Chapter 3. New features

Added Kickstart support for CA certificates to enable encrypted DNS configuration during installation

Support for the %certificate section in the Kickstart file is added to enable the installation of CA certificates into the installation program environment and the installed system. This simplifies the setup process and ensures that the encrypted DNS is operational after installation, reducing manual configuration and security gaps. The certificates are inlined in the Base64 ASCII format and imported through the --dir and --filename options. This enhancement facilitates encrypted DNS configuration as part of Zero Trust Architecture requirements. The encrypted DNS set up during installation ensures secure DNS resolution from the start, improving security and compliance in automated deployments.

RHEL image builder supports creating disk images with advanced partitioning

With this enhancement, RHEL image builderl gained more options for customizing partitioning and creating disk images with advanced partitioning layout. You can create disk images with custom mountpoints, including custom mount options, LVM-based partitions and LVM-based SWAP to, for example, change the size of the / and the /boot directories by using a blueprint file.

bootc-image-builder now supports creating image mode disk images with advanced partitioning

With this enhancement, the bootc-image-builder tool gained more options for customizing partitioning and creating disk images with advanced partitioning layout. You can use the bootc-image-builder tool to create disk images of image-mode RHEL with custom mountpoints, including custom mount options, LVM-based partitions and LVM-based SWAP to, for example, change the size of the / and the /boot directories by using the config.toml.

The bootc image builder tool is generally available in RHEL

The bootc image builder tool, now is generally available in RHEL, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.

pcsd now provides the --disable-polkit option

With this update, you can turn off loading the PolicyKit authorization framework by starting the pcsd service with the --disable-polkit option. Running pcsd without polkit enables accessing PKCS #11 devices in limited environments such as the initial RAM disk. As a result, the Clevis decryption client can use a PKCS #11 device for automated unlocking LUKS-encrypted volumes at boot time.

ssh now provides a link with additional details about SSH login error messages

In case of an early error, the ssh command-line tool provides a link to the Red Hat Customer Portal page that contains additional details about common error messages and steps for resolving them. This helps troubleshoot SSH login problems when you use interactive mode.

pkcs-tool now shows object URI

With this update, the pkcs11-tool -L and pkcs11-tool -O commands contain the uri: field in their outputs. You can use the URI information when configuring the pkcs11 Clevis pin for automated unlocking LUKS-encrypted drives with PKCS #11 devices.

CBC ciphers can now be blocked in crypto-policies

With this update, crypto-policies uses the openssl -CBC CipherString directive. As a result, CBC cipher suites are disabled in OpenSSL if none of them are enabled in crypto-policies.

nettle rebased to 3.10.1

The nettle library package has been rebased to upstream version 3.10.1. This version provides various bug fixes, optimizations and enhancements, most notably:

Rsyslog rebased to 8.2412.0

The rsyslog packages have been rebased to upstream version 8.2412.0 in RHEL 9.6. Among other fixes and enhancements, you can bind a ruleset to the imjournal module. With this optimization, log messages can be filtered and processed at the input stage, which reduces the load on the main message queue. This minimizes resource utilization and ensures smoother handling of high-volume logs.

OpenSCAP rebased to 1.3.12

The OpenSCAP packages have been rebased to upstream version 1.3.12. This version provides bug fixes and various enhancements. For additional information, see the OpenSCAP release notes.

Clevis rebased to version 21 with support for PKCS #11

The clevis packages have been upgraded to version 21. This version contains many enhancements and bug fixes, notably:

New Keylime policy management tool

The new keylime-policy tool integrates all management tasks of Keylime runtime policies and measured boot policies and improves the performance of generating policies.

SELinux assigns a particular type to /dev/hfi1_0

With this update, the hfi1_device_t type is assigned to the /dev/hfi1_0 device in the SELinux policy. As a result, SELinux can properly control access to the device.

Additional services confined in the SELinux policy

This update adds additional rules to the SELinux policy that confine the following systemd services:

SCAP Security Guide rebased to 0.1.76

For additional information, see the SCAP Security Guide release notes.

Keylime requires HTTPS for revocation notifications

The Keylime components require the use of the more secure HTTPS protocol for revocation notification webhooks instead of HTTP. As a consequence, the Keylime verifier now requires the revocation notification webhook server CA certificate. You can add it to the trusted_server_ca configuration option or add it to the system truststore.

Support for deploying image mode for RHEL systems by using FDO

With this enhancement, now you can deploy an image mode for RHEL systems by using the FIDO Device Onboarding (FDO) process, available as a Technology Preview, to deliver the configuration to this system. Include a Kickstart file in an ISO build to configure any part of the installation process except the base image deployment. If you use an ISO with a bootc container base image, bootc-image-builder automatically installs ostreecontainer, the command to install the container image. You can still configure anything, except the ostreecontainer command.

RHEL provides the greenboot package in version 0.15.8

The greenboot packages have been updated to version 0.15.8, which provides bug fixes and enhancements. Notable changes include:

Image mode for RHEL users can now use dnf --transient to perform package transactions that reset on reboot

Previously, Image mode for RHEL users could transiently install, remove, and upgrade packages by running the bootc usr-overlay command to unlock the system and then make changes by running DNF commands. If you use bootc usr-overlay, when the system reboots, the /usr directory overlay disappears and all changes made to it will reset. Changes to other directories, including configuration in /etc and program state in /var, persist across reboots.

Improved error message when using DNF on a locked OSTree or bootc system

OSTree and bootc systems cannot be managed by DNF by default. Previously, a DNF error message did not say that this was an expected behavior and how you could change it. With this update, DNF detects whether it runs on a read-only OSTree or bootc system and informs you where to find more details about how to manage such systems with DNF.

DNF Automatic can now notify users about a failed update

With this update, a new send_error_messages boolean option has been added to the [emitters] section of the /etc/dnf/automatic.conf configuration file. As a result, if you set send_error_messages to yes, the DNF Automatic tool notifies you about failed automatic updates by using an emitter configured in the emit_via option.

ignoreduplicates option is now available

With this enhancement, the ignoreduplicates option is added in the logrotate configuration. The option ignores any duplicate file paths in the logrotate configuration, and is not enabled by default.

maven-openjdk21 package is now available

RHEL supports running Maven with multiple Java versions, allowing users to select their preferred JDK. With this enhancement, a new maven-openjdk21 package has been added to enable seamless execution of Maven with OpenJDK 21. The notable changes include the following:

openCryptoki rebased to version 3.24.0

The openCryptoki packages are rebased to version 3.24.0. Support has been added for the following:

libva rebased to 2.22.0

The libva package is rebased to 2.22.0. Notable enhancement includes the following:

A new module stream maven 3.9 is available

A new update to the maven 3.9 package is now available. In version 3.9, maven is not compatible with maven 2. The notable enhancement include the following:

Multipath partner device is now supported

The drmgr is a utility for managing logical and physical hot plug capable resources. With this enhancement, drmgr supports hot plug addition and removal of a multipath drive.

Weak ciphers can be now disabled in CUPS configuration

Previously, when you disabled the weak cipher in the CUPS configurations, the configuration changes did not take effect. With this enhancement, if a user wants to disable a certain cryptographic algorithm via system policy, CUPS honors the system settings, if SSLOptions NoSystem is not in CUPS configuration files, and CUPS does not offer the system-wide disabled algorithm anymore.

Added support for E825C interface

Added support for Ethernet functionality of the E825C network interface for Intel Granite Rapids-D platform to the ice driver.

The i40e driver supports automatic reset behavior on MDD events

The Intel® Network Adapter Driver for PCIe* 40 Gigabit Ethernet can now reset problematic Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) when it detects a malicious driver detection (MDD) event. You can activate this automatic reset behavior through the new mdd-auto-reset-vf option as in the following example command:

NetworkManager now supports configuration of FEC encoding on NIC

With this enhancement, NetworkManager supports forward error correction (FEC) encoding support on the network interface controller (NIC). By disabling FEC encoding on NIC, you will have reduced overhead of redundant data transmission and lower latency of network traffic. Configure FEC settings on NIC by using the following steps:

NetworkManager can automatically add routes to DNS servers

With the ipv4.routed-dns parameter, you can configure NetworkManager so that name servers are reachable only through the correct network interface. Apart from systemd-resolved and dnsmasq backend DNS services in NetworkManager, other backend services do not support binding name servers to the correct network interface. As a result, you can use NetworkManager to add an explicit route to the name server through the related network interface.

NetworkManager can set ipv4.dhcp-send-hostname`to `false by default

With this feature, you can set the ipv4.dhcp-send-hostname option in NetworkManager to false for all IPv4 connections. To disable this option by default, add the configuration snippet to the /etc/NetworkManager/conf.d/99-no-hostname.conf file as follows:

NetworkManager supports ip-ping-addresses and ip-ping-timeout properties for the connection setting

With this enhancement, you can add an IP address to the ip-ping-addresses and set a timeout with ip-ping-timeout settings. As a result, you can ensure that remote services, such as network file system (NFS), are mounted only after the target network is reachable.

nmstate supports the require-id-on-certificate setting on Libreswan configuration

With this enhancement, libreswan, an implementation of Internet Protocol Security (IPsec) specification, now supports the require-id-on-certificate setting for VPN configurations by using NetworkManager. With this feature, you can configure Subject Alternative Name (SAN) validation by using the require-id-on-certificate option. As a result, this implementation correctly enforces SAN validation based on the specified setting:

NetworkManager DHCP Client supports IPv6-only preferred option for DHCPv4

With this enhancement, the IPv6-only preferred option for DHCPv4 is available for NetworkManager clients for the supported DHCP server. You can use this option in two ways: globally and locally. If enabled globally, this option allows and prioritizes only IPv6 addresses in dual networks that support both IPv4 and IPv6. If enabled locally by setting the ipv6.method disabled option, IPv4 addresses assigned manually are prioritized over DHCP addresses.

xdp-tools rebased to version 1.5.1

The xdp-tools package has been upgraded to version 1.5.1, which provides multiple enhancements and bug fixes. Notable changes include:

wpa_supplicant was rebased to version 2.11

The wpa_supplicant utility has been upgraded to version 2.11, which provides multiple bug fixes and enhancements. Notable changes include:

iproute2 rebased to version 6.11.0

The iproute2 package has been upgraded to version 6.11.0, which provides multiple bug fixes and enhancements. Notable changes include:

Bonding device supports IPsec HW offload with ESN

Previously, a bonding device did not support the IPSec Hardware HW offload feature with Extended Sequence Numbers (ESN). Consequently, setting up IPsec with HW offload and ESN failed on the bonding device. With this fix, you can setup IPsec HW offload with ESN on the bonding device, considering the bond ports already support this feature. As a result, the bonding device offloads IPsec traffic correctly.

New "drop reasons" in the VXLAN implementation

In this update of the RHEL kernel, visibility patches were introduced which add new "drop reasons" in the Virtual eXtensible Local Area Networking (VXLAN) implementation. Visibility patches are important for troubleshooting problems, and thanks to these additions most of the dropped packets in VXLAN now have a reason attached to provide extra context.

Network drivers for modems in RHEL are now fully supported

In the US, device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems.

nmstate now supports configuring IPvLAN

The nmstate API now supports configuring IPvLAN, a virtual network interface, that enhances network management and container networking.

Kernel version in RHEL 9.6

Red Hat Enterprise Linux 9.6 is distributed with the kernel version 5.14.0-570.12.1.

The eBPF facility has been rebased to Linux kernel version 6.12

Notable changes and enhancements include the following:

View the number of instances of each cgroup from cgroup.stat

For cgroup v2, the cgroup.stat control file is enhanced to show the number of instances of each cgroup subsystem in the unified hierarchy, including any dying ones.

kpatch-dnf plugin is updated with improved kernel management

With the updated kpatch-dnf plugin, kernel upgrades are closely aligned with kpatch support. Administrators gain the flexibility to focus kernel updates on those supported by kpatch, leading to more reliable system upgrades and overall stability.

Containerization of the rteval utility

With this update, you can run the rteval utility with all its runtime dependencies from a container image publicly available through the Quay.io container registry. This feature also enables you to, for example:

TPM_TIS rebased to upstream 6.7 for Lenovo hardware

This release introduces an updated version of the Trusted Platform Module (TPM) Integration Services (TPM_TIS) firmware to upstream version 6.7. This update addresses stability and security enhancements for RHEL 9.6.

kdump is rebased to 6.10

This update incorporates the latest improvements, bug fixes, and features from the 6.10 kernel related to crash dumping.

Landlock, a new Linux Security Module (LSM) is released

RHEL 9.6 introduces Landlock, a new security feature that makes your containers safer. Landlock sets strict rules for processes such as Podman to limit access to the file system through the kernel API, defining rules for themselves regardless of privilege level and allowing users to create hard limits over the accessible scope of the processes.

New integration testing to validate kdump procedures to prevent system failure

With this enhancement, you can check the log file for kdump procedures after any software or hardware updates to prevent system failure. After the analysis of the output log files, the configuration entries, such as memory issues or blacklist of some drivers, are corrected to validate the kdump procedures and generate the vmcore. This ensures that the kdump procedures are validated and corrected before a system crash after any software or hardware update.

New timerlat-interval INTV_US and cyclictest-interval INTV_US options

With this enhancement, you can use the following new options of the rteval command to modify the base or periodic interval option in running timerlat or cyclictest threads:

NVMf-FC kdump is now supported on the IBM Power

NVMf-FC kdump now supports the IBM Power system for running kexec-tools. This allows the capture of system memory dumps over a fiber channel network by using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.

GRUB Boot loader has been hardened in RHEL 9.6

This enhancement includes fixes for various security flaws discovered as part of a pro-active hardening effort in the GRUB2 code. This ongoing proactive fuzzing effort of the GRUB boot loader yielded several flaws and vulnerabilities, some of which were severe enough to be CVEs, such as the following:

EROFS file system is now supported

EROFS is a lightweight generic read-only file system suitable for various read-only use cases, such as embedded devices or containers. It provides deduplication and transparent compression as options for scenarios that require them.

snapm is now available in RHEL

Snapshot Manager (snapm) is a new component designed to assist in managing system state snapshots. You can use it to roll back updates or changes, and boot into previous system snapshots. Managing snapshots across multiple volumes and configuring boot entries for snapshot boot and snapshot rollback can often be complex and prone to errors. Snapshot Manager automates these common tasks and integrates seamlessly with Boom Boot Manager, simplifying the process. With this update, you can easily take snapshots of the system state, apply updates, and revert to the previous system state if necessary.

NFS with TLS is fully supported

Network File System (NFS) with Transport Layer Security (TLS), introduced in RHEL 9.4 as a Technology Preview, is now fully supported. This feature enhances NFS security by enabling TLS for Remote Procedure Call (RPC) traffic, ensuring encrypted communication between clients and servers. For details, see Configuring an NFS server with TLS support.

VFS mnt_idmap compile-time checking changes backported

This enhancement minimizes conflicts that might occur during the backporting of subsequent fixes or features. As a result, the risk of regressions with subsequent backports is reduced.

CIFS client provides the ability to create special files under SMB shares

Common Internet File System (CIFS) client has the ability to create native Server Message Block (SMB), Network File System (NFS) or Windows Subsystem for Linux (WSL) symlinks. Use the new symlink=default|none|native|unix|mfsymlinks|sfu|nfs|wsl mount option to either completely disallow creating symlinks or to select what kind of symlinks will be created by the client. You can also create special files, such as character devices, block devices, pipes, and sockets, through NFS or WSL reparse points by using the reparse=default|none|nfs|wsl mount option. To create native Windows sockets that are supported by Windows applications on NT File System (NTFS) volumes, use the nativesocket mount option.

Deleting multiple resources with a single pcs command

Before this update, the pcs resource delete, the pcs resource remove, the pcs stonith delete and the pcs stonith remove commands supported the removal of only one resource at a time. With this update, you can now delete multiple resources at once with a single command.

New pcs tag command option for displaying cluster resource tags in text, JSON, and command formats

The pcs tag [config] command now supports the --output-format option for the following use cases:

Support for exporting fencing level configuration in JSON format and as pcs commands

The pcs stonith config and the pcs stonith level config commands now support the --output-format= option to display the fencing level configuration in JSON format and as pcs commands.

Removing Booth cluster tickets from the CIB after removal from the Booth configuration

After you remove a Booth cluster ticket by using the pcs booth ticket remove command, the state of the Booth ticket remains loaded in the Cluster Information Base (CIB). This is also the case after you remove a ticket from the Booth configuration on one site and pull the Booth configuration to another site by using the pcs booth pull command. This might cause problems when you configure a ticket constraint, because a ticket constraint can be granted even after a ticket has been removed. As a consequence, the cluster might freeze or fence a node. As of RHEL 9.6, you can prevent this by removing a Booth ticket from the CIB with the pcs booth ticket cleanup command.

A new module stream: mysql:8.4

MySQL 8.4 is now available as a new module stream, mysql:8.4. Notable enhancements over the previously available version 8.0 include:

ARGON2 password hashing is supported in PHP 8.3

PHP 8.3 is now available as the php:8.3 module stream. With this enhancement, support for the ARGON2I and ARGON2ID password hashing algorithms, provided by the openssl extension, is now available.

nginx 1.26 module stream is now available

The nginx 1.26 module stream includes various bug fixes and enhancements. Notable changes include:

New php:8.3 module stream is now available

The RHEL 9.6 adds PHP 8.3 as a new php:8.3 module stream. Notable enhancements include:

LLVM Toolset updated to 19.1.7

LLVM Toolset has been updated to version 19.1.7.

The llvm-doc package now contains only a reference to the upstream documentation.

In previous versions, the llvm-doc package contained the LLVM documentation in HTML format. With this update, the package provides only the /usr/share/doc/llvm/html/index.html file which contains a reference to the upstream documentation.

Clang and LLVM now support zstd for debug section compression

By default, Clang and LLVM tools use Zlib as the algorithm for debug section compression. With this enhancement, users can alternatively use the Zstandard (zstd) algorithm which can reach a higher compression rate than Zlib.

Rust Toolset rebased to version 1.84.1

Rust Toolset has been updated to version 1.84.1. Notable enhancements since the previously available version 1.79.0 include:

PCP rebased to version 6.3.2

Performance Co-Pilot (PCP) has been updated to version 6.3.2. Notable changes over the previously available version 6.2.2 include:

The glibc library contains improved IBM POWER10 optimizations

With this enhancement, hardware support for the IBM POWER10 platform has been improved in the glibc library. As a result, the performance of the strcmp() and memchr() APIs has been significantly improved on this platform.

valgrind rebased to version 3.24.0

The valgrind suite has been updated to version 3.24.0. Notable enhancements include:

libabigail rebased to version 2.6

The libabigail library has been updated to version 2.6. Notable changes include:

SystemTap rebased to version 5.2

The SystemTap tracing and probing tool has been updated to version 5.2.

elfutils rebased to version 0.192

The elfutils package has been updated to version 0.192. Notable improvements include:

The ld linker now detects if an application uses read, write, and execute permissions for a memory region

A memory region with read, write, and execute permissions at the same time is a potential point of attack because a buffer overflow can allow executable code to be injected into the memory and then executed.

The ld linker now detects if an application uses an executable stack

A stack that is held in an executable region of memory is a potential point of attacks if, due to a buffer overrun, executable code is placed there.

binutils now supports the arch15 extension of the IBM Z instruction set

With this enhancement, binutils supports the arch15 extensions of CPUs on the IBM Z platform. Developers can now use the new features provided by the arch15 extension in assembler source files or, when an updated compiler is available, also in compiled programs. This can result in smaller and faster programs.

The boost-devel package provides BoostConfig.cmake and other official CMake scripts

This enhancement adds BoostConfig.cmake and other official CMake scripts to the boost-devel package. CMake uses these scripts in some cases to test if boost features exists. As a result, CMake projects that test for boost features work now more robustly.

Go Toolset rebased to version 1.23

Go Toolset has been updated to version 1.23. Notable enhancements include:

glibc now supports the GB18030-2022 encoding standard

This enhancement updates the support of the GB18030 encoding standard in glibc from version 2005 to 2022. With version 2022, you can use 31 new transcoding relationships and the additional characters and code points introduced by this standard.

Go Toolset rebased to version 1.24.4

Go Toolset has been updated to version 1.24.4 with the release of the RHSA-2025:10676 advisory.

New tool to manage IdM ID range inconsistencies

With this update, Identity Management (IdM) provides the ipa-idrange-fix tool. You can use ipa-idrange-fix tool to analyze existing IdM ID ranges, identify users and groups outside these ranges, and propose to create new ipa-local ranges to include them.

Kerberos now supports the Elliptic Curve Diffie-Hellman key agreement algorithm

The Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm for PKINIT, as defined by RFC5349, is now supported. With this update, the pkinit_dh_min_bits setting in krb5.conf`file can now be configured with `P-256, P-384, or P-521 to use ECDH by default.

ansible-freeipa rebased to 1.14.5

The ansible-freeipa package has been rebased from version 1.13.2 to version 1.14.5. Notable enhancements and bug fixes include:

389-ds-base has been rebased to version 2.6.1

The 389-ds-base package has been rebased to version 2.6.1. Notable bug fixes and enhancements over version 2.5.2 include:

openldap has been rebased to version 2.6.8

The openldap package has been updated to version 2.6.8. The update includes various enhancements and bug fixes, including:

The new memberOfDeferredUpdate: on/off configuration attribute is now available in Directory Server

With this update, Directory Server introduces the new memberOfDeferredUpdate configuration attribute for the MemberOf plug-in. When set to on, the MemberOf plug-in defers the update of group members resulting in improved server responsiveness, especially if the group changes impact a large number of its members.

Directory Server now provides buffering of the error, audit, and audit fail logs

Before this update, only the access and security logs had log buffering. With this update, Directory Server provides buffering of the error, audit, and audit fail logs. Use the following settings to configure log buffering:

Directory Server now can update passwords with the CRYPT or CLEAR hashing algorithm after a successful bind

Before this update, Directory Server had a hard-coded list of hashing algorithms that were excluded from the password update during successful binds. Directory Server did not update user passwords that had the CRYPT or CLEAR hashing algorithm configured in the passwordStorageScheme attribute.

HSM is now fully supported in IdM

Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store your key pairs and certificates for your IdM Cerificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.

New SSSD option: exop_force

You can use the exop_force option to force a password change even if no grace logins are left. Previously, SSSD did not attempt password changes if the LDAP server indicated that there were no grace logins remaining. Now, if you set ldap_pwmodify_mode = exop_force in the [domain/…​] section of the sssd.conf file, SSSD tries to change the password even if no grace logins are left.

Support for group merging added in authselect

If you are using the authselect utility, you no longer need to manually edit the nssswitch.conf file to enable group merging. With this update, It is now integrated into authselect profiles, eliminating the need for manual changes.

Support for dynamic DoT updates in SSSD

SSSD now supports performing all dynamic DNS (dyndns) queries using DNS-over-TLS (DoT). You can securely update DNS records when IP addresses change, such as Identity Management (IdM) and Active Directory servers. To enable this functionality, you must install the nsupdate tool from the bind9.18-utils package.

New variable in the postfix RHEL system role: postfix_default_database_type

The postfix system role can determine the default database type used by postfix and export it as a variable postfix_default_database_type. As a result, you can set configuration parameters based on the default database type.

New variables in the microsoft.sql.server system role: mssql_tools_versions and mssql_tls_self_sign

The new mssql-tools18 package brings functionality that is not backwards-compatible with the previous versions of the mssql-tools package. Therefore the following variables have been added to the microsoft.sql.server system role to adapt to the changes:

New RHEL system role: aide

You can use the new aide RHEL system role for detecting unauthorized changes to files, directories, and system binaries. With this role, you can accomplish, for example, the following tasks:

New variable in the sudo RHEL system role: sudo_check_if_configured

The sudo RHEL system role has the following variable:

The microsoft.sql.server system role enables AES 128-bit and AES 256-bit encryption for AD users

Since version 1.1.83, the adutil utility supports the Kerberos protocol with AES 128-bit and AES 256-bit encryption when creating and modifying an Active Directory (AD) user. With this update, the microsoft.sql.server system role automates enabling AES 128-bit and AES 256-bit encryption provided by the Kerberos protocol when creating or modifying AD users. As a result, manual post-configuration tasks are not necessary.

The systemd RHEL system role can manage user units in addition to system units

With this update, the systemd RHEL system role can also manage user units. For each unit file or unit specified in systemd_unit_files, or systemd_unit_file_templates, or systemd_started_units and so on, you can add a user: name if you want that file or unit to be managed for the given user. The default is root which is used for system units.

Support for exporting corosync configuration of an existing cluster

The ha_cluster RHEL system role supports exporting the corosync configuration of an existing cluster in a format that can be fed back to the role to recreate the same cluster. If you did not use the ha_cluster RHEL system role to create your cluster, or if you have lost the original playbook for the cluster, you can use this feature to build a new playbook for the cluster.

The podman RHEL system role can manage the quadlet units of type Pod

The podman utility of version 5 added support for Pod quadlet types. Consequently, the podman RHEL system role enables you to also manage the quadlet units of type Pod.

New property added to the network RHEL system role network_connections variable: autoconnect_retries

There is no fine-grained control over the number of automatic retries to reconnect a network connection in the network RHEL system role. This limitation could be problematic for certain use cases where extending the retry process is critical, particularly in environments with unstable networks. The autoconnect_retries property added to the to the network_connections role variable configures how many times NetworkManager attempts to reconnect a network connection after an autoconnect failure. As a result, the network RHEL system role allows configuring the number of automatic reconnection attempts after an autoconnect failure by using the autoconnect_retries property in the network_connections variable. This enhancement provides greater control over network stability and performance, especially in environments with unstable networks.

New property added to the network RHEL system role network_connections variable: wait_ip

This update provides added support for the wait_ip property of the ip option in the network_connections role variable. The property specifies if the system should consider the network connection as activated only when a specific IP stack is configured. You can configure wait_ip with the following values:

The metrics RHEL system role supports Valkey as an alternative to Redis

This update provides added support for the Valkey in-memory data structure store for the metrics RHEL system role. It is an alternative to Redis, which is no longer open source and is being removed from Linux distributions. Valkey is typically used as a high-performance caching layer. It stores data in memory, which accelerates applications by caching frequently accessed data. Additionally, you can use Valkey for other performance-critical operations, for example:

New variable in the logging RHEL system role: logging_custom_templates

The following variable has been added to the logging RHEL system role:

sshd RHEL system role validates commands and configurations

The sshd role uses the quote command when using the command or shell plugins to ensure you can use these commands safely. The role also validates certain user-supplied role variables passed to these plugins. This improves the security and robustness of using the role because, without validation, user-supplied variables that contain white space could split and not function correctly.

KVM on IBM Z now supports more than one boot device

Guest operating systems running on KVM on IBM Z hosts can attempt booting from additional devices when the primary boot device is not bootable. This feature is supported for the following device types:

Virtual machines supported in RHEL for Real Time

This update introduces full support for real-time virtualization in RHEL for Real Time. You can configure the host and guest operating systems to achieve low-latency and deterministic behavior for virtual machines (VMs). This makes real-time VMs suitable for applications that require real-time performance, such as industrial automation, telecommunications, and automotive systems.

Newly supported features for virtual machines on 64-bit ARM hosts

The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture, also known as aarch64:

virt-install now supports creating VMs with SEV-SNP

You can now use the virt-install utility to create a virtual machine (VM) that uses the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature. To do so, use the launchSecurity sev-snp,policy=0x30000 option.

Support for VM live migration with shared virtiofs directory that provides write access to other parties

With this update, you can live migrate a virtual machine (VM) with a virtiofs shared directory, even if multiple other parties, such as the host and other VMs, have write access to that directory.

Virtualization support for IBM z17 processors

With this update, virtualization on RHEL adds support for the IBM z17 CPUs. As a result, virtual machines hosted on an IBM Z system with RHEL can now use new features that the z17 processors provide.

Retrievable secrets are supported for Secure Execution on IBM Z

With this update, you can use generalized host-based secrets for cryptographic devices in Secure Execution virtual machines (VMs) on IBM Z. As a result, it is no longer needed to store secrets in an initramfs image when configuring Secure Execution, which simplifies creating a secure VM image. Note that this feature is currently only supported on IBM z17 processors.

Virtualization support for Intel Xeon v6 processors

With this update, virtualization on RHEL 9 adds support for the Intel Xeon v6 processors, formerly known as Sierra Forest. As a result, virtual machines hosted on RHEL 9 can now use the SierraForest CPU model and use new features that the processors provide.

RHEL supports live migrating a VM with a Mellanox virtual function

With this update, you can perform live migration of a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.

Intel TDX in RHEL guests

The Intel Trust Domain Extension (TDX) feature is now fully supported in RHEL 9.5 and later when used as a guest operating system. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 guests, called trust domains (TDs). This increases the isolation of the RHEL guest from the host, and makes it significantly more difficult for the host to access the data on the RHEL guest.

Unified Kernel Image for RHEL is fully supported

Unified Kernel Image (UKI) for RHEL, which was introduced in RHEL 9.2 as a Technology Preview, is now fully supported. To use RHEL UKI, you must first install the kernel-uki-virt package. RHEL UKI can enhance SecureBoot protection in virtualized and cloud environments.

WSL images of RHEL 8 - 10 are available on the Customer Portal

RHEL 8, RHEL 9, and RHEL 10 images for the Windows Subsystem for Linux (WSL) can now be downloaded from the Red Hat Customer Portal. These images are available for all RHEL subscriptions, including no-cost developer subscriptions. By using the WSL images, you can create RHEL instances on your Windows system.

RHEL on HPE can run up to 4096 vCPUs

With this feature, a RHEL virtual machine (VM) instance running with the RHEL KVM hypervisor on Hewlett Packard Enterprise Compute Scale-Up Server now supports up to 4096 virtual CPUs, 32 sockets, and 64 TB of memory to handle in-memory databases and other large compute intensive workloads.

Enhanced automatic registration for eligible RHEL images

When purchasing certain eligible cloud marketplace subscriptions for RHEL 9.6 or later and for RHEL 10.0 or later, an improved version of the auto-registration function is available.

The plugin option names now use only hyphens instead of underscores

To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.

The --api-url option is now available

With the --api-url option you can call another API as required. For example, the API for an OpenShift Container Platform cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions.

The new --skip-cleaning-files option is now available

The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.

Podman supports pushing and pulling images compressed with zstd:chunked

You can push images compressed with the zstd:chunked format to reduce the image size and use partial pulls.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. The Buildah has been updated to version 1.39.0, Skopeo has been updated to version 1.18.0. Podman v5.4 contains the following notable bug fixes and enhancements over the previous version:

Enhanced health check output configuration is now available in Podman

Podman now offers enhanced configurability for health check outputs on a per-container basis. Before this update, health check outputs were limited to the five most recent executions, each capped at 500 characters, accessible only by using the podman inspect command. You can now adjust the amount of health check output stored for each container, allowing for more comprehensive debugging information when needed. This feature is particularly beneficial for diagnosing intermittent health check failures without disrupting the running service. Additionally, to address concerns about sensitive data and storage efficiency, you can opt to limit or disable health check output storage for specific containers.

Deploying a container image by using a single command is now available

You can deploy a container image into a RHEL cloud instance by using a signal command. The system-reinstall-bootc command installs performs the following actions:

Creating custom bootc images from scratch is now supported

You can create bootc images from scratch and fully control the contents of the image and tailor the system environment to meet specific requirements. With the bootc-base-imgectl command, you can create custom bootc images based on an existing bootc base image. Bootc Image from Scratch are derived from container images and do not automatically receive updates from the default base image. To include such updates, you must incorporate them manually as part of your container pipeline. Additionally, you can use the rechunk subcommand in bootc-base-imgectl on any bootc container image to optimize or restructure the image as needed.

A new image build progressing bar available for bootc-image-builder

Previously, you could not check if an image build was progressing by looking into the logs. With this enhancement, you can check the progress of the image build that you created by using bootc-image-builder. You can revert to the previous behavior by using the --progress=verbose argument when building images.

The command-line assistant powered by RHEL Lightspeed is generally available in RHEL

The command-line assistant powered by RHEL Lightspeed is available within the RHEL command line. The generative AI that powers the assistant is trained on information from the RHEL product documentation and Red Hat Knowledgebase, and can help you to understand, configure, and troubleshoot your RHEL systems in a more accessible way, whether you are new to RHEL or already an experienced user.

The command line assistant supports using the systemd-creds as a password store manager

The command-line assistant powered by RHEL Lightspeed integrates command line assistant daemon (clad) by using the systemd-creds, a password store manager shipped with RHEL. This means that you can securely store your passwords by using databases such as PostgreSQL or MySQL as your history backend. As a result, you can use the tool for listing, showing, encrypting and decrypting unit credentials in a secure manner.