Chapter 7. Technology previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
7.1. Installer and image creation
NVMe over TCP for RHEL installation is now available as a Technology Preview
With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.
Jira:RHEL-10216[1]
Installation of bootable OSTree native containers is now available as a Technology Preview
The ostreecontainer
Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer
:
- graphical, text, or cmdline
- ostreecontainer
- clearpart, zerombr
- autopart
- part
- logvol, volgroup
- reboot and shutdown
- lang
- rootpw
- sshkey
-
bootloader - Available only with the
--append
optional parameter. - user
When you specify a group within the user command, the user account can be assigned only to a group that already exists in the container image. Kickstart commands not listed here are allowed to be used with ostreecontainer
command, however, they are not guaranteed to work as expected with package-based installations.
However, the following Kickstart commands are unsupported together with ostreecontainer
:
- %packages (any necessary packages must be already available in the container image)
-
url (if there is a need to fetch a
stage2
image for installation, for example, PXE installations, useinst.stage2=
on the kernel instead of providing a url forstage2
inside the Kickstart file) - liveimg
- vnc
- authconfig and authselect (provide relevant configuration in the container image instead)
- module
- repo
- zipl
- zfcp
Installation of bootable OSTree native containers is not supported in interactive installations that use partial Kickstart files.
Note: When customizing a mount point, you must define the mount point in the /mnt
directory and ensure that the mount point directory exists inside /var/mnt
in the container image.
Jira:RHEL-2250[1]
Boot loader installation and configuration via bootupd
/ bootupctl
in Anaconda is now available as a Technology Preview
As the ostreecontainer
Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd
/bootupctl
tool contained within the container image, even without an explicit boot loader configuration in Kickstart.
Jira:RHEL-17205[1]
The bootc image builder
tool is available as a Technology Preview
The bootc image builder
tool, now available as a Technology Preview, works as a container to easily create and deploy compatible disk images from the bootc
container inputs. After running your container image with bootc image builder
, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder
every time a new update is required.
Jira:RHELDOCS-17468[1]
A new rhel9/bootc-image-builder
container image is available as a Technology Preview
The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.
Jira:RHELDOCS-17733[1]
7.2. Security
gnutls
now uses kTLS as a Technology Preview
The updated gnutls
packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko
kernel module using the modprobe
command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt
for the system-wide cryptographic policies with the following content:
[global] ktls = true
Note that the current version does not support updating traffic keys through TLS KeyUpdate
messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.
Bugzilla:2108532[1]
OpenSSL clients can use the QUIC protocol as a Technology Preview
OpenSSL can use the QUIC transport layer network protocol on the client side with the rebase to OpenSSL version 3.2.2 as a Technology Preview.
Jira:RHELDOCS-18935[1]
The io_uring
interface is available as a Technology Preview
io_uring
is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled
sysctl variable to any one of the following values:
0
-
All processes can create
io_uring
instances as usual. 1
-
io_uring
creation is disabled for unprivileged processes. Theio_uring_setup
fails with the-EPERM
error unless the calling process is privileged by theCAP_SYS_ADMIN
capability. Existingio_uring
instances can still be used. 2
-
io_uring
creation is disabled for all processes. Theio_uring_setup
always fails with-EPERM
. Existingio_uring
instances can still be used. This is the default setting.
An updated version of the SELinux policy to enable the mmap
system call on anonymous inodes is also required to use this feature.
By using the io_uring
command pass-through, an application can issue commands directly to the underlying hardware, such as nvme
.
Jira:RHEL-11792[1]
7.3. RHEL for Edge
FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview
With this Technology Preview, FDO manufacturer-server
, onboarding-server
, and rendezvous-server
are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.
Jira:RHELDOCS-17752[1]
7.4. Shells and command-line tools
GIMP available as a Technology Preview in RHEL 9
GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp
package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.
In RHEL 9, you can install gimp
easily as an RPM package.
Bugzilla:2047161[1]
7.5. Infrastructure services
Socket API for TuneD available as a Technology Preview
The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf
file.
7.6. Networking
UDP encapsulation in packet offload mode is now available as a Technology Preview
With IPsec packet offload, the kernel can offload the entire IPsec encapsulation process to a NIC to reduce the workload. With this update, the packet offload has been improved by supporting User Datagram Protocol (UDP) encapsulation of ipsec
tunnels when in packet offload mode.
Jira:RHEL-30141[1]
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.
For further details, see Setting up a WireGuard VPN.
Bugzilla:1613522[1]
kTLS available as a Technology Preview
RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.
Bugzilla:1570255[1]
The systemd-resolved
service is available as a Technology Preview
The systemd-resolved
service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.
Note that systemd-resolved
is an unsupported Technology Preview.
The PRP and HSR protocols are now available as a Technology Preview
This update adds the hsr
kernel module that provides the following protocols:
- Parallel Redundancy Protocol (PRP)
- High-availability Seamless Redundancy (HSR)
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss redundancy in Ethernet networks.
Bugzilla:2177256[1]
NetworkManager and the Nmstate API support MACsec hardware offload
You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.
Note that this feature is an unsupported Technology Preview.
NetworkManager
enables configuring HSR and PRP interfaces
High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager
service through the nmcli
utility and the DBus message system.
Offloading IPsec encapsulation to a NIC is now available as a Technology Preview
This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.
Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to monitor and filter such packets.
Bugzilla:2178699[1]
The Soft-iWARP driver is available as a Technology Preview
Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.
Bugzilla:2023416[1]
rvu_af
, rvu_nicpf
, and rvu_nicvf
available as Technology Preview
The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:
rvu_nicpf
- Marvell OcteonTX2 NIC Physical Function driver
rvu_nicvf
- Marvell OcteonTX2 NIC Virtual Function driver
rvu_nicvf
- Marvell OcteonTX2 RVU Admin Function driver
Bugzilla:2040643[1]
Network drivers for modems in RHEL are available as Technology Preview
Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:
- Qualcomm MHI WWAM MBIM - Telit FN990Axx
- Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced
- Mediatek t7xx (WWAN) - Fibocom FM350GL
- Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem
Jira:RHELDOCS-16760[1], Jira:RHEL-6564, Bugzilla:2110561, Bugzilla:2123542, Bugzilla:2222914
Segment Routing over IPv6 (SRv6) is available as a Technology Preview
The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.
Bugzilla:2186375[1]
kTLS rebased to version 6.3
The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.3, kTLS was rebased to the 6.3 upstream version, and notable changes include:
- Added the support for 256-bit keys with TX device offload
- Delivered various bug fixes
Bugzilla:2183538[1]
7.7. Kernel
SGX available as a Technology Preview
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
Bugzilla:1660337[1]
python-drgn
available as a Technology Preview
The python-drgn
package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn
offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.
Jira:RHEL-6973[1]
The IAA crypto driver is now available as a Technology Preview
The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.
The iaa_crypto
driver, which offloads compression and decompression operations from the CPU, has been introduced in RHEL 9.4 as a Technology Preview. It supports compression and decompression compatible with the DEFLATE compression standard described in RFC 1951. The iaa_crypto
driver is designed to work as a layer underneath higher-level compression devices such as zswap
.
For details about the IAA crypto driver, see:
Jira:RHEL-20145[1]
7.8. File systems and storage
NVMe-oF Discovery Service features are now fully supported
The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014 was introduced in Red Hat Enterprise Linux 9.0 as a Technology Preview, is now fully supported. To preview these features, use the nvme-cli 2.0
package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.
Bugzilla:2021672[1]
nvme-stas
package available as a Technology Preview
The nvme-stas
package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf
) and Manual configuration.
This package consists of two daemons, Storage Appliance Finder (stafd
) and Storage Appliance Connector (stacd
).
Bugzilla:1893841[1]
7.9. Dynamic programming languages, web and database servers
A new nodejs:22
module stream available as a Technology Preview
A new module stream, nodejs:22
, is now available as a Technology Preview. A future update will provide a Long Term Support (LTS) version of Node.js 22
, which will be fully supported.
Node.js 22
included in RHEL 9.5 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 20
available since RHEL 9.3.
Notable changes include:
-
The
V8
JavaScript engine has been upgraded to version 12.4. -
The
V8 Maglev
compiler is now enabled by default on architectures where it is available (AMD and Intel 64-bit architectures and the 64-bit ARM architecture). -
Maglev
improves performance for short-lived CLI programs. -
The
npm
package manager has been upgraded to version 10.8.1. -
The
node --watch
mode is now considered stable. Inwatch
mode, changes in watched files cause theNode.js
process to restart. -
The browser-compatible implementation of
WebSocket
is now considered stable and enabled by default. As a result, a WebSocket client to Node.js is available without external dependencies. -
Node.js
now includes an experimental feature for execution of scripts frompackage.json
. To use this feature, execute thenode --run <script-in-package.json>
command.
To install the nodejs:22
module stream, enter:
# dnf module install nodejs:22
If you want to upgrade from the nodejs20
stream, see Switching to a later stream.
For information about the length of support for the nodejs
Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
7.10. Compilers and development tools
jmc-core
and owasp-java-encoder
available as a Technology Preview
RHEL 9 is distributed with the jmc-core
and owasp-java-encoder
packages as Technology Preview features for the AMD and Intel 64-bit architectures.
jmc-core
is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).
The owasp-java-encoder
package provides a collection of high-performance low-overhead contextual encoders for Java.
Note that since RHEL 9.2, jmc-core
and owasp-java-encoder
are available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content within CodeReady Linux Builder for more information.
libabigail
: Flexible array conversion warning-suppression available as a Technology Preview
As a Technology Preview, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:
[suppress_type] type_kind = struct has_size_change = true has_strict_flexible_array_data_member_conversion = true
Jira:RHEL-16629[1]
7.11. Identity Management
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
HSM support is available as a Technology Preview
Hardware Security Module (HSM) support is now available in Identity Management (IdM) as a Technology Preview. You can store your key pairs and certificates for your IdM CA and KRA on an HSM. This adds physical security to the private key material.
IdM relies on the networking features of the HSM to share the keys between machines to create replicas. The HSM provides additional security without visibly affecting most IPA operations. When using low-level tooling the certificates and keys are handled differently but this is seamless for most users.
Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.
You need the following:
- A supported HSM
- The HSM PKCS #11 library
- An available slot, token, and the token password
To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:
ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers -–token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra
Jira:RHELDOCS-17465[1]
LMDB database type is available in Directory Server as a Technology Preview
The Lightning Memory-Mapped Database (LMDB) is available in Directory Server as an unsupported Technology Preview.
Currently, you can use only the command line to migrate or install instances with LMDB.
To migrate existing instances from Berkeley Database (BDB) to LMDB, use the dsctl instance_name dblib bdb2mdb
command that sets the nsslapd-backend-implement
parameter value to mdb
. Note that this command does not clean up the old data. You can revert the database type by changing nsslapd-backend-implement
back to bdb
. For more details, see Migrating the database type from BDB to LMDB on an existing DS instance.
- Important
- Before migrating existing instances from BDB to LMDB, backup your databases. For more details, see Backing up Directory Server.
To create a new instance with the LMDB, you can use either of the following methods:
-
In the interactive installer, set
mdb
in the Choose whether mdb or bdb is used line. For more details, see Creating an instance using the interactive installer. -
In the
.inf
file, setdb_lib = mdb
in the [slapd] section. For more details, see Creating a.inf
file for a Directory Server instance installation.
Directory Server stores LMDB settings under the cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config
entry that includes with the following new configuration parameters:
nsslapd-mdb-max-size
sets the database maximum size in bytes.Important: Make sure that
nsslapd-mdb-max-size
is high enough to store all intended data. However, the parameter size must not be too high to impact the performance because the database file is memory-mapped.-
nsslapd-mdb-max-readers
sets the maximum number of read operations that can be opened at the same time. Directory Server autotunes this setting. -
nsslapd-mdb-max-dbs
sets the maximum number of named database instances that can be included within the memory-mapped database file.
Along with the new LMDB settings, you can still use the nsslapd-db-home-directory
database configuration parameter.
In case of mixed implementations, you can have BDB and LMDB replicas in your replication topology.
Jira:RHELDOCS-19061[1]
ACME available as a Technology Preview
The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.
In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert
profile when issuing ACME certificates. The validity period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire IdM deployment.
It is recommended to enable ACME only in an IdM deployment where all servers are running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause problems in mixed-version deployments. For example, a CA server without ACME can cause client connections to fail, because it uses a different DNS Subject Alternative Name (SAN).
Currently, RHCS does not remove expired certificates. Because ACME certificates expire after 90 days, the expired certificates can accumulate and this can affect performance.
To enable ACME across the whole IdM deployment, use the
ipa-acme-manage enable
command:# ipa-acme-manage enable The ipa-acme-manage command was successful
To disable ACME across the whole IdM deployment, use the
ipa-acme-manage disable
command:# ipa-acme-manage disable The ipa-acme-manage command was successful
To check whether the ACME service is installed and if it is enabled or disabled, use the
ipa-acme-manage status
command:# ipa-acme-manage status ACME is enabled The ipa-acme-manage command was successful
Bugzilla:2084181[1]
IdM-to-IdM migration is available as a Technology Preview
IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate
command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.
Jira:RHELDOCS-18408[1]
7.12. Desktop
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.
You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on 64-bit ARM. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit
) -
Firewall Configuration (
firewall-config
) -
Disk Usage Analyzer (
baobab
)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27394[1]
GNOME for the IBM Z architecture available as a Technology Preview
The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.
You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on IBM Z. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit
) -
Firewall Configuration (
firewall-config
) -
Disk Usage Analyzer (
baobab
)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27737[1]
7.13. The web console
The RHEL web console can now manage WireGuard connections
Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.
Jira:RHELDOCS-17520[1]
7.14. Virtualization
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.
Jira:RHELDOCS-17040[1]
AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines
As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.
In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.
RHEL 9.5 and later also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving its memory integrity protection, which helps prevent hypervisor-based attacks, such as data replay or memory re-mapping.
Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Similarly, SEV-SNP works only on 4rd generation AMD EPYC CPUs (codenamed Genoa) or later. Also note that RHEL 9 includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.
Jira:RHELPLAN-65217[1]
Intel TDX in RHEL guests
As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump
, and enabling TDX will cause kdump
to fail on the VM.
Bugzilla:1955275[1]
A unified kernel image of RHEL is now available as a Technology Preview
As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.
UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt
package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Bugzilla:2142102[1]
CPU clusters on 64-bit ARM
As a Technology Preview, you can now create KVM virtual machines that use multiple 64-bit ARM CPU clusters in their CPU topology.
Jira:RHEL-7043[1]
Live migrating a VM with a Mellanox virtual function is now available as a Technology Preview
As a Technology Preview, you can now live migrate a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.
This feature is currently available only on a Mellanox CX-7 networking device. The VF on the Mellanox CX-7 networking device uses a new mlx5_vfio_pci
driver, which adds functionality that is necessary for the live migration, and libvirt
binds the new driver to the VF automatically.
Jira:RHEL-13007[1]
7.15. RHEL in cloud environments
RHEL is now available on Azure confidential VMs as a Technology Preview
With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt
package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Jira:RHELPLAN-139800[1]
7.16. Containers
composefs
filesystem is available as a Technology Preview
composefs
is the default backend for container storage. The key technologies composefs
uses are:
- OverlayFS as the kernel interface
- Enhanced Read-Only File System (EROFS) for a mountable metadata tree
-
The
fs-verity
feature (optional) from the lower filesystem
Key advantages of composefs
:
-
Separation between metadata and data.
composefs
does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such asext4
,xfs
,btrfs
, and so on. -
Mounting multiple
composefs
with a shared storage. - Data files are shared in the page cache to enable multiple container images to share their memory.
-
Support
fs-verity
validation of the content files.
The podman-machine
command is unsupported
The podman-machine
command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.
Jira:RHELDOCS-16861[1]
A new rhel9/rhel-bootc
container image is available as a Technology Preview
The rhel9/rhel-bootc
container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, bootloader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.
Jira:RHELDOCS-17803[1]
Pushing and pulling images compressed with zstd:chunked
is available as a Technology Preview
The zstd:chunked
compression is now available as a Technology Preview.