warnings
Bugzilla:2145224, Bugzilla:2145228, Bugzilla:2145229, Bugzilla:2145226, Bugzilla:2145230, Bugzilla:2145231
OpenSCAP rebased to 1.3.7
The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various bug fixes and enhancements, most notably:
- Fixed error when processing OVAL filters (RHBZ#2126882)
-
OpenSCAP no longer emits invalid empty
xmlfilecontent
items if XPath does not match (RHBZ#2139060) -
Prevented
Failed to check available memory
errors (RHBZ#2111040)
SCAP Security Guide rebased to 0.1.66
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This version provides various enhancements and bug fixes, most notably:
- New CIS RHEL9 profiles
-
Deprecation of rule
account_passwords_pam_faillock_audit
in favor ofaccounts_passwords_pam_faillock_audit
New SCAP rule for idle session termination
New SCAP rule logind_session_timeout
has been added to the scap-security-guide
package in ANSSI-BP-028 profiles for Enhanced and High levels. This rule uses a new feature of the systemd
service manager and terminates idle user sessions after a certain time. This rule provides automatic configuration of a robust idle session termination mechanism which is required by multiple security policies. As a result, OpenSCAP can automatically check the security requirement related to terminating idle user sessions and, if necessary, remediate it.
scap-security-guide
rules for Rsyslog log files are compatible with RainerScript logs
Rules in scap-security-guide
for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, scap-security-guide
rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.
Keylime rebased to 6.5.2
The keylime
packages have been rebased to upstream version - keylime-6.5.2-5.el9. This version contains various enhancements and bug fixes, most notably the following:
- Addressed vulnerability CVE-2022-3500
- The Keylime agent no longer fails IMA attestation when one scripts is executed quickly after another RHBZ#2138167
-
Fixed segmentation fault in the
/usr/share/keylime/create_mb_refstate
script RHBZ#2140670 -
Registrar no longer crashes during EK validation when the
require_ek_cert
option is enabled RHBZ#2142009
Clevis accepts external tokens
With the new -e
option introduced to the Clevis automated encryption tool, you can provide an external token ID to avoid entering your password during cryptsetup
. This feature makes the configuration process more automated and convenient, and is useful particularly for packages such as stratis
that use Clevis.
Rsyslog TLS-encrypted logging now supports multiple CA files
With the new NetstreamDriverCaExtraFiles
directive, you can specify a list of additional certificate authority (CA) files for TLS-encrypted remote logging. Note that the new directive is available only for the ossl
(OpenSSL) Rsyslog network stream driver.
Rsyslog privileges are limited
The privileges of the Rsyslog log processing system are now limited to only the privileges explicitly required by Rsyslog. This minimizes security exposure in case of a potential error in input resources, for example, a networking plugin. As a result, Rsyslog has the same functionality but does not have unnecessary privileges.
SELinux policy allows Rsyslog to drop privileges at start
Because the privileges of the Rsyslog log processing system are now more limited to minimize security exposure (RHBZ#2127404), the SELinux policy has been updated to allow the rsyslog
service to drop privileges at start.
Tang now uses systemd-sysusers
The Tang network presence server now adds system users and groups through the systemd-sysusers
service instead of shell scripts containing useradd
commands. This simplifies checking of the system user list, and you can also override definitions of system users by providing sysuser.d
files with higher priority.
opencryptoki
rebased to 3.19.0
The opencryptoki
package has been rebased to version 3.19.0, which provides many enhancements and bug fixes. Most notably, opencryptoki
now supports the following features:
- IBM-specific Dilithium keys
- Dual-function cryptographic functions
-
Cancelling active session-based operations by using the new
C_SessionCancel
function, as described in the PKCS #11 Cryptographic Token Interface Base Specification v3.0 -
Schnorr signatures through the
CKM_IBM_ECDSA_OTHER
mechanism -
Bitcoin key derivation through the
CKM_IBM_BTC_DERIVE
mechanism - EP11 tokens in IBM z16 systems
Bugzilla:2110314
SELinux now confines mptcpd
and udftools
With this update of the selinux-policy
packages, SELinux confines the following services:
-
mptcpd
-
udftools
Bugzilla:1972222
fapolicyd now provides filtering of the RPM database
With the new configuration file /etc/fapolicyd/rpm-filter.conf
, you can customize the list of RPM-database files that the fapolicyd
software framework stores in the trust database. This way, you can block certain applications installed by RPM or allow an application denied by the default configuration filter.
Jira:RHEL-192
GnuTLS can add and remove padding during decryption and encryption
The implementation of certain protocols requires PKCS#7 padding during decryption and encryption. The gnutls_cipher_encrypt3
and gnutls_cipher_decrypt3
block cipher functions have been added to GnuTLS to transparently handle padding. As a result, you can now use these functions in combination with the GNUTLS_CIPHER_PADDING_PKCS7
flag to automatically add or remove padding if the length of the original plaintext is not a multiple of the block size.
NSS no longer support RSA keys shorter than 1023 bits
The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following functions:
- Generate RSA keys shorter than 1023 bits.
- Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
- Encrypt or decrypt values with RSA key shorter than 1023 bits.
The Extended Master Secret
TLS Extension is now enforced on FIPS-enabled systems
With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret
(EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.
Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3.
In addition, connecting from a FIPS-enabled RHEL client to a hypervisor such as VMWare ESX now fails with a Provider routines::ems not enabled
error if the hypervisor uses TLS 1.2 without EMS. To work around this problem, update the hypervisor to support TLS 1.3 or TLS 1.2 with the EMS extension. For VMWare vSphere, this means version 8.0 or later.
For more information, see TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2.
4.7. Networking
NetworkManager rebased to version 1.42.2
The NetworkManager
packages have been upgraded to upstream version 1.42.2, which provides a number of enhancements and bug fixes over the previous version:
- Ethernet bonds support source load balancing.
-
NetworkManager can manage connections on the
loopback
device. - Support for IPv4 equal-cost multi-path (ECMP) routes was added.
-
Support for
802.1ad
tagging in Virtual Local Area Networks (VLANs) connections was added. -
The
nmtui
application supports Wi-Fi WPA-Enterprise, Ethernet with 802.1X authentication, and MACsec connection profiles. - NetworkManager rejects DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).
For further information about notable changes, read the upstream release notes.
Introduction of the weight
property in ECMP routing with NetworkManager
With this update, RHEL 9 supports a new property weight
when defining IPv4 Equal-Cost Multi-Path (ECMP) routes. You can configure multipath routing using NetworkManager to load-balance and stabilize network traffic. This allows for multiple paths to be used for data transmission between two nodes, which improves the network efficiency and provides redundancy in the event of a link failure. Conditions for using the weight
property include:
- The valid values are 1-256.
-
Define multiple next-hop routes as single-hop routes with the
weight
property. -
If you do not set
weight
, NetworkManager cannot merge the routes into an ECMP route.
NetworkManager update brings improved flexibility for DNS configuration across multiple networks
With this update, you can use the existing [global-dns]
section in the /etc/Networkmanager/NetworkManager.conf
file to configure DNS options without specifying the nameserver
value in the [global-dns-domain-*]
section. This enables you to configure DNS options in the /etc/resolv.conf
file while still relying on the DNS servers provided by the network connection for actual DNS resolution. As a result, the feature makes it easier and more flexible to manage your DNS settings when connecting to different networks with different DNS servers. Especially when you use the /etc/resolv.conf
file to configure DNS options.
NetworkManager now supports a new vlan.protocol
property
With this update, the vlan
interface type now accepts a new protocol
property. The property type is string. The accepted values are either 802.1Q
(default), or 802.1ad
. The new property specifies which VLAN protocol controls the tag identifier for encapsulation.
NetworkManager now allows VLAN configuration over unmanaged interface
With this enhancement, you can use an unmanaged networking interface as a base interface when configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains intact unless changed explicitly through the nmcli device set enp1s0 managed true
command or other API of NetworkManager.
Configuring Multipath TCP using NetworkManager is now fully supported
With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) functionality. You can use nmcli
commands to control MPTCP and make its settings persistent.
For more information, see:
The NetworkManager utility now supports activating connections on the loopback
interface
Administrators can manage the loopback
interface to:
-
Add extra IP addresses to the
loopback
interface - Define DNS configuration
- Define a special route, which does not bind to an interface
- Define a route rule, which is not interface-related
-
Change Maximum Transmission Unit (MTU) size of the
loopback
interface
The balance-slb
bonding mode is now supported
The new balance-slb
bonding mode Source load balancing requires no switch configuration. The balance-slb
divides traffic on the source ethernet address using xmit_hash_policy
=vlan+srcmac
, and NetworkManager adds necessary nftables
rules for traffic filtering. As a result, you can now create bond profiles with the balance-slb
option enabled by using NetworkManager.
firewalld
rebased to version 1.2
The firewalld
package has been upgraded to version 1.2, which provides multiple enhancements. Notable changes include:
- Support for new services (for example netdata, IPFS)
-
Fail-safe mode to ensure that the system remains protected and that network communication is not disrupted if the
firewalld
service encounters an error during its startup -
Tab-completion in command-line (CLI) for some of the
firewalld
policy commands
The firewalld
now supports the startup failsafe mechanism
With this enhancement, firewalld
will fall back to failsafe defaults in case of a startup failure. This feature protects the host in case of invalid configurations or other startup issues. As a result, even if the user configuration is invalid, hosts running firewalld
are now startup failsafe.
conntrack-tools
rebased to version 1.4.7
The conntrack-tools
package has been upgraded to version 1.4.7, which provides multiple bug fixes and enhancements. Notable changes include:
-
Adds the
IPS_HW_OFFLOAD
flag, which specifies offloading of aconntrack
entry to the hardware -
Adds
clash_resolve
andchaintoolong
statistical counters - Supports filtering events by IP address family
-
Accepts yes or no as synonyms to on or off in the
conntrackd.conf
file -
Supports user space helper auto-loading upon daemon startup. Users do not have to manually run the
nfct add helper
commands -
Removes the
-o userspace
command option and always tags user space triggered events - Logs external inject problems as warning only
- Ignores conntrack ID when looking up cache entries to allow for stuck old ones to be replaced
-
Fixes broken parsing of IPv6
M-SEARCH
requests in thessdp cthelper
module -
Eliminates the need for lazy binding technique in the
nfct
library - Sanitizes protocol value parsing, catch invalid values
The nmstate
API now supports IPv6 link-local addresses as DNS servers
With this enhancement, you can use the nmstate
API to set IPv6 link-local addresses as DNS servers. Use the <link-local_address>%<interface>
format, for example:
dns-resolver: config: server: - fe80::deef:1%enp1s0
The nmstate
API now supports MPTCP flags
This update enhances the nmstate
API with support for MultiPath TCP (MPTCP) flags. As a result, you can use nmstate
to set MPTCP address flags on interfaces with static or dynamic IP addresses.
The min-mtu
and max-mtu
properties added to MTU on all interfaces
Previously, an exception message was not clear enough to understand the supported MTU ranges. This update introduces the min-mtu
and max-mtu
properties to all interfaces. As a result, nmstate
will indicate the supported MTU range when the desired MTU is out of range.
NetworkManager now allows VLAN configuration over unmanaged interface
With this enhancement, you can use an unmanaged networking interface as a base interface when configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains intact unless changed explicitly through the nmcli device set enp1s0 managed true
command or other API of NetworkManager.
The balance-slb
bonding mode is now supported
The new balance-slb
bonding mode Source load balancing requires no switch configuration. The balance-slb
divides traffic on the source Ethernet address using xmit_hash_policy
=vlan+srcmac
, and NetworkManager adds necessary nftables
rules for traffic filtering. As a result, you can now create bond profiles with the balance-slb
option enabled by using NetworkManager.
A new weight
property in Nmstate
This update introduces the weight
property in the Nmstate API and tooling suite. You can use weight
to specify the relative weight of each path in the Equal Cost Multi-Path routes (ECMP) group. The weight is a number between 1 and 256. As a result, weight
property in Nmstate provides greater flexibility and control over traffic distribution in an ECMP group.
xdp-tools
rebased to version 1.3.1
The xdp-tools
packages have been upgraded to upstream version 1.3.1, which provides a number of enhancements and bug fixes over the previous version:
The following utilities have been added:
-
xdp-bench
: Performs XDP benchmarks on the receive side. -
xdp-monitor
: Monitors XDP errors and statistics using kernel trace points. -
xdp-trafficgen
: Generates and sends traffic through the XDP driver hook.
-
The following features have been added to the
libxdp
library:-
The
xdp_multiprog__xdp_frags_support()
,xdp_program__set_xdp_frags_support()
, andxdp_program__xdp_frags_support()
functions have been added to support loading programs with XDPfrags
support, a feature that is also known asmultibuffer XDP
. -
The library performs proper reference counting when attaching programs to
AF_XDP
sockets. As a result, the application no longer has to manually detach XDP programs when using sockets. Thelibxdp
library detaches the program now automatically when the program is no longer used. The following functions have been added to the library:
-
xdp_program__create()
for creatingxdp_program
objects -
xdp_program__clone()
for cloning anxdp_program
reference -
xdp_program__test_run()
for running XDP programs through theBPF_PROG_TEST_RUN
kernel API
-
-
When the
LIBXDP_BPFFS_AUTOMOUNT
environment variable is set, thelibxdp
library now supports automatically mounting of abpffs
virtual file system if none is found. A subset of the library features can now also function when nobpffs
is mounted.
-
The
Note that this version also changes the version number of the XDP dispatcher program that is being loaded on the network devices. This means that you can not use a previous and a new version of libxdp
and xdp-tools
at the same time. The libxdp
1.3 library will display old versions of the dispatcher, but not automatically upgrade them. Additionally, after loading a program with libxdp
1.3, older versions will not interoperate with the newer one.
iproute
rebased to version 6.1.0
The iproute
package has been upgraded to version 6.1.0, which provides multiple bug fixes and enhancements. Notable changes include:
Supports reading the
vdpa
device statisticsIllustration of statistics reading for the
virtqueue
data structure at index 1:# vdpa dev vstats show vdpa-a qidx 1 vdpa-a: vdpa-a: queue_type tx received_desc 321812 completed_desc 321812
Illustration of statistics reading for the
virtqueue data
structure at index 16:# vdpa dev vstats show vdpa-a qidx 16 vdpa-a: queue_type control_vq received_desc 17 completed_desc 17
- Updates the corresponding manual pages
The kernel now logs the listening address in SYN flood messages
This enhancement adds the listening IP address to SYN flood messages:
Possible SYN flooding on port <ip_address>:<port>.
As a result, if many processes are bound to the same port on different IP addresses, administrators can now clearly identify the affected socket.
Bugzilla:2143850
Introduction of new nmstate
attributes for the VLAN interface
With this update of the nmstate
framework, the following VLAN attributes were introduced:
-
registration-protocol
: VLAN Registration Protocol. The valid values aregvrp
(GARP VLAN Registration Protocol),mvrp
(Multiple VLAN Registration Protocol), andnone
. -
reorder-headers
: reordering of output packet headers. The valid values aretrue
andfalse
. -
loose-binding
: loose binding of the interface to the operating state of its primary device. The valid values aretrue
andfalse
.
Your YAML configuration file can look similar to the following example:
--- interfaces: - name: eth1.101 type: vlan state: up vlan: base-iface: eth1 id: 101 registration-protocol: mvrp loose-binding: true reorder-headers: true
Jira:RHEL-19142
4.8. Kernel
Kernel version in RHEL 9.2
Red Hat Enterprise Linux 9.2 is distributed with the kernel version 5.14.0-284.11.1.
The 64k page size kernel is now available
In addition to the RHEL 9 for ARM kernel which supports 4k pages, Red Hat now offers an optional kernel package that supports 64k pages: kernel-64k
.
The 64k page size kernel is a useful option for large datasets on ARM platforms. It enables better performance for some types of memory- and CPU-intensive operations.
You must choose page size on 64-bit ARM architecture systems at the time of installation. You can install kernel-64k
only by Kickstart by adding the kernel-64k
package to the package list in the Kickstart
file.
For more information on installing kernel-64k
, see Automatically installing RHEL.
Bugzilla:2153073
virtiofs
support for kexec-tools
enabled
This enhancement adds the virtiofs
feature for kexec-tools
by introducing the new option, virtiofs myfs
, where myfs
is a variable tag name to set in the qemu
command line, for example, -device vhost-user-fs-pci,tag=myfs
The virtiofs
file system implements a driver that allows a guest to mount a directory that has been exported on the host. By using this enhancement, you can save the virtual machine’s vmcore
dump file to:
-
A
virtiofs
shared directory. -
The sub-directory, such as
/var/crash
, when the root file system is avirtiofs
shared directory. -
A different
virtiofs
shared directory, when the virtual machine’s root file system is avirtiofs
shared directory.
The kexec-tools
package now adds improvements on remote kdump
targets
With this enhancement, the kexec-tools
package adds significant bug fixes and enhancements. The most notable changes include:
-
Optimized memory consumption for
kdump
by enabling only the required network interfaces. Improved network efficiency for
kdump
in events of connection timeout failures.The default wait time for a network to establish is 10 minutes maximum. This removes the need to pass
dracut
parameters, such asrd.net.timeout.carrier
orrd.net.timeout.dhcp
as a workaround to identify a carrier.
BPF rebased to version 6.0
The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.0 with multiple enhancements. This update enables all the BPF features that depend on the BPF Type Format (BTF) for kernel modules. Such features include the usage of BPF trampolines for tracing, the availability of the Compile Once - Run Everywhere (CO-RE) mechanism, and several networking-related features. Furthermore, the kernel modules now contain debugging information, which means that you no longer need to install debuginfo
packages to inspect the running modules.
For more information on the complete list of BPF features available in the running kernel, use the bpftool feature
command.
Jira:RHELPLAN-133650
The rtla
meta-tool adds the osnoise
and timerlat
tracers for improved tracing capabilities
The Real-Time Linux Analysis (rtla
) is a meta-tool that includes a set of commands that analyze the real-time properties of Linux. rtla
leverages kernel tracing capabilities to provide precise information about the properties and root causes of unexpected system results. rtla
currently adds support for osnoise
and timerlat
tracer commands:
-
The
osnoise
tracer reports information about operating system noise. -
The
timerlat
tracer periodically prints the timer latency at the timer IRQ handler and the thread handler.
Note that to use the timerlat
feature of rtla
, you must disable admission control by using the sysctl -w kernel.sched_rt_runtime_us=-1
script.
Bugzilla:2075216
The argparse
module of Tuna now supports configuring CPU sockets
With this enhancement, you can specify a specific CPU socket when you have multiple CPU sockets. You can view the help usage by using the -h
on a subcommand, for example, tuna show_threads -h
.
To configure a specific CPU socket, specify the -S
option with each tuna
command where you need to use CPU sockets:
tuna <command> [-S CPU_SOCKET_LIST]
For example, use tuna show_threads -S 2,3
to view the threads or tuna show_irqs -S 2,3
to view attached interrupt requests (IRQs).
As a result, this enhancement facilitates CPU usage based on CPU sockets without the need to specify each CPU individually.
The output format for cgroups
and irqs
in Tuna is improved to provide better readability
With this enhancement, the tuna show_threads
command output for the cgroup
utility is now structured based on the terminal size. You can also configure additional spacing to the cgroups
output by adding the new -z
or --spaced
option to the show_threads
command.
As a result, the cgroups
output now has an improved readable format that is adaptable to your terminal size.
A new command line interface has been added to the tuna
tool in real-time
This enhancement adds a new command line interface to the tuna
tool, which is based on the argparse
parsing module. With this update, you can now perform the following tasks:
- Change the attributes of the application and kernel threads.
- Operate on interrupt requests (IRQs) by name or number.
- Operate on tasks or threads by using the process identifier.
- Specify CPUs and sets of CPUs with the CPU or the socket number.
By using the tuna -h
command, you can print the command line arguments and their corresponding options. For each command, there are optional arguments, which you can view with the tuna <command> -h
command.
As a result, tuna
now provides an interface with a more standardized menu of commands and options that is easier to use and maintain than the command line interface.
The rteval
command output now includes the program loads and measurement threads information
The rteval
command now displays a report summary with the number of program loads, measurement threads, and the corresponding CPU that ran these threads. This information helps to evaluate the performance of a real-time kernel under load on specific hardware platforms.
The rteval
report is written to an XML file along with the boot log for the system and saved to the rteval-<date>-N-tar.bz2
compressed file. The date
specifies the report generation date and N
is the counter for the Nth run.
To generate an rteval
report, enter the following command:
# rteval --summarize rteval-<date>-N.tar.bz2
The -W
and --bucket-width
options has been added to the oslat
program to measure latency
With this enhancement, you can specify a latency range for a single bucket at nanoseconds accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By using the new options, -W
or --bucket-width
, you can modify the latency interval between buckets to measure latency within sub-microseconds delay time.
For example to set a latency bucket width of 100 nanoseconds for 32 buckets over a duration of 10 seconds to run on CPU range of 1-4 and omit zero bucket size, run the following command:
# oslat -b 32 -D 10s -W 100 -z -c 1-4
Note that before using the option, you must determine what level of precision is significant in relation to the error measurement.
The NVMe/FC
transport protocol enabled as the kdump
storage target
The kdump
mechanism now provides the support for Nonvolatile Memory Express (NVMe) over Fibre Channel (NVMe/FC) protocol as the dump target. With this update, you can configure kdump
to save kernel crash dump files on NVMe/FC storage targets.
As a result, kdump
can capture and save the vmcore
file on NVMe/FC
in the event of a kernel crash without timeout
or reconnect
errors.
For more information on NVMe/FC configuration, see Managing storage devices
Bugzilla:2080110
The crash-utility
tool has been rebased to version 8.0.2
The crash-utility
, which analyzes an active system state or after a kernel crash, has been rebased to version 8.0.2. The notable change includes adding support for multiqueue(blk-mq)
devices. By using the dev -d
or dev -D
command, you can display the disk I/O statistics for multiqueue(blk-mq)
devices.
openssl-ibmca
rebased to version 2.3.1
The dynamic OpenSSL engine and provider for IBMCA on 64-bit IBM Z architecture have been rebased to upstream version 2.3.1. Users of RHEL 9 are recommended to use the OpenSSL provider to ensure compatibility with future updates of OpenSSL. The engine functionality has been deprecated in OpenSSL version 3.
Bugzilla:2110378
Secure Execution guest dump encryption with customer keys
This new feature allows hypervisor-initiated dumps for Secure Execution guests to collect kernel crash information from KVM in scenarios in which the kdump
utility does not work. Note that hypervisor-initiated dumps for Secure Execution is designed for the IBM Z Series z16 and LinuxONE Emperor 4 hardware.
Bugzilla:2044204
The TSN protocol for real-time has been enabled on the ADL-S platform
With this enhancement, the IEEE Time Sensitive Networking (TSN) specification enables time synchronization and deterministic processing of real-time workloads over the network on Intel Alder Lake S (ADL-S) platform. It supports the following network devices:
- A discrete 2.5GbE MAC-PHY combo with TSN support: Intel® i225/i226
-
An integrated 2.5GbE MAC in the SOC with 3rd party PHY chips from Marvell, Maxlinear and TI covering the 1GbE and 2.5Gbe speed, is available on select
skus
and SOCs.
With the TSN protocol, you can manage deterministic applications scheduling, preemption, and accurate time synchronization type workloads in embedded implementations. These implementations need dedicated, specialized, and proprietary networks, while workloads run on standard Ethernet, Wi-Fi, and 5G networks.
As a result, TSN provides improved capabilities for:
- Hardware: Intel based systems used for implementing real-time workloads in IoT
- Deterministic and time sensitive applications
Bugzilla:2100606
The Intel ice
driver rebased to version 6.0.0
The Intel ice
driver has been upgraded to upstream version 6.0.0, which provides a number of enhancements and bug fixes over previous versions. The notable enhancements include:
-
Point-to-Point Protocol over Ethernet (
PPPoE
) protocol hardware offload -
Inter-Integrated Circuit (
I2C
) protocol write command -
VLAN Tag Protocol Identifier (
TPID
) filters in the Ethernet switch device driver model (switchdev
) -
Double VLAN tagging in
switchdev
Bugzilla:2104468
Option to write data for gnss
module is now available
This update provides the option of writing data to the gnss
receiver. Previously, gnss
was not fully configurable. With this enhancement, all gnss
functions are now available.
Bugzilla:2111048
Hosting Secure Boot certificates for IBM zSystems
Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware Management Console (HMC). Notably:
- You can load certificates in a system certificate store using the HMC in DPM and classic mode from an FTP server that can be accessed by the HMC. It is also possible to load certificates from a USB device attached to the HMC.
- You can associate certificates stored in the certificate store with an LPAR partition. Multiple certificates can be associated with a partition and a certificate can be associated with multiple partitions.
- You can de-associate certificates in the certificate store from a partition by using HMC interfaces.
- You can remove certificates from the certificate store.
- You can associate up to 20 certificates with a partition.
The built-in firmware certificates are still available. In particular, as soon as you use the user-managed certificate store, the built-in certificates will no longer be available.
Certificate files loaded into the certificate store must meet the following requirements:
-
They have the
PEM-
orDER-encoded X.509v3
format and one of the following filename extensions:.pem
,.cer
,.crt
, or.der
. - They are not expired.
- The key usage attribute must be Digital Signature.
- The extended key usage attribute must contain Code Signing.
A firmware interface allows a Linux kernel running in a logical partition to load the certificates associated with this partition. Linux on IBM Z stores these certificates in the .platform
keyring, allowing the Linux kernel to verify kexec
kernels and third party kernel modules to be verified using certificates associated with that partition.
It is the responsibility of the operator to only upload verified certificates and to remove certificates that have been revoked.
The Red Hat Secureboot 302
certificate that you need to load into the HMC is available at Product Signing Keys.
Bugzilla:2190123
zipl
support for Secure Boot IPL and dump on 64-bit IBM Z
With this update, the zipl
utility supports List-Directed IPL and List-Directed dump from Extended Count Key Data (ECKD) Direct Access Storage Devices (DASD) on the 64-bit IBM Z architecture. As a result, Secure Boot for RHEL on IBM Z also works with the ECKD type of DASDs.
Bugzilla:2044200
rtla
rebased to version 6.6 of the upstream kernel
source code
The rtla
utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
-
Added the
-C
option to specify additional control groups forrtla
threads to run in, apart from the mainrtla
thread. -
Added the
--house-keeping
option to placertla
threads on a housekeeping CPU and to put measurement threads on different CPUs. -
Added support to the
timerlat
tracer so that you can runtimerlat hist
andtimerlat top
threads in user space.
Jira:RHEL-18359
4.9. File systems and storage
nvme-cli
rebased to version 2.2.1
The nvme-cli
packages have been upgraded to version 2.2.1, which provide multiple bug fixes and enhancements. Notable changes include:
-
Added the new
nvme show-topology
command, which displays the topology of all NVMe subsystems. -
Dropped the
libuuid
dependency. -
The
uint128
data fields are displayed correctly. -
Updated the
libnvme
dependency to version 1.2.
Bugzilla:2139753
libnvme
rebased to version 1.2
The libnvme
packages have been upgraded to version 1.2, which provide multiple bug fixes and enhancements. The most notable change is a dropped dependency of the libuuid
library.
Stratis enforces consistent block size in pools
Stratis now enforces a consistent block size in pools to address potential edge case problems that can occur when mixed block size devices exist within a pool. With this enhancement, users can no longer create a pool or add new devices that have a different block size from the existing devices in the pool. As a result, there is a reduced risk of pool failure.
Support for existing disk growth within the Stratis pool
Previously, when a user added new disks to the RAID array, the size of the RAID array would generally increase. However, in all cases, Stratis ignored the increase in size and continued to use only the space that was available on the RAID array when it was first added to the pool. As a result, Stratis was unable to identify the new device, and users could not increase the size of the pool.
With this enhancement, Stratis now identifies any pool device members that have expanded in size. As a result, users can now issue a command to expand the pool based on their requirements.
Stratis now supports the growth of existing disks within its pool, in addition to the existing feature of growing the pool by adding new disks.
Improved functionality of the lvreduce
command
With this enhancement, when the logical volume (LV) is active, the lvreduce
command checks if reducing the LV size would damage any file system present on it. If a file system on the LV requires reduction, and the lvreduce resizefs
option has not been enabled, then the LV will not be reduced.
Additionally, new options are now available to control the handling of file systems while reducing an LV. These options provide users with greater flexibility and control when using the lvreduce
command.
Direct I/O alignment information for statx
was added
This update introduces a new mask value, "STATX_DIOALIGN"
, to the statx(2)
call. When this value is set in the stx_mask
field, it requests stx_dio_mem_align
and stx_dio_offset_align
values, which indicate the required alignment (in bytes) for user memory buffers and file offsets and I/O segment lengths for direct I/O (O_DIRECT) on this file, respectively. If direct I/O is not supported on the file, both values will be 0. This interface is now implemented for block devices as well as for files on the xfs and ext4 filesystems in RHEL9.
Bugzilla:2150284
NFSv4.1 session trunking discovery
With this update, the client can use multiple connections to the same server and session, resulting in faster data transfer. When an NFS client mounts a multi-homed NFS server with different IP addresses, only one connection is used by default, ignoring the rest. To improve performance, this update adds support for the trunkdiscovery
and max_connect
mount options, which enable the client to test each connection and associate multiple connections with the same NFSv4.1+ server and session.
Bugzilla:2066372
NFS IO sizes can now be set as a multiples of PAGE_SIZE for TCP and RDMA
This update allows users to set NFS IO sizes as a multiples of PAGE_SIZE
for TCP and RDMA connections. This offers greater flexibility in optimizing NFS performance for some architectures.
Bugzilla:2107347
nfsrahead
has been added to RHEL 9
With the introduction of the nfsrahead
tool, you can use it to modify the readahead
value for NFS mounts, and thus affect the NFS read performance.
4.10. High availability and clusters
New enable-authfile
Booth configuration option
When you create a Booth configuration to use the Booth ticket manager in a cluster configuration, the pcs booth setup
command now enables the new enable-authfile
Booth configuration option by default. You can enable this option on an existing cluster with the pcs booth enable-authfile
command. Additionally, the pcs status
and pcs booth status
commands now display warnings when they detect a possible enable-authfile
misconfiguration.
pcs
can now run the validate-all
action of resource and stonith agents
When creating or updating a resource or a STONITH device, you can now specify the --agent-validation
option. With this option, pcs
uses an agent’s validate-all
action, when it is available, in addition to the validation done by pcs
based on the agent’s metadata.
4.11. Dynamic programming languages, web and database servers
Python 3.11 available in RHEL 9
RHEL 9.2 introduces Python 3.11, provided by the new package python3.11
and a suite of packages built for it, as well as the ubi9/python-311
container image.
Notable enhancements compared to the previously released Python 3.9 include:
- Significantly improved performance.
-
Structural Pattern Matching using the new
match
keyword (similar toswitch
in other languages). - Improved error messages, for example, indicating unclosed parentheses or brackets.
- Exact line numbers for debugging and other use cases.
- Support for defining context managers across multiple lines by enclosing the definitions in parentheses.
-
Various new features related to type hints and the
typing
module, such as the newX | Y
type union operator, variadic generics, and the newSelf
type. - Precise error locations in tracebacks pointing to the expression that caused the error.
-
A new
tomllib
standard library module which supports parsing TOML. -
An ability to raise and handle multiple unrelated exceptions simultaneously using Exception Groups and the new
except*
syntax.
Python 3.11 and packages built for it can be installed in parallel with Python 3.9 on the same system.
To install packages from the python3.11
stack, use, for example:
# dnf install python3.11 # dnf install python3.11-pip
To run the interpreter, use, for example:
$ python3.11 $ python3.11 -m pip --help
See Installing and using Python for more information.
Note that Python 3.11 will have a shorter life cycle than Python 3.9, which is the default Python implementation in RHEL 9; see Red Hat Enterprise Linux Application Streams Life Cycle.
nodejs:18
rebased to version 18.14 with npm
rebased to version 9
The updated Node.js 18.14
includes a SemVer major upgrade of npm
from version 8 to version 9. This update was necessary due to maintenance reasons and may require you to adjust your npm
configuration.
Notably, auth-related settings that are not scoped to a specific registry are no longer supported. This change was made for security reasons. If you used unscoped authentication configurations, the supplied token was sent to every registry listed in the .npmrc
file.
If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc
file.
If you have configuration lines using _auth
, such as //registry.npmjs.org/:_auth
in your .npmrc
files, replace them with //registry.npmjs.org/:_authToken=${NPM_TOKEN}
and supply the scoped token that you generated.
For a complete list of changes, see the upstream changelog.
git
rebased to version 2.39.1
The Git
version control system has been updated to version 2.39.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.31.
Notable enhancements include:
-
The
git log
command now supports a format placeholder for thegit describe
output:git log --format=%(describe)
The
git commit
command now supports the--fixup<commit>
option which enables you to fix the content of the commit without changing the log message. With this update, you can also use:-
The
--fixup=amend:<commit>
option to change both the message and the content. -
The
--fixup=reword:<commit>
option to update only the commit message.
-
The
-
You can use the new
--reject-shallow
option with thegit clone
command to disable cloning from a shallow repository. -
The
git branch
command now supports the--recurse-submodules
option. You can now use the
git merge-tree
command to:- Test if two branches can merge.
- Compute a tree that would result in the merge commit if the branches were merged.
-
You can use the new
safe.bareRepository
configuration variable to filter out bare repositories.
git-lfs
rebased to version 3.2.0
The Git Large File Storage (LFS)
extension has been updated to version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.13.
Notable changes include:
-
Git LFS
introduces a pure SSH-based transport protocol. -
Git LFS
now provides a merge driver. -
The
git lfs fsck
utility now additionally checks that pointers are canonical and that expected LFS files have the correct format. - Support for the NT LAN Manager (NTLM) authentication protocol has been removed. Use Kerberos or Basic authentication instead.
A new module stream: nginx:1.22
The nginx 1.22
web and proxy server is now available as the nginx:1.22
module stream. This update provides a number of bug fixes, security fixes, new features, and enhancements over the previously released version 1.20.
New features:
nginx
now supports:-
OpenSSL 3.0 and the
SSL_sendfile()
function when using OpenSSL 3.0. - The PCRE2 library.
-
POP3 and IMAP pipelining in the
mail
proxy module.
-
OpenSSL 3.0 and the
-
nginx
now passes theAuth-SSL-Protocol
andAuth-SSL-Cipher
header lines to the mail proxy authentication server.
Enhanced directives:
-
Multiple new directives are now available, such as
ssl_conf_command
andssl_reject_handshake
. -
The
proxy_cookie_flags
directive now supports variables. -
nginx
now supports variables in the following directives:proxy_ssl_certificate
,proxy_ssl_certificate_key
,grpc_ssl_certificate
,grpc_ssl_certificate_key
,uwsgi_ssl_certificate
, anduwsgi_ssl_certificate_key
. -
The
listen
directive in the stream module now supports a newfastopen
parameter, which enablesTCP Fast Open
mode for listening sockets. -
A new
max_errors
directive has been added to themail
proxy module.
Other changes:
nginx
now always returns an error if:-
The
CONNECT
method is used. -
Both
Content-Length
andTransfer-Encoding
headers are specified in the request. - The request header name contains spaces or control characters.
-
The
Host
request header line contains spaces or control characters.
-
The
-
nginx
now blocks all HTTP/1.0 requests that include theTransfer-Encoding
header. -
nginx
now establishes HTTP/2 connections using the Application Layer Protocol Negotiation (ALPN) and no longer supports the Next Protocol Negotiation (NPN) protocol.
To install the nginx:1.22
stream, use:
# dnf module install nginx:1.22
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Bugzilla:2096174
mod_security
rebased to version 2.9.6
The mod_security
module for the Apache HTTP Server has been updated to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously available version 2.9.3.
Notable enhancements include:
-
Adjusted parser activation rules in the
modsecurity.conf-recommended
file. -
Enhancements to the way
mod_security
parses HTTP multipart requests. -
Added a new
MULTIPART_PART_HEADERS
collection. - Added microsec timestamp resolution to the formatted log timestamp.
- Added missing Geo Countries.
New packages: tomcat
RHEL 9.2 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.
Bugzilla:2160511
A new module stream: postgresql:15
RHEL 9.2 introduces PostgreSQL 15
as the postgresql:15
module stream. PostgreSQL 15
provides a number of new features and enhancements over version 13. Notable changes include:
You can now access
PostgreSQL
JSON data by using subscripts. Example query:SELECT ('{ "postgres": { "release": 15 }}'::jsonb)['postgres']['release'];
-
PostgreSQL
now supports multirange data types and extends therange_agg
function to aggregate multirange data types. PostgreSQL
improves monitoring and observability:-
You can now track progress of the
COPY
commands and Write-ahead-log (WAL) activity. -
PostgreSQL
now provides statistics on replication slots. -
By enabling the
compute_query_id
parameter, you can now uniquely track a query through severalPostgreSQL
features, includingpg_stat_activity
orEXPLAIN VERBOSE
.
-
You can now track progress of the
PostgreSQL
improves support for query parallelism by the following:- Improved performance of parallel sequential scans.
-
The ability of SQL Procedural Language (
PL/pgSQL
) to execute parallel queries when using theRETURN QUERY
command. -
Enabled parallelism in the
REFRESH MATERIALIZED VIEW
command.
-
PostgreSQL
now includes the SQL standardMERGE
command. You can useMERGE
to write conditional SQL statements that can include theINSERT
,UPDATE
, andDELETE
actions in a single statement. -
PostgreSQL
provides the following new functions for using regular expressions to inspect strings:regexp_count()
,regexp_instr()
,regexp_like()
, andregexp_substr()
. -
PostgreSQL
adds thesecurity_invoker
parameter, which you can use to query data with the permissions of the view caller, not the view creator. This helps you ensure that view callers have the correct permissions for working with the underlying data. -
PostgreSQL
improves performance, namely in its archiving and backup facilities. -
PostgreSQL
adds support for theLZ4
andZstandard
(zstd
) lossless compression algorithms. -
PostgreSQL
improves its in-memory and on-disk sorting algorithms. -
The updated
postgresql.service
systemd unit file now ensures that thepostgresql
service is started after the network is up.
The following changes are backwards incompatible:
The default permissions of the public schema have been modified. Newly created users need to grant permission explicitly by using the
GRANT ALL ON SCHEMA public TO myuser;
command. For example:postgres=# CREATE USER mydbuser; postgres=# GRANT ALL ON SCHEMA public TO mydbuser; postgres=# \c postgres mydbuser postgres=$ CREATE TABLE mytable (id int);
-
The
libpq
PQsendQuery()
function is no longer supported in pipeline mode. Modify affected applications to use thePQsendQueryParams()
function instead.
See also Using PostgreSQL.
To install the postgresql:15
stream, use:
# dnf module install postgresql:15
If you want to upgrade from an earlier postgresql
stream within RHEL 9, migrate your PostgreSQL
data as described in Migrating to a RHEL 9 version of PostgreSQL.
For information about the length of support for the postgresql
module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
4.12. Compilers and development tools
openblas
rebased to version 0.3.21
The OpenBLAS library has been updated to version 0.3.21. This update includes performance optimalization patches for the IBM POWER10 platform.
Bugzilla:2112099
A new module stream: swig:4.1
RHEL 9.2 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1 as the swig:4.1
module stream available in the CodeReady Linux Builder (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are unsupported.
Compared to SWIG 4.0
released in RHEL 9.0, SWIG 4.1
:
-
Adds support for
Node.js
versions 12 to 18 and removes support forNode.js
versions earlier than 6. -
Adds support for
PHP 8
. -
Handles
PHP
wrapping entirely throughPHP
C API and no longer generates a.php
wrapper by default. -
Supports only
Perl 5.8.0
and later versions. -
Adds support for
Python
versions 3.9 to 3.11. -
Supports only
Python 3.3
and laterPython 3
versions, andPython 2.7
. -
Provides fixes for various memory leaks in
Python
-generated code. - Improves support for the C99, C++11, C++14, and C++17 standards and starts implementing the C++20 standard.
-
Adds support for the C++
std::unique_ptr
pointer class. - Includes several minor improvements in C++ template handling.
- Fixes C++ declaration usage in various cases.
To install the swig:4.1
module stream:
- Enable the CodeReady Linux Builder (CRB) repository.
Install the module stream:
# dnf module install swig:4.1
New package: jmc
in the CRB repository
RHEL 9.2 introduces the JDK Mission Control (JMC) profiler for HotSpot JVMs version 8.2.0, available as the jmc
package in the CodeReady Linux Builder (CRB) repository for the AMD and Intel 64-bit architectures.
To install JMC, you must first enable the CodeReady Linux Builder (CRB) repository.
Note that packages included in the CRB repository are unsupported.
OpenJDK service attributes now available in FIPS mode
Previously, cryptographic services and algorithms available for OpenJDK in FIPS mode were too strictly filtered and resulted in unavailable service attributes. With this enhancement, these service attributes are now available in FIPS mode.
Performance Co-Pilot rebased to version 6.0
Performance Co-Pilot (PCP
) has been updated to version 6.0. Notable improvements include:
Version 3 PCP archive support:
This includes support for instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones support, and 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes.
This feature is currently opt-in via the
PCP_ARCHIVE_VERSION
setting in the/etc/pcp.conf
file.Version 2 archives remain the default.
Only OpenSSL is used throughout PCP. Mozilla NSS/NSPR use has been dropped:
This impacts
libpcp
,PMAPI
clients andPMCD
use of encryption. These elements are now configured and used consistently withpmproxy
HTTPS support andredis-server
, which were both already using OpenSSL.New nanosecond precision timestamp
PMAPI
calls forPCP
library interfaces that make use of timestamps.These are all optional, and full backward compatibility is preserved for existing tools.
The following tools and services have been updated:
pcp2elasticsearch
- Implemented authentication support.
pcp-dstat
-
Implemented support for the
top-alike
plugins. pcp-htop
- Updated to the latest stable upstream release.
pmseries
-
Added
sum
,avg
,stdev
,nth_percentile
,max_inst
,max_sample
,min_inst
andmin_sample
functions. pmdabpf
- Added CO-RE (Compile Once - Run Everywhere) modules and support for AMD64, Intel 64-bit, 64-bit ARM, and IBM Power Systems.
pmdabpftrace
-
Moved example autostart scripts to the
/usr/share
directory. pmdadenki
- Added support for multiple active batteries.
pmdalinux
-
Updates for the latest
/proc/net/netstat
changes. pmdaopenvswitch
- Added additional interface and coverage statistics.
pmproxy
- Request parameters can now be sent in the request body.
pmieconf
-
Added several
pmie
rules for Open vSwitch metrics. pmlogger_farm
- Added a default configuration file for farm loggers.
pmlogger_daily_report
- Some major efficiency improvements.
grafana
rebased to version 9.0.9
The grafana
package has been rebased to version 9.0.9. Notable changes include:
- The time series panel is now the default visualization option, replacing the graph panel
- New heatmap panel
- New Prometheus and Loki query builder
- Updated Grafana Alerting
- Multiple UI/UX and performance improvements
- License changed from Apache 2.0 to GNU Affero General Public License (AGPL)
The following are offered as opt-in experimental features:
- New bar chart panel
- New state timeline panel
- New status history panel
- New histogram panel
For more information, see: What’s new in Grafana v9.0 and What’s new in Grafana v8.0.
Bugzilla:2116847
grafana-pcp
rebased to version 5.1.1
The grafana-pcp
package has been rebased to version 5.1.1. Notable changes include:
- Query editor
- added buttons to disable rate conversion and time utilization conversion.
- Redis
-
removed the deprecated
label_values(metric, label)
function. - Redis
- fixed the network error for metrics with many series (requires Performance Co-Pilot v6+).
- Redis
-
set the
pmproxy
API timeout to 1 minute.
Bugzilla:2116848
Updated GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream
repository.
Notable changes introduced in RHEL 9.2 include:
- The GCC compiler has been updated to version 12.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
-
annobin
has been updated to version 11.08.
The following tools and versions are provided by GCC Toolset 12:
Tool | Version |
---|---|
GCC | 12.2.1 |
GDB | 11.2 |
binutils | 2.38 |
dwz | 0.14 |
annobin | 11.08 |
To install GCC Toolset 12, run the following command as root:
# dnf install gcc-toolset-12
To run a tool from GCC Toolset 12:
$ scl enable gcc-toolset-12 tool
To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:
$ scl enable gcc-toolset-12 bash
For more information, see GCC Toolset 12.
The updated GCC compiler is now available for RHEL 9.2
The system GCC compiler, version 11.3.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.
The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.
For usage information, see Developing C and C++ applications in RHEL 9.
LLVM Toolset rebased to version 15.0.7
LLVM Toolset has been updated to version 15.0.7. Notable changes include:
-
The
-Wimplicit-function-declaration
and-Wimplicit-int
warnings are enabled by default in C99 and newer. These warnings will become errors by default in Clang 16 and beyond.
Rust Toolset rebased to version 1.66.1
Rust Toolset has been updated to version 1.66.1. Notable changes include:
-
The
thread::scope
API creates a lexical scope in which local variables can be safely borrowed by newly spawned threads, and those threads are all guaranteed to exit before the scope ends. -
The
hint::black_box
API adds a barrier to compiler optimization, which is useful for preserving behavior in benchmarks that might otherwise be optimized away. -
The
.await
keyword now makes conversions with theIntoFuture
trait, similar to the relationship betweenfor
andIntoIterator
. - Generic associated types (GATs) allow traits to include type aliases with generic parameters, enabling new abstractions over both types and lifetimes.
-
A new
let
-else
statement allows binding local variables with conditional pattern matching, executing a divergentelse
block when the pattern does not match. -
Labeled blocks allow
break
statements to jump to the end of the block, optionally including an expression value. -
rust-analyzer
is a new implementation of the Language Server Protocol, enabling Rust support in many editors. This replaces the formerrls
package, but you might need to adjust your editor configuration to migrate torust-analyzer
. -
Cargo has a new
cargo remove
subcommand for removing dependencies fromCargo.toml
.
Go Toolset rebased to version 1.19.6
Go Toolset has been updated to version 1.19.6. Notable changes include:
Security fixes to the following packages:
-
crypto/tls
-
mime/multipart
-
net/http
-
path/filepath
-
Bug fixes to:
-
The
go
command - The linker
- The runtime
-
The
crypto/x509
package -
The
net/http
package -
The
time
package
-
The
Bugzilla:2175173
The tzdata
package now includes the /usr/share/zoneinfo/leap-seconds.list
file
Previously, the tzdata
package only shipped the /usr/share/zoneinfo/leapseconds
file. Some applications rely on the alternate format provided by the /usr/share/zoneinfo/leap-seconds.list
file and, as a consequence, would experience errors.
With this update, the tzdata
package now includes both files, supporting applications that rely on either format.
Bugzilla:2157982
4.13. Identity Management
SSSD support for converting home directories to lowercase
With this enhancement, you can now configure SSSD to convert user home directories to lowercase. This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir
option in the [nss]
section of the /etc/sssd/sssd.conf
file now recognizes the %h
template value. If you use %h
as part of the override_homedir
definition, SSSD replaces %h
with the user’s home directory in lowercase.
Jira:RHELPLAN-139430
SSSD now supports changing LDAP user passwords with the shadow
password policy
With this enhancement, if you set ldap_pwd_policy
to shadow
in the /etc/sssd/sssd.conf
file, LDAP users can now change their password stored in LDAP. Previously, password changes were rejected if ldap_pwd_policy
was set to shadow
as it was not clear if the corresponding shadow
LDAP attributes were being updated.
Additionally, if the LDAP server cannot update the shadow
attributes automatically, set the ldap_chpass_update_last_change
option to True
in the /etc/sssd/sssd.conf
file to indicate to SSSD to update the attribute.
Bugzilla:1507035
IdM now supports the min_lifetime
parameter
With this enhancement, the min_lifetime
parameter has been added to the /etc/gssproxy/*.conf
file. The min_lifetime
parameter triggers the renewal of a service ticket in case its remaining lifetime is lower than this value.
By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of losing access in case the KDC is momentarily unavailable, set this value to 60 seconds.
The ipapwpolicy
ansible-freeipa
module now supports new password policy options
With this update, the ipapwpolicy
module included in the ansible-freeipa
package supports additional libpwquality
library options:
maxrepeat
- Specifies the maximum number of the same character in sequence.
maxsequence
- Specifies the maximum length of monotonic character sequences (abcd).
dictcheck
- Checks if the password is a dictionary word.
usercheck
- Checks if the password contains the username.
If any of the new password policy options are set, the minimum length of passwords is 6 characters. The new password policy settings are applied only to new passwords.
In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator do not apply. To ensure consistent behavior, upgrade all servers to RHEL 8.4 and later.
Jira:RHELPLAN-137416
IdM now supports the ipanetgroup
Ansible management module
As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and netgroups. Using the ipanetgroup
ansible-freeipa
module, you can achieve the following:
- You can ensure that an existing IdM netgroup contains specific IdM users, groups, hosts and host groups and nested IdM netgroups.
- You can ensure that specific IdM users, groups, hosts and host groups and nested IdM netgroups are absent from an existing IdM netgroup.
- You can ensure that a specific netgroup is present or absent in IdM.
Jira:RHELPLAN-137411
New ipaclient_configure_dns_resolver
and ipaclient_dns_servers
Ansible ipaclient
role variables specifying the client’s DNS resolver
Previously, when using the ansible-freeipa
ipaclient
role to install an Identity Management (IdM) client, it was not possible to specify the DNS resolver during the installation process. You had to configure the DNS resolver before the installation.
With this enhancement, you can specify the DNS resolver when using the ipaclient
role to install an IdM client with the ipaclient_configure_dns_resolver
and ipaclient_dns_servers
variables. Consequently, the ipaclient
role modifies the resolv.conf
file and the NetworkManager
and systemd-resolved
utilities to configure the DNS resolver on the client in a similar way that the ansible-freeipa
ipaserver
role does on the IdM server. As a result, configuring DNS when using the ipaclient
role to install an IdM client is now more efficient.
Using the ipa-client-install
command-line installer to install an IdM client still requires configuring the DNS resolver before the installation.
Jira:RHELPLAN-137406
Using the ipaclient
role to install an IdM client with an OTP requires no prior modification of the Ansible controller
Previously, the kinit
command on the Ansible controller was a prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible Automation Platform (AAP), where the krb5-workstation
package was not installed by default.
With this update, the request for the administrator’s TGT is now delegated to the first specified or discovered IdM server. As a result, you can now use an OTP to authorize the installation of an IdM client with no additional modification of the Ansible controller. This simplifies using the ipaclient
role with AAP.
Jira:RHELPLAN-137403
IdM now enforces the presence of the MS-PAC structure in Kerberos tickets
Starting with RHEL 9.2, to increase security, Identity Management (IdM) and MIT Kerberos now enforce the presence of the Privilege Attribute Certificate (MS-PAC) structure in the Kerberos tickets issued by the RHEL IdM Kerberos Distribution Center (KDC).
In November 2022, in response to CVE-2022-37967, Microsoft introduced an extended signature that is calculated over the whole MS-PAC structure rather than over the server checksum. Starting with RHEL 9.2, the Kerberos tickets issued by IdM KDC now also contain the extended signature.
The presence of the extended signature is not yet enforced in IdM.
Jira:RHELPLAN-159146
New realm configuration template for KDC enabling FIPS 140-3-compliant key encryption
This update provides a new, EXAMPLE.COM
, example realm configuration in the /var/kerberos/krb5kdc/kdc.conf
file. It brings two changes:
-
The FIPS 140-3-compliant
AES HMAC SHA-2
family is added to the list of supported types for key encryption. -
The encryption type of the KDC master key is switched from
AES 256 HMAC SHA-1
toAES 256 HMAC SHA-384
.
This update is about standalone MIT realms. Do not change the Kerberos Distribution Center (KDC) configuration in RHEL Identity Management.
Using this configuration template is recommended for new realms. The template does not affect any realm already deployed. If you are planning to upgrade the configuration of your realm according to the template, consider the following points:
For upgrading the master key, changing the setting in the KDC configuration is not enough. Follow the process described in the MIT Kerberos documentation: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/database.html#updating-the-master-key
Adding the AES HMAC SHA-2
family to the supported types for key encryption is safe at any point because it does not affect existing entries in the KDC. Keys will be generated only when creating new principals or when renewing credentials. Note that keys of this new type cannot be generated based on existing keys. To make these new encryption types available for a certain principal, its credentials have to be renewed, which means renewing keytabs for service principals too.
The only case where principals should not feature an AES HMAC SHA-2
key is the Active Directory (AD) cross-realm ticket-granting ticket (TGT) ones. Because AD does not implement RFC8009, it does not use the AES HMAC SHA-2
encryption types family. Therefore, a cross-realm TGS-REQ using an AES HMAC SHA-2
-encrypted cross-realm TGT would fail. The best way to keep the MIT Kerberos client from using AES HMAC SHA-2
against AD is to not provide AES HMAC SHA-2
keys for the AD cross-realm principals. To do so, ensure that you create the cross-realm TGT entries with an explicit list of key encryption types that are all supported by AD:
kadmin.local <<EOF add_principal +requires_preauth -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 -pw [password] krbtgt/[MIT realm]@[AD realm] add_principal +requires_preauth -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 -pw [password] krbtgt/[AD realm]@[MIT realm] EOF
To ensure the MIT Kerboros clients use the AES HMAC SHA-2
encryption types, you must also set these encryption types as permitted
in both the client and the KDC configuration. On RHEL, this setting is managed by the crypto-policy system. For example, on RHEL 9, hosts using the DEFAULT
crypto-policy allow AES HMAC SHA-2
and AES HMAC SHA-1
encrypted tickets, while hosts using the FIPS
crypto-policy only accept AES HMAC SHA-2
ones.
Configure pam_pwhistory
using a configuration file
With this update, you can configure the pam_pwhistory
module in the /etc/security/pwhistory.conf
configuration file. The pam_pwhistory
module saves the last password for each user in order to manage password change history. Support has also been added in authselect
which allows you to add the pam_pwhistory
module to the PAM stack.
Bugzilla:2126640, Bugzilla:2142805
IdM now supports new Active Directory certificate mapping templates
Active Directory (AD) domain administrators can manually map certificates to a user in AD using the altSecurityIdentities
attribute. There are six supported values for this attribute, though three mappings are now considered insecure. As part of May 10,2022 security update, once this update is installed on a domain controller, all devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication occurs as expected but a warning message is logged identifying the certificates that are not compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be updated to full enforcement mode and if a certificate fails the strong mapping criteria, authentication will be denied.
IdM now supports the new mapping templates, making it easier for an AD administrator to use the new rules and not maintain both. IdM now supports the following new mapping templates :
-
Serial Number:
LDAPU1:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<SR>{serial_number!hex_ur})
-
Subject Key Id:
LDAPU1:(altSecurityIdentities=X509:<SKI>{subject_key_id!hex_u})
-
User SID:
LDAPU1:(objectsid={sid})
If you do not want to reissue certificates with the new SID extension, you can create a manual mapping by adding the appropriate mapping string to a user’s altSecurityIdentities
attribute in AD.
samba
rebased to version 4.17.5
The samba
packages have been upgraded to upstream version 4.17.5, which provides bug fixes and enhancements over the previous version. The most notable changes:
- Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high meta data workloads. This update improves he performance in this scenario.
-
The
--json
option was added to thesmbstatus
utility to display detailed status information in JSON format. -
The
samba.smb.conf
andsamba.samba3.smb.conf
modules have been added to thesmbconf
Python API. You can use them in Python programs to read and, optionally, write the Samba configuration natively.
Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
For further information about notable changes, read the upstream release notes before updating.
ipa-client-install
now supports authentication with PKINIT
Previously, the ipa-client-install
supported only password based authentication. This update provides support to ipa-client-install
for authentication with PKINIT.
For example:
ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem
To use the PKINIT authentication, you must establish trust between IdM and the CA chain of the PKINIT certificate. For more information see the ipa-cacert-manage(1)
man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host to a principal that has permission to add or modify a host record. For more information see the ipa certmaprule-add
man page.
Red Hat IdM and Certificate System now support the EST protocol
Enrollment over Secure Transport (EST) is a new Certificate System subsystem feature that is specified in RFC 7030 and it is used to provision certificates from a Certificate Authority (CA). EST implements the server side of the operation, such as /getcacerts
, /simpleenroll
, and /simplereenroll
.
Note that Red Hat supports both EST and the original Simple Certificate Enrollment Protocol (SCEP) in Certificate System.
Enhance negative cache usage
This update improves the SSSD performance for lookups by Security Identifier (SID). It now stores non-existing SIDs in the negative cache for individual domains and requests the domain that the SID belongs to.
Directory server now supports ECDSA private keys for TLS
Previously, you could not use cryptographic algorithms that are stronger than RSA to secure Directory Server connections. With this enhancement, Directory Server now supports both ECDSA and RSA keys.
Directory Server now supports extended logging of search operations
Previously, records in the access log did not show why some search operations had a very big etime
value. With this release, you can enable logging of statistics such as a number of index lookups (database read operations) and overall duration of index lookups per each search operation. These statistical records can help to analyze why the etime
value can be so resource expensive.
Bugzilla:1859271
The NUNC_STANS error logging level was replaced by the new 1048576
logging level
Previously, you could not easily debug password policy issues. With the new 1048576
logging level for the error log, you can now check the following password policy information:
- Which local policy rejects or allows a password update.
- The exact syntax violation.
Directory Server introduces the security log
To properly track issues over time, Directory Server now has a specialized log that maintains security data. The security log does not rotate quickly and consumes less disk resources in comparison to the access log that has all the information, but requires expensive parsing to get the security data.
The new server log records security events such as authentication events, authorization issues, DoS/TCP attacks, and other events.
Directory Server stores the security log in the /var/log/dirsrv/slapd-instance_name/
directory along with other log files.
Directory Server now can compress archived log files
Previously, archived log files were not compressed. With this release, you can enable access, error, audit, audit fail log, security log files compression to save disk space. Note that only security log file compression is enabled by default.
Use the following new configuration attributes in the cn=config
entry to manage the compression:
-
nsslapd-accesslog-compress
for the access log -
nsslapd-errorlog-compress
for the error log -
nsslapd-auditlog-compress
for the audit log -
nsslapd-auditfaillog-compress
for the audit fail log -
nsslapd-securelog-compress
for the security log
Bugzilla:1132524
New pamModuleIsThreadSafe
configuration option is now available
When a PAM module is thread-safe, you can improve the PAM authentication throughput and response time of that specific module, by setting the new pamModuleIsThreadSafe
configuration option to yes
:
pamModuleIsThreadSafe: yes
This configuration applies on the PAM module configuration entry (child of cn=PAM Pass Through Auth,cn=plugins,cn=config
).
Use pamModuleIsThreadSafe
option in the dse.ldif
configuration file or the ldapmodify
command. Note that the ldapmodify
command requires you to restart the server.
Directory Server can now import a certificate bundle
Previously, when you tried to add a certificate bundle by using the dsconf
or dsctl
utility, the procedure failed with an error, and the certificate bundle was not imported. Such behavior was caused by the certutil
utility that could import only one certificate at a time. With this update, Directory Server works around the issue with the certutil
, and a certificate bundle is added successfully.
Default behavior change: Directory Server now returns a DN in exactly the same spelling as it was added to the database
With the new nsslapd-return-original-entrydn
parameter under the cn=config
entry, you can manage how Directory Server returns the distinguished name (DN) of entries during search operations.
By default, the nsslapd-return-original-entrydn
parameter is set to on
, and Directory Server returns the DN exactly how it was originally added to the database. For example, you added or modified the entry uid=User,ou=PEople,dc=ExaMPlE,DC=COM
, and with the setting turned on, Directory Server returns the same spelling of the DN for the entry: uid=User,ou=PEople,dc=ExaMPlE,DC=COM
.
When the nsslapd-return-original-entrydn
parameter is set to off
, Directory Server generates the entry DN by putting together a Relative DN (RDN) of the entry and the base DN that is stored in the database suffix configuration under cn=userroot,cn=ldbm database,cn=plugins,cn=config
. If you set the base DN to ou=people,dc=example,dc=com
, and the nsslapd-return-original-entrydn
setting is off
, Directory Server returns uid=User,ou=people,dc=example,dc=com
during searches and not the spelling of the DN when you added the entry to the database.
MIT Kerberos supports the Ticket and Extended KDC MS-PAC signatures
With this update, MIT Kerberos, which is used by Red Hat, implements support for two types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to recent CVEs. Specifically, the following signatures are supported:
Ticket signature
- Released in KB4598347
- Addressing CVE-2020-17049, also known as the "Bronze-Bit" attack
Extended KDC signature
- Released in KB5020805
- Addressing CVE-2022-37967
See also RHSA-2023:2570 and krb5-1.20.1-6.el9
.
New nsslapd-auditlog-display-attrs
configuration parameter for the Directory Server audit log
Previously, the distinguished name (DN) was the only way to identify the target entry in the audit log event. With the new nsslapd-auditlog-display-attrs
parameter, you can configure Directory Server to display additional attributes in the audit log, providing more details about the modified entry..
For example, if you set the nsslapd-auditlog-display-attrs
parameter to cn
, the audit log displays the entry cn
attribute in the output. To include all attributes of a modified entry, use an asterisk (*
) as the parameter value.
For more information, see nsslapd-auditlog-display-attrs.
4.14. Desktop
Disable swipe to switch workspaces
Previously, swiping up or down with three fingers always switched the workspace on a touch screen. With this release, you can disable the workspace switching.
For details, see Disabling swipe to switch workspaces.
Wayland is now enabled on Aspeed GPUs
Previously, the Aspeed GPU driver did not perform well enough to run a Wayland session. To work around that problem, the Wayland session was disabled for Aspeed GPUs.
With this release, the driver performance has been significantly improved and the Wayland session is now responsive. As a result, the Wayland session is now enabled on Aspeed GPUs by default.
Custom right-click menu on the desktop
You can now customize the menu that opens when you right-click the desktop background. You can create custom entries in the menu that run arbitrary commands.
To customize the menu, see Customizing the right-click menu on the desktop.
4.15. The web console
Certain cryptographic subpolicies are now available in the web console
This update of the RHEL web console extends the options in the Change crypto policy
dialog. Besides the four system-wide cryptographic policies, you can also apply the following subpolicies through the graphical interface now:
-
DEFAULT:SHA1
is theDEFAULT
policy with theSHA-1
algorithm enabled. -
LEGACY:AD-SUPPORT
is theLEGACY
policy with less secure settings that improve interoperability for Active Directory services. -
FIPS:OSPP
is theFIPS
policy with further restrictions inspired by the Common Criteria for Information Technology Security Evaluation standard.
Jira:RHELPLAN-137505
The web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE
With this update, the RHEL web console performs additional steps required for binding LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1
parameter to the kernel command line, installing the clevis-dracut
package, and regenerating an initial ramdisk (initrd
). For non-root file systems, the web console now enables the remote-cryptsetup.target
and clevis-luks-akspass.path
systemd
units, installs the clevis-systemd
package, and adds the _netdev
parameter to the fstab
and crypttab
configuration files. As a result, you can now use the graphical interface for all Clevis-client configuration steps when creating NBDE deployments for automated unlocking of LUKS-encrypted root volumes.
Jira:RHELPLAN-139125
4.16. Red Hat Enterprise Linux system roles
Routing rule is able to look up a route table by its name
With this update, the rhel-system-roles.network
RHEL system role supports looking up a route table by its name when you define a routing rule. This feature provides quick navigation for complex network configurations where you need to have different routing rules for different network segments.
The network
system role supports setting a DNS priority value
This enhancement adds the dns_priority
parameter to the RHEL network
system role. You can set this parameter to a value from -2147483648
to 2147483647
. The default value is 0
. Lower values have a higher priority. Note that negative values cause the system role to exclude other configurations with a greater numeric priority value. Consequently, in presence of at least one negative priority value, the system role uses only DNS servers from connection profiles with the lowest priority value.
As a result, you can use the network
system role to define the order of DNS servers in different connection profiles.
New IPsec customization parameters for the vpn
RHEL system role
Because certain network devices require IPsec customization to work correctly, the following parameters have been added to the vpn
RHEL system role:
Do not change the following parameters without advanced knowledge. Most scenarios do not require their customization.
Furthermore, for security reasons, encrypt a value of the shared_key_content
parameter by using Ansible Vault.
Tunnel parameters:
-
shared_key_content
-
ike
-
esp
-
ikelifetime
-
salifetime
-
retransmit_timeout
-
dpddelay
-
dpdtimeout
-
dpdaction
-
leftupdown
-
Per-host parameters:
-
leftid
-
rightid
-
As a result, you can use the vpn
role to configure IPsec connectivity to a wide range of network devices.
The selinux
RHEL system role now supports the local
parameter
This update of the selinux
RHEL system role introduces support for the local
parameter. By using this parameter, you can remove only your local policy modifications and preserve the built-in SELinux policy.
The ha_cluster
system role now supports automated execution of the firewall
, selinux
, and certificate
system roles
The ha_cluster RHEL system role now supports the following features:
- Using the
firewall
andselinux
system roles to manage port access -
To configure the ports of a cluster to run the
firewalld
andselinux
services, you can set the new role variablesha_cluster_manage_firewall
andha_cluster_manage_selinux
totrue
. This configures the cluster to use thefirewall
andselinux
system roles, automating and performing these operations within theha_cluster
system role. If these variables are set to their default value offalse
, the roles are not performed. With this release, the firewall is no longer configured by default, because it is configured only whenha_cluster_manage_firewall
is set totrue
. - Using the
certificate
system role to create apcsd
private key and certificate pair -
The
ha_cluster
system role now supports theha_cluster_pcsd_certificates
role variable. Setting this variable passes on its value to thecertificate_requests
variable of thecertificate
system role. This provides an alternative method for creating the private key and certificate pair forpcsd
.
The postfix
RHEL system role can now use the firewall
and selinux
RHEL system roles to manage port access
With this enhancement, you can automate managing port access by using the new role variables postfix_manage_firewall
and postfix_manage_selinux
:
-
If they are set to
true
, each role is used to manage the port access. -
If they are set to
false
, which is default, the roles do not engage.
The vpn
RHEL system role can now use the firewall
and selinux
roles to manage port access
With this enhancement, you can automate managing port access in the vpn
RHEL system role through the firewall
and selinux
roles. If you set the new role variables vpn_manage_firewall
and vpn_manage_selinux
to true
, the roles manage port access.
The logging
RHEL system role now supports port access and generation of the certificates
With this enhancement, you can use the logging role to manage ports access and generate certificates with new role variables. If you set the new role variables logging_manage_firewall
and logging_manage_selinux
to true
, the roles manage port access. The new role variable for generating certificates is logging_certificates
. The type and usage are the same as the certificate
role certificate_requests
. You can now automate these operations directly by using the logging
role.
The metrics
RHEL system role now can use the firewall
role and the selinux
role to manage port access
With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall
and metrics_manage_firewall
to true
, the roles manage port access. You can now automate and perform these operations directly by using the metrics
role.
The nbde_server
RHEL system role now can use the firewall
and selinux
roles to manage port access
With this enhancement, you can use the firewall
and selinux
roles to manage ports access. If you set the new role variables nbde_server_manage_firewall
and nbde_server_manage_selinux
to true
, the roles manage port access. You can now automate these operations directly by using the nbde_server
role.
The initscripts
network provider supports route metric configuration of the default gateway
With this update, you can use the initscripts
network provider in the rhel-system-roles.network
RHEL system role to configure the route metric of the default gateway.
The reasons for such a configuration could be:
- Distributing the traffic load across the different paths
- Specifying primary routes and backup routes
- Leveraging routing policies to send traffic to specific destinations through specific paths
The cockpit
RHEL system role integration with the firewall
, selinux
, and certificate
roles
This enhancement enables you to integrate the cockpit
role with the firewall
role and the selinux
role to manage port access and the certificate
role to generate certificates.
To control the port access, use the new cockpit_manage_firewall
and cockpit_manage_selinux
variables. Both variables are set to false
by default and are not executed. Set them to true
to allow the firewall
and selinux
roles to manage the RHEL web console service port access. The operations will then be executed within the cockpit
role.
Note that you are responsible for managing port access for firewall and SELinux.
To generate certificates, use the new cockpit_certificates
variable. The variable is set to false
by default and is not executed. You can use this variable the same way you would use the certificate_request
variable in the certificate
role. The cockpit
role will then use the certificate
role to manage the RHEL web console certificates.
New RHEL system role for direct integration with Active Directory
The new rhel-system-roles.ad_integration
RHEL system role was added to the rhel-system-roles
package. As a result, administrators can now automate direct integration of a RHEL system with an Active Directory domain.
New Ansible Role for Red Hat Insights and subscription management
The rhel-system-roles
package now includes the remote host configuration (rhc
) system role. This role enables administrators to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. By default, when you register a system by using the rhc
system role, the system connects to Red Hat Insights. With the new rhc
system role, administrators can now automate the following tasks on the managed nodes:
- Configure the connection to Red Hat Insights, including automatic update, remediations, and tags for the system.
- Enable and disable repositories.
- Configure the proxy to use for the connection.
- Set the release of the system.
For more information about how to automate these tasks, see Using the RHC system role to register the system.
Added support for the cloned MAC address
Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC address of the machine. With this update, users can specify the bonding or bridge interface with the MAC address or the strategy such as random
or preserve
to get the default MAC address for the bonding or bridge interface.
Microsoft SQL Server Ansible role supports asynchronous high availability replicas
Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness high availability replicas. Now, you can set the mssql_ha_replica_type
variable to asynchronous
to configure it with asynchronous replica type for a new or existing replica.
Microsoft SQL Server Ansible role supports the read-scale cluster type
Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can configure the role with a new variable mssql_ha_ag_cluster_type
. The default value is external
, use it to configure the cluster with Pacemaker. To configure the cluster without Pacemaker, use the value none
for that variable.
Microsoft SQL Server Ansible role can generate TLS certificates
Previously, you needed to generate a TLS certificate and a private key on the nodes manually before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server Ansible role can use the redhat.rhel_system_roles.certificate
role for that purpose. Now, you can set the mssql_tls_certificates
variable in the format of the certificate_requests
variable of the certificate
role to generate a TLS certificate and a private key on the node.
Microsoft SQL Server Ansible role supports configuring SQL Server version 2022
Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and version 2019. This update provides you with the support for SQL Server version 2022 for Microsoft SQL Ansible role. Now, you can set mssql_version
value to 2022
for configuring a new SQL Server 2022 or upgrading SQL Server from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to version 2022 is unavailable.
Microsoft SQL Server Ansible role supports configuration of the Active Directory authentication
With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory authentication for an SQL Server. Now, you can configure the Active Directory authentication by setting variables with the mssql_ad_
prefix.
The journald
RHEL system role is now available
The journald
service collects and stores log data in a centralized database. With this enhancement, you can use the journald
system role variables to automate the configuration of the systemd
journal, and configure persistent logging by using the Red Hat Ansible Automation Platform.
The ha_cluster
system role now supports quorum device configuration
A quorum device acts as a third-party arbitration device for a cluster. A quorum device is recommended for clusters with an even number of nodes. With two-node clusters, the use of a quorum device can better determine which node survives in a split-brain situation. You can now configure a quorum device with the ha_cluster
system role, both qdevice
for a cluster and qnetd
for an arbitration node.
4.17. Virtualization
Hardware cryptographic devices can now be automatically hot-plugged
Previously, it was only possible to define cryptographic devices for passthrough if they were present on the host before the mediated device was started. Now, you can define a mediated device matrix that lists all the cryptographic devices that you want to pass through to your virtual machine (VM). As a result, the specified cryptographic devices are automatically passed through to the running VM if they become available later. Also, if the devices become unavailable, they are removed from the VM, but the guest operating system keeps running normally.
Bugzilla:1871126
Improved performance for PCI passthrough devices on IBM Z
With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual machines (VMs) on IBM Z hosts now have significantly better performance.
In addition, ISM devices can now be assigned to VMs on IBM Z hosts.
Bugzilla:1871143
New package: passt
This update adds the passt
package, which makes it possible to use the passt
user-mode networking back end for virtual machines.
For more information on using passt
, see Configuring the passt user-space connection.
Bugzilla:2131015
zPCI device assignment
It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in VMs.
Jira:RHELPLAN-59528
New package: python-virt-firmware
This update adds the python-virt-firmware
package, which contains tools for handling Open Virtual Machine Firmware (OVMF) firmware images. You can use these tools for example for the following:
- Printing the content of firmware images
-
Updating the
edk2
variables store - Handling secure boot key enrolment without booting up the virtual machine in QEMU
As a result, these make it easier to build OVMF images.
Bugzilla:2089785
4.18. Supportability
The sos
utility is moving to a 4-week update cadence
Instead of releasing sos
updates with RHEL minor releases, the sos
utility release cadence is changing from 6 months to 4 weeks. You can find details about the updates for the sos
package in the RPM changelog every 4 weeks or you can read a summary of sos
updates in the RHEL Release Notes every 6 months.
The sos clean
command now obfuscates IPv6 addresses
Previously, the sos clean
command did not obfuscate IPv6 addresses, leaving some customer-sensitive data in the collected sos
report. With this update, sos clean
detects and obfuscates IPv6 addresses as expected.
4.19. Containers
New podman
RHEL System Role is now available
Beginning with Podman 4.2, you can use the podman
System Role to manage Podman configuration, containers, and systemd
services that run Podman containers.
Jira:RHELPLAN-118705
Podman now supports events for auditing
Beginning with Podman v4.4, you can gather all relevant information about a container directly from a single event and journald
entry. To enable Podman auditing, modify the container.conf
configuration file and add the events_container_create_inspect_data=true
option to the [engine]
section. The data is in JSON format, the same as from the podman container inspect
command. For more information, see How to use new container events and auditing features in Podman 4.4.
Jira:RHELPLAN-136602
The container-tools
meta-package has been updated
The container-tools
RPM meta-package, which contains the Podman, Buildah, Skopeo, crun and runc tools are now available. This update applies a series of bug fixes and enhancements over the previous version.
Notable changes in Podman v4.4 include:
- Introduce Quadlet, a new systemd-generator that easily creates and maintains systemd services using Podman.
-
A new command,
podman network update
, has been added, which updates networks for containers and pods. -
A new command,
podman buildx version
, has been added, which shows the buildah version. - Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
-
Support a custom DNS server selection using the
podman --dns
command. - Creating and verifying sigstore signatures using Fulcio and Rekor is now available.
- Improved compatibility with Docker (new options and aliases).
-
Improved Podman’s Kubernetes integration - the commands
podman kube generate
andpodman kube play
are now available and replace thepodman generate kube
andpodman play kube
commands. Thepodman generate kube
andpodman play kube
commands are still available but it is recommended to use the newpodman kube
commands. -
Systemd-managed pods created by the
podman kube play
command now integrate with sd-notify, using theio.containers.sdnotify
annotation (orio.containers.sdnotify/$name
for specific containers). -
Systemd-managed pods created by
podman kube play
can now be auto-updated, using theio.containers.auto-update
annotation (orio.containers.auto-update/$name
for specific containers).
Podman has been upgraded to version 4.4, for further information about notable changes, see upstream release notes.
Jira:RHELPLAN-136607
Aardvark and Netavark now support custom DNS server selection
The Aardvark and Netavark network stack now support custom DNS server selection for containers instead of the default DNS servers on the host. You have two options for specifying the custom DNS server:
-
Add the
dns_servers
field in thecontainers.conf
configuration file. -
Use the new
--dns
Podman option to specify an IP address of the DNS server.
The --dns
option overrides the values in the container.conf
file.
Jira:RHELPLAN-138024
Skopeo now supports generating sigstore key pairs
You can use the skopeo generate-sigstore-key
command to generate a sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key
man page.
Jira:RHELPLAN-151481
Toolbox is now available
With the toolbox
utility, you can use the containerized command-line environment without installing troubleshooting tools directly on your system. Toolbox is built on top of Podman and other standard container technologies from OCI. For more information, see toolbx.
Jira:RHELPLAN-150266
Container images now have a two-digit tag
In RHEL 9.0 and RHEL 9.1, container images had a three-digit tag. Starting from RHEL 9.2, container images now have a two-digit tag.
Jira:RHELPLAN-147982
The capability for multiple trusted GPG keys for signing images is available
The /etc/containers/policy.json
file supports a new keyPaths
field which accepts a list of files containing the trusted keys. Because of this, the container images signed with Red Hat’s General Availability and Beta GPG keys are now accepted in the default configuration.
For example:
"registry.redhat.io": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"] } ]
Jira:RHELPLAN-129327
Podman now supports the pre-execution hooks
The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks
and /etc/containers/pre-exec-hooks
directories define a fine-control over container operations, especially blocking unauthorized actions.
The /etc/containers/podman_preexec_hooks.txt
file must be created by an administrator and can be empty. If /etc/containers/podman_preexec_hooks.txt
does not exist, the plugin scripts will not be executed. If all plugin scripts return zero value, then the podman
command is executed, otherwise, the podman
command exits with the inherited exit code.
Red Hat recommends using the following naming convention to execute the scripts in the correct order: DDD-plugin_name.lang
, for example 010-check-group.py
. Note that the plugin scripts are valid at the time of creation. Containers created before plugin scripts are not affected.
Bugzilla:2119200
The sigstore signatures are now available
Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The sigstore signatures are stored in the container registry together with the container image without the need to have a separate signature server to store image signatures.
Jira:RHELPLAN-74672
Toolbox can create RHEL 9 containers
Previously, the Toolbox utility only supported RHEL UBI 8 images. With this release, Toolbox now also supports RHEL UBI 9. As a result, you can create a Toolbox container based on RHEL 8 or 9.
The following command creates a RHEL container based on the same RHEL release as your host system:
$ toolbox create
Alternatively, you can create a container with a specific RHEL release. For example, to create a container based on RHEL 9.2, use the following command:
$ toolbox create --distro rhel --release 9.2
New package: passt
This update adds the passt
package, which makes it possible to use the pasta
rootless networking back end for containers.
In comparison to the Slirp
connection, which is currently used as default for unprivileged networking by Podman, pasta
provides the following enhancements:
- Improved throughput and better support for IPv6, which includes support for the Neighbor Discovery Protocol (NDP) and for DHCPv6
- The ability to configure port forwarding of TCP and UDP ports on IPv6
To use pasta
to connect a Podman container, use the --network pasta
command-line option.