Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.4.
4.1. Installer and image creation
Support to add customized files for SCAP security profile to a blueprint
With this enhancement, you can now add customized tailoring options for a profile to the osbuild-composer blueprint customizations by using the following options:
- selected for the list of rules that you want to add
- unselected for the list of rules that you want to remove
With the default org.ssgproject.content rule namespace, you can omit the prefix for rules under this namespace. For example, org.ssgproject.content_grub2_password and grub2_password are functionally equivalent.
When you build an image from that blueprint, it creates a tailoring file with a new tailoring profile ID and saves it to the image as /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml. The new profile ID has _osbuild_tailoring appended as a suffix to the base profile ID. For example, if you use the cis base profile, the tailored profile ID is xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring.
Jira:RHELDOCS-17792[1]
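The rule-name equivalence and the profile ID suffix described above, as an added example that is not osbuild-composer's own code: it normalizes selected and unselected rule names, rejects a blueprint that lists the same rule in both, derives the tailored profile ID, and renders the blueprint fragment. The section names [customizations.openscap] and [customizations.openscap.tailoring], the datastream path and the sample rule name are assumptions, not values from this page.

```python
# Added example, not osbuild-composer's own code: a model of the OpenSCAP
# tailoring customization. The blueprint section names and the datastream path
# used in the sample are assumptions, not taken from the release note.

DEFAULT_NAMESPACE = "org.ssgproject.content"
TAILORING_FILE = "/usr/share/xml/osbuild-oscap-tailoring/tailoring.xml"


def canonical_rule(rule: str, namespace: str = DEFAULT_NAMESPACE) -> str:
    """Return the full rule ID. A bare name such as grub2_password gets the
    default namespace prefix; an already prefixed name is returned unchanged,
    so both spellings compare equal."""
    prefix = namespace + "_"
    return rule if rule.startswith(prefix) else prefix + rule


def tailored_profile_id(base_profile: str, namespace: str = DEFAULT_NAMESPACE) -> str:
    """Profile ID that the image build writes into the tailoring file: the base
    profile ID with _osbuild_tailoring appended."""
    return f"xccdf_{namespace}_profile_{base_profile}_osbuild_tailoring"


def build_tailoring(base_profile, selected, unselected):
    """Normalise both rule lists and reject a blueprint that lists the same rule
    (in either spelling) as both selected and unselected."""
    sel = {canonical_rule(r) for r in selected}
    unsel = {canonical_rule(r) for r in unselected}
    conflicts = sel & unsel
    if conflicts:
        raise ValueError(f"rules listed as both selected and unselected: {sorted(conflicts)}")
    return {
        "profile_id": base_profile,
        "selected": sorted(sel),
        "unselected": sorted(unsel),
        "tailored_profile_id": tailored_profile_id(base_profile),
        "tailoring_file": TAILORING_FILE,
    }


def render_blueprint_fragment(base_profile, datastream, selected, unselected) -> str:
    """Render the blueprint TOML fragment after validating the rule lists.
    Rule names are written as given, because the builder accepts both forms."""
    build_tailoring(base_profile, selected, unselected)

    def toml_list(items):
        return "[" + ", ".join(f'"{item}"' for item in items) + "]"

    return "\n".join([
        "[customizations.openscap]",
        f'datastream = "{datastream}"',
        f'profile_id = "{base_profile}"',
        "",
        "[customizations.openscap.tailoring]",
        f"selected = {toml_list(selected)}",
        f"unselected = {toml_list(unselected)}",
    ])


if __name__ == "__main__":
    # Constructed sample: tighten the cis profile with one extra rule and drop
    # the GRUB password rule; rule name and datastream path are assumed values.
    print(render_blueprint_fragment(
        "cis",
        "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml",
        selected=["org.ssgproject.content_sshd_set_keepalive"],
        unselected=["grub2_password"],
    ))
    print("tailored profile:", tailored_profile_id("cis"))
```

The conflict check is the part worth keeping in a real pipeline: a rule that is both selected and unselected in the two spellings is easy to miss by eye, and the tailoring result would depend on which list the tool honours last.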
Minimal RHEL installation now installs only the s390utils-core package
In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.
Bugzilla:1932480[1]
4.2. Security
Keylime verifier and registrar containers available
You can now configure Keylime server components, the verifier and registrar, as containers. When configured to run inside a container, the Keylime registrar monitors the tenant systems from the container without any binaries on the host. The container deployment provides better isolation, modularity, and reproducibility of Keylime components.
Jira:RHELDOCS-16721[1]
libkcapi now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:
$ sha256hmac -c <hmac_file> -T <target_file>
Jira:RHEL-15298[1]
Finer control over MACs in SSH with crypto-policies
You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (crypto-policies). With this update, the crypto-policies option ssh_etm has been converted into a tri-state etm@SSH option. The previous ssh_etm option has been deprecated.
You can now set ssh_etm to one of the following values:
- ANY - Allows both encrypt-then-mac and encrypt-and-mac MACs.
- DISABLE_ETM - Disallows encrypt-then-mac MACs.
- DISABLE_NON_ETM - Disallows MACs that do not use encrypt-then-mac.
Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption.
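The three values and the AEAD exception described above, as an added example that is not crypto-policies or OpenSSH code: it applies each mode to the MAC list of a server and shows which ciphers still have a MAC to pair with. The sshd dump is a constructed sample in the shape of sshd -T output (real OpenSSH algorithm names), and the "option = value" line produced by policy_module_text() is an assumption about the custom policy module syntax.

```python
# Added example, not crypto-policies or OpenSSH code: a model of the tri-state
# etm@SSH option applied to MAC and cipher lists.

ETM_SUFFIX = "-etm@openssh.com"  # OpenSSH names its encrypt-then-MAC variants this way
MODES = ("ANY", "DISABLE_ETM", "DISABLE_NON_ETM")

# AEAD ciphers carry an implicit MAC, so they are allowed in every mode.
AEAD_CIPHERS = {
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
}

# Constructed sample in the shape of `sshd -T` output (lowercase keyword, then value).
SSHD_DUMP = """\
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com
"""


def option_list(dump: str, keyword: str) -> list:
    """Return the comma-separated value of one keyword from sshd -T style output."""
    for line in dump.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == keyword:
            return value.split(",") if value else []
    return []


def is_etm(mac: str) -> bool:
    return mac.endswith(ETM_SUFFIX)


def filter_macs(macs, mode: str) -> list:
    """Apply the tri-state option to a MAC list, preserving order."""
    if mode not in MODES:
        raise ValueError(f"etm@SSH must be one of {MODES}, got {mode!r}")
    if mode == "ANY":
        return list(macs)
    if mode == "DISABLE_ETM":
        return [m for m in macs if not is_etm(m)]
    return [m for m in macs if is_etm(m)]  # DISABLE_NON_ETM


def usable_ciphers(ciphers, macs, mode: str) -> list:
    """Ciphers that still have a MAC to pair with: AEAD ciphers always qualify,
    other ciphers only when at least one MAC survives the policy."""
    remaining = filter_macs(macs, mode)
    return [c for c in ciphers if c in AEAD_CIPHERS or remaining]


def policy_module_text(mode: str) -> str:
    """Line for a custom crypto-policies module selecting the mode (assumed syntax)."""
    if mode not in MODES:
        raise ValueError(mode)
    return f"etm@SSH = {mode}\n"


def report(dump: str, mode: str) -> dict:
    """Summarise what a policy change would keep and drop for a given sshd dump."""
    macs = option_list(dump, "macs")
    ciphers = option_list(dump, "ciphers")
    kept = filter_macs(macs, mode)
    return {
        "mode": mode,
        "macs_kept": kept,
        "macs_dropped": [m for m in macs if m not in kept],
        "ciphers_usable": usable_ciphers(ciphers, macs, mode),
    }


if __name__ == "__main__":
    for mode in MODES:
        print(report(SSHD_DUMP, mode))
```

Running report() against a real sshd -T dump before switching the policy shows whether a client population that only offers encrypt-and-mac MACs and non-AEAD ciphers would lose the ability to connect under DISABLE_NON_ETM.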
The semanage fcontext command no longer reorders local modifications
The semanage fcontext -l -C command lists local file context modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local file from the most recent entry to the oldest. Previously, semanage fcontext -l -C listed the entries in an incorrect order. This mismatch between processing order and listing order caused problems when managing SELinux rules. With this update, semanage fcontext -l -C displays the rules in the correct and expected order, from the oldest to the newest.
Jira:RHEL-24462[1]
Additional services confined in the SELinux policy
This update adds additional rules to the SELinux policy that confine the following systemd services:
- nvme-stas
- rust-afterburn
- rust-coreos-installer
- bootc
As a result, these services do not run with the unconfined_service_t SELinux label anymore, and run successfully in SELinux enforcing mode.
Jira:RHEL-12591[1]
New SELinux policy module for the SAP HANA service
This update adds additional rules to the SELinux policy for the SAP HANA service. As a result, the service now runs successfully in SELinux enforcing mode in the sap_unconfined_t domain.
The glusterd SELinux module moved to a separate glusterfs-selinux package
With this update, the glusterd SELinux module is maintained in the separate glusterfs-selinux package. The module is therefore no longer part of the selinux-policy package. For any actions that concern the glusterd module, install and use the glusterfs-selinux package.
The fips.so library for OpenSSL provided as a separate package
OpenSSL uses the fips.so shared library as a FIPS provider. With this update, the latest version of fips.so submitted to the National Institute of Standards and Technology (NIST) for certification is in a separate package to ensure that future versions of OpenSSL use certified code or code undergoing certification.
Jira:RHEL-23474[1]
The chronyd-restricted service is confined by the SELinux policy
This update adds additional rules to the SELinux policy that confine the new chronyd-restricted service. As a result, the service now runs successfully in SELinux.
OpenSSL adds a drop-in directory for provider configuration
The OpenSSL TLS toolkit supports provider APIs for installation and configuration of modules that provide cryptographic algorithms. With this update, you can place provider-specific configuration in separate .conf files in the /etc/pki/tls/openssl.d directory without modifying the main OpenSSL configuration file.
SELinux user-space components rebased to 3.6
The SELinux user-space components libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans library packages have been rebased to 3.6. This version provides various bug fixes, optimizations and enhancements, most notably:
- Added support for deny rules in CIL.
- Added support for notself and other keywords in CIL.
- Added the getpolicyload binary that prints the number of policy reloads performed on the current system.
GnuTLS rebased to 3.8.3
The GnuTLS package has been rebased to upstream version 3.8.3. This version provides various bug fixes and enhancements, most notably:
- The gnutls_hkdf_expand function now accepts only arguments with lengths less than or equal to 255 times the hash digest size, to comply with RFC 5869 2.3.
- The length limit for TLS PSK usernames has been increased to 65535 characters.
- The gnutls_session_channel_binding API function performs additional checks when GNUTLS_CB_TLS_EXPORTER is requested, according to RFC 9622 4.2.
- The GNUTLS_NO_STATUS_REQUEST flag and the %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension on the client side.
- GnuTLS now checks that the contents of the Change Cipher Spec message equal 1 when the TLS version is older than 1.3.
- ClientHello extensions order is randomized by default.
- GnuTLS now supports EdDSA key generation on PKCS #11 tokens, which previously did not work.
Jira:RHEL-14891[1]
nettle rebased to 3.9.1
The nettle library package has been rebased to 3.9.1. This version provides various bug fixes, optimizations and enhancements, most notably:
- Added balloon password hashing
- Added SIV-GCM authenticated encryption mode
- Added Offset Codebook Mode authenticated encryption mode
- Improved performance of the SHA-256 hash function on 64-bit IBM Z, AMD and Intel 64-bit architectures
- Improved performance of the Poly1305 hash function on IBM Power Systems, Little Endian, AMD and Intel 64-bit architectures
Jira:RHEL-14890[1]
p11-kit rebased to 0.25.3
The p11-kit packages have been updated to upstream version 0.25.3. The packages contain the p11-kit tool for managing PKCS #11 modules, the trust tool for operating on the trust policy store, and the p11-kit library. Notable enhancements include the following:
- Added support for PKCS #11 version 3.0
- The pkcs11.h header file:
  - Added ChaCha20/Salsa20, Poly1305 and IBM-specific mechanisms and attributes
  - Added AES-GCM mechanism parameters for message-based encryption
- The p11-kit tool:
  - Added utility commands to list and manage objects of a token (list-tokens, list-mechanisms, list-objects, import-object, export-object, delete-object, and generate-keypair)
  - Added utility commands to manage PKCS#11 profiles of a token (list-profiles, add-profile, and delete-profile)
  - Added the print-config command for printing merged configuration
- The trust tool:
  - Added the check-format command to validate the format of .p11-kit files
Jira:RHEL-14834[1]
libkcapi rebased to 1.4.0
The libkcapi library, which provides access to the Linux kernel crypto API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:
- Added the sm3sum and sm3hmac tools.
- Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs.
- Added SM4 convenience functions.
- Fixed support for link-time optimization (LTO).
- Fixed LTO regression testing.
- Fixed support for AEAD encryption of an arbitrary size with kcapi-enc.
Jira:RHEL-5367[1]
User and group creation in OpenSSH uses the sysusers.d format
Previously, OpenSSH used static useradd scripts. With this update, OpenSSH uses the sysusers.d format to declare system users, which makes it possible to introspect system users.
OpenSSH limits artificial delays in authentication
OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit on such delays when remote authentication takes too long, for example in privilege access management (PAM) processing.
Jira:RHEL-2469[1]
stunnel rebased to 5.71
The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71.
Notable new features include:
- Added support for modern PostgreSQL clients.
- You can use the protocolHeader service-level option to insert custom connect protocol negotiation headers.
- You can use the protocolHost option to control the client SMTP protocol negotiation HELO/EHLO value.
- Added client-side support for protocol = ldap.
- You can now configure session resumption by using the service-level sessionResume option.
- Added support to request client certificates in server mode with CApath (previously, only CAfile was supported).
- Improved file reading and logging performance.
- Added support for configurable delay for the retry option.
- In client mode, OCSP stapling is requested and verified when verifyChain is set.
- In server mode, OCSP stapling is always available.
- Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no.
Jira:RHEL-2468[1]
New options for dropping capabilities in Rsyslog
You can now configure Rsyslog’s behavior when dropping capabilities by using the following global options:
- libcapng.default - Determines Rsyslog’s actions when it encounters errors while dropping capabilities. The default value is on, which causes Rsyslog to exit if a libcapng-related error occurs.
- libcapng.enable - Determines whether Rsyslog drops capabilities during startup. If this option is disabled, libcapng.default has no impact.
Jira:RHEL-943[1]
audit rebased to 3.1.2
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:
- The auparse library now interprets unnamed and anonymous sockets.
- You can use the new keyword this-hour in the start and end options of the ausearch and aureport tools.
- Support for the io_uring asynchronous I/O API has been added.
- User-friendly keywords for signals have been added to the auditctl program.
- Handling of corrupt logs in auparse has been improved.
- The ProtectControlGroups option is now disabled by default in the auditd service.
- Rule checking for the exclude filter has been fixed.
- The interpretation of OPENAT2 fields has been enhanced.
- The audispd af_unix plugin has been moved to a standalone program.
- The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-14896[1]
Rsyslog rebased to 8.2310
The Rsyslog log processing system has been rebased to upstream version 8.2310. This update introduces significant enhancements and bug fixes. Most notable enhancements include:
- Customizable TLS/SSL encryption settings: In previous versions, configuring TLS/SSL encryption settings for separate connections was limited to global settings. With the latest version, you can now define unique TLS/SSL settings for each individual connection in Rsyslog. This includes specifying different CA certificates, private keys, public keys, and CRL files for enhanced security and flexibility. For detailed information and usage, see the documentation provided in the rsyslog-doc package.
- Refined capability dropping feature: You can now set additional options that relate to capability dropping. You can disable capability dropping by setting the libcapng.enable global option to off. For more information, see RHEL-943.
Jira:RHEL-937, Jira:RHEL-943
SCAP Security Guide rebased to 0.1.72
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:
- CIS profiles are updated to align with the latest benchmarks.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes.
4.3. RHEL for Edge
Support for building FIPS enabled RHEL for Edge images
This enhancement adds support for building FIPS enabled RHEL for Edge images for the following image types:
- edge-installer
- edge-simplified-installer
- edge-raw-image
- edge-ami
- edge-vsphere
You can enable FIPS mode only during the image provisioning process. You cannot change to FIPS mode after the non-FIPS image build starts.
Jira:RHELDOCS-17263[1]
4.4. Shells and command-line tools
openCryptoki rebased to version 3.22.0
The opencryptoki package has been updated to version 3.22.0. Notable changes include:
- Added support for the AES-XTS key type by using the CPACF protected keys.
- Added support for managing certificate objects.
- Added support for public sessions with the no-login option.
- Added support for logging in as the Security Officer (SO).
- Added support for importing and exporting the Edwards and Montgomery keys.
- Added support for importing the RSA-PSS keys and certificates.
- For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
- Various bug fixes have been implemented.
Jira:RHEL-11412[1]
4.5. Infrastructure services
synce4l rebased to version 1.0.0
The synce4l protocol has been updated to version 1.0.0. This update adds support for the kernel Digital Phase Locked Loop (DPLL) interface.
Jira:RHEL-10089[1]
chrony rebased to version 4.5
The chrony suite has been updated to version 4.5. Notable changes include:
- Added support for the AES-GCM-SIV cipher to shorten Network Time Security (NTS) cookies to improve reliability of NTS over the internet, where some providers block or limit the rate of longer Network Time Protocol (NTP) messages.
- Added periodic refresh of IP addresses of NTP sources specified by hostname. The default interval is two weeks and it can be disabled by adding the refresh 0 parameter to the chrony.conf file.
- Improved automatic replacement of unreachable NTP sources.
- Improved logging of important changes made by the chronyc utility.
- Improved logging of source selection failures and falsetickers.
- Added the hwtstimeout directive to configure timeout for late hardware transmit timestamps.
- Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
- Added the chronyd-restricted service as an alternative service for minimal client-only configurations where the chronyd service can be started without root privileges.
- Fixed the presend option in interleaved mode.
- Fixed reloading of modified sources specified by IP address from the sourcedir directories.
linuxptp rebased to version 4.2
The linuxptp protocol has been updated to version 4.2. Notable changes include:
- Added support for multiple domains in the phc2sys utility.
- Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
- Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
4.6. Networking
The nft utility can now reset nftables rule-contained states
With this enhancement, you can use the nft reset command to reset nftables rule-contained states. For example, use this feature to reset counter and quota statement values.
Jira:RHEL-5980[1]
Marvell Octeon PCIe Endpoint Network Interface Controller driver is available
This enhancement has added the octeon_ep driver. You can use it for networking of Marvell’s Octeon PCIe Endpoint network interface cards. The host drivers act as PCI Express (PCIe) endpoint network interface (NIC) to support Marvell OCTEON TX2 CN106XX, a 24 N2 cores Infrastructure Processor Family. By using the OCTEON TX2 driver as a PCIe NIC, you can use OCTEON TX2 as a PCIe endpoint in various products: security firewalls, 5G Open Radio Access Network (ORAN) and Virtual RAN (VRAN) applications and data processing offloading applications.
Currently, you can use it with the following devices:
- Network controller: Cavium, Inc. Device b100
- Network controller: Cavium, Inc. Device b200
- Network controller: Cavium, Inc. Device b400
- Network controller: Cavium, Inc. Device b900
- Network controller: Cavium, Inc. Device ba00
- Network controller: Cavium, Inc. Device bc00
- Network controller: Cavium, Inc. Device bd00
Jira:RHEL-9308[1]
NetworkManager now supports configuring the switchdev mode for advanced hardware offload
With this enhancement, you can configure the following new properties in NetworkManager connection profiles:
- sriov.eswitch-mode
- sriov.eswitch-inline-mode
- sriov.eswitch-encap-mode
With these properties, you can configure the eSwitch of smart network interface controllers (Smart NICs). For example, use the sriov.eswitch-mode setting to change the mode from legacy SR-IOV to switchdev to use advanced hardware offload features.
NetworkManager supports changing ethtool channel settings
A network interface can have multiple interrupt requests (IRQs) and associated packet queues called channels. With this enhancement, NetworkManager connection profiles can specify the number of channels to assign to an interface through the connection properties ethtool.channels-rx, ethtool.channels-tx, ethtool.channels-other, and ethtool.channels-combined.
Jira:RHEL-1471[1]
Nmstate can now create a YAML file to revert settings
With this enhancement, Nmstate can create a "revert configuration file" that contains the differences between the current network settings and a YAML file with the new configuration that you want to apply. If the settings do not work as expected after you applied the YAML file, you can use the revert configuration file to restore the previous settings:
- Create a YAML file, for example, new.yml, with the configuration that you want to apply.
- Create a revert configuration file that contains the differences between the intended settings in new.yml and the current state:
  # nmstatectl gr new.yml > revert.yml
- Apply the configuration from new.yml.
- If you want now to switch back to the previous state, apply revert.yml.
Alternatively, you can use the NetworkState::generate_revert(current) call if you use the Nmstate API to create a revert configuration.
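What a revert file has to contain, as an added example that is not nmstate's code: a simplified model that walks the new configuration, records the current value of every setting it would change, and emits the result as YAML. The interface states are constructed samples. Two rules are this model's own assumptions rather than nmstate behaviour: an interface that the new configuration creates is reverted with state absent, and a setting that the current state did not carry at all is reverted to null.

```python
# Added example, not nmstate's code: a model of revert generation. Assumptions
# (stated in the lead-in): new interfaces revert to "state: absent", settings
# missing from the current state revert to null.

from copy import deepcopy


def changed_settings(desired: dict, current: dict) -> dict:
    """Walk `desired` and collect, for each key whose value differs from
    `current`, the current value (the one to restore)."""
    out = {}
    for key, new_value in desired.items():
        old_value = current.get(key)
        if isinstance(new_value, dict) and isinstance(old_value, dict):
            nested = changed_settings(new_value, old_value)
            if nested:
                out[key] = nested
        elif new_value != old_value:
            out[key] = deepcopy(old_value)  # None when the setting was absent
    return out


def generate_revert(current: dict, desired: dict) -> dict:
    """Build the revert document for `desired` applied on top of `current`."""
    current_by_name = {i["name"]: i for i in current.get("interfaces", [])}
    revert = []
    for iface in desired.get("interfaces", []):
        name = iface["name"]
        if name not in current_by_name:
            # The new configuration creates this interface; reverting removes it.
            revert.append({"name": name, "type": iface.get("type"), "state": "absent"})
            continue
        changes = changed_settings(iface, current_by_name[name])
        if changes:
            revert.append({"name": name, **changes})
    return {"interfaces": revert}


def _scalar(value) -> str:
    if value is True:
        return "true"
    if value is False:
        return "false"
    if value is None:
        return "null"
    return str(value)


def to_yaml(node, indent: int = 0) -> list:
    """Minimal YAML emitter for dicts, lists and plain scalars; enough for the
    interface documents used here (no quoting of special characters)."""
    pad = "  " * indent
    lines = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    elif isinstance(node, list):
        for item in node:
            if isinstance(item, dict) and item:
                body = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {body[0].lstrip()}")  # first key on the dash line
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


# Constructed sample: the state the host has now, and the new configuration.
CURRENT = {"interfaces": [
    {"name": "eth1", "type": "ethernet", "state": "up", "mtu": 1500,
     "ipv4": {"enabled": True, "dhcp": False,
              "address": [{"ip": "192.0.2.10", "prefix-length": 24}]}},
]}
NEW = {"interfaces": [
    {"name": "eth1", "mtu": 9000,
     "ipv4": {"address": [{"ip": "192.0.2.20", "prefix-length": 24}]}},
    {"name": "bond99", "type": "bond", "state": "up",
     "link-aggregation": {"mode": "active-backup", "port": ["eth1"]}},
]}

if __name__ == "__main__":
    print("\n".join(to_yaml(generate_revert(CURRENT, NEW))))
```

The output for the sample restores eth1's MTU and address and marks bond99 absent, which is the minimum needed to undo the change; settings that the new configuration does not touch are left out, so applying the revert file does not disturb them.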
Nmstate API configures VPN connection based on IPsec configuration
The Libreswan utility is an implementation of IPsec for configuring VPNs. With this update, by using nmstatectl, you can configure IPsec-based authentication types along with configuration modes (tunnel and transport) and network layouts (host-to-subnet, host-to-host, subnet-to-subnet).
nmstate now supports the priority bond property
With this update, you can set the priority of bond ports in the nmstate framework by using the priority property in the ports-config section of the configuration file. An example YAML file can look as follows:
---
interfaces:
- name: bond99
  type: bond
  state: up
  link-aggregation:
    mode: active-backup
    ports-config:
    - name: eth2
      priority: 15
When an active port within the bonded interface is down, the RHEL kernel elects the next active port that has the highest numerical value in the priority property from the pool of all backup ports.
The priority property is relevant for the following modes of the bond interface:
- active-backup
- balance-tlb
- balance-alb
Jira:RHEL-1438[1]
NetworkManager wifi connections support a new MAC address-based privacy option
With this enhancement, you can configure NetworkManager to associate a randomly generated MAC address with the Service Set Identifier (SSID) of a wifi network. This enables you to permanently use a random but consistent MAC address for a wifi network even if you delete a connection profile and re-create it. To use this new feature, set the 802-11-wireless.cloned-mac-address property of a wifi connection profile to stable-ssid.
Introduction of new nmstate attributes for the VLAN interface
With this update of the nmstate framework, the following VLAN attributes were introduced:
- registration-protocol: VLAN Registration Protocol. The valid values are gvrp (GARP VLAN Registration Protocol), mvrp (Multiple VLAN Registration Protocol), and none.
- reorder-headers: reordering of output packet headers. The valid values are true and false.
- loose-binding: loose binding of the interface to the operating state of its primary device. The valid values are true and false.
Your YAML configuration file can look similar to the following example:
---
interfaces:
- name: eth1.101
  type: vlan
  state: up
  vlan:
    base-iface: eth1
    id: 101
    registration-protocol: mvrp
    loose-binding: true
    reorder-headers: true
ipv4.dhcp-client-id set to none prevents sending a client-identifier
If the client-identifier option is not set in NetworkManager, then the actual value depends on the type of DHCP client in use, such as the NetworkManager internal DHCP client or dhclient. Generally, DHCP clients send a client-identifier. Therefore, in almost all cases, you do not need to set the none option. As a result, this option is only useful in case of some unusual DHCP server configurations that require clients to not send a client-identifier.
nmstate now supports creating MACsec interfaces
With this update, the users of the nmstate framework can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model. As a result, there is no need to encrypt individual services later on Layer 7. Also, the feature eliminates associated challenges such as managing large amounts of certificates for each endpoint.
For more information, see Configuring a MACsec connection using nmstatectl.
netfilter update
The kernel package has been upgraded to version 5.14.0-405 in RHEL 9. As a result, the rebase also provided multiple enhancements and bug fixes in the netfilter component of the RHEL kernel. The most notable change includes:
- The nftables subsystem is able to match various inner header fields of the tunnel packets. This enables more granular and effective control over network traffic, especially in environments where tunneling protocols are used.
Jira:RHEL-16630[1]
firewalld now avoids unnecessary firewall rule flushes
The firewalld service does not remove all existing rules from the iptables configuration if both of the following conditions are met:
- firewalld is using the nftables backend.
- There are no firewall rules created with the --direct option.
This change aims at reducing unnecessary operations (firewall rule flushes) and improves integration with other software.
Jira:RHEL-427[1]
The ss utility adds visibility improvement to TCP bound-inactive sockets
The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:
- ss --all: to dump all sockets including TCP bound-inactive ones
- ss --bound-inactive: to dump only bound-inactive sockets
Jira:RHEL-21223[1]
The Nmstate API now supports SR-IOV VLAN 802.1ad tagging
With this enhancement, you can now use the Nmstate API to enable hardware-accelerated Single-Root I/O Virtualization (SR-IOV) Virtual Local Area Network (VLAN) 802.1ad tagging on cards whose firmware supports this feature.
The TCP Illinois congestion algorithm kernel module is re-enabled
TCP Illinois is a variant of the TCP protocol. Customers such as Internet Service Providers (ISPs) experience sub-optimal performance without the TCP Illinois algorithm, and network traffic does not scale well even when using the Bandwidth and Round-trip propagation time (BBR) algorithm, which results in high latency. As a result, the TCP Illinois algorithm can produce slightly higher average throughput, fairer network resource allocation, and compatibility.
Jira:RHEL-5736[1]
The iptables utility rebased to version 1.8.10
The iptables utility defines rules for packet filtering to manage the firewall. This utility has been rebased to version 1.8.10. Notable changes include:
Notable features:
- Added support for newer chunk types in the sctp match
- Aligned the ip6tables opt-in column if empty, which helps when piping output to jc --iptables
- Print numeric protocol numbers with --numeric for a more stable output
- More translations for *tables-translate utilities with improved output formatting
- Several manual page improvements
Notable fixes:
- iptables-restore error messages incorrectly pointing at the COMMIT line
- Broken -p Length match in ebtables
- Broken ebtables among match when used in multiple rules restored through ebtables-restore
- Program could crash when renaming a chain depending on the number of chains already present
- Non-critical memory leaks
- Missing broute table support in ebtables after the switch to nft-variants
- Broken ip6tables rule counter setting with '-c' option
- Unexpected error message when listing a non-existent chain
- Potential false-positive ebtables rule comparison if among match is used
- Prohibit renaming a chain to an invalid name
- Stricter checking of "chain lines" in iptables-restore input to detect invalid chain names
- Non-functional built-in chain policy counters
nftables rebased to version 1.0.9
The nftables utility has been upgraded to version 1.0.9, which provides multiple bug fixes and enhancements. Notable changes include:
- Improvements to the --optimize command option
- Extended the Python nftables class
- Improved behavior when dealing with rules created by iptables-nft
- Support accessing fields of vxlan-encapsulated headers
- Initial support for GRE, Geneve, and GRETAP protocols
- New reset rule(s) commands to reset rule counters, quotas
- New destroy command deletes things only if they exist
- New last statement recording when it has seen a packet for the last time
- Add and remove devices from netdev-family chains
- New meta broute expression to emulate ebtables' broute functionality
- Fixed miscellaneous memory leaks
- Fixed wrong location in error messages in corner-cases
- Set and map statements missing in JSON output
firewalld rebased to version 1.3
The firewalld package has been upgraded to version 1.3, which provides multiple bug fixes and enhancements. Notable changes include:
- New reset-to-defaults CLI option: This option resets the configuration of the firewalld service to defaults. This allows users to erase the firewalld configuration and start over with the default settings.
- Enable the --add-masquerade CLI option for policies with ingress-zone=ZONE, where ZONE has interfaces assigned with the --add-interface CLI option. This removes a restriction and enables usage of interfaces (instead of sources) in common scenarios.
The reasons to introduce these features:
- reset-to-defaults was implemented to reset the firewall to the default configuration.
- Using interfaces allows change of IP address without impacting firewall configuration.
As a result, users can perform the following actions:
- Reset the configuration
- Combine --add-masquerade with --add-interface while using policies
4.7. Kernel
Kernel version in RHEL 9.4
Red Hat Enterprise Linux 9.4 is distributed with the kernel version 5.14.0-427.13.1.
rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list
With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This option covers the most common use case of a real-time application running on isolated CPUs. Other use cases require a more generic feature. For example, some real-time applications use one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies both to CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.
Jira:RHEL-9912[1]
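The add/remove rules and the "removal wins" precedence described above, as an added example that is not rteval's own parser: it resolves a default measurement CPU list against a cpulist string and an optional isolated-CPU set. The token syntax (comma-separated CPUs or ranges, each optionally prefixed with + or -, and an unsigned list replacing the default) is an assumption about rteval's format; the CPU numbers in the sample are constructed.

```python
# Added example, not rteval's own parser: a model of the measurement CPU list
# rules. Token syntax is assumed; the precedence rule (removal wins over
# addition, including additions from the isolated set) is the one stated above.


def parse_cpu_ranges(spec: str) -> set:
    """'0-3,6' -> {0, 1, 2, 3, 6}"""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(part))
    return cpus


def resolve_measurement_cpus(default_cpus, cpulist=None, isolated_cpus=(),
                             run_on_isolcpus=False) -> set:
    """Compute the final measurement CPU set.

    Tokens without a sign form a complete replacement list; +N / +A-B add to
    the base list and -N / -A-B remove from it. run_on_isolcpus adds every
    isolated CPU. Any CPU that is removed stays removed even if it was also
    added, explicitly or through the isolated set."""
    added, removed, explicit = set(), set(), None
    for token in (cpulist or "").split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] == "+":
            added |= parse_cpu_ranges(token[1:])
        elif token[0] == "-":
            removed |= parse_cpu_ranges(token[1:])
        else:
            explicit = (explicit or set()) | parse_cpu_ranges(token)
    base = set(default_cpus) if explicit is None else explicit
    if run_on_isolcpus:
        added |= set(isolated_cpus)
    return (base | added) - removed


def format_cpulist(cpus) -> str:
    """Inverse of parse_cpu_ranges: {0, 1, 2, 4, 5} -> '0-2,4-5'."""
    ordered = sorted(cpus)
    chunks, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        chunks.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(chunks)


if __name__ == "__main__":
    # Constructed sample: default list 0-7, CPUs 3 and 9 isolated, CPU 3 used
    # for housekeeping and therefore excluded even though it is isolated.
    result = resolve_measurement_cpus(range(8), "+8,-3", isolated_cpus={3, 9},
                                      run_on_isolcpus=True)
    print(format_cpulist(result))
```

The housekeeping case from the note is the interesting input: CPU 3 arrives through the isolated set and is also named with a minus sign, and the minus sign wins, so the measurement threads never land on it.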
rtla rebased to version 6.6 of the upstream kernel source code
The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
- Added the -C option to specify additional control groups for rtla threads to run in, apart from the main rtla thread.
- Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads on different CPUs.
- Added support to the timerlat tracer so that you can run timerlat hist and timerlat top threads in user space.
Jira:RHEL-10079[1]
cyclicdeadline now supports generating a histogram of latencies
With this release, the cyclicdeadline utility supports generating a histogram of latencies. You can use this feature to get more insight into the frequency of latency spikes of different sizes, rather than getting just one worst-case number.
Jira:RHEL-9910[1]
SGX is now fully supported
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041883[1]
The Intel data streaming accelerator driver is now fully supported
The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
The eBPF facility has been rebased to Linux kernel version 6.6
Notable changes and enhancements include:
- New dynamic pointers (dynptrs) of the skb and xdp type, which enable more ergonomic and less brittle iteration through data and variable-sized accesses in BPF programs.
- A new BPF netfilter program type and minimal support to hook BPF programs to netfilter hooks, such as prerouting or forward.
- Multiple improvements to kernel pointers (kptrs):
  - You can use kptrs in more map types.
  - RCU semantics are enabled for task kptrs.
  - New reference-counted local kptrs, useful for adding a node to both the BPF list and rbtree.
- At load time, BPF programs can detect whether a particular kfunc exists or not.
- Several new kfuncs for working with dynptrs, cgroups, sockets, and cpumasks.
- New BPF links for attaching multiple uprobes and usdt probes, which is significantly faster and saves extra file descriptors (FDs).
- The BPF map element count is enabled for all program types.
- The memory usage reporting for all BPF map types is more precise.
- The bpf_fib_lookup BPF helper includes the routing table ID.
- The BPF_OBJ_PIN and BPF_OBJ_GET commands support O_PATH FDs.
Jira:RHEL-10691[1]
The libbpf-tools package is now available on IBM Z
The libbpf-tools package, which provides command line tools for the BPF Compiler Collection (BCC), is now available on the IBM Z architecture. As a result, you can now use commands from libbpf-tools on IBM Z.
Jira:RHEL-16325[1]
4.8. Boot loader
DEP/NX support in the pre-boot stage
The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.
This release adds DEP/NX support in the GRUB and shim boot loaders. This mitigates certain attacks during the pre-boot stage, for example a malicious EFI driver executing code from memory that is marked non-executable, which DEP/NX now blocks.
Jira:RHEL-10288[1]
4.9. File systems and storage
Setting a filesystem size limit is now supported
With this update, users can now set a filesystem size limit when creating or modifying a filesystem. The stratisd service enables dynamic filesystem growth, but excessive expansion of an XFS filesystem can cause significant performance issues. The addition of this feature addresses potential performance issues that might occur when growing XFS filesystems beyond a certain threshold. By setting a filesystem size limit, users can prevent such issues and ensure optimal performance. Additionally, this feature enables better pool monitoring and maintenance by allowing users to impose an upper limit on a filesystem’s size, ensuring efficient resource allocation.
Converting a standard LV to a thin LV by using lvconvert is now possible
You can now convert a standard logical volume (LV) to a thin LV by using the lvconvert command, specifying the standard LV as the data volume of a thin pool. With this update, you can convert existing LVs to use the thin provisioning facility.
multipathd now supports detecting FPIN-Li events for NVMe devices
Previously, the multipathd daemon monitored Fabric Performance Impact Notification Link Integrity (FPIN-Li) events only on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use them to mark paths as marginal. Because this feature was supported only for multipath devices on top of SCSI devices, multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal.
With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath no longer uses paths without a good fabric connection while other paths are available. This helps to avoid I/O delays in such situations.
max_retries option is now added to the defaults section of multipath.conf
This enhancement adds the max_retries option to the defaults section of the multipath.conf file. By default this option is unset, and the SCSI layer’s default value of 5 retries is used. The valid values for this option are 0 to 5. When this option is set, it overrides the default value of the max_retries sysfs attribute for SCSI devices. This attribute controls the number of times the SCSI layer retries I/O commands before returning failure when it encounters certain error types.
If you encounter an issue where multipath’s path checkers return success but I/O to a device is hanging, you can set this option to decrease the time before the I/O is retried down another path.
Jira:RHEL-1729[1]
auto_resize option is now added to the defaults section of multipath.conf
Previously, to resize a multipath device, you had to manually run the multipathd resize map <name> command. With this update, the auto_resize option is added to the defaults section of the multipath.conf file. This option controls when the multipathd daemon can automatically resize a multipath device. The following are the possible values for auto_resize:
- never (the default): multipathd works without any change.
- grow_only: multipathd automatically resizes the multipath device when the device’s paths have grown in size.
- grow_shrink: multipathd automatically resizes the multipath device when the device’s paths have grown or decreased in size.
As a result, when this option is enabled, you no longer need to manually resize your multipath devices.
Jira:RHEL-986[1]
Changes to Arcus NVMeoFC multipath.conf settings are now included in kernel
Device-mapper-multipath now has a built-in configuration for the HPE Alletra 9000 NVMeFC array. Arcus added support for Asymmetric Namespace Access (ANA) for NVMeoFC, which is similar to ALUA for SCSI. A change in multipath.conf is required for a RHEL host to use this feature and send I/O only to ANA optimized paths when available. Without this change, device mapper was sending I/O to both ANA optimized and ANA non-optimized paths.
This change is only for NVMeoFC. The FCP multipath.conf content already had this setting for supporting ALUA previously.
stratis-cli rebased to version 3.6.0
The stratis-cli package has been upgraded to version 3.6.0. Notable bug fixes and enhancements include:
- The stratis-cli command-line interface supports an additional option to set the file system size limit on creation. The new set-size-limit and unset-size-limit file system commands set or unset the file system size limit after a file system has been created.
- stratis-cli now incorporates password verification when it is used to set a key in the kernel keyring by manual entry.
- stratis-cli now supports specifying a pool either by name or by UUID when stopping a pool.
- stratis-cli also receives various internal improvements, and now requires at least Python 3.9 in its package configuration.
Jira:RHEL-2265[1]
boom rebased to version 1.6.0
The boom package has been upgraded to version 1.6.0. Notable enhancements include:
- Support for the multi-volume snapshot boot syntax supported by systemd.
- The new --mount and --no-fstab options are added to specify additional volumes to mount at the boot entry.
NVMe-FC Boot from SAN is now fully supported
The Non-volatile Memory Express (NVMe) over Fibre Channel (NVMe/FC) Boot, which was introduced in Red Hat Enterprise Linux 9.2 as a Technology Preview, is now fully supported. Some NVMe/FC host bus adapters support an NVMe/FC boot capability. For more information about programming a Host Bus Adapter (HBA) to enable the NVMe/FC boot capability, see the NVMe/FC host bus adapter manufacturer’s documentation.
Jira:RHEL-1492[1]
4.10. High availability and clusters
pcs support for ISO 8601 duration specification for time properties
The pcs command-line interface now allows you to specify values for Pacemaker time properties according to the ISO 8601 duration specification standard.
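As an added example, not part of the release notes or of pcs itself, the following Python helper validates an ISO 8601 duration and converts it to seconds before the value is handed to pcs property set, so a malformed duration fails on the admin host rather than in the cluster. It accepts the week, day, hour, minute and second designators and deliberately rejects the year and calendar-month designators (Y, and M before the T separator) because their length is calendar-dependent; that restriction is a choice of this helper, not something pcs or Pacemaker documents. The property name cluster-recheck-interval is only a realistic sample.

```python
"""Validate ISO 8601 durations before passing them to pcs (added example)."""
import re

# Designators after "P": weeks and days; after "T": hours, minutes, seconds.
# "M" means months before the "T" separator and minutes after it, so the
# pattern only allows "M" in the time part. Year and calendar-month
# designators are rejected on purpose; this is a restriction of this helper.
_DURATION_RE = re.compile(
    r"^P(?!$)"
    r"(?:(?P<weeks>\d+)W)?"
    r"(?:(?P<days>\d+)D)?"
    r"(?:T(?!$)"
    r"(?:(?P<hours>\d+)H)?"
    r"(?:(?P<minutes>\d+)M)?"
    r"(?:(?P<seconds>\d+)S)?"
    r")?$"
)

_SECONDS_PER = {"weeks": 7 * 86400, "days": 86400, "hours": 3600,
                "minutes": 60, "seconds": 1}


def duration_to_seconds(text):
    """Return the number of seconds in an ISO 8601 duration such as PT1M30S.

    Raises ValueError for anything the pattern does not accept: a bare "P",
    a trailing "T" with nothing after it, a month designator, or values in
    another notation such as "90s" or "5min".
    """
    match = _DURATION_RE.match(text)
    if match is None:
        raise ValueError(f"not a supported ISO 8601 duration: {text!r}")
    return sum(int(value) * _SECONDS_PER[name]
               for name, value in match.groupdict().items()
               if value is not None)


def is_valid_duration(text):
    """True if duration_to_seconds() would accept text."""
    try:
        duration_to_seconds(text)
    except ValueError:
        return False
    return True


def pcs_property_command(name, duration):
    """Build the argv for 'pcs property set <name>=<duration>' after
    validating the duration, so a typo is caught locally."""
    duration_to_seconds(duration)
    return ["pcs", "property", "set", f"{name}={duration}"]


if __name__ == "__main__":
    for sample in ("PT1M30S", "P1DT12H", "P2W", "PT90S"):
        print(f"{sample:10} -> {duration_to_seconds(sample)} s")
    for bad in ("P", "PT", "P1M", "90s"):
        print(f"{bad:10} -> valid={is_valid_duration(bad)}")
    print(" ".join(pcs_property_command("cluster-recheck-interval", "PT5M")))
```

The T separator is what disambiguates the two meanings of M; PT1M is one minute, while P1M would be one month and is refused here.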
Support for new pcsd Web UI features
The pcsd Web UI now supports the following features:
- Moving a cluster resource off the node on which it is currently running
- Banning a resource from running on a node
- Displaying cluster status that shows the age of the cluster status and when the cluster state is being reloaded
- Requesting a reload of the cluster status display
Jira:RHEL-7582, Jira:RHEL-7739
TLS cipher list now defaults to system-wide crypto policy
Previously, the pcsd TLS cipher list was set to DEFAULT:!RC4:!3DES:@STRENGTH by default. With this update, the cipher list is defined by the system-wide crypto policy by default. The TLS ciphers accepted by the pcsd daemon might change with this upgrade, depending on the currently set crypto policy. For more information about the crypto policies framework, see the crypto-policies(7) man page.
4.11. Dynamic programming languages, web and database servers
Python 3.12 available in RHEL 9
RHEL 9.4 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, and the ubi9/python-312 container image.
Notable enhancements compared to the previously released Python 3.11 include:
- Python introduces a new type statement and new type parameter syntax for generic classes and functions.
- Formatted string literals (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
- To improve security, the built-in hashlib implementations of the SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with formally verified code from the HACL* project. The built-in implementations remain available as fallback if OpenSSL does not provide them.
- Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases the speed of a comprehension execution.
- CPython now supports the Linux perf profiler.
- CPython now provides stack overflow protection on supported platforms.
Python 3.12 and packages built for it can be installed in parallel with Python 3.9 and Python 3.11 on the same system.
To install packages from the python3.12 stack, use, for example:
# dnf install python3.12
# dnf install python3.12-pip
To run the interpreter, use, for example:
$ python3.12
$ python3.12 -m pip --help
See Installing and using Python for more information.
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:
[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
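The following Python snippet, added here and not part of the release notes or of the RHEL python3.12 package, shows the two levers this note describes side by side: how the system-wide default is derived from the PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable or from /etc/python/email.cfg, and how an individual call can still request strict parsing through the strict keyword that the patched email.utils.getaddresses() accepts. Two details are assumptions of this snippet rather than documented behavior: that the environment variable takes precedence over the configuration file, and that true is accepted case-insensitively together with 1, yes and on. The strict keyword is passed only when the running interpreter's getaddresses() has it, so the snippet also runs on unpatched interpreters, where it falls back to their default behavior.

```python
"""Strict vs. lenient e-mail address parsing after the CVE-2023-27043 change
(added example, not RHEL's implementation)."""
import configparser
import inspect
import os
from email.utils import getaddresses

ENV_VAR = "PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"
CONFIG_FILE = "/etc/python/email.cfg"
CONFIG_SECTION = "email_addr_parsing"

# Constructed copy of the configuration file layout described in the note.
SAMPLE_CFG = """\
[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
"""


def _is_true(value):
    # Assumption: accept the usual spellings, not only the literal "true".
    return value.strip().lower() in ("1", "true", "yes", "on")


def strict_parsing_is_default(environ=None, cfg_text=None):
    """Return True when strict parsing is the system-wide default.

    Assumption of this helper: the environment variable wins over the
    configuration file. If neither disables strict parsing, the post-CVE
    default (strict) applies. cfg_text lets callers supply the file
    contents directly; when it is None, /etc/python/email.cfg is read
    if it exists.
    """
    environ = os.environ if environ is None else environ
    if ENV_VAR in environ:
        return not _is_true(environ[ENV_VAR])
    if cfg_text is None:
        try:
            with open(CONFIG_FILE, encoding="utf-8") as fh:
                cfg_text = fh.read()
        except OSError:
            return True
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if parser.has_option(CONFIG_SECTION, ENV_VAR):
        return not _is_true(parser.get(CONFIG_SECTION, ENV_VAR))
    return True


def parse_addresses(field_values, strict=None):
    """Call getaddresses(), passing strict= only on interpreters whose
    getaddresses() accepts it (the patched 3.12 does; older builds do not).

    strict=None leaves the interpreter's default in place, which is what the
    environment variable or configuration file above controls system-wide.
    """
    accepts_strict = "strict" in inspect.signature(getaddresses).parameters
    if strict is not None and accepts_strict:
        return getaddresses(field_values, strict=strict)
    return getaddresses(field_values)


if __name__ == "__main__":
    print("strict by default:", strict_parsing_is_default())
    print("with sample cfg  :", strict_parsing_is_default({}, SAMPLE_CFG))
    # A well-formed header is parsed identically in both modes.
    print(parse_addresses(["Alice Example <alice@example.org>"], strict=True))
    # Malformed input, where the two modes can differ; inspect both locally.
    malformed = ["alice@example.org<bob@example.com>"]
    print("strict :", parse_addresses(malformed, strict=True))
    print("lenient:", parse_addresses(malformed, strict=False))
```

Code that must not accept ambiguous addresses, for example an allow-list check on a sender, should pass strict=True explicitly rather than rely on the system default, because the environment variable or configuration file can flip that default underneath it.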
A new module stream: ruby:3.3
RHEL 9.4 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 9.1.
Notable enhancements include:
- You can use the new Prism parser instead of Ripper. Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language.
- YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
- The Regexp matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities.
- The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
- A new M:N thread scheduler is now available.
Other notable changes:
- You must now use the Lrama LALR parser generator instead of Bison.
- Several deprecated methods and constants have been removed.
- The Racc gem has been promoted from a default gem to a bundled gem.
To install the ruby:3.3 module stream, use:
# dnf module install ruby:3.3
If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-17089[1]
A new module stream: php:8.2
RHEL 9.4 adds PHP 8.2 as a new php:8.2 module stream.
Improvements in this release include:
- Readonly classes
- Several new stand-alone types
- A new Random extension
- Constraints in traits
To install the php:8.2 module stream, use the following command:
# dnf module install php:8.2
If you want to upgrade from the php:8.1 stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 9, see Using the PHP scripting language.
For information about the length of support for the php module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14699[1]
The name() method of the perl-DateTime-TimeZone module now returns the time zone name
The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.
A new module stream: nginx:1.24
The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.
New features and changes related to Transport Layer Security (TLS):
- Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the ssl_session_cache directive.
- Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
- You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter of the resolver directive.
- nginx now supports the $proxy_protocol_tlv_* variables, which store the values of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol.
- The ngx_http_gzip_static_module module now supports byte ranges.
Other changes:
- Header lines are now represented as linked lists in the internal API.
- nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and $upstream_trailer_... variables.
- nginx now displays a warning if protocol parameters of a listening socket are redefined.
- nginx now closes connections with lingering if pipelining was used by the client.
- The logging level of various SSL errors has been lowered, for example, from Critical to Informational.
To install the nginx:1.24 stream, use:
# dnf module install nginx:1.24
To upgrade from the nginx 1.22 stream, see Switching to a later stream.
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14713[1]
A new module stream: mariadb:10.11
MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:
- A new sys_schema feature.
- Atomic Data Definition Language (DDL) statements.
- A new GRANT ... TO PUBLIC privilege.
- Separate SUPER and READ ONLY ADMIN privileges.
- A new UUID database data type.
- Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
- Support for the natural sort order through the natural_sort_key() function.
- A new SFORMAT function for arbitrary text formatting.
- Changes to the UTF-8 charset and the UCA-14 collation.
- systemd socket activation files available in the /usr/share/ directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream.
- Error messages containing the MariaDB string instead of MySQL.
- Error messages available in the Chinese language.
- Changes to the default logrotate file.
- For MariaDB and MySQL clients, the connection property specified on the command line (for example, --port=3306) now forces the protocol type of communication between the client and the server, such as tcp, socket, pipe, or memory.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.
For more information about MariaDB, see Using MariaDB.
To install the mariadb:10.11 stream, use:
# dnf module install mariadb:10.11
If you want to upgrade from MariaDB 10.5, see Upgrading from MariaDB 10.5 to MariaDB 10.11.
For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new module stream: postgresql:16
RHEL 9.4 introduces PostgreSQL 16 as the postgresql:16 module stream. PostgreSQL 16 provides several new features and enhancements over version 15.
Notable enhancements include:
- Enhanced bulk loading improves performance.
- The libpq library now supports connection-level load balancing. You can use the new load_balance_hosts option for more efficient load balancing.
- You can now create custom configuration files and include them in the pg_hba.conf and pg_ident.conf files.
- PostgreSQL now supports regular expression matching on database and role entries in the pg_hba.conf file.
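To make the regular-expression entries concrete, here is an added Python example, not PostgreSQL code and not from the release notes, that parses a constructed pg_hba.conf fragment and reports which rule a (connection type, database, role) triple would hit. It follows the documented rule that a database or role field beginning with a slash is a regular expression, and it supports the all and sameuser keywords and comma-separated lists. Patterns are evaluated with Python's re module rather than PostgreSQL's own regex engine, and, like PostgreSQL, they are matched anywhere in the name unless anchored, which is the pitfall the last assertion below illustrates. Address matching, +group and @file entries are outside the scope of this example. The sample rules, database names and roles are constructed.

```python
"""Which pg_hba.conf rule does a connection hit? Added example covering the
PostgreSQL 16 style regular-expression fields (leading "/")."""
import re

# Constructed sample, not a real configuration.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS         METHOD
local   all             postgres                        peer
host    /^app_.*$       /^svc_.*$       10.0.0.0/8      scram-sha-256
host    reporting,bi    all             10.0.0.0/8      scram-sha-256
host    all             all             0.0.0.0/0       reject
"""


def parse_pg_hba(text):
    """Return the rules as dicts; 'local' lines carry no ADDRESS column."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            conn_type, database, user, method = fields[:4]
            address, options = None, fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            conn_type, database, user, address, method = fields[:5]
            options = fields[5:]
        rules.append({"line": lineno, "type": conn_type, "database": database,
                      "user": user, "address": address, "method": method,
                      "options": options})
    return rules


def field_matches(field, value, other=None):
    """Match one DATABASE or USER column against a name.

    - "all" matches anything
    - "sameuser" (DATABASE column; pass the role as other) matches when
      the database name equals the role name
    - an item starting with "/" is a regular expression, searched anywhere
      in the name, so an unanchored pattern such as "/app" is wide open
    - other items are literal names; +group and @file are not supported
      in this example and never match
    """
    for item in field.split(","):
        if item == "all":
            return True
        if item == "sameuser":
            if other is not None and value == other:
                return True
            continue
        if item.startswith("/"):
            if re.search(item[1:], value) is not None:
                return True
            continue
        if item[:1] in ("+", "@"):
            continue
        if item == value:
            return True
    return False


def first_matching_rule(rules, conn_type, database, user):
    """Return the first rule whose TYPE, DATABASE and USER columns match, or
    None. Address matching is deliberately not modelled here."""
    for rule in rules:
        if rule["type"] != conn_type:
            continue
        if not field_matches(rule["database"], database, other=user):
            continue
        if not field_matches(rule["user"], user):
            continue
        return rule
    return None


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    for probe in (("host", "app_orders", "svc_orders"),
                  ("host", "app_orders", "alice"),
                  ("local", "postgres", "postgres")):
        hit = first_matching_rule(rules, *probe)
        print(probe, "->", hit["method"] if hit else "no rule")
    # Unanchored regex pitfall: "/app" also matches "legacy_app".
    print(field_matches("/app", "legacy_app"))
```

When you introduce regular expressions into pg_hba.conf, anchor them with ^ and $ and keep a trailing reject rule, otherwise a pattern meant for one application's databases quietly admits any database whose name merely contains the pattern.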
Other changes include:
- PostgreSQL is no longer distributed with the postmaster binary. Users who start the postgresql server by using the provided systemd unit file (the systemctl start postgresql command) are not affected by this change. If you previously started the postgresql server directly through the postmaster binary, you must now use the postgres binary instead.
- PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.
See also Using PostgreSQL.
To install the postgresql:16 stream, use the following command:
# dnf module install postgresql:16
If you want to upgrade from an earlier postgresql stream within RHEL 9, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 9 version of PostgreSQL.
For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Git rebased to version 2.43.0
The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.
Notable enhancements include:
- You can now use the new --source option with the git check-attr command to read the .gitattributes file from the provided tree-ish object instead of the current working directory.
- Git can now pass information from the WWW-Authenticate response-type header to credential helpers.
- In case of an empty commit, the git format-patch command now writes an output file containing a header of the commit instead of creating an empty file.
- You can now use the git blame --contents=<file> <revision> -- <path> command to find the origins of lines starting at <file> contents through the history that leads to <revision>.
- The git log --format command now accepts the %(decorate) placeholder for further customization to extend the capabilities provided by the --decorate option.
Jira:RHEL-17100[1]
Git LFS rebased to version 3.4.1
The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.
Notable changes include:
- The git lfs push command can now read references and object IDs from standard input.
- Git LFS now handles alternative remotes without relying on Git.
- Git LFS now supports the WWW-Authenticate response-type header as a credential helper.
Jira:RHEL-17101[1]
4.12. Compilers and development tools
LLVM Toolset rebased to version 17.0.6
LLVM Toolset has been updated to version 17.0.6.
Notable enhancements include:
- The opaque pointers migration is now completed.
- Removed support for the legacy pass manager in middle-end optimization.
Clang changes:
- C++20 coroutines are no longer considered experimental.
- Improved code generation for the std::move function and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Rust Toolset rebased to version 1.75.0
Rust Toolset has been updated to version 1.75.0.
Notable enhancements include:
- Constant evaluation time is now unlimited
- Cleaner panic messages
- Cargo registry authentication
- async fn and opaque return types in traits
Go Toolset rebased to version 1.21.0
Go Toolset has been updated to version 1.21.0.
Notable enhancements include:
- min, max, and clear built-ins have been added.
- Official support for profile guided optimization has been added.
- Package initialization order is now more precisely defined.
- Type inferencing is improved.
- Backwards compatibility support is improved.
For more information, see the Go upstream release notes.
Jira:RHEL-11871[1]
Clang resource directory moved
The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.
elfutils rebased to version 0.190
The elfutils package has been updated to version 0.190. Notable improvements include:
- The libelf library now supports relative relocation (RELR).
- The libdw library now recognizes .debug_[ct]u_index sections.
- The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option to show symbols through the dynamic segment without using ELF sections.
- The eu-readelf utility can now show .gdb_index version 9.
- A new eu-scrlines utility compiles a list of source files associated with a specified DWARF or ELF file.
- The debuginfod server schema has changed for a 60% compression in file name representation (this requires reindexing).
systemtap rebased to version 5.0
The systemtap package has been updated to version 5.0. Notable enhancements include:
- Faster and more reliable kernel-user transport.
- Extended DWARF5 debuginfo format support.
Updated GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced in RHEL 9.4 include:
- The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
- binutils now supports AMD CPUs based on the znver5 core through the -march=znver5 compiler switch.
- annobin has been updated to version 12.32.
- The annobin plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
Tool | Version
---|---
GCC | 13.2.1
GDB | 12.1
binutils | 2.40
dwz | 0.14
annobin | 12.32
To install GCC Toolset 13, run the following command as root:
# dnf install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Jira:RHEL-23798[1]
Compiling with GCC and the -fstack-protector flag no longer fails to guard dynamic stack allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the system GCC compiler with the -fstack-protector flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with the system GCC are more secure.
Jira:RHEL-17638[1]
GCC Toolset 13: Compiling with GCC and the -fstack-protector flag no longer fails to guard dynamic stack allocations on 64-bit ARM
Previously, on the 64-bit ARM architecture, the GCC compiler with the -fstack-protector flag failed to detect a buffer overflow in functions containing a C99 variable-length array or an alloca()-allocated object. Consequently, an attacker could overwrite saved registers on the stack. With this update, the buffer overflow detection on 64-bit ARM has been fixed. As a result, applications compiled with GCC are more secure.
pcp updated to version 6.2.0
The pcp package has been updated to version 6.2.0. Notable improvements include:
- pcp-htop now supports user-defined tabs.
- pcp-atop now supports a new bar graph visualization mode.
- OpenMetrics PMDA metric labels and logging are improved.
- Additional Linux kernel virtual memory metrics have been added.
New tools:
- pmlogredact
- pcp-buddyinfo
- pcp-meminfo
- pcp-netstat
- pcp-slabinfo
- pcp-zoneinfo
Jira:RHEL-2317[1]
A new grafana-selinux package
Previously, the default installation of grafana-server ran as the unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as the grafana_t SELinux type.
papi supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi event presets on the following processor microarchitectures:
- AMD Zen 4
- 4th Generation Intel® Xeon® Scalable Processors
Jira:RHEL-9333[1], Jira:RHEL-9335, Jira:RHEL-9334
New package: maven-openjdk21
The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.
Jira:RHEL-13046[1]
New package: libzip-tools
RHEL 9.4 introduces the libzip-tools package, which provides utilities such as zipcmp, zipmerge, and ziptool.
cmake rebased to version 3.26
The cmake package has been updated to version 3.26. Notable improvements include:
- Added support for the C17 and C18 language standards.
- cmake can now query the /etc/os-release file for operating system identification information.
- Added support for the CUDA 20 and nvtx3 libraries.
- Added support for the Python stable application binary interface.
- Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
valgrind updated to 3.22
The valgrind package has been updated to version 3.22. Notable improvements include:
- valgrind memcheck now checks that the values given to the C functions memalign, posix_memalign, and aligned_alloc, and the C++17 aligned new operator are valid alignment values.
- valgrind memcheck now supports mismatch detection for C++14 sized and C++17 aligned new and delete operators.
- Added support for lazy reading of DWARF debugging information, resulting in faster startup when debuginfo packages are installed.
libabigail rebased to version 2.4
The libabigail package has been updated to version 2.4.
Notable enhancements include:
- The abidiff tool now supports comparing two sets of binaries.
- Added support for suppressing harmless change reports related to flexible array data members.
- Improved support for suppressing harmless change reports about enum types.
- Improved representation of changes to anonymous enum, union, and struct types.
4.13. Identity Management
A new passwordless authentication method is available in SSSD
With this update, you can enable and configure passwordless authentication in SSSD to use a biometric device that is compatible with the FIDO2 specification, for example a YubiKey. You must register the FIDO2 token in advance and store this registration information in the user account in RHEL IdM, Active Directory, or an LDAP store. RHEL implements FIDO2 compatibility with the libfido2 library, which currently only supports USB-based tokens.
Jira:RHELDOCS-17841[1]
The ansible-freeipa ipauser and ipagroup modules now support a new renamed state
With this update, you can use the renamed state in the ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in the ansible-freeipa ipagroup module to change the group name of an existing IdM group.
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 9.1 or later.
Jira:RHELPLAN-169666[1]
ipa rebased to version 4.11
The ipa package has been updated from version 4.10 to 4.11. Notable changes include:
- Support for FIDO2-based passkeys.
- Initial implementation of resource-based constrained delegation (RBCD) for Kerberos services.
- Context manager for ipalib.api to automatically configure, connect, and disconnect.
- The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
- The ansible-freeipa package has been rebased from version 1.11 to 1.12.1.
- The ipa-healthcheck package has been rebased from version 0.12 to 0.16.
For more information, see the upstream release notes.
Deleting expired KCM Kerberos tickets
Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.
IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules
With this update, the ansible-freeipa package now contains the following modules:
- idoverrideuser: Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
- idoverridegroup: Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
- idview: Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.
The idp Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
getcert add-ca returns a new return code if a certificate is already present or tracked
With this update, the getcert command returns a specific return code, 2, if you try to add or track a certificate that is already present or tracked. Previously, the command returned return code 1 on any error condition.
The delegation of DNS zone management is now enabled in ansible-freeipa
You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to configure a per-zone access delegation permission.
Enforcing OTP usage for all LDAP clients
With the release of the RHBA-2024:2558 advisory, in RHEL IdM, you can now set the default behavior for LDAP server authentication of user accounts with two-factor (OTP) authentication configured. If OTP is enforced, LDAP clients cannot authenticate against an LDAP server using single factor authentication (a password) for users that have associated OTP tokens. This method is already enforced through the Kerberos backend by using a special LDAP control with OID 2.16.840.1.113730.3.8.10.7 without any data.
To enforce OTP usage for all LDAP clients, administrators can use the following command:
$ ipa config-mod --addattr ipaconfigstring=EnforceLDAPOTP
To change back to the previous OTP behavior for all LDAP clients, use the following command:
$ ipa config-mod --delattr ipaconfigstring=EnforceLDAPOTP
Jira:RHEL-23377[1]
The runasuser_group parameter is now available in ansible-freeipa ipasudorule
With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.
389-ds-base
rebased to version 2.4.5
The 389-ds-base
package has been updated to version 2.4.5. Notable bug fixes and enhancements over version 2.3.4 include:
- https://www.port389.org/docs/389ds/releases/release-2-3-5.html
- https://www.port389.org/docs/389ds/releases/release-2-3-6.html
- https://www.port389.org/docs/389ds/releases/release-2-3-7.html
- https://www.port389.org/docs/389ds/releases/release-2-4-0.html
- https://www.port389.org/docs/389ds/releases/release-2-4-1.html
- https://www.port389.org/docs/389ds/releases/release-2-4-2.html
- https://www.port389.org/docs/389ds/releases/release-2-4-3.html
- https://www.port389.org/docs/389ds/releases/release-2-4-4.html
- https://www.port389.org/docs/389ds/releases/release-2-4-5.html
Transparent Huge Pages are now disabled by default for the ns-slapd
process
When large database caches are used, Transparent Huge Pages (THP) can have a negative effect on Directory Server performance under heavy load, for example, high memory footprint, high CPU usage and latency spikes. With this enhancement, a new THP_DISABLE=1
configuration option was added to the /usr/lib/systemd/system/dirsrv@.service.d/custom.conf
drop-in configuration file for the dirsrv
systemd
unit to disable THP for the ns-slapd
process.
In addition, the Directory Server health check tool now detects the THP settings. If you enabled THP system-wide and for the Directory Server instance, the health check tool informs you about the enabled THP and prints recommendations on how to disable them.
The new lastLoginHistSize
configuration attribute is now available for the Account Policy plug-in
Previously, when a user did a successful bind, only the time of the last login was available. With this update, you can use the new lastLoginHistSize
configuration attribute to manage a history of successful logins. By default, the last five successful logins are saved.
Note that for the lastLoginHistSize
attribute to collect statistics of successful logins, you must enable the alwaysRecordLogin
attribute for the Account Policy plug-in.
For more details, see lastLoginHistSize.
Jira:RHEL-5133[1]
The new notes=M message in the access log to identify MFA binds
With this update, when you configure two-factor authentication for user accounts by using a pre-bind authentication plug-in, such as the MFA plug-in, the Directory Server log files record the following messages during BIND operations:
The access log records the new notes=M note message:
[time_stamp] conn=1 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[time_stamp] conn=1 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000111632 optime=0.006612223 etime=0.006722325 notes=M details="Multi-factor Authentication" dn="uid=jdoe,ou=people,dc=example,dc=com"
The security log records the new SIMPLE/MFA bind method:
{ "date": "[time_stamp] ", "utc_time": "1709327649.232748932", "event": "BIND_SUCCESS", "dn": "uid=jdoe,ou=people,dc=example,dc=com", "bind_method": "SIMPLE\/MFA", "root_dn": false, "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "op_id": 0, "msg": "" }
Note that for the access and security logs to record such messages, the pre-bind authentication plug-in must set the flag by using the SLAPI API if a bind was part of this plug-in.
Jira:RHELDOCS-17838[1]
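To turn those two log formats into a detection, here is an added example written for this page (it is not Directory Server code and not part of the release notes): it pairs BIND and RESULT records by conn/op in the access log, flags successful binds that lack the M note, and cross-checks the security log's bind_method. The log lines are constructed from the excerpts above; the timestamps, the second user asmith and the failed bind (err=49) are invented so the detection has something to distinguish.

```python
import json
import re

# Constructed sample records modelled on the excerpts in this entry. The asmith bind and the
# failed jdoe bind (err=49) are invented to give the detection something to distinguish.
ACCESS_LOG = """\
[01/Mar/2024:21:14:09.226 +0000] conn=1 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[01/Mar/2024:21:14:09.232 +0000] conn=1 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000111632 optime=0.006612223 etime=0.006722325 notes=M details="Multi-factor Authentication" dn="uid=jdoe,ou=people,dc=example,dc=com"
[01/Mar/2024:21:15:02.118 +0000] conn=2 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128 version=3
[01/Mar/2024:21:15:02.121 +0000] conn=2 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000090001 optime=0.002010000 etime=0.002100001 dn="uid=asmith,ou=people,dc=example,dc=com"
[01/Mar/2024:21:16:40.500 +0000] conn=3 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[01/Mar/2024:21:16:40.505 +0000] conn=3 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000080000 optime=0.001900000 etime=0.001980000 dn="uid=jdoe,ou=people,dc=example,dc=com"
"""

SECURITY_LOG = r"""
{ "date": "[01/Mar/2024:21:14:09.232 +0000] ", "utc_time": "1709327649.232748932", "event": "BIND_SUCCESS", "dn": "uid=jdoe,ou=people,dc=example,dc=com", "bind_method": "SIMPLE\/MFA", "root_dn": false, "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "op_id": 0, "msg": "" }
{ "date": "[01/Mar/2024:21:15:02.121 +0000] ", "utc_time": "1709327702.121000000", "event": "BIND_SUCCESS", "dn": "uid=asmith,ou=people,dc=example,dc=com", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "192.0.2.10", "server_ip": "::1", "ldap_version": 3, "conn_id": 2, "op_id": 0, "msg": "" }
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+)(?P<rest>.*)')
NOTES_RE = re.compile(r'\bnotes=([A-Z,]+)')


def classify_binds(access_log):
    """Pair every BIND with its RESULT (same conn/op) and classify it.

    Returns [(dn, kind)] in log order, where kind is 'mfa' when the RESULT carries the M
    note, 'single-factor' for a successful bind without it, and 'failed' for err != 0.
    """
    pending = {}                 # (conn, op) -> bind DN awaiting its RESULT
    classified = []
    for line in access_log.splitlines():
        bind = BIND_RE.search(line)
        if bind:
            pending[(bind.group(1), bind.group(2))] = bind.group(3)
            continue
        result = RESULT_RE.search(line)
        if not result:
            continue
        dn = pending.pop((result.group(1), result.group(2)), None)
        if dn is None or result.group(4) != "97":   # tag=97 is a BindResponse; skip other ops
            continue
        if result.group(3) != "0":
            classified.append((dn, "failed"))
            continue
        notes = NOTES_RE.search(result.group("rest"))
        flags = notes.group(1).split(",") if notes else []   # notes can carry several letters
        classified.append((dn, "mfa" if "M" in flags else "single-factor"))
    return classified


def single_factor_binders(access_log):
    """DNs that completed at least one successful bind without MFA: the list to chase if MFA is mandatory."""
    return sorted({dn for dn, kind in classify_binds(access_log) if kind == "single-factor"})


def mfa_binds_from_security_log(security_log):
    """Independent view from the JSON security log: successful binds whose bind_method ends in /MFA."""
    hits = []
    for line in security_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)             # json.loads unescapes the "\/" in SIMPLE\/MFA
        if event.get("event") == "BIND_SUCCESS" and event.get("bind_method", "").endswith("/MFA"):
            hits.append((event["conn_id"], event["dn"]))
    return hits


if __name__ == "__main__":
    for dn, kind in classify_binds(ACCESS_LOG):
        print(f"{kind:14} {dn}")
    print("single-factor binders:", single_factor_binders(ACCESS_LOG))
    print("MFA binds per security log:", mfa_binds_from_security_log(SECURITY_LOG))
```

Pairing on conn/op matters because the BIND line itself never says whether a second factor was used; only the RESULT line carries notes=M, and only for binds that the pre-bind plug-in flagged as described in the note above.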
The new inchainMatch matching rule is now available
With this update, a client application can use the new inchainMatch matching rule to search for the ancestry of an LDAP entry. The member, manager, parentOrganization, and memberof attributes can be used with the inchainMatch matching rule and the following searches can be performed:
- Find all direct or indirect groups in which a user is a member.
- Find all direct or indirect users whose manager is a certain user.
- Find all direct or indirect organizations an entry belongs to.
- Find all direct or indirect members of a certain group.
Note that for performance reasons, you must index the member, manager, parentOrganization, and memberof attributes if the client application performs searches against these attributes by using the inchainMatch matching rule.
Directory Server uses the In Chain plug-in, which is enabled by default, to implement the inchainMatch matching rule. However, because inchainMatch is expensive to compute, an access control instruction (ACI) limits the matching rule usage.
For more details, refer to Using inchainMatch matching rule to find the ancestry of an LDAP entry.
Jira:RHELDOCS-17256[1]
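What the server computes for those searches, as an added example written for this page (not Directory Server code): an in-memory directory fragment with nested groups and a manager chain, a transitive walk that follows the chosen attribute until it reaches the asserted DN, and a helper that builds the corresponding extensible-match filter. The entries are constructed; the matching-rule OID is assumed to be the LDAP_MATCHING_RULE_IN_CHAIN OID that Active Directory uses, so confirm it against your server's schema before relying on the filter string.

```python
BASE = "dc=example,dc=com"
PEOPLE = f"ou=people,{BASE}"
GROUPS = f"ou=groups,{BASE}"

# Constructed directory fragment (not from a live server). Group nesting forms a diamond:
# jdoe -> dev -> eng -> staff -> all, and dev is also a direct member of all. The memberof
# values are what the MemberOf plug-in would maintain for that nesting.
ENTRIES = {
    f"uid=jdoe,{PEOPLE}":   {"manager": [f"uid=mlee,{PEOPLE}"], "memberof": [f"cn=dev,{GROUPS}"]},
    f"uid=asmith,{PEOPLE}": {"manager": [f"uid=mlee,{PEOPLE}"]},
    f"uid=mlee,{PEOPLE}":   {"manager": [f"uid=ceo,{PEOPLE}"]},
    f"uid=ceo,{PEOPLE}":    {},
    f"cn=dev,{GROUPS}":     {"member": [f"uid=jdoe,{PEOPLE}"], "memberof": [f"cn=eng,{GROUPS}", f"cn=all,{GROUPS}"]},
    f"cn=eng,{GROUPS}":     {"member": [f"cn=dev,{GROUPS}"], "memberof": [f"cn=staff,{GROUPS}"]},
    f"cn=staff,{GROUPS}":   {"member": [f"cn=eng,{GROUPS}"], "memberof": [f"cn=all,{GROUPS}"]},
    f"cn=all,{GROUPS}":     {"member": [f"cn=staff,{GROUPS}", f"cn=dev,{GROUPS}"]},
}

# Assumption: the in-chain rule is addressed in filters by the OID Active Directory uses for
# LDAP_MATCHING_RULE_IN_CHAIN. Verify against the 389-ds schema before relying on it.
INCHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value; a DN may legitimately contain '(', ')' or '*'."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def inchain_filter(attr, target_dn):
    """The extensible-match filter that asks the server for inchain_search()'s result."""
    return f"({attr}:{INCHAIN_OID}:={escape_filter_value(target_dn)})"


def reaches(entries, attr, start_dn, target_dn):
    """True when following `attr` from start_dn reaches target_dn, directly or through any number of hops."""
    seen, stack = set(), [start_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:                      # a nesting loop (A in B in A) must not spin forever
            continue
        seen.add(dn)
        for value in entries.get(dn, {}).get(attr, []):
            if value == target_dn:
                return True
            stack.append(value)
    return False


def inchain_search(entries, attr, target_dn, base=BASE):
    """Entries under `base` that (attr:inchainMatch:=target_dn) matches. Every candidate entry
    is walked, which is why the server wants these attributes indexed and gates the rule with an ACI."""
    return sorted(dn for dn in entries if dn.endswith(base) and reaches(entries, attr, dn, target_dn))


if __name__ == "__main__":
    searches = [
        ("member",   f"uid=jdoe,{PEOPLE}", GROUPS),   # groups jdoe is in, directly or indirectly
        ("manager",  f"uid=ceo,{PEOPLE}",  PEOPLE),   # everyone whose management chain ends at the CEO
        ("memberof", f"cn=all,{GROUPS}",   BASE),     # direct and indirect members of cn=all
    ]
    for attr, target, base in searches:
        print(inchain_filter(attr, target), "base", base)
        for dn in inchain_search(ENTRIES, attr, target, base):
            print("   ", dn)
```

Note the direction: member:inchainMatch:=user returns the groups that contain the user, while memberof:inchainMatch:=group returns the entries contained in the group, and the second form only works if the MemberOf plug-in keeps memberof populated.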
The HAProxy protocol is now supported for the 389-ds-base package
Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
For more details, see nsslapd-haproxy-trusted-ip.
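How the trusted-proxy check and the PROXY header fit together, as an added example written for this page (not 389-ds code): a parser for the text form of the HAProxy PROXY protocol header and the decision the server takes for each connection. The trusted list and the sample connections are constructed; treating a trusted proxy that sends no header as a direct client is a modelling choice, not something the documentation states.

```python
import ipaddress


class ProxyRejected(Exception):
    """Raised where the server would disconnect with a 'Protocol error' entry in the error log."""


# Constructed stand-in for the nsslapd-haproxy-trusted-ip values.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("2001:db8::10")}

MAX_V1_HEADER = 107   # longest legal PROXY v1 line, CRLF included, per the PROXY protocol spec


def parse_proxy_v1(line):
    """Parse b'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n'.

    Returns (src, dst, sport, dport), or None for 'PROXY UNKNOWN', which tells the
    server to fall back to the TCP peer address. Anything malformed is rejected.
    """
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyRejected("Protocol error - header not CRLF-terminated within 107 bytes")
    try:
        fields = line[:-2].decode("ascii").split(" ")
        if fields[0] != "PROXY" or len(fields) < 2:
            raise ProxyRejected("Protocol error - malformed PROXY header")
        if fields[1] == "UNKNOWN":
            return None
        if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
            raise ProxyRejected("Protocol error - unsupported family or field count")
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        expected = 4 if fields[1] == "TCP4" else 6
        if src.version != expected or dst.version != expected:
            raise ProxyRejected("Protocol error - address does not match the announced family")
        sport, dport = int(fields[4]), int(fields[5])
        if not (0 < sport <= 65535 and 0 < dport <= 65535):
            raise ProxyRejected("Protocol error - port out of range")
    except ValueError as exc:           # non-ASCII bytes, unparsable address or port
        raise ProxyRejected(f"Protocol error - {exc}") from exc
    return src, dst, sport, dport


def client_address(peer_ip, first_bytes, trusted=TRUSTED_PROXIES):
    """Decide which address the server should evaluate ACIs against and write to the access log.

    - a PROXY header from a peer outside the trusted list is refused, mirroring the
      documented 'Disconnect - Protocol error - Unknown Proxy' entry
    - a PROXY header from a trusted proxy yields the real client address it carries
    - anything else is a direct client and keeps its TCP peer address
    Modelling choice: a trusted proxy that sends no header is treated as a direct client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not first_bytes.startswith(b"PROXY "):
        return str(peer)
    if peer not in trusted:
        raise ProxyRejected(f"Protocol error - Unknown Proxy - {peer}")
    parsed = parse_proxy_v1(first_bytes)
    if parsed is None:
        return str(peer)
    src, _dst, _sport, _dport = parsed
    return str(src)


if __name__ == "__main__":
    # Constructed connections: a trusted proxy, an untrusted host pretending to be one, a direct client.
    samples = [
        ("192.0.2.10",  b"PROXY TCP4 198.51.100.7 192.0.2.1 51234 389\r\n"),
        ("203.0.113.5", b"PROXY TCP4 198.51.100.7 192.0.2.1 51234 389\r\n"),
        ("203.0.113.5", b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"),  # start of an LDAP bind
    ]
    for peer, data in samples:
        try:
            print(f"peer {peer:12} -> client {client_address(peer, data)}")
        except ProxyRejected as exc:
            print(f"peer {peer:12} -> rejected: {exc}")
```

The security property rests entirely on the trusted list: any host on it can assert an arbitrary client address that ACIs will then honour, so keep nsslapd-haproxy-trusted-ip to the load balancers themselves and make sure those addresses cannot be spoofed on the path to the server.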
samba rebased to version 4.19.4
The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:
- Command-line options in the smbget utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See the smbget --help command and the smbget(1) man page for further details about the new options.
- If the winbind debug traceid option is enabled, the winbind service now additionally logs the following fields:
  - traceid: Tracks the records belonging to the same request.
  - depth: Tracks the request nesting level.
- Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
- The directory name cache size option was removed.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Identity Management API is now fully supported
The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2. Since RHEL 9.3, it has been fully supported.
Existing tools and scripts keep working even when the IdM API is enhanced, because the API supports multiple versions of its commands and these enhancements never change the behavior of a command in an incompatible way. This has the following benefits:
- Administrators can run a previous or later version of IdM on the server than on the managing client.
- Developers can use a specific version of an IdM call, even if the IdM version changes on the server.
Communication with the server remains possible even if one side uses, for example, a newer version that introduces new options for a feature.
NOTE: While the IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat recommends accessing the API with Python instead. Using Python automates important parts such as the metadata retrieval from the server, which allows listing all available commands.
4.14. The web console
RHEL web console can now generate Ansible and shell scripts
In the web console, you can now easily access and copy automation scripts on the kdump
configuration page. You can then use the generated script to implement a specific kdump
configuration on multiple systems.
Jira:RHELDOCS-17060[1]
Simplified managing storage and resizing partitions on Storage
The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
4.15. Red Hat Enterprise Linux system roles
The ad_integration
RHEL system role now supports configuring dynamic DNS update options
With this update, the ad_integration
RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:
- When the identity provider comes online (always).
- At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.
You can change these and other settings using the new variables in ad_integration
. For example, you can set ad_dyndns_refresh_interval
to 172800
to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/
directory.
Jira:RHELDOCS-17372[1]
The Storage RHEL system roles now support shared LVM device management
The RHEL system roles now support the creation and management of shared logical volumes and volume groups.
Microsoft SQL Server 2022 available on RHEL 9
The mssql-server system role is now available on RHEL 9. The role adds two variables:
- mssql_run_selinux_confined to control whether to run SQL Server as a confined application or not. If set to true, the role installs the mssql-server-selinux package. If set to false, the role removes the mssql-server-selinux package. The default setting is true for RHEL 9 managed nodes and false for other managed nodes.
- mssql_manage_selinux to control whether to configure SELinux. When set to true, the variable configures the enforcing or permissive mode based on the value of the mssql_run_selinux_confined variable.
The rhc
system role now supports RHEL 7 systems
You can now manage RHEL 7 systems by using the rhc
system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc
system role.
Using the rhc_insights.remediation
parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.
New RHEL system role for configuring fapolicyd
With the new fapolicyd
RHEL system role, you can use Ansible playbooks to manage and configure the fapolicyd
framework. The fapolicyd
software framework controls the execution of applications based on a user-defined policy.
The RHEL system roles now support LVM snapshot management
With this enhancement, you can use the new snapshot
RHEL system role to create, configure, and manage LVM snapshots.
The Nmstate API and the network RHEL system role now support new route types
With this enhancement, you can use the following route types with the Nmstate API and the network RHEL system role:
- blackhole
- prohibit
- unreachable
Jira:RHEL-19579[1]
The ad_integration
RHEL system role now supports custom SSSD domain configuration settings
Previously, when using the ad_integration
RHEL system role, it was not possible to add custom settings to the domain configuration section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can add custom SSSD settings to the domain configuration section.
The ad_integration
RHEL system role now supports custom SSSD settings
Previously, when using the ad_integration
RHEL system role, it was not possible to add custom settings to the [sssd]
section in the sssd.conf
file using the role. With this enhancement, the ad_integration
role can now modify the sssd.conf
file and, as a result, you can add custom SSSD settings to the [sssd] section.
New rhc_insights.display_name
option in the rhc
role to set display names
You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name
parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.
New logging_preserve_fqdn
variable for the logging
RHEL system role
Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging
system role. This update adds the optional logging_preserve_fqdn
variable, which you can use to set the preserveFQDN
configuration option in rsyslog
to use the full FQDN instead of a short name in syslog entries.
The logging
role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters with the logging
role. With this update, the logging
RHEL system role supports configuration of general queue parameters and general action parameters in output modules.
The postgresql
RHEL system role now supports PostgreSQL 16
The postgresql
RHEL system role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.
For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.
Support for creation of volumes without creating a file system
With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.
Similarly, you can remove an existing file system by using the same approach, provided that the storage role's safe mode is disabled (storage_safe_mode set to false), because safe mode refuses any operation that would destroy data.
Support for new ha_cluster system role features
The ha_cluster system role now supports the following features:
- Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A Resilient Storage subscription is needed to access the repository.
- Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
- Configuration of node attributes.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL system role.
Jira:RHEL-15876[1], Jira:RHEL-22106, Jira:RHEL-15910
ForwardToSyslog
flag is now supported in the journald
system role
In the journald
RHEL system role, the journald_forward_to_syslog
variable controls whether the received messages should be forwarded to the traditional syslog
daemon or not. The default value of this variable is false
. With this enhancement, you can now configure the ForwardToSyslog
flag by setting journald_forward_to_syslog
to true
in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log
files.
New rhc_insights.ansible_host
option in the rhc
role to set Ansible hostnames
You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host
parameter. When set, the parameter changes the ansible_host
configuration in the /etc/insights-client/insights-client.conf
file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.
New mssql_ha_prep_for_pacemaker variable
Previously, the microsoft.sql.server RHEL system role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker variable. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.
The sshd
role now configures certificate-based SSH authentications
With the sshd
RHEL system role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.
Use the logging_max_message_size
parameter instead of rsyslog_max_message_size
in the logging
system role
Previously, even though the rsyslog_max_message_size
parameter was not supported, the logging
RHEL system role was using rsyslog_max_message_size
instead of using the logging_max_message_size
parameter. This enhancement ensures that logging_max_message_size
is used and not rsyslog_max_message_size
to set the maximum size for the log messages.
ratelimit_burst
variable is only used if ratelimit_interval
is set in logging
system role
Previously, in the logging
RHEL system role, when the ratelimit_interval
variable was not set, the role would use the ratelimit_burst
variable to set the rsyslog ratelimit.burst
setting. But it had no effect because it is also required to set ratelimit_interval
.
With this enhancement, if ratelimit_interval
is not set, the role does not set ratelimit.burst
. If you want to set ratelimit.burst
, you must set both ratelimit_interval
and ratelimit_burst
variables.
selinux
role now prints a message when specifying a non-existent module
With this release, the selinux
RHEL system role prints an error message when you specify a non-existent module in the selinux_modules.path
variable.
selinux
role now supports configuring SELinux in disabled mode
With this update, the selinux
RHEL system role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
The metrics RHEL system role now supports configuring PMIE webhooks
With this update, you can automatically configure the global webhook_endpoint PMIE variable by using the metrics_webhook_endpoint variable of the metrics RHEL system role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.
The bootloader
RHEL system role
This update introduces the bootloader
RHEL system role. You can use this feature for stable and consistent configuration of bootloaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/
directory.
4.16. Virtualization
Virtualization is now supported on ARM 64
This update introduces support for creating KVM virtual machines on systems that use ARM 64 (also known as AArch64) CPUs. Note, however, that certain virtualization features and functionalities that are available on AMD64 and Intel 64 systems might work differently or be unsupported on ARM 64.
For details, see How virtualization on ARM 64 differs from AMD 64 and Intel 64.
External snapshots for virtual machines
This update introduces the external snapshot mechanism for virtual machines (VMs), which replaces the previously deprecated internal snapshot mechanism. As a result, you can create, delete, and revert to VM snapshots that are fully supported. External snapshots work more reliably both in the command-line interface and in the RHEL web console. This also applies to snapshots of running VMs, known as live snapshots.
Note, however, that some commands and utilities might still create internal snapshots. To verify that your snapshot is fully supported, ensure that it is configured as external
. For example:
# virsh snapshot-dumpxml VM-name snapshot-name | grep external
<disk name='vda' snapshot='external' type='file'>
RHEL now supports Multi-FD migration of virtual machines
With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
VM migration now supports post-copy preemption
Post-copy live migrations of virtual machines (VM) now use the postcopy-preempt
feature, which improves the performance and stability of these migrations.
Jira:RHEL-13004[1], Jira:RHEL-7100
Secure Execution VMs on IBM Z now support cryptographic coprocessors
With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597[1]
4th Generation AMD EPYC processors supported on KVM guests
Support for 4th Generation AMD EPYC processors (also known as AMD Genoa) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use 4th Generation AMD EPYC processors.
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
- Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the ~/.ssh/authorized_keys file of the designated non-root user on the newly created VM, which provides you with immediate SSH access to the specified user account.
- Select a pre-formatted block device type when creating a new storage pool. This is a more robust alternative to a physical disk device type, as it prevents unintentional reformatting of a raw disk device.
This update also changes some default behavior in the Virtual Machines page:
- In the Add disk dialog, the Always attach option is now set by default.
- The Create snapshot action now uses an external snapshot instead of an internal snapshot, which is deprecated in RHEL 9. External snapshots are more reliable and also work for raw images, not just for qcow2 images. You can also select a memory snapshot file location if you want to retain the memory state of the running VM.
Jira:RHELDOCS-17000[1]
virtio-mem
is now supported on AMD64 and Intel 64 systems
With this update, RHEL 9 introduces support for the virtio-mem
feature on AMD64 and Intel 64 systems. With virtio-mem
, you can dynamically add or remove host memory in virtual machines (VMs).
For more information on virtio-mem
, see: Adding and removing virtual machine memory by using virtio-mem
Jira:RHELDOCS-17053[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol has been removed in RHEL 9, VMs that use the SPICE protocol fail to start on a RHEL 9 host. For example, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration to RHEL 9.
Improved I/O performance for virtio-blk
disk devices
With this update, you can configure a separate IOThread for each virtqueue in a virtio-blk
disk device. This configuration improves performance for virtual machines with multiple CPUs during intensive I/O workloads.
VNC viewer correctly initializes a VM display after live migration of ramfb
This update enhances the ramfb
framebuffer device, which you can configure as a primary display for a virtual machine (VM). Previously, ramfb
was unable to migrate, which resulted in VMs that use ramfb
showing a blank screen after live migration. Now, ramfb
is compatible with live migration. As a result, you see the VM desktop display when the migration completes.
4.17. RHEL in cloud environments
RHEL instances on EC2 now support IPv6 IMDS connections
With this update, RHEL 8 and 9 instances on Amazon Elastic Compute Cloud (EC2) can use the IPv6 protocol to connect to the Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in an IPv6-only subnet.
New cloud-init clean option for deleting generated configuration files
The cloud-init clean --configs
option has been added for the cloud-init
utility. You can use this option to delete unnecessary configuration files generated by cloud-init
on your instance. For example, to delete cloud-init
configuration files that define network setup, use the following command:
cloud-init clean --configs network
Jira:RHEL-7311[1]
4.18. Containers
Podman now supports containers.conf modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the TOML format.
These modules are located in the following directories, or their subdirectories:
- For rootless users: $HOME/.config/containers/containers.conf.modules
- For root users: /etc/containers/containers.conf.modules, or /usr/share/containers/containers.conf.modules
You can load the modules on demand with the podman --module <your_module_name> command to override the system and user configuration files. Working with modules involves the following facts:
- You can specify modules multiple times by using the --module option.
- If <your_module_name> is an absolute path, the configuration file will be loaded directly.
- Relative paths are resolved relative to the three module directories mentioned previously.
- Modules in $HOME override those in the /etc/ and /usr/share/ directories.
For more information, see the upstream documentation.
Jira:RHELPLAN-167829[1]
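The lookup rules in that list, as an added example written for this page (not Podman's own code): a resolver that applies them to a constructed directory tree built under a temporary directory, so the precedence between $HOME, /etc and /usr/share and the error for a missing module can be checked without touching the real system directories. The module file names and their contents are invented.

```python
import os
import tempfile
from pathlib import Path

SYSTEM_MODULE_DIRS = [
    Path("/etc/containers/containers.conf.modules"),
    Path("/usr/share/containers/containers.conf.modules"),
]


def module_search_dirs(rootless=True, home=None, system_dirs=SYSTEM_MODULE_DIRS):
    """Directories consulted for a relative --module name, highest precedence first.

    Rootless users get their $HOME directory in front, so a module there shadows one
    of the same name under /etc, which in turn shadows /usr/share.
    """
    dirs = []
    if rootless:
        dirs.append(Path(home or os.path.expanduser("~")) / ".config/containers/containers.conf.modules")
    return dirs + list(system_dirs)


def resolve_modules(names, search_dirs):
    """Map each --module argument, in order, to the file that would be loaded.

    Absolute paths load directly; a relative name takes the first hit in search_dirs;
    a name found nowhere is an error rather than a silently skipped hardening module.
    Order matters because a later module overrides settings from an earlier one.
    """
    resolved = []
    for name in names:
        path = Path(name)
        if path.is_absolute():
            if not path.is_file():
                raise FileNotFoundError(f"module {name} does not exist")
            resolved.append(path)
            continue
        for directory in search_dirs:
            candidate = directory / path
            if candidate.is_file():
                resolved.append(candidate)
                break
        else:
            raise FileNotFoundError(f"module {name!r} not found in {[str(d) for d in search_dirs]}")
    return resolved


def build_demo_tree(root):
    """Constructed layout: harden.conf in both the user and the /etc tree, gpu.conf only under /usr/share."""
    root = Path(root)
    user_dir = root / "home/alice/.config/containers/containers.conf.modules"
    etc_dir = root / "etc/containers/containers.conf.modules"
    usr_dir = root / "usr/share/containers/containers.conf.modules"
    for directory in (user_dir, etc_dir, usr_dir):
        directory.mkdir(parents=True)
    (user_dir / "harden.conf").write_text('[containers]\nseccomp_profile = "/etc/containers/seccomp.json"\n')
    (etc_dir / "harden.conf").write_text("[containers]\n")
    (usr_dir / "gpu.conf").write_text("[containers]\n")
    return root / "home/alice", [etc_dir, usr_dir]


def resolve_in_demo_tree(names, rootless=True):
    """Resolve `names` against the constructed tree; returns paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        home, system_dirs = build_demo_tree(tmp)
        dirs = module_search_dirs(rootless=rootless, home=home, system_dirs=system_dirs)
        return [p.relative_to(tmp).as_posix() for p in resolve_modules(names, dirs)]


if __name__ == "__main__":
    print("rootless:", resolve_in_demo_tree(["harden.conf", "gpu.conf"]))
    print("root    :", resolve_in_demo_tree(["harden.conf"], rootless=False))
    try:
        resolve_in_demo_tree(["missing.conf"])
    except FileNotFoundError as exc:
        print("error   :", exc)
```

The practical consequence of the precedence rule is that a user-writable module can replace a system-provided hardening module of the same name; when you rely on modules to enforce a policy, pass them by absolute path or invoke Podman as root so the $HOME directory is not searched.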
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Notable bug fixes and enhancements over the previous version include:
Notable changes in Podman v4.9:
- You can now use Podman to load modules on demand by using the podman --module <your_module_name> command and to override the system and user configuration files.
- A new podman farm command with a set of the create, set, remove, and update subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures.
- A new podman compose command has been added, which runs Compose workloads by using an external compose provider such as Docker Compose.
- The podman build command now supports the --layer-label and --cw options.
- The podman generate systemd command is deprecated. Use Quadlet to run containers and pods under systemd.
- The podman build command now supports Containerfiles with the HereDoc syntax.
- The podman kube play command now supports a new --publish-all option. Use this option to expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167796[1]
The Podman v4.9 RESTful API now displays data of progress
With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the registry.
Jira:RHELPLAN-167823[1]
Toolbx is now available
With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi9.4/toolbox:latest
image.
Jira:RHELDOCS-16241[1]
SQLite is now fully supported as a default database backend for Podman
With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 9.4. If you upgrade from a previous RHEL version, the default backend is BoltDB.
If you have explicitly configured the database backend by using the database_backend
option in the containers.conf
file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168180[1]
Administrators can set up isolation for firewall rules by using nftables
You can use Netavark, a Podman container networking stack, on systems without iptables
installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables
installed. With this enhancement, the Netavark network stack works on systems with only nftables
installed and improves isolation of automatically generated firewall rules.
Jira:RHELDOCS-16955[1]
Containerfile now supports multi-line instructions
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.
For example, the original Containerfile can contain the following RUN directives:
RUN dnf -y update
RUN dnf -y install golang
RUN dnf -y install java
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF
dnf -y update
dnf -y install golang
dnf -y install java
EOF
Because the whole HereDoc body runs as a single shell script, start it with set -e if a failure on any line should fail the build; otherwise only the exit status of the last command decides whether the RUN step succeeds.
Jira:RHELPLAN-168185[1]
The gvisor-tap-vsock package is now available
The gvisor-tap-vsock package is an alternative to the libslirp user-mode networking library and VPNKit tools and services. It is written in Go and based on the network stack of gVisor. Compared to libslirp, the gvisor-tap-vsock library supports a configurable DNS server and dynamic port forwarding. You can use the gvisor-tap-vsock networking library for podman-machine virtual machines. The podman machine command for managing virtual machines is currently unsupported on Red Hat Enterprise Linux.
Jira:RHELPLAN-167396[1]