Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.7.
4.1. Installer and image creation
New boot menu entry for fips=1 added to ISO installations
With this update, the DVD and Boot ISO image installations provide a new boot menu entry that sets the fips=1 kernel boot option. This simplifies the process, because enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and that the required continuous self-tests are in place from the start. By using this boot menu entry, you start the installation with the fips=1 kernel parameter and can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.
The blueprint file customization now supports a URI field for referencing files from external sources
This update adds the URI field support to the blueprint file customization structure. As a result, you can reference and source files from external locations rather than only those included directly in the blueprint, providing more flexible customization of the build system and a more adaptable build experience.
Jira:RHELDOCS-21016[1]
RHEL image builder supports a new image type vagrant-libvirt for vagrant
With this update, RHEL image builder supports the libvirt hypervisor, and you can easily run RHEL virtual machines by using Vagrant. This enhancement provides pre-configured images to ensure a consistent and streamlined setup. It also grants sudo privileges to the vagrant user within the Vagrant box, making it easier to manage and execute administrative tasks. These enhancements deliver a more efficient and seamless experience when working with RHEL virtual machines in Vagrant environments.
Jira:RHELDOCS-21025[1]
RHEL Image Builder GUI supports modularized content discovery
Starting from RHEL 9.7, RHEL Image Builder Graphical User Interface (GUI) supports modularized content discovery. This capability introduces the following enhancements:
- When creating RHEL OS images, you can use the RHEL Image Builder GUI to discover and include modularized content from various repositories, including RHEL AppStream and third-party repositories, for example, Extra Packages for Enterprise Linux (EPEL).
- Enhanced modularity support in RHEL. Application Streams leverage DNF modularity and modulemd metadata to provide flexible package management. You can specify version streams and use-case profiles in the modules, with support for default streams and profiles.
- DNF modularity implementation updates. The @ character syntax for specifying RPM groups enables and installs module streams, providing compatibility for kickstart files.
Jira:RHELDOCS-21026[1]
RHEL Image Builder now supports WSL2 images
You can now use the RHEL image builder to create Windows Subsystem for Linux 2 (WSL2) images. The image type is available in the wsl format, and to consume the image, deploy it by double-clicking the generated file.
Jira:RHELDOCS-20633[1]
A new rhel9/bootc-image-builder container image is generally available in RHEL
The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.
Jira:RHELDOCS-17733[1]
The bootc-image-builder tool is generally available in RHEL
The bootc-image-builder tool, now generally available in RHEL, works as a container to easily create and deploy compatible disk images from bootc container inputs. After running your container image with bootc-image-builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with bootc, instead of having to regenerate the content with bootc-image-builder every time a new update is required.
Jira:RHELDOCS-17468[1]
composefs read-only file system supports bootc/ostree and podman projects
The composefs read-only file system is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images at runtime. As a result, you have a fully verified file-system tree mounted, with opportunistic fine-grained sharing of identical files.
Jira:RHEL-18157[1]
4.2. Security
NSS rebased to 3.112
The NSS cryptographic toolkit packages have been rebased to upstream version 3.112, which provides many improvements and fixes. Most notably, the following:
- Added support for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), which is a post-quantum cryptography (PQC) standard.
- Added support for hybrid key exchange with the MLKEM1024 key encapsulation mechanism in TLS (the NSS SSL library).
The following known issues occur in this version:
- Updating the NSS database password corrupts the ML-DSA seed. For more information, see RHEL-114443.
RHEL 9.7 crypto-policies supports post-quantum cryptography
With this update of the system-wide cryptographic policies, you can enable support for post-quantum cryptography (PQC) through the new PQ subpolicy. The most notable changes in RHEL 9.7 crypto-policies include:
- After you apply the PQ subpolicy, for example, by using the update-crypto-policies --set DEFAULT:PQ command, the hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and pure Module-Lattice-Based Digital Signature Algorithm (ML-DSA) post-quantum cryptographic algorithms are enabled in the LEGACY, DEFAULT, FUTURE, and FIPS cryptographic policies with the highest priorities.
- The PQC algorithms are enabled for the Sequoia PGP tool in all policies with the PQ subpolicy.
- The new OpenSSL group selection syntax prioritizes post-quantum groups over classical ones if you enable the PQ subpolicy. You can revert this behavior only by disabling all PQ groups.
- The ML-DSA-44, ML-DSA-65, and ML-DSA-87 PQC algorithms are enabled for NSS TLS connections in all cryptographic policies with the PQ subpolicy.
- The PQ subpolicy also enables the mlkem768x25519, secp256r1mlkem768, and secp384r1mlkem1024 hybrid ML-KEM groups for NSS TLS negotiations.
Jira:RHEL-91839, Jira:RHEL-103963, Jira:RHEL-106866, Jira:RHEL-103786, Jira:RHEL-97764
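Applying the PQ subpolicy changes what OpenSSL offers, but the check a practitioner wants is which group a server actually negotiated. The following shell script is added here as an example; it is not part of the release notes or of the crypto-policies project. It parses the summary that recent OpenSSL 3.x versions of openssl s_client print ("Negotiated TLS1.3 group: <name>") and classifies the group as a hybrid ML-KEM group or a classical one. The host and port arguments and the list of group spellings (OpenSSL form such as X25519MLKEM768 and the crypto-policies form such as mlkem768x25519) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the RHEL release notes): classify the TLS group a
# server negotiated and flag whether it is one of the hybrid ML-KEM groups that
# the PQ subpolicy enables. Group spellings and the host/port are assumptions.

# Return 0 if the group name is a hybrid ML-KEM group, 1 otherwise. Accepts
# both the OpenSSL spelling (X25519MLKEM768) and the crypto-policies spelling
# (mlkem768x25519) by comparing case-insensitively.
is_pq_group() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        x25519mlkem768|mlkem768x25519|secp256r1mlkem768|secp384r1mlkem1024|x448mlkem1024)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Read `openssl s_client` output on stdin and print the negotiated group name,
# or "none" when the summary line is absent (handshake failed or TLS < 1.3).
negotiated_group() {
    grp=$(sed -n 's/^Negotiated TLS1\.3 group: *//p' | head -n 1)
    printf '%s\n' "${grp:-none}"
}

# Read `openssl s_client` output on stdin and print one verdict:
# "pq-hybrid", "classical" or "none".
classify_handshake() {
    grp=$(negotiated_group)
    if [ "$grp" = none ]; then
        echo none
    elif is_pq_group "$grp"; then
        echo pq-hybrid
    else
        echo classical
    fi
}

# Live use, only when a host is given and openssl exists:
#   ./pqcheck.sh example.com 443
if [ $# -ge 1 ] && command -v openssl >/dev/null 2>&1; then
    host=$1; port=${2:-443}
    echo "" | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | classify_handshake
fi
```

Run it once before and once after update-crypto-policies --set DEFAULT:PQ against a server that supports hybrid groups: the verdict should move from classical to pq-hybrid, which confirms that the group ordering described above took effect for the OpenSSL client.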
OpenSSL rebased to 3.5
OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:
- Added support for the ML-KEM, ML-DSA, and SLH-DSA post-quantum algorithms.
- Added the hybrid ML-KEM algorithms to the default TLS group list.
- Enhanced TLS configuration options.
- Added support for the QUIC transport protocol as specified in IETF RFC 9000.
- Added support for opaque symmetric key objects in the form of the EVP_SKEY data structure.
- Disabled the SHA-224 digest.
- SHAKE-128 and SHAKE-256 implementations no longer have a default digest length. Therefore, these algorithms cannot be used with the EVP_DigestFinal() or EVP_DigestFinal_ex() function unless the xoflen parameter is set.
- Added a capability for a client to send multiple key shares in TLS 1.3 connections.
Jira:RHEL-80854[1]
OpenSSL supports sslkeylogfile
OpenSSL supports the sslkeylogfile format for TLS. As a result, you can log all secrets produced by TLS connections by setting the SSLKEYLOGFILE environment variable to a file path. The file uses the NSS key log format, which tools such as Wireshark read to decrypt captured traffic.
Enabling the SSLKEYLOGFILE variable poses an explicit security risk. Recording the session secrets of a TLS session allows anyone with read access to the file to decrypt application traffic sent over that session. Use this feature only in test and debug environments, and make sure the variable is not set in the environment of production services.
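Because a forgotten SSLKEYLOGFILE silently exports every session's secrets, a practitioner wants a way to find it on a running host. The following shell script is added here as an example; it is not part of the release notes or of OpenSSL. It scans the environment of every running process for the variable and reports the PID and the key log path. The procfs root is a parameter so that the same logic runs against the constructed look-alike tree the script builds at the end; on a live host, run it as root against /proc, because the environ file of another user's process is not readable otherwise.

```sh
#!/bin/sh
# Added example, not part of the release notes: find running processes that
# were started with SSLKEYLOGFILE set, which on a production host means TLS
# session secrets are being written to disk. The procfs root is a parameter so
# the logic can be exercised on a constructed tree as well as on a live /proc.

# Print "<pid> <path>" for every process whose environment contains
# SSLKEYLOGFILE. Argument: procfs root (default /proc). Unreadable environ
# files (other users' processes when not running as root) are skipped.
find_keylog_procs() {
    root=${1:-/proc}
    for env in "$root"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pid=$(basename "$(dirname "$env")")
        # environ is NUL-separated; turn it into lines before matching.
        path=$(tr '\000' '\n' < "$env" 2>/dev/null | sed -n 's/^SSLKEYLOGFILE=//p')
        [ -n "$path" ] && printf '%s %s\n' "$pid" "$path"
    done
    return 0
}

# Constructed /proc look-alike for demonstration (not real process data):
# pid 101 carries the variable, pid 202 does not. Prints the directory.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    printf 'PATH=/usr/bin\000SSLKEYLOGFILE=/tmp/tls-secrets.log\000HOME=/root\000' > "$d/101/environ"
    printf 'PATH=/usr/bin\000HOME=/home/app\000' > "$d/202/environ"
    printf '%s\n' "$d"
}

fake=$(make_fake_proc)
find_keylog_procs "$fake"      # prints: 101 /tmp/tls-secrets.log
rm -rf "$fake"
```

On a real system, call find_keylog_procs with no argument; every line it prints is a process whose TLS traffic can be decrypted by anyone who can read the named file, so treat a non-empty result on a production host as an incident to investigate.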
Hybrid ML-KEM cryptography works in FIPS mode
With this release, Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) post-quantum cryptographic algorithms are supported in FIPS mode of RHEL. OpenSSL is able to fetch the Elliptic Curve Diffie-Hellman (ECDH) part of the new hybrid post-quantum groups from the FIPS provider when the system is running in FIPS mode. As a result, the OpenSSL library uses FIPS-compliant cryptography for the ECDH part of the hybrid post-quantum key exchanges. When you set the system to the FIPS:PQ cryptographic policy, the hybrid post-quantum groups are enabled and used by default by OpenSSL servers and clients.
crypto-policies support Ed25519 in NSS
With this update to the system-wide cryptographic policies, support for Ed25519, the Edwards-curve Digital Signature Algorithm (EdDSA) variant over Curve25519 with SHA-512, is available for Network Security Services (NSS). As a result, crypto-policies enable Ed25519 in the DEFAULT, LEGACY, and FUTURE policies for NSS by default.
New package: rust-rpm-sequoia
RHEL 9.7 introduces the rust-rpm-sequoia package to support quantum-resistant signatures in RPM packages through the multisig DNF plug-in. This addition enables you to verify OpenPGP v6 signatures in RPM packages signed with post-quantum cryptographic (PQC) algorithms.
Jira:RHEL-126412[1]
SCAP Security Guide rebased to 0.1.78
For additional information, see the SCAP Security Guide release notes.
The SELinux policy adds rules and type for the qgs daemon
The qgs daemon was added to RHEL with the linux-sgx package, which supports TDX confidential virtualization. The qgs daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new qgs_t type, access rules, and permissions.
Three RHEL services removed from SELinux permissive mode
The following SELinux domains for RHEL services have been removed from SELinux permissive mode:
- powerprofiles_t
- samba_bgqd_t
- switcheroo_control_t
Previously, these services from packages recently added to RHEL were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.
Jira:RHEL-82674[1]
tuned-ppd confined in the SELinux policy
RHEL 9.7 adds additional rules to the SELinux policy that confine the tuned-ppd service. Before this update, the service ran with the unconfined_service_t SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule. With this update, the service is no longer unconfined and runs successfully in SELinux enforcing mode.
Keylime rebased to version 7.12.1
The Keylime packages have been rebased to upstream version 7.12.1. The most important fixes and enhancements include:
- Fixed CVE-2025-1057, a vulnerability in the registrar component of version 7.12.0.
- Added support for named measured boot policies, which makes policy organization easier.
- Fixed resource handling in webhook operations.
- Fixed certificate generation to follow the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) standards according to RFC 5280.
SELinux assigns a particular type to /dev/diag
With this update, the diagnostic_device_t type is assigned to the /dev/diag device in the SELinux policy. As a result, SELinux can properly control access to the device.
Jira:RHEL-95342[1]
OpenSSL PKCS #11 provider adds support for Kx=RSA ciphers
This update of the OpenSSL PKCS #11 provider enables the use of PKCS #11 tokens with OpenSSL without relying on deprecated functionality. It resolves the unsupported RSA padding mode issue, so cipher suites that use RSA key exchange (Kx=RSA) work with hardware security modules (HSMs) on RHEL 9. As a result, TLS 1.2 connections that use OpenSSL with PKCS #11 tokens no longer fail during the handshake and provide secure communication.
New package: fips-provider-next
The fips-provider-next package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the openssl-fips-provider package is the validated OpenSSL FIPS provider. To switch from openssl-fips-provider to fips-provider-next:
# dnf swap openssl-fips-provider fips-provider-next
Rsyslog imuxsock provides the new ratelimit.discarded counter
With this update, the imuxsock Rsyslog module includes a new counter, ratelimit.discarded, which tracks the number of messages dropped due to rate-limiting on the Unix socket. This enhancement provides administrators with visibility into message loss due to rate-limiting, enabling them to fine-tune their rate-limiting settings and prevent critical logs from being discarded.
Rsyslog imfile provides the new deleteStateOnFileMove option
With this update, the new deleteStateOnFileMove parameter has been added to the imfile module, available as both a module-level and a per-action option. This enhancement addresses the issue of orphaned state files accumulating in the spool/ directory when monitored log files are rotated or moved. By enabling this parameter, you can automatically clean up these obsolete files when log files are moved, preventing disk space from being wasted and simplifying management.
Jira:RHEL-92262[1]
4.3. Subscription management
Simplified status for systems registered to SCA-enabled organizations
Before this update, when registered to a Simple Content Access (SCA) enabled organization, the subscription-manager status command reported Overall Status: Disabled and System Purpose Status: Disabled. Because this status was confusing and often misinterpreted as an error, the status report has been simplified. Now the Overall Status reports either Registered or Not registered and System Purpose Status has been eliminated.
For more information on SCA, see Simple Content Access.
Jira:RHEL-84890[1]
4.4. Software management
dnf4 can be used to run DNF commands
With this update, you can enter either dnf or dnf4 to run DNF commands.
DNF can verify RPMv6 signatures on RPM packages
Package signatures guarantee the integrity and origin of software. However, a cryptographically relevant quantum computer would break the classical asymmetric algorithms, such as RSA, on which current signatures rely. With this update, you can use the new multisig DNF plugin to verify RPMv6 signatures on RPM packages, in addition to standard RPMv4 signatures. RPMv6 signatures can be based on quantum-safe algorithms, such as ML-DSA.
To verify RPMv6 signatures, you can install the multisig plugin through the python3-dnf-plugin-multisig RPM package.
Successful verification is a prerequisite for installing, reinstalling, upgrading, or downgrading packages from a repository that has the gpgcheck option set to True.
createrepo_c supports zstd
This enhancement adds support for the Zstandard (zstd) compression algorithm for createrepo_c commands. As a result, createrepo_c can read and generate metadata compressed with zstd.
dnf marks transient transactions in DNF history
The dnf history info command now shows whether a transaction was persistent or transient. As a result, it is easier to keep track of package changes, especially on systems with many transient packages.
RPM records a checksum of the original package during installation
With this update, RPM records the SHA256 and SHA512 digests of the entire .rpm package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific .rpm file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of .rpm packages, such as the ones available in a DNF repository.
To print the package digests of an installed package, use the following command:
$ rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" <package_name>
You can also customize which digest types are recorded in the database by configuring the new %_pkgverify_digests macro. Its value is a colon-separated list of RPM hash algorithm IDs; for example, 8:10 selects SHA256 (8) and SHA512 (10), the pair described above:
%_pkgverify_digests 8:10
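The following shell script is added here as an example; it is not taken from the release notes or from RPM. It turns the query above into an end-to-end check: it fetches the digest that RPM recorded for an installed package, hashes a candidate .rpm file with the same algorithm, and reports whether the two match. It assumes that the hashalgo column prints as SHA256 or SHA512 and that sha256sum and sha512sum are available; the self-test at the end uses a constructed file in place of a real .rpm so that the comparison logic runs without an RPM database.

```sh
#!/bin/sh
# Added example, not from the release notes or RPM: compare the package digest
# recorded in the RPM database at install time with the digest of a .rpm file
# on disk, so you can prove that the installed package is bit-for-bit the one
# in your repository. rpm_recorded_digest() needs rpm; verify_against() is the
# pure comparison and is what the constructed self-test exercises.

# Print "<ALGO> <hex>" lines for an installed package (requires rpm).
rpm_recorded_digest() {
    rpm -q --qf '[%{packagedigestalgos:hashalgo} %{packagedigests}\n]' "$1"
}

# Digest a file with the algorithm RPM reported. Arguments: algorithm name
# as rpm prints it (SHA256 or SHA512), file path. Prints the lowercase hex.
file_digest() {
    case "$1" in
        SHA256) sha256sum "$2" | cut -d' ' -f1 ;;
        SHA512) sha512sum "$2" | cut -d' ' -f1 ;;
        *) echo "unsupported digest algorithm: $1" >&2; return 2 ;;
    esac
}

# Read "<ALGO> <hex>" lines on stdin and compare each with the given .rpm
# file. Prints "<ALGO> match" or "<ALGO> MISMATCH (...)" per line and returns
# 0 only if every recorded digest matched and none used an unknown algorithm.
verify_against() {
    rpmfile=$1; rc=0
    while read -r algo hex; do
        [ -n "$algo" ] || continue
        actual=$(file_digest "$algo" "$rpmfile") || { rc=1; continue; }
        if [ "$actual" = "$hex" ]; then
            echo "$algo match"
        else
            echo "$algo MISMATCH (db=$hex file=$actual)"; rc=1
        fi
    done
    return $rc
}

# Live use: verify_installed <package_name> </path/to/package.rpm>
verify_installed() {
    rpm_recorded_digest "$1" | verify_against "$2"
}

# Constructed self-test: a throwaway file stands in for the .rpm, and the
# "database" line is built from its real SHA256 so the match path is taken.
selftest() {
    f=$(mktemp)
    printf 'not a real rpm\n' > "$f"
    good=$(sha256sum "$f" | cut -d' ' -f1)
    printf 'SHA256 %s\n' "$good" | verify_against "$f"        # SHA256 match
    printf 'SHA256 %s\n' deadbeef | verify_against "$f" || echo "mismatch detected as expected"
    rm -f "$f"
}
```

In practice, run verify_installed against the .rpm downloaded with dnf download for every package you care about and alert on any MISMATCH line: the digest covers the whole package file, so a differing value means the installed content did not come from that exact .rpm.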
RPM supports spec-local file attributes and dependency generators
File attributes and their dependency generators are usually shipped in separate packages that you must install prior to building a package that uses these attributes. However, you might need a file attribute to take effect during the build of the package that ships this attribute. You might also need the file attribute just for building the package, without shipping the attribute at all.
With this update, you can register spec-local file attributes and generators by performing the following actions:
- Define the %_local_file_attrs macro. %_local_file_attrs accepts a colon-separated list of new attribute names to register directly in your spec file.
- Define one or more dependency generator macros for each attribute, such as %__NAME_provides or %__NAME_path, where NAME is the name of the local file attribute.
RPM then uses the file attributes for dependency generation when the spec file is built. As a result, you can create build-time file attributes that are not necessarily meant for installation.
For example, the following spec file snippet generates the provides for each packaged file by using the foobar.sh script bundled with your package’s sources:
Source1: foobar.sh
[...]
%define _local_file_attrs foobar
%define __foobar_provides %{SOURCE1}
%define __foobar_path .*
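The spec snippet points %__foobar_provides at a script but does not show what such a script must do. The following shell script is added here as an example; it is not from the release notes or from RPM, and the foobar.sh it stands in for is hypothetical. rpmbuild runs a provides generator with the paths of the files matched by %__foobar_path on its standard input, one per line, and turns every line the generator prints on standard output into a Provides: entry. The directory it filters on, the foobar(<name>) provide format, the .plugin suffix, and the --generate flag (which you would add to the macro as %{SOURCE1} --generate) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the release notes or RPM: a minimal provides
# generator of the kind the %__foobar_provides macro could point at (a
# hypothetical foobar.sh). rpmbuild feeds the generator the paths matched by
# %__foobar_path on stdin, one per line, and turns each line it prints on
# stdout into a Provides: entry of the subpackage that owns the file.

# Read file paths on stdin and emit "foobar(<name>)" for files under
# /usr/share/foobar/; ignore everything else. The directory, the provide
# name, and the .plugin suffix are assumptions made for this illustration.
gen_provides() {
    while read -r path; do
        case "$path" in
            /usr/share/foobar/*)
                name=${path##*/}          # basename of the file
                name=${name%.plugin}      # alpha.plugin -> alpha
                [ -n "$name" ] && printf 'foobar(%s)\n' "$name"
                ;;
        esac
    done
    return 0
}

# With --generate (as the spec macro would invoke it) read rpmbuild's stdin;
# otherwise run on a constructed path list so the output can be seen without
# a build.
case "${1:-}" in
    --generate)
        gen_provides ;;
    *)
        printf '%s\n' /usr/share/foobar/alpha.plugin /usr/bin/foobar /usr/share/foobar/beta \
            | gen_provides ;;   # prints foobar(alpha) and foobar(beta)
esac
```

A generator must print nothing for files it does not recognise and must never fail on unexpected input: rpmbuild treats a non-zero exit as a build error, and a stray line on stdout becomes a bogus dependency in the package.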
New $releasever_major and $releasever_minor variables
The new $releasever_major and $releasever_minor variables are available to better support the Extra Packages for Enterprise Linux (EPEL) repository and other repositories that distribute content per major version of RHEL instead of per minor version. These variables are automatically derived from the $releasever variable or the system-release(releasever_major) and system-release(releasever_minor) virtual provides. As a result, you can use $releasever_major and $releasever_minor to create repository configuration files that work across multiple major or minor versions of RHEL.
4.5. Shells and command-line tools
openCryptoki provided in version 3.25.0
The openCryptoki packages are provided in version 3.25.0. Support has been added for the following:
In EP11:
- PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
- PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
- PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
- Opaque secure key blob import via C_CreateObject
In ICA/Soft:
- PKCS#11 v3.0 SHAKE key derivation
- The CKM_AES_KEY_WRAP[_*] mechanisms
- The CKM_ECDH_AES_KEY_WRAP mechanism
- Key wrapping with AES-GCM
In CCA:
- CCA AES CIPHER secure key types
- The CKM_ECDH1_DERIVE mechanism
- Newer CCA versions on s390x and non-s390x platforms
- CKM_AES_GCM for single-part operations only
- CCA/Soft/ICA: The CKM_RSA_AES_KEY_WRAP mechanism.
- P11KMIP: Added a tool for importing and exporting PKCS#11 keys to a KMIP server.
- ICA: Report mechanisms depending on whether libica is in FIPS mode.
Jira:RHEL-73344[1]
GIMP rebased to 3.0.4
The GNU Image Manipulation Program (GIMP) has been rebased to stable upstream version 3.0.4 in RHEL 9.7.
Jira:RHEL-40106[1]
4.6. Infrastructure services
RHEL is now equipped with dyninst version 13.0.0
The dyninst framework is rebased to upstream version 13.0.0. This version offers the following enhancements:
- Improved support for AMD GPU binaries.
- Improved parsing of x86 instructions and C++ DWARF constructs.
For more information, see the upstream documentation.
RHEL is now equipped with SystemTap version 5.3
SystemTap is rebased to version 5.3, and its multithreaded parsing capability now improves startup performance by reducing initialization time by several seconds.
elfutils is now rebased to version 0.193
elfutils 0.193 is now available in RHEL 9.7. The notable changes in this update include:
- The debuginfod server now supports CORS (webapp access) in the web API and provides a --cors option. The new --listen-address option binds the HTTP listen socket to a specific IPv4 or IPv6 address. The debuginfod client now caches x-debuginfod-* HTTP headers alongside downloaded files.
- The libdw library adds the dwarf_language and dwarf_language_lower_bound functions, with improved support for DWARF 6 language metadata and new language constants for Nim, Dylan, Algol68, V, and Mojo. The dwarf_srclang function is forward-compatible with DWARF 6 language constants.
- The libdwfl_stacktrace experimental interface can unwind stack samples into call chains and cache ELF data for multiple processes. This interface initially supports perf_events stack sample data and is provided as a Technology Preview.
- The libelf library has a more robust implementation of elf_scnshndx for ELF files with more than 64K sections.
- The readelf tool improves handling of corrupt ELF data. The output of the --section-headers option now includes a key that explains the section flag meanings.
valgrind has been upgraded to upstream version 3.25.1
The upgrade from version 3.24.0 (RHEL 9.6) to the upstream version 3.25.1 (RHEL 9.7) provides the following notable enhancements:
- Added support for zstd-compressed debug sections.
- Extended support to Linux syscalls: landlock*, io_pgetevents, open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, userfaultfd.
- Enhanced file-descriptor tracking: --track-fds=yes and --track-fds=all apply the same behavior to inherited file descriptors as to standard input, standard output, and standard error.
- New option --modify-fds=high (use with --track-fds=yes) allocates higher-numbered descriptors first to help detect descriptor reuse issues.
- Helgrind configuration: warnings for pthread_cond_signal and pthread_cond_broadcast with an unlocked mutex are now controlled by --check-cond-signal-mutex=yes|no (default: no).
Architecture-specific enhancements:
- New IBM Z (s390x) NNPA hardware support.
valgrind package split into subpackages for flexible installation
Before this update, the valgrind package included all components in a single package. As a consequence, you had to install features that you did not need.
With this update, the valgrind package has been split into multiple subpackages. As a result, you can install only the components you require, such as the core valgrind functionality, postprocessing scripts, GDB integration, or documentation.
Jira:RHEL-75468[1]
Valkey 8 is now available
Valkey 8, an advanced key-value store, is now available in RHEL. It functions as a data structure server, allowing keys to store various data types, for example:
- Strings
- Hashes
- Lists
- Sets
- Sorted sets
Valkey is compatible with existing Redis clients and serves as an alternative to Redis.
Jira:RHEL-89978[1]
fs.protected_regular and fs.protected_fifos sysctls parameters are enabled by default
The fs.protected_regular and fs.protected_fifos sysctl parameters were added to the RHEL 9 kernel to make some data spoofing attacks harder: with them enabled, a process cannot open an existing regular file or FIFO with O_CREAT in a world-writable sticky directory such as /tmp unless the file is owned by the opener or by the directory owner. Now these parameters are enabled by default, which improves the security of installations. If an application depends on the previous behavior, you can disable the parameters by adding the following lines to the /etc/sysctl.d/60-protected.conf file, at the cost of re-exposing the system to those attacks:
fs.protected_regular = 0
fs.protected_fifos = 0
Jira:RHEL-50534[1]
The BrowseOptionsUpdate directive is now available in RHEL
The BrowseOptionsUpdate directive determines the source and update frequency of default printing options. It specifies whether the system retrieves options from a local system or a remote printing server, and if it updates them at service startup, at certain intervals, or not at all.
You can now add the BrowseOptionsUpdate directive and its value to the /etc/cups/cups-browsed.conf file to achieve the required behavior. The directive accepts these values:
- None (default): A local file, created from previous sessions, loads the default options.
- Static: The cups-browsed service retrieves the default options from the remote server when it starts.
- Dynamic: The system updates the default options according to the BrowseInterval value, also defined in the /etc/cups/cups-browsed.conf file.
Note: You need to restart the cups-browsed service after changing the BrowseOptionsUpdate directive value.
Jira:RHEL-6519[1]
RHEL 9.7 provides gpsd in version 3.26.1
In RHEL 9.7, the gpsd tools package is provided in version 3.26.1. This version offers improved support for u-blox receivers.
Jira:RHEL-90132[1]
4.7. Networking
Nmstate can assign settings to network interfaces based on PCI addresses
With this enhancement, you can use Nmstate to set up network interfaces based on their PCI address instead of a device name. Use this feature to ensure consistent configuration across nodes in a cluster. For further details, see Configuring an Ethernet connection with a dynamic IP address by using nmstatectl with a device path and Configuring an Ethernet connection with a static IP address by using nmstatectl with a device path.
Bond configurations in Nmstate support optimization settings
With this enhancement, the Nmstate API supports the following bond options:
- lacp_active: Defines whether the Linux kernel periodically sends Link Aggregation Control Protocol Data Unit (LACPDU) frames. You can use this setting only in the 802.3ad bond mode.
- ns_ip6_target: Lists the IPv6 addresses to use as IPv6 monitoring peers when you set the arp_interval parameter to a value larger than 0.
As a result, administrators can use these settings to optimize a network bond to ensure stable connections, efficient bandwidth, and IPv6 compatibility.
nmtui now supports configuring the loopback interface
NetworkManager already supports configuring the loopback interface by using the nmcli utility. This enhancement adds the same functionality to the nmtui application. As a result, you can configure IP addresses and routes on the loopback interface.
The NetworkManager-libreswan plugin supports using the Libreswan default values
With this enhancement, you can set the no-nm-default property in Libreswan VPN connection profiles to true to use Libreswan’s default values instead of NetworkManager’s. This ensures compatibility with configurations defined for native Libreswan. As a result, you can now, for example, configure subnet-to-subnet tunnels.
NetworkManager now supports fixed subnet IDs for downstream interfaces when using IPv6 prefix delegation
With this enhancement, you can now specify a fixed subnet ID for downstream interfaces in NetworkManager when you use IPv6 prefix delegation. In previous releases, when you rebooted the system, the subnet ID for these interfaces could change. With a fixed subnet ID, IPv6 addresses assigned to devices in the downstream network do not change when you reboot the RHEL host.
An NBFT parser was added to nm-initrd-generator
NVMe Boot Firmware Table (NBFT) is a standard method for firmware to pass network and storage configuration from the pre-boot environment directly to the operating system by using an ACPI table. The nm-initrd-generator utility now uses this parser to automatically detect and apply this configuration, and creates the necessary connections without manual setup. This implementation replaces the 95nvmf module in dracut and relies on systemd automation for a more streamlined and robust boot sequence.
Nmstate now supports configuring FEC settings for network interfaces
With this enhancement, you can now use Nmstate to apply Forward Error Correction (FEC) modes, such as RS-FEC, Base-R and Disabled to interfaces. These settings are crucial for improving data transmission reliability by detecting and correcting errors without retransmission. As a result, you can now use Nmstate to apply FEC settings instead of manually configuring them or using platform-specific tools.
Jira:RHEL-80725[1]
Nmstate now supports the mtu and quickack route options
With this enhancement, you can use Nmstate to set the mtu and quickack route options. These settings are important for optimizing the network performance if the maximum transmission unit is different from the default and for tuning the TCP acknowledgment behavior. As a result, you now have more precise control over network traffic behavior.
The mlx5 driver now supports symmetric OR-XOR RSS hash
With this enhancement, the mlx5 driver’s default input transform (xfrm) for Receive Side Scaling (RSS) is now symmetric-or-xor.
Because of this new default, modifying the rx-flow-hash setting by using the ethtool utility now requires one of the following actions:
- Set rx-flow-hash to a value that is compatible with symmetric hashing: sdfn, sd, or fn.
- Set xfrm to none before setting a different rx-flow-hash value, for example:
# ethtool -X enp0s1 xfrm none
# ethtool -N enp0s1 rx-flow-hash udp4 n
Jira:RHEL-73517[1]
ModemManager rebased to version 1.22
The ModemManager packages have been upgraded to upstream version 1.22. This version includes bug fixes and support for additional devices.
For a complete list of changes, see the upstream release notes.
Nmstate now supports egress and ingress priority mapping for VLAN interfaces
NetworkManager already supports configuring traffic priority mapping for VLAN interfaces. With this enhancement, the Nmstate library can also handle both egress and ingress priority quality of service (QoS) mapping rules. As a result, you can use Nmstate to create VLANs and define bidirectional priority mapping, helping manage traffic more precisely and efficiently.
Nmstate now supports configuring routes by using a MAC address instead of an interface name
With Nmstate, you can create a network connection by assigning it to the MAC address of an interface. With this enhancement, you can use the profile name instead of the interface name in the next-hop-interface parameter in the routing configuration. With this feature, you can create static routes without knowing the interface name.
New network packet drop reasons and MIB counters
The kernel’s networking stack now provides more detailed reasons when it drops network packets. This enhancement also adds two new Management Information Base (MIB) counters: LINUX_MIB_PAWS_TW_REJECTED and LINUX_MIB_PAWS_OLD_ACK. As a result, debugging and diagnosing network problems is now easier.
Jira:RHEL-88890[1]
The fwctl subsystem has been added to the kernel
If the kernel lock-down feature is enabled, the kernel does not allow access to resource0 files in the /sys/ directory and PCI config spaces for security reasons. The fwctl kernel subsystem manages communication with the firmware in software-defined devices, such as the mlx5 network interface controller. This subsystem establishes a standardized and secure Remote Procedure Call (RPC) interface, that enables user-space applications to interact with device firmware for diagnostics, configuration, and updates. In addition to the new subsystem, the mstflint utility now also uses the fwctl subsystem, and the utility functions fully in these secure environments.
Jira:RHEL-86016[1]
The ice driver now supports reducing the MSI-X vector usage for a PF to free vectors for associated VF
With this enhancement, you can now reduce the Message Signaled Interrupts eXtended (MSI-X) vectors allocated to a physical function (PF) to ensure that a sufficient number of vectors are available for associated virtual functions (VFs). For details, see Reducing the MSI-X vector usage for a physical function to free vectors for associated virtual functions.
Jira:RHEL-63642[1]
iproute rebased to version 6.14.0
The iproute package has been updated to upstream version 6.14.0.
Notable enhancements:
- The ip nexthop command supports 16-bit nexthop weights.
- The ip link rmnet command supports flag handling.
- The ip lwtunnel command supports setting and getting the 'tunsrc' attribute.
- The ip monitor command adds support for monitoring multicast addresses (ip monitor maddress).
- The ip rule command supports the 'dscp' selector.
- The ip rule command supports flow labels.
- The ip route command supports IPv6 flow labels.
- The ip address and ip link show commands support the 'down' filter.
- The tc flower filter supports matching on tunnel metadata.
- The tc fq queuing discipline supports the TCA_FQ_OFFLOAD_HORIZON attribute.
- The tc utility supports the Hold/Release mechanism in Time-Sensitive Networking (TSN) as specified in the IEEE 802.1Q-2018 standard.
- The rdma monitor command adds support for monitoring Remote Direct Memory Access (RDMA) events.
- The vdpa utility supports setting the MAC address.
- Several man pages were improved.
Notable bug fixes:
- Some memory leaks were fixed.
- The error checking of the ip netconf command was fixed to prevent unnecessarily strict errors.
- Custom iproute2 settings in the /etc/iproute2/ directory work as expected.
4.8. Kernel
Kernel version in RHEL 9.7
Red Hat Enterprise Linux 9.7 is distributed with the kernel version 5.14.0-611.5.1.
Added support for virtio devices
Before this update, virtio devices inside of KVM guests were all listed as type generic-ccw. With this enhancement, you can easily identify which device type is connected at which device number by using the lszdev command:
This enhancement also introduces additional chpstat fixes for Red Hat Enterprise Linux 9.4 and 9.6, improving DPU utilization scaling in reports (s390utils and s390-tools).
Jira:RHEL-73342[1]
kpatch-dnf plugin is updated with improved kernel management
Before this update, the kpatch-dnf plugin did not align kernel upgrades with kpatch support. As a consequence, administrators might install or upgrade to kernels that were not supported by kpatch, thereby increasing the risk of running unsupported kernels and reducing system stability.
With this update, the kpatch-dnf plugin enables administrators to focus kernel updates on those supported by kpatch. As a result, system upgrades are more reliable, and overall stability is improved.
Jira:RHEL-85579[1]
Arm SPE support extended to Neoverse-V2 and Cortex CPUs in the kernel
The Arm SPE feature support in kernel has been extended to include Neoverse-V2 and Cortex CPUs. As a result, users can now access Arm SPE capabilities for improved observability and analysis when running workloads on Neoverse-V2 and Cortex CPUs.
Jira:RHEL-60216[1]
Intel Arrow Lake U RAPL energy events support in kernel
Before this update, the Intel Arrow Lake U microarchitecture did not support RAPL (Running Average Power Limit) energy performance counters in the kernel package. As a result, users could not monitor or measure energy consumption for Arrow Lake U systems using standard perf tooling.
With this update, support for RAPL energy events is added for Arrow Lake U in the kernel package. The perf tool identifies power consumption events for Arrow Lake U platforms. You can now monitor energy usage for CPU cores, GPUs, packages, and system domains.
Jira:RHEL-53585[1]
Added support for core energy counters in kernel
The kernel supports per-core energy measurement on AMD CPUs. The Power Management Unit (PMU) exposes the power_core PMU and the energy-core event so that you can monitor energy consumption for each CPU core. This enhancement aligns with AMD per‑core energy counter capabilities.
Jira:RHEL-52654[1]
Perf support for Intel Clearwater Forest core counters
Before this update, you could not monitor hardware events on Intel Clearwater Forest CPUs by using perf core counters. With this update, the perf package recognizes the Clearwater Forest Performance Monitoring Unit (PMU). It provides named core events, including Topdown Level 1 metrics, such as front‑end bound, back‑end bound, retiring, and slots. Perf also uses architectural process event‑based sampling (PEBS) on this microarchitecture to provide low‑overhead sampling of selected events. As a result, you can collect core counter data and perform Top-down analyses on Clearwater Forest systems.
Jira:RHEL-47454[1]
Adaptive PEBS enables counter snapshotting support in perf on Intel Panther Lake
Before this update, the Linux kernel’s perf tool relied on software-based sample reads to collect performance event data, which introduced minor timing gaps and additional overhead when reading counters after an event overflow. With this update, adaptive PEBS counter snapshotting is available on Intel Panther Lake CPUs. This hardware feature enables the kernel to capture programmable counters, fixed-function counters, and performance metrics directly in the PEBS record using the PEBS format version 6.
As a result, counter snapshotting provides a more accurate and lower-overhead alternative to software sample reads, improving performance monitoring and analysis capabilities.
Jira:RHEL-47444[1]
Intel Trace Hub supports Intel Panther Lake
This update adds Intel Trace Hub device IDs for the Panther Lake platforms (P, H, and U). The systems based on Panther Lake can use Intel Trace Hub features for debugging and tracing.
Jira:RHEL-47424[1]
Perf uncore event support for Intel Clearwater Forest
Before this update, uncore event monitoring was not available for Intel Clearwater Forest microarchitecture. With this update, the perf package supports uncore event monitoring on Clearwater Forest systems. As a result, you can perform advanced performance analysis and debugging on supported hardware.
Jira:RHEL-45095[1]
Intel Arrow Lake H microarchitecture support added to intel_th
Before this update, Intel Trace Hub did not recognize Arrow Lake H NPK device IDs, which limited trace and debugging capabilities for systems that use this hardware. With this update, the intel_th package supports the Intel Arrow Lake H microarchitecture in Intel Trace Hub. As a result, you have enhanced tracing and debugging features on Arrow Lake H platforms.
Jira:RHEL-20110[1]
PerfMon support enabled for Intel Arrow Lake H in kernel
With this update, the kernel package provides PerfMon support for Core, Uncore, Cstate, and MSR features on the Intel Arrow Lake H microarchitecture. As a result, you can monitor and analyze performance metrics specific to Arrow Lake H systems by using the perf tool.
Jira:RHEL-20094[1]
Enhanced pstore functionality in virtual and cloud environments
The pstore kernel feature, which saves crash and panic information persistently, is now easier to use in virtualized environments and cloud platforms. With this release, you can enable the use of EFI variables for pstore without the efi_pstore.pstore_disable=0 kernel parameter while the system is running:
echo "N" > /sys/module/efi_pstore/parameters/pstore_disable
This enhancement simplifies the activation and post-crash data retrieval for pstore, improving troubleshooting and system reliability in environments where the ACPI ERST method is unavailable.
Jira:RHEL-2564[1]
The default measurement module for rteval is now rtla timerlat for better tracing of problem latencies
With this enhancement, you can more easily identify the source of problem latencies. If you prefer the cyclictest measurement module, select it in the rteval.config file.
Jira:RHEL-97540[1]
KVM modules are integrated into the Realtime Kernel package
This update removes the generation of KVM module packages for the Realtime Kernel in RHEL, aligning with the decision to make the Realtime Kernel a deployment option for base RHEL. This change streamlines the deployment process, integrating KVM modules directly into the Realtime Kernel package and eliminating the separate kernel-rt-kvm package. As a result, users will experience a more seamless and efficient setup when deploying the Realtime Kernel on RHEL, improving the overall user experience.
Jira:RHEL-76757[1]
kernel supports Shadow Stack (SHSTK) in Ring 3
Before this update, the kernel package did not support Shadow Stack (SHSTK) in Ring 3 for x86_64 architectures. As a consequence, user-space applications could be vulnerable to control flow hijacking attacks.
With this update, the kernel package introduces Control-flow Enforcement Technology (CET) Shadow Stack support for Ring 3. This enhancement provides a hardware-enforced secondary stack that cannot be directly modified by applications. As a result, applications running on supported Intel Sapphire Rapids processors now have improved protection against control flow attacks in the user space.
Jira:RHEL-15599[1]
python-drgn rebased to version 0.0.31
python-drgn has been rebased to version 0.0.31. This update introduces several enhancements and new features:
- Added support for debuginfod, which enables automatic retrieval of debugging information from debuginfod servers.
- A new Module API, which provides improved extensibility and integration capabilities.
- Kernel stack unwinding without debugging symbols, allowing stack traces to be generated even when debug symbols are unavailable.
For a complete list of changes, see the upstream changelogs:
crash rebased to 9.0.0
The crash package, which provides a kernel analysis utility for live systems and various types of dump files, has been rebased to upstream version 9.0.0. This version provides a number of fixes and enhancements, most notably the following:
- The internal gdb database has been updated to version 16.2.
- The crash utility now supports cross-compilations.
Support for per-core energy tracking (RAPL perf events) for AMD CPUs
This enhancement adds support for the core RAPL counters. As a result, AMD systems can measure core-level power information in addition to package-level power information.
Jira:RHEL-23496[1]
Default configuration now disables jitter entropy source in rng-tools
The jitter entropy source is now disabled by default in rng-tools. Modern CPUs typically provide a hardware entropy source, and most virtual machines offer the /dev/hwrng device as an entropy source from the virtual host. In these environments, the jitter entropy source consumes unnecessary CPU cycles. For older hardware without a hardware entropy source, you can explicitly enable the jitter entropy source in /etc/sysconfig/rngd.
As a result, the rngd daemon no longer consumes CPU cycles unnecessarily on systems that have hardware entropy sources.
NVMf-FC kdump is now supported on IBM Power
kexec-tools now supports NVMf-FC kdump on IBM Power systems. This allows capturing system memory dumps over a Fibre Channel network to NVMe storage devices, providing high-speed, low-latency access to storage for crash dump data.
Jira:RHEL-11471[1]
4.9. Boot loader
Secure boot on aarch64 enabled through Microsoft-signed shim
The shim package for the 64-bit ARM architecture is signed by Microsoft to enable secure boot by default on platforms that trust the Microsoft UEFI CA. This aligns the ARM boot path with x86 and removes the need to add custom PK, KEK, or db entries.
Before this update, RHEL 9 on the 64-bit ARM architecture could not use secure boot on cloud and vendor platforms that rely on Microsoft’s UEFI trust chain. This blocked standard, compliant deployments, including on Google Compute Engine.
Starting from RHEL 9.7, secure boot works by default on RHEL 9 for the 64-bit ARM architecture. Direct and fallback boot paths are successful, and the associated EFI binaries are correctly signed.
Jira:RHEL-18969[1]
4.10. File systems and storage
multipathd supports file-based sockets
With this update, the multipathd daemon listens for commands on a file-based socket /run/multipathd.socket in addition to the abstract namespace socket. You can communicate with the host’s multipathd daemon from within a container by using a bind mount for the new socket file.
Jira:RHEL-78758[1]
Automatic RAID checks are enabled by default
With this update, the raid-check service is enabled by default. This ensures that raid-check.service runs automatically at scheduled intervals after the system boots, performing periodic RAID consistency checks without requiring manual intervention.
LVM RAID repairs volumes after multiple simultaneous device failures
With this enhancement, you can use the lvconvert --repair /dev/VG-name/LV-name command to reintegrate missing RAID devices back into a striped RAID (raid4, raid5, and raid6). This repair process works even when the number of temporarily missing devices exceeds the fault tolerance of the RAID level, allowing for recovery once the devices reappear. Note that you must unmount and deactivate the volume and the file system on top before repairing them.
4.11. High availability and clusters
New resource agent for managing etcd in Podman containers is available
Before this update, Red Hat High Availability did not provide a resource agent for managing etcd running in Podman containers.
With this enhancement, the new podman-etcd resource agent has been added.
As a result, you can create and manage resources for etcd running in a Podman container. This agent is a required component for the Two Node OpenShift with Fencing (TNF) solution.
The Filesystem resource agent supports the aznfs file system type
Before this update, to manage an Azure Network File System file share in a cluster, you had to configure the Filesystem resource agent with fstype=nfs. This method did not support Azure-specific features, such as Encryption in Transit.
With this update, the Filesystem resource agent supports aznfs as a file system type.
As a result, you can set fstype=aznfs when creating a Filesystem resource to manage an Azure Network File System file share. This enables support for Azure-specific features. Note that this functionality requires the aznfs client package from the Microsoft repository to be installed on all cluster nodes.
Oracle Database 23ai is supported as a cluster resource
Before this update, the Oracle database resource agent was not tested for use with the Oracle Database 23ai release. Therefore, this version was not supported as a highly available resource within a Pacemaker cluster.
With this update, the existing Oracle resource agent has been successfully tested and validated with Oracle Database 23ai.
As a result, Pacemaker supports managing Oracle Database 23ai instances, enabling fully tested high availability configurations for this version.
Jira:RHEL-85220[1]
The fence_sbd agent can automatically detect the SBD device
Before this update, when configuring a fence_sbd resource, you were required to explicitly specify the SBD device path by using the devices parameter.
With this update, the fence_sbd agent can now retrieve the device configuration from the system.
As a result, if you do not set the devices parameter when creating the fence_sbd resource, the agent automatically uses the device specified in the SBD_DEVICE variable within the /etc/sysconfig/sbd file.
Watchdog device listing provides more detailed information
Before this update, when listing available watchdog devices, the output only displayed the device path, such as /dev/watchdog0. This made it difficult for administrators to distinguish between multiple devices on the same system.
With this update, the output includes the device path, identity, and driver for each watchdog. This allows for easy identification and selection of the correct device.
pcs warns users before removing the last fencing device
Before this update, pcs allowed users to disable or remove the last fencing device from a cluster without a warning. This could inadvertently leave the cluster in an unsupported state without any STONITH or SBD fencing configured.
With this enhancement, pcs now includes a safety check to prevent the accidental removal of all fencing mechanisms.
As a result, if you attempt an action that would leave the cluster without any fencing, pcs displays an error and blocks the change by default. For example, this occurs when you try to remove the last STONITH resource while SBD is disabled. You can override this safety check to force the change if needed.
The pcs node attribute and pcs node utilization commands now support multiple output formats
Previously, the pcs node attribute and pcs node utilization commands displayed their output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.
With this enhancement, a new --output-format option has been added to the pcs node attribute and pcs node utilization commands.
As a result, you can now display the configured node attributes and utilization in one of three formats:
- text: Displays the output in plain text. This is the default format.
- json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
- cmd: Displays the output as a series of pcs commands, which you can use to recreate the same configuration on a different system.
The pcs alert config command now supports multiple output formats
Previously, the pcs alert config command displayed its output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.
With this enhancement, a new --output-format option has been added to the pcs alert config command.
As a result, you can now display the configured alerts in one of three formats:
- text: Displays the output in plain text. This is the default format.
- json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
- cmd: Displays the output as a series of pcs commands, which you can use to recreate the same alert configuration on a different system.
pcs automatically validates the CIB for potential issues
Previously, the pcs utility did not automatically run advanced validation checks on the Cluster Information Base (CIB). As a consequence, certain cluster misconfigurations could remain undetected during routine operations.
With this enhancement, pcs has been updated to integrate Pacemaker’s CIB validation tool into its workflow.
As a result, pcs now automatically performs a validation check and displays the results when you run the pcs status, pcs cluster edit, or pcs cluster cib-push commands.
pcs provides more detailed error messages for failed CIB updates
Previously, when a CIB update failed when using the pcs cluster edit or pcs cluster cib-push commands, the error message provided by Pacemaker was generic. It did not explain the specific reason for the failure, which made troubleshooting the invalid configuration difficult.
With this enhancement, pcs is updated to request a detailed validation check from Pacemaker upon a failed CIB push.
As a result, when a CIB update is rejected, pcs now displays a specific error message explaining what is wrong with the configuration.
A new pcs command is available for renaming a cluster
Previously, it was not possible to change the name of an existing cluster using pcs commands. Administrators had to perform a series of manual steps, which were complex and could lead to errors.
With this enhancement, the pcs cluster rename command has been introduced.
As a result, you can now easily change the name of an existing cluster. To rename your cluster, run the following command:
pcs cluster rename <new-name>
New fence agent for Nutanix AHV virtualization is now available
Previously, Red Hat High Availability Add-On did not provide a dedicated fence agent for Nutanix Acropolis Hypervisor (AHV) environments.
With this enhancement, the fence_nutanix agent is added.
As a result, you can now configure STONITH for cluster nodes running on the Nutanix AHV platform, enabling fully supported high-availability deployments.
Jira:RHEL-68321[1]
The pcs resource meta command is improved to support bundles and prevent guest node misconfiguration
Previously, the pcs resource meta command did not support managing meta attributes for bundle resources. Additionally, the command did not prevent users from incorrectly modifying the connection parameters of a guest node, which could lead to a misconfigured resource.
With this enhancement, the pcs resource meta command has been rewritten.
As a result, you can now use pcs resource meta to update meta attributes for bundle resources. In addition to this, when using the command on a guest node, it now prevents unintended changes to connection parameters, avoiding potential misconfigurations.
The IPaddr2 resource agent now detects network link failures
Before this update, the IPaddr2 resource agent did not monitor the link state of the network interface. As a consequence, an IPaddr2 resource continued to report success on a node even if the underlying interface was in a DOWN or LOWERLAYERDOWN state, preventing the cluster from recovering the resource on another node.
With this release, the IPaddr2 agent has been enhanced to check the interface’s link status.
As a result, an IPaddr2 resource correctly fails if its network interface goes down, allowing for a proper failover. You can disable this new default behavior by setting the check_link_status=false parameter in the resource configuration.
Jira:RHEL-7688[1]
The fence_aws agent supports immediate power-off
Previously, when the fence_aws agent performed an off or reboot action, it triggered a graceful shutdown of the instance. This introduced a delay in the fencing process, as the node was not powered off immediately.
With this update, a new skip_os_shutdown parameter has been added to the fence_aws agent. This parameter is enabled by default on Y-stream releases and disabled by default on Z-stream releases.
As a result, when skip_os_shutdown is set to true, the fence_aws agent bypasses the graceful shutdown and performs an immediate hard power-off of the instance.
4.12. Dynamic programming languages, web and database servers
The PostGIS extension is available for PostgreSQL 16
This enhancement adds the PostGIS extension to PostgreSQL 16. With this extension, PostgreSQL supports geographic objects, enabling spatial queries and analysis for Geographic Information System (GIS) applications, such as mapping, geolocation, and distance calculations within a relational database.
Jira:RHEL-81603[1]
4.13. Compilers and development tools
glibc now supports sched_setattr and sched_getattr for advanced scheduler options
Previously, glibc provided access to only a limited set of Linux scheduler options through functions defined in <sched.h>. This limitation required applications to use direct system calls or Linux kernel headers to access advanced scheduling features.
With this enhancement, the extensible scheduler configuration mechanism from sched_setattr and sched_getattr is now available through the glibc <sched.h> header file. This change includes support for additional scheduling policies, such as SCHED_DEADLINE.
As a result, applications can select from a wider range of scheduling options without relying on direct system calls or kernel-specific headers, improving portability and flexibility for developers.
Jira:RHEL-56627[1]
glibc pthread_gettid_np function added to libc_nonshared.a
Previously, there was no direct method to obtain the Linux task or thread ID (TID) from a glibc pthread_t handle. The newly implemented pthread_gettid_np function, declared in <pthread.h> when _GNU_SOURCE is defined, now allows applications that require TID, such as those using sched_setattr, to retrieve the TID value directly from a pthread_t handle.
As a result, applications can now use functions that expect a TID after obtaining it from a pthread_t handle, improving compatibility and simplifying thread management.
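The two glibc additions above (the sched_setattr/sched_getattr wrappers and pthread_gettid_np) are meant to be used together: sched_setattr addresses a thread by kernel TID, and pthread_gettid_np is how you get that TID from a pthread_t. The following is an added example, not code from the release notes or from glibc; it assumes upstream glibc added the sched_*attr wrappers in 2.41 and pthread_gettid_np in 2.42 (RHEL 9.7 backports them), and on older glibc it falls back to the raw system calls so that it still builds and runs:

```c
/* Added example, not from the RHEL release notes: query a thread's scheduling
 * attributes with sched_getattr(), change them with sched_setattr(), and map a
 * pthread_t to its kernel TID with pthread_gettid_np(). Assumption: upstream
 * glibc provides the sched_*attr wrappers from 2.41 and pthread_gettid_np from
 * 2.42; on older glibc the code falls back to the raw system calls. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SCHED_DEADLINE
#define SCHED_DEADLINE 6 /* value from the Linux UAPI headers */
#endif

#if defined(__GLIBC__) && __GLIBC_PREREQ(2, 41)
/* <sched.h> already declares struct sched_attr, sched_getattr() and sched_setattr(). */
#else
/* Fallback: the kernel's SCHED_ATTR_SIZE_VER0 layout (48 bytes) plus raw syscalls. */
struct sched_attr {
    uint32_t size, sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime, sched_deadline, sched_period;
};
static int sched_getattr(pid_t tid, struct sched_attr *attr, unsigned int size, unsigned int flags)
{
    return (int)syscall(SYS_sched_getattr, tid, attr, size, flags);
}
static int sched_setattr(pid_t tid, struct sched_attr *attr, unsigned int flags)
{
    return (int)syscall(SYS_sched_setattr, tid, attr, flags);
}
#endif

/* Kernel TID of a pthread_t. TID 0 in sched_*attr means "the caller", but a
 * real TID is needed to address another thread. The fallback can only
 * resolve the calling thread. */
pid_t thread_tid(pthread_t thr)
{
#if defined(__GLIBC__) && __GLIBC_PREREQ(2, 42)
    return pthread_gettid_np(thr);
#else
    if (!pthread_equal(thr, pthread_self())) {
        errno = ENOSYS;
        return -1;
    }
    return (pid_t)syscall(SYS_gettid);
#endif
}

/* Scheduling policy of the calling thread (SCHED_OTHER, SCHED_FIFO, ...), or -1. */
int current_policy(void)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    if (sched_getattr(0, &attr, sizeof attr, 0) != 0)
        return -1;
    return (int)attr.sched_policy;
}

/* Move the calling thread to SCHED_OTHER with the given nice value (allowed
 * without privileges as long as the value only goes up) and read it back. */
int set_and_read_nice(int nice_value)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy = SCHED_OTHER;
    attr.sched_nice = nice_value;
    if (sched_setattr(0, &attr, 0) != 0)
        return -1;
    memset(&attr, 0, sizeof attr);
    if (sched_getattr(0, &attr, sizeof attr, 0) != 0)
        return -1;
    return attr.sched_nice;
}

/* Ask for SCHED_DEADLINE (10 ms of CPU every 100 ms) on the thread with the
 * given TID. Needs CAP_SYS_NICE; returns 0 or an errno value (EPERM when
 * unprivileged). */
int request_deadline(pid_t tid)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy   = SCHED_DEADLINE;
    attr.sched_runtime  = 10000000ULL;  /* nanoseconds */
    attr.sched_deadline = 100000000ULL;
    attr.sched_period   = 100000000ULL;
    return sched_setattr(tid, &attr, 0) == 0 ? 0 : errno;
}

static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static void *worker(void *arg)
{
    *(pid_t *)arg = (pid_t)syscall(SYS_gettid); /* the TID the thread sees itself */
    pthread_mutex_lock(&gate);                  /* stay alive until main() is done */
    pthread_mutex_unlock(&gate);
    return NULL;
}

int main(void)
{
    printf("main: tid=%d policy=%d nice after sched_setattr(5)=%d\n",
           (int)thread_tid(pthread_self()), current_policy(), set_and_read_nice(5));
    pthread_t t;
    pid_t reported = 0;
    pthread_mutex_lock(&gate);
    if (pthread_create(&t, NULL, worker, &reported) != 0)
        return 1;
    pid_t via_api = thread_tid(t);
    int rc = via_api > 0 ? request_deadline(via_api) : errno;
    pthread_mutex_unlock(&gate);
    pthread_join(t, NULL);
    printf("worker: tid via pthread_gettid_np=%d, via gettid=%d, SCHED_DEADLINE: %s\n",
           (int)via_api, (int)reported, rc == 0 ? "granted" : strerror(rc));
    return 0;
}
```

The deadline request is deliberately made from another thread by TID, which is the case the new pthread_gettid_np covers; with the raw-syscall fallback only the calling thread can be resolved, so the program reports ENOSYS there instead of a TID.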
glibc fortification support added for inet_ntop and inet_pton
Previously, the glibc APIs inet_ntop and inet_pton did not include Source Fortification support, so the compiler was unable to catch some buffer errors before running the program.
With this update, attribute access annotations have been added to inet_ntop and inet_pton, enabling the compiler to warn about potential buffer misuse. The APIs are now covered by Source Fortification, improving their security and reliability.
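To see what the new access annotations buy you in practice, here is an added example (not code from the release notes or from glibc) that canonicalizes IPv4 and IPv6 strings through inet_pton and inet_ntop with a correctly sized destination. When built with -D_FORTIFY_SOURCE=2 (or RHEL's default hardening flags), a destination buffer the compiler can see to be smaller than INET6_ADDRSTRLEN now produces a warning at build time; the run-time ENOSPC path in the code is what remains for sizes the compiler cannot see. The sample addresses are constructed for the demo:

```c
/* Added example, not from the release notes: canonicalize an IPv4 or IPv6
 * string through inet_pton()/inet_ntop() with a correctly sized buffer. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse text as IPv4 or IPv6 and write its canonical form into out[outlen].
 * Returns AF_INET or AF_INET6 on success, 0 if the text is not an address,
 * -1 (errno set by inet_ntop) if out is too small. */
int canonicalize_ip(const char *text, char *out, size_t outlen)
{
    unsigned char raw[sizeof(struct in6_addr)];
    int family;

    if (inet_pton(AF_INET, text, raw) == 1)
        family = AF_INET;
    else if (inet_pton(AF_INET6, text, raw) == 1)
        family = AF_INET6;
    else
        return 0;                      /* rejects "1.2.3", "::g", "01.2.3.4", ... */

    if (inet_ntop(family, raw, out, (socklen_t)outlen) == NULL)
        return -1;                     /* ENOSPC: caller's buffer is too small */
    return family;
}

/* Compare two textual addresses by value, not by spelling. Returns 1 if they
 * denote the same address, 0 if not (or if either is invalid). */
int same_address(const char *a, const char *b)
{
    char ca[INET6_ADDRSTRLEN], cb[INET6_ADDRSTRLEN];
    int fa = canonicalize_ip(a, ca, sizeof ca);
    int fb = canonicalize_ip(b, cb, sizeof cb);
    return fa > 0 && fa == fb && strcmp(ca, cb) == 0;
}

int main(void)
{
    /* Constructed sample input. */
    const char *samples[] = { "192.0.2.1", "2001:0DB8:0000:0000:0000:0000:0000:0001",
                              "::ffff:192.0.2.1", "not-an-address" };
    char canon[INET6_ADDRSTRLEN];   /* sized for the longer family on purpose */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int r = canonicalize_ip(samples[i], canon, sizeof canon);
        printf("%-40s -> %s\n", samples[i], r > 0 ? canon : "(invalid)");
    }
    return 0;
}
```

Sizing the buffer with INET6_ADDRSTRLEN for both families is the habit the annotations reward: an allow-list that compares addresses as strings without canonicalizing them first is a common source of bypasses, and same_address shows the value-based comparison that avoids it.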
Jira:RHEL-44920[1]
GDB now supports IBM’s z17 CPU architecture
The gdb package is enhanced to support binaries that use new hardware instructions introduced with IBM’s z17 CPU architecture. This update enables developers and system administrators to debug applications compiled for the latest IBM Z hardware on RHEL 9.7.
Jira:RHEL-50069[1]
GCC Toolset 15 is now available
With this update, gcc-toolset-15 is now available in RHEL 9.7. The toolset includes the latest supported versions of GCC and related utilities, enabling developers to build, test, and deploy applications using up-to-date compiler technology.
Jira:RHEL-81741[1]
ELFv2 ABI support for -fpatchable-function-entry on ppc64le
Previously, the -fpatchable-function-entry option in gcc did not support the ELFv2 ABI on the ppc64le architecture, which caused NOP instructions to be generated in incorrect locations for that ABI. This issue prevented the correct use of the option when targeting ELFv2.
With this update, the -fpatchable-function-entry option can now be used on ppc64le to create programs for the ELFv2 ABI, ensuring NOPs are placed correctly and improving compatibility for users building on this platform.
Jira:RHEL-75806[1]
llvm-toolset rebased to LLVM 20
The llvm-toolset is updated to LLVM 20, delivering improved code generation, performance optimizations, and expanded language front‑end and library support across C, C++, and Rust workflows. This rebase aligns dependent components in RHEL, including rebuilds for rust, annobin, bcc, bpftrace, qt5-qttools, and mesa. The build is validated with llvm-20.1.8-3.el9.
The notable changes are:
- Backend improvements, including fixes for the ppc64le architecture.
- Optimizations and diagnostics enhancements in Clang and LLVM passes for general performance and reliability.
- Toolchain ecosystem refresh with coordinated package rebuilds for compatibility with LLVM 20.
- Continued deprecation of older targets consistent with upstream direction for ARM and MIPS in this stream.
Improved _r_debug extension support for debugging applications with multiple dynamic linker namespaces
The glibc package now includes the backported _r_debug extension that supports multiple namespaces. Previously, when attaching to running processes or analyzing core dumps, debuggers such as GDB could not display all loaded shared objects if the application used multiple namespaces with dlmopen or audit modules.
With this update, recent GDB versions can display shared objects across all dynamic linker namespaces, providing comprehensive debugging and analysis capabilities.
Jira:RHEL-101986[1]
Improved Exception Handling Performance in glibc
Before this update, exception handling in large applications was slow, impacting performance, particularly in environments with a high volume of users or frequent exceptions. This was due to the time spent in the __dl_iterate_phdr function, called from _Unwind_Find_FDE.
With this update, the exception handling algorithm in glibc has been improved to enhance exception processing speed. The update introduces new symbols to the ABI as part of GLIBC_2.35, including __epoll_pwait2_time64, __memcmpeq, _dl_find_object, epoll_pwait2, posix_spawn_file_actions_addtcsetpgrp_np, posix_spawnattr_tcgetpgrp_np, and posix_spawnattr_tcsetpgrp_np.
Hardening of glibc qsort behavior on memory allocation failure
When a memory allocation fails, the qsort and qsort_r functions of the glibc package use a heapsort fallback. This change improves handling of invalid comparison functions and makes performance more predictable if a memory allocation fails.
Because the fallback is not a stable sort, equal elements can appear in a different order. The C standard does not require stability.
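The practical consequence of the heapsort fallback is that any code which silently relied on qsort keeping equal elements in input order now has an unspecified result. The following added example (not code from the release notes or from glibc; the event records are constructed) contrasts a comparator that depends on stability with one that carries the arrival order into the comparison, which sorts identically whichever algorithm glibc picks:

```c
/* Added example, not from the release notes: constructed event records sorted
 * with qsort(). Because the heapsort fallback is not stable, a comparator that
 * treats two records as equal leaves their relative order unspecified; using
 * the original sequence number as a tiebreaker gives a total order instead. */
#include <stdio.h>
#include <stdlib.h>

struct event {
    int severity;      /* 0 = info ... 3 = critical */
    int seq;           /* arrival order, the key that stability would preserve */
    const char *msg;
};

/* Comparator that depends on stability: equal severities compare as equal. */
int by_severity(const void *a, const void *b)
{
    const struct event *x = a, *y = b;
    return (x->severity > y->severity) - (x->severity < y->severity);
}

/* Total order: severity first, arrival order as the tiebreaker. The
 * (x - y) idiom is avoided because it can overflow for large values. */
int by_severity_then_seq(const void *a, const void *b)
{
    const struct event *x = a, *y = b;
    if (x->severity != y->severity)
        return (x->severity > y->severity) - (x->severity < y->severity);
    return (x->seq > y->seq) - (x->seq < y->seq);
}

/* Constructed sample: severities interleaved so that each one has several
 * records whose arrival order matters. Copies into out, returns the count. */
size_t make_sample(struct event *out, size_t cap)
{
    static const struct event sample[] = {
        {1, 0, "login ok"},   {3, 1, "disk failing"}, {1, 2, "login ok"},
        {0, 3, "heartbeat"},  {3, 4, "fan stopped"},  {1, 5, "logout"},
        {0, 6, "heartbeat"},  {2, 7, "auth failure"},
    };
    size_t n = sizeof sample / sizeof *sample;
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++)
        out[i] = sample[i];
    return n;
}

/* 1 if the array is non-decreasing in severity. */
int sorted_by_severity(const struct event *ev, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ev[i - 1].severity > ev[i].severity)
            return 0;
    return 1;
}

/* 1 if records with equal severity still appear in arrival (seq) order. */
int arrival_order_kept(const struct event *ev, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ev[i - 1].severity == ev[i].severity && ev[i - 1].seq > ev[i].seq)
            return 0;
    return 1;
}

int main(void)
{
    struct event ev[16];
    size_t n = make_sample(ev, 16);

    qsort(ev, n, sizeof *ev, by_severity);
    printf("by_severity:          sorted=%d arrival order kept=%d (unspecified)\n",
           sorted_by_severity(ev, n), arrival_order_kept(ev, n));

    n = make_sample(ev, 16);
    qsort(ev, n, sizeof *ev, by_severity_then_seq);
    printf("by_severity_then_seq: sorted=%d arrival order kept=%d (guaranteed)\n",
           sorted_by_severity(ev, n), arrival_order_kept(ev, n));
    for (size_t i = 0; i < n; i++)
        printf("  sev=%d seq=%d %s\n", ev[i].severity, ev[i].seq, ev[i].msg);
    return 0;
}
```

With by_severity the "arrival order kept" result may happen to be 1 on a given run, which is exactly the trap: it is not something the C standard or glibc promises, so audit-log or event-ordering code should use the tiebreaker form.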
gdb is rebased to version 16.3
This update of gdb to version 16.3 in RHEL 9.7 provides the following notable enhancements:
- Removed support for Intel MPX.
- Added support for tagged data pointers, including Intel’s Linear Address Masking (LAM) and aarch64’s Memory Tagging Extension (MTE).
- Enabled background DWARF reading for improved performance.
- Enhanced Intel Process Trace (record btrace):
  - Asynchronous event printing enabled with set record btrace pt event-tracing.
  - Ptwrite payloads can now be accessed in Python as RecordAuxiliary objects.
- Improved Python integration:
  - Stop events now include a details attribute, mirroring MI "*stopped" events.
  - gdb.Progspace() no longer creates objects directly; objects must be obtained with other APIs.
  - User-defined attributes can be added to gdb.Inferior and gdb.InferiorThread objects.
  - Introduced new event source: gdb.tui_enabled.
  - Added gdb.record.clear, which clears the current recording’s trace data.
  - Added modules for handling missing objfiles and debug information.
  - New class gdb.missing_debug.MissingDebugInfo can be subclassed to handle missing debug information.
  - New attribute gdb.Symbol.is_artificial.
  - New constants for symbol lookup across multiple domains.
  - New function gdb.notify_mi(NAME, DATA) emits custom async notifications.
  - New attribute gdb.Value.bytes for reading and writing value contents.
  - Added gdb.interrupt to simulate a CTRL-C interrupt.
  - New attribute gdb.InferiorThread.ptid_string provides the target ID.
- Debug Adapter Protocol (DAP) changes:
  - Updated "scopes" request to include global variables and the last return value.
  - "launch" and "attach" requests can be used at any time, effective after "configurationDone".
  - "variables" request no longer returns artificial symbols.
  - Added "process" event and support for the "cancel" request.
  - "attach" request now supports specifying the program.
- Introduced new commands for styling, language frame mismatch warnings, missing objfile handlers, and function call timeouts.
- Enhanced and renamed several commands, including improved error handling for disassemble and renaming set unwindonsignal to set unwind-on-signal.
- Expanded remote packet support, including new packets for file status and memory fetch, and new stop reasons such as clone.
- Introduced per-thread event reporting options and address tagging checks.
AMD GPU pmda is now enabled for global GPU data collection
Before this update, the AMD GPU PMDA (a Performance Co-Pilot metrics agent) was not available in RHEL because the kernel lacked certain features required for full support.
With this update, users can now collect global GPU data on AMD GPUs in RHEL by using the pcp-pmda-amdgpu package.
Initial support for IBM Z z17 added to glibc
The dynamic loader in glibc is enhanced to support detecting IBM z17 CPUs or their specific features. As a result, any IBM z17-optimized libraries installed in the /usr/lib64/glibc-hwcap/z17/ directory are loaded automatically on z17 systems. This update improves hardware compatibility and performance for IBM Z z17 platforms.
Jira:RHEL-50086[1]
Rust Toolset rebased to version 1.88.0
RHEL 9.7 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:
- Rust 2024 Edition is now stable. This is a major opt-in release that enables significant language changes and is the largest edition released to date.
- Leverage the 2024 Edition with let chains, allowing fluent &&-chaining of let statements within if and while conditions to reduce nesting and improve readability.
- For high-performance computing, when you enable target features, you can call multiple std::arch intrinsics directly in safe Rust, which gives you direct access to specific CPU features.
- async closures are now supported, providing first-class solutions for asynchronous programming. These closures allow borrowing from captures and properly express higher-ranked function signatures with the AsyncFn traits.
- Trait upcasting allows coercing a reference to a trait object to a reference of its supertrait, simplifying common patterns, especially with the Any trait.
- Cargo now automatically cleans its cache, removing old downloaded files not accessed in 1-3 months, which helps manage disk space.
Rust Toolset is a rolling Application Stream, and Red Hat only supports the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
tzdata includes the NEWS file
With this update, the tzdata package includes its NEWS file with each release, providing precise descriptions of the time zone data changes. As a result, you can review the included NEWS file to understand in detail what changed in the update.
Jira:RHEL-105043[1]
Metrics role now supports Apache Spark metric collection and export
Previously, users could not directly collect or export Apache Spark metrics using the metrics role. With this update, the rhel-system-roles package adds support to gather and export metrics from Apache Spark. Two new boolean parameters are introduced:
- metrics_into_spark (default: false): enables exporting metric values into Spark.
- metrics_from_spark (default: false): enables gathering metrics from Spark.
You can now both retrieve metrics from Spark and send metrics information into Spark, improving integration and monitoring capabilities for Spark workloads.
4.14. Identity Management
ipa-healthcheck now warns about expiring certificates
With this update, the ipa-healthcheck tool evaluates user-provided HTTP, DS, and PKINIT certificates for expiration and issues warnings 28 days before their expiration date. This helps prevent certificate expirations from going unnoticed, which can lead to downtime.
Jira:RHELDOCS-20303[1]
ansible-freeipa rebased to 1.15.1
The ansible-freeipa package, which provides modules and roles to manage Red Hat Identity Management (IdM) environments, has been rebased from version 1.13.2 to 1.15.1. The update includes the following enhancement:
- The ansible-freeipa-collection subpackage of ansible-freeipa is now compatible with the namespace and name of the redhat.rhel_idm collection provided by Red Hat Ansible Automation Hub (RH AAH). If you have installed the RPM collection subpackage, you can now run playbooks that reference the AAH roles and modules. Note that internally, the namespace and names from the RPM collection subpackage are used.
Jira:RHELDOCS-21029[1]
IdM now supports UIDs up to Linux maximum UID limit for legacy systems compatibility
With this update, you can now use User and Group IDs up to 4,294,967,293, or 2^32-1. This aligns IdM’s maximum with the Linux UID limit and can be useful in rare cases where the standard IdM range, up to 2,147,483,647, is insufficient. Specifically, it enables IdM deployment alongside legacy systems that require the full 32-bit POSIX ID space.
In standard deployments, IdM reserves the 2,147,483,648 - 4,294,836,223 range for subIDs. Using the 2^31 to 2^32-1 UID range requires disabling the subID feature and therefore conflicts with modern Linux capabilities.
To enable UIDs up to 2^32-1:
- Disable the subordinate ID feature:
  $ ipa config-mod --addattr ipaconfigstring=SubID:Disable
- Remove any existing subordinate ID ranges:
  $ ipa idrange-del <id_range>
- On the IdM server, ensure the internal DNA plugin configuration is correctly removed:
  # ipa-server-upgrade
- Add a new local ID range that covers the 2^31 to 2^32-1 space. Ensure that you define RID bases for this new range so that IdM can generate SIDs properly for users and groups.
You can only disable the subordinate ID feature if no subordinate IDs have been allocated yet.
Jira:RHEL-84277[1]
Healthcheck warns if krbLastSuccessfulAuth is enabled
Enabling the krbLastSuccessfulAuth setting in the ipaConfigString attribute can lead to performance issues if large numbers of users are authenticating at the same time. Therefore, it is disabled by default. With this update, Healthcheck displays a message if krbLastSuccessfulAuth is enabled, warning about the possible performance problems.
IdM-to-IdM migration now available
IdM-to-IdM migration, previously available as a Technology Preview, is now fully supported with this release. You can use the ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, from one IdM server to another. This can be useful, for example, when moving IdM from a development or staging environment into a production one.
Jira:RHELDOCS-19500[1]
samba rebased to version 4.22.4
The samba package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:
- Samba supports Server message block version 3 (SMB3) directory leases. With this enhancement, clients can cache directory listings, which reduces network traffic and improves performance.
- Samba supports querying domain controller (DC) information by using TCP-based LDAP or LDAPS, as an alternative to the traditional UDP method on port 389. This enhancement improves compatibility with firewall-restricted environments. You can configure the protocol by using the client netlogon ping protocol parameter (default value: CLDAP).
- The following configuration parameters are removed:
  - nmbd_proxy_logon: This setting was used to forward NetLogon authentication requests to a Windows NT4 primary domain controller (PDC) before Samba introduced its own NetBIOS over TCP/IP (NBT) server.
  - cldap port: Connectionless Lightweight Directory Access Protocol (CLDAP) always uses UDP port 389. Additionally, the Samba code did not use this parameter consistently, so the behavior was inconsistent.
  - fruit:posix_rename: This option of the vfs_fruit module is removed because it could result in problems with Windows clients. As a possible workaround to prevent the creation of .DS_Store files on network mounts, use the defaults write com.apple.desktopservices DSDontWriteNetworkStores true command on macOS.
- Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Before starting Samba, back up the database files. Samba automatically updates its tdb database files when the smbd, nmbd, or winbind services start. Red Hat does not support downgrading tdb database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
389-ds-base rebased to version 2.7.0
The 389-ds-base package has been updated to version 2.7.0.
dsctl healthcheck now warns about creating a substring index on the membership attribute
An entry that contains a membership attribute is usually a group with many members. Updating a substring index on such an attribute is very expensive, even for a minor change such as deleting a single member. Now, when you add the substring index type, dsctl healthcheck warns about the possible high cost of a substring index on membership attributes and displays the following error message:
DSMOLE0002. If the substring index is configured for a membership attribute, the removal of a member from the large group can be slow.
Jira:RHEL-81141[1]
Custom matching rules in the Attribute Uniqueness plug-in to search uniqueness attributes
With this update, you can specify in the Attribute Uniqueness plug-in configuration a matching rule for the attribute on which you want to enforce uniqueness, for example, when you want to override the attribute’s syntax from case exact to case ignore.
Specify attributes and their matching rules in the plug-in configuration, as follows:
uniqueness-attribute-name: <attribute>:<Matching rule OID>:
Before this update, if you used the attribute cn with a case exact syntax, the Attribute Uniqueness plug-in could not find a matching value if the case was different between the two values being compared. Now you can set the matching rule and make it case ignore and the plug-in will see that the values match:
uniqueness-attribute-name: cn:caseIgnoreMatch:
Jira:RHEL-109034[1]
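The case-sensitivity difference described above, as an added Python illustration written for these notes (not the 389-ds-base plug-in's own code): it parses the uniqueness-attribute-name value, resolves the matching rule by name or OID, and shows that under the attribute's case exact syntax a differently cased duplicate is missed while caseIgnoreMatch catches it. The sample entries and the attribute_syntax parameter are constructed assumptions, and whitespace handling is a simplification of RFC 4518 string preparation.

```python
"""How a matching rule changes what the Attribute Uniqueness plug-in treats as a
duplicate. Added illustration, not 389-ds-base code; the entries below are
constructed and whitespace handling is a simplification of RFC 4518."""
from __future__ import annotations

# Matching rule names and their OIDs (RFC 4517). The plug-in config takes an OID
# after the attribute name, so both spellings are resolved here.
MATCHING_RULES = {"caseExactMatch": "2.5.13.5", "caseIgnoreMatch": "2.5.13.2"}
OID_TO_NAME = {oid: name for name, oid in MATCHING_RULES.items()}


def parse_uniqueness_spec(spec: str) -> tuple[str, str | None]:
    """Parse the <attribute>:<Matching rule OID>: value of
    uniqueness-attribute-name. A bare attribute name means that the
    attribute's own syntax decides how values are compared."""
    parts = spec.strip().split(":")
    attr = parts[0].strip()
    if not attr:
        raise ValueError("attribute name missing in %r" % spec)
    rule = parts[1].strip() if len(parts) > 1 else ""
    if not rule:
        return attr, None
    rule = OID_TO_NAME.get(rule, rule)
    if rule not in MATCHING_RULES:
        raise ValueError("unsupported matching rule %r" % rule)
    return attr, rule


def normalize(value: str, rule: str) -> str:
    """Canonical form of a value under the given matching rule."""
    collapsed = " ".join(value.split())   # insignificant whitespace removed
    return collapsed.lower() if rule == "caseIgnoreMatch" else collapsed


def find_conflict(entries: dict[str, dict[str, list[str]]], spec: str,
                  new_value: str,
                  attribute_syntax: str = "caseExactMatch") -> str | None:
    """Return the DN of an existing entry whose value would collide with
    new_value, or None. attribute_syntax (an assumption) stands in for the
    syntax the attribute has in the schema; the notes' scenario is cn
    overridden to case exact."""
    attr, rule = parse_uniqueness_spec(spec)
    rule = rule or attribute_syntax
    wanted = normalize(new_value, rule)
    for dn, attrs in entries.items():
        # LDAP attribute names are case-insensitive
        values = next((v for k, v in attrs.items()
                       if k.lower() == attr.lower()), [])
        if any(normalize(v, rule) == wanted for v in values):
            return dn
    return None


# Constructed directory content
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"cn": ["Alice Smith"]},
    "uid=bob,ou=people,dc=example,dc=com": {"cn": ["Bob Jones"]},
}

if __name__ == "__main__":
    for spec in ("cn", "cn:caseIgnoreMatch:"):
        print(spec, "->", find_conflict(ENTRIES, spec, "alice smith"))
```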
cockpit-session-recording rebased to 20-1.el9
The cockpit-session-recording package, which records user sessions that are conducted through the Cockpit web interface, is rebased to upstream version 20-1.el9. The package has been migrated to PatternFly 6 user interface system design.
ACME server adds support for the ES256 signature algorithm
Previously, the Automatic Certificate Management Environment (ACME) server did not support the ES256 signature algorithm for JSON Web Key (JWK) validation. This lack of support prevented certain clients, such as the Caddy web server, from successfully obtaining certificates.
With this update, the ACME server has been enhanced to support the ES256 signature algorithm for JWK validation.
As a result, the server can interoperate with clients that use ES256, such as the Caddy web server, allowing them to successfully obtain certificates and establish secure HTTPS communication.
HSM is now fully supported in IdM
Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store the key pairs and certificates for your IdM Certificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.
IdM relies on the networking features of the HSM to share the keys between machines when creating replicas. The HSM provides additional security without visibly affecting most IdM operations. When you use low-level tooling, the certificates and keys are handled differently, but this is seamless for most users.
Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.
You need the following:
- A supported HSM.
- The HSM Public-Key Cryptography Standard (PKCS) #11 library.
- An available slot, token, and the token password.
To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:
ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra
Jira:RHELDOCS-21376[1]
4.15. Desktop
OpenGL and Vulkan are supported by default in Toolbox containers based on UBI
OpenGL and Vulkan now work by default inside Toolbox containers created from updated UBI-based toolbox images, matching the behavior on RHEL Workstation hosts. This includes only the free software drivers provided by Mesa, not proprietary ones like NVIDIA.
Toolbx containers aim to replicate the RHEL Workstation environment. Previously, users had to manually install Mesa-related packages to enable OpenGL and Vulkan support, which was not intuitive or documented.
As a result, OpenGL and Vulkan applications can run inside Toolbox containers without additional configuration, improving usability and consistency with the host system.
Low Disk Space notifications include a mount point in the web console
The Low Disk Space notifications include the mount point when multiple volumes have the same name. This enhancement reduces ambiguity about which specific file system requires more space.
Jira:RHEL-11910[1]
4.16. The web console
cockpit rebased to version 344
The cockpit packages have been rebased to version 344, which provides many improvements and fixes compared to version 334 in RHEL 9.6, most notably:
- Improved UI to the new style based on the PatternFly 6 design system.
- Added support for the SMART (Self-Monitoring, Analysis and Reporting Technology) standard and the Stratis 3.8+ pool format in the Storage component.
- Improved graphical VNC, control VNC, and serial consoles in the Virtual machines component.
- Added support for IPv6 addresses for WireGuard VPNs in the Networking component.
- All web console pages can be branded through the branding.css style-sheet file.
New subpackage: cockpit-ws-selinux
The SELinux policy for the cockpit_ws processes is now provided in a separate subpackage, cockpit-ws-selinux. Previously, the package manager installed the selinux-policy packages as dependencies of the web console, which could cause the RHEL web console to fail when run on a system without SELinux installed; moving the policy into its own subpackage prevents this. See the cockpit_ws_selinux(8) man page on your system for more information.
4.17. Red Hat Enterprise Linux System Roles
The ad_integration RHEL system role can control the SSSD domain section naming and consolidate duplicates
With this update, you can control the name of the section used in the SSSD config file for the domain or realm-specific settings, as managed by the ad_dyndns_update and ad_integration_sssd_custom_settings parameters. By default, the ad_integration role uses the lower case of the ad_integration_realm variable. However, if you want to keep the actual case of ad_integration_realm, you can set the new option ad_integration_sssd_realm_preserve_case = true to preserve the case of the realm. This may leave the SSSD config file with multiple sections for the realm. Use the new ad_integration_sssd_remove_duplicate_sections setting to consolidate all of the settings from the multiple sections into the chosen section. As a result, the ad_integration system role can manage domain and realm sections in the SSSD config file correctly.
Jira:RHEL-99089[1]
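The duplicate-section consolidation described above, as an added Python illustration written for these notes (not the ad_integration role's own code): it folds a lower-cased and an original-case realm section of a constructed sssd.conf into the section the role would manage. The sample file and the conflict rule (a key already present in the chosen section wins) are assumptions.

```python
"""Merge duplicate SSSD domain sections into the one the role manages.
Added illustration, not the ad_integration role's own code; the sssd.conf
below is constructed and the conflict rule (chosen section wins) is assumed."""
from __future__ import annotations

import configparser
import io

# Constructed sample: the realm section exists twice, once lower-cased (the
# role's default naming) and once with the realm's actual case.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ad_domain = example.com
cache_credentials = true

[domain/EXAMPLE.COM]
dyndns_update = true
cache_credentials = false
"""


def target_section(realm: str, preserve_case: bool) -> str:
    """Name of the managed section: the lower-cased realm by default, the realm
    as given when ad_integration_sssd_realm_preserve_case is true."""
    return f"domain/{realm if preserve_case else realm.lower()}"


def consolidate_sssd_sections(conf_text: str, realm: str,
                              preserve_case: bool = False) -> str:
    """Return conf_text with every section naming the realm in a different
    case folded into the target section, which is what
    ad_integration_sssd_remove_duplicate_sections is meant to achieve."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep option names exactly as written
    parser.read_string(conf_text)     # section names stay case sensitive
    target = target_section(realm, preserve_case)
    duplicates = [s for s in parser.sections()
                  if s.lower() == target.lower() and s != target]
    if not parser.has_section(target):
        parser.add_section(target)
    for dup in duplicates:
        for key, value in parser.items(dup):
            # Assumed conflict rule: a key already in the target section wins.
            if not parser.has_option(target, key):
                parser.set(target, key, value)
        parser.remove_section(dup)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(consolidate_sssd_sections(SAMPLE_SSSD_CONF, "EXAMPLE.COM"))
    print(consolidate_sssd_sections(SAMPLE_SSSD_CONF, "EXAMPLE.COM",
                                    preserve_case=True))
```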
The journald RHEL system role can monitor disk space
With this update, you can use the journald_system_keep_free variable of the journald RHEL system role to configure the SystemKeepFree option in journald.conf, which sets a maximum size for the system journal. This improves overall system stability and performance. The value is specified in megabytes. The variable has no default value; if you do not set it, journald uses its own default.
Jira:RHEL-95874[1]
metrics role supports enabling additional PCP domains
With this update, the rhel-system-roles package introduces the metrics_optional_domains variable in the metrics RHEL system role. Users can specify a list of additional PCP domains to be activated, in addition to those that are automatically managed by the metrics role. As a result, users can enable the domains they require for their specific use cases, improving flexibility in data collection and monitoring.
Jira:RHEL-104659[1]
Introduced a variable MaxRetention to configure the maximum retention parameter for journald
With this update, users can configure the maximum retention parameter for journald, enabling time-based deletion of journal files. This enhancement provides flexibility in managing log data according to specific data retention policies, allowing both time-based log deletion and size-based deletion. It helps with compliance with data retention requirements and improves overall system performance by preventing excessive log storage.
Jira:RHEL-102637[1]
The podman role can generate any TOML-compliant configuration file
Before this update, the Jinja-based formatter did not support many TOML features, including tables and inline tables, which were required to configure all aspects of podman. With this enhancement, all features of TOML are supported by using a true TOML formatter instead of a simple Jinja template. As a result, the podman role can generate any TOML-compliant configuration file that podman can use.
The podman role needs to preserve certain behaviors of the old formatter. Therefore, the TOML formatter is disabled by default. For the use cases that still require the old formatter, and for information about how to convert your inventory data to the new and improved formatter, see the README file.
To use the new TOML formatter in all cases, set podman_use_new_toml_formatter to true:
podman_use_new_toml_formatter: true
The firewall RHEL system role now supports including other services
With this enhancement, you can include other services when you use the firewall RHEL system role to create firewalld service definitions. For example, you can create a service webserver that includes the http and https services. If you then enable the webserver service, firewalld opens the ports defined in the http and https services. For further details, see Creating a custom firewalld service by using the firewall RHEL system role.
Ability to configure the default kernel in rhel-system-roles
Previously, users could not specify which kernel should be set as the default during system boot. This limitation prevented administrators from easily managing the default kernel selection during automation.
With this update, the rhel-system-roles package allows configuring the default bootloader kernel using a new default option. Users can now designate a single kernel as the default by setting the default boolean parameter in kernel settings. The system validates that only one kernel can be marked as default, and applies the selection using grubby --set-default as required.
This enhancement improves flexibility and simplifies automation when managing kernel versions in RHEL.
Enables IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role
With this update, users can customize the chronyd configuration when IPv6 is disabled on a node. The enhancement provides two options: add a setting to the timesync role to disable IPv6, or pass a parameter to set the OPTIONS value for chronyd. These options enable IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role. This improves time synchronization accuracy and stability for environments where IPv6 is disabled.
4.18. Virtualization
virtio-mem is available on IBM Z
With this update, virtio-mem, a paravirtualized memory device, can be used on IBM Z hardware. By using virtio-mem, you can dynamically add or remove host memory in virtual machines.
Jira:RHEL-72976[1]
New command for IBM Z hosts: virsh hypervisor-cpu-models
This update introduces the virsh hypervisor-cpu-models command. You can use this command on the IBM Z architecture to display which CPU models your hypervisor recognizes.
Jira:RHEL-11435[1]
Performance-enhanced PCI translation for IBM Z guests
With this update, virtual machines (VMs) on IBM Z hosts can use identity-mapped direct memory access (DMA) for PCI devices. This feature significantly improves the performance of PCI device passthrough. Note that to use the feature, your system must be configured as follows:
- The iommu.passthrough=1 parameter must be set on the kernel command line of the VM.
- The VM must have fully NUMA-pinned memory.
- The RHEL host system must not be using logical partitioning (LPAR).
Jira:RHEL-11431[1]
New features for virtual machines on 64-bit ARM hosts
The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture (aarch64):
- Live snapshots
- Pre-copy migration with the following options:
  - TLS encryption and XBZRLE compression
  - Dirty rate monitoring
  - Auto-converge
- Multi-FD migration with the following options:
  - TLS encryption and XBZRLE compression
  - Auto-converge
  - Zero-copy
- Post-copy migration with the following options:
  - TLS encryption and XBZRLE compression
  - Recovery
  - Preemption
- Live migration with virtiofs
- Backward migration from RHEL 10.1 to RHEL 9.7
Jira:RHELDOCS-20781[1]
4.19. RHEL in cloud environments
OTel collector on RHEL supports TPM device
The OpenTelemetry (OTel) Collector on RHEL supports the Trusted Platform Module (TPM) device. With this feature, OTel Collector can read transport layer security (TLS) certificates from the TPM device.
Jira:RHELDOCS-20446[1]
Enhanced automatic registration for eligible RHEL images
With this update, RHEL instances based on eligible images from eligible marketplaces automatically receive content and updates from Red Hat content delivery network (CDN) instead of the Red Hat Update Infrastructure (RHUI). The RHUI repositories are turned off by default.
This ensures automatic access to latest updates for users of subscribed RHEL instances.
For additional details, see Understanding auto-registration.
Jira:RHELDOCS-21241[1]
New package: azure-vm-utils
This update adds the azure-vm-utils package, which provides a collection of utilities and udev rules to optimize the experience of using RHEL 9 as a guest operating system on Microsoft Azure.
Jira:RHEL-88789[1]
RHEL is available on Azure confidential VMs
You can create and run RHEL confidential virtual machines (CVMs) on Microsoft Azure by using RHEL CVM images. The images support full disk encryption through the Confidential OS disk encryption feature in Azure.
Jira:RHELPLAN-139800[1]
Enhanced automatic registration for eligible RHEL images
When purchasing certain eligible cloud marketplace subscriptions for RHEL 9.6 or later and for RHEL 10.0 or later, an improved version of the auto-registration function is available.
With the enhanced auto-registration, any RHEL instances on the eligible marketplaces are automatically registered to Red Hat and automatically receive content updates from Red Hat Update Infrastructure (RHUI) after you establish a trusted connection between your Red Hat account and your account for the respective cloud platform, even if you did not have the trusted connection when you launched the instance.
For additional details, see Understanding auto-registration.
Jira:RHELDOCS-19664[1]
4.20. Supportability
sos now collects the Satellite metrics file for improved support diagnostics
The foreman-installer plugin of sos now collects the satellite_metrics.yml file located in the /var/lib/foreman-maintain/ directory. It provides insight into which features of Satellite are in use and at what scale.
4.21. Containers
A new rhel9/valkey-8 container image is generally available in RHEL
The newly available rhel9/valkey-8 container image allows atomic operations and supports various data types like strings, hashes, lists, sets, and sorted sets. The image offers high performance because of its in-memory dataset, which can be persisted to disk or by appending commands to a log.
Jira:RHELDOCS-20639[1]
Improved support for reproducible container builds
Reproducible builds ensure that a given set of inputs consistently generates the same output. This enhancement addresses several factors that previously complicated reproducibility in container image builds. Using --source-date-epoch and --rewrite-timestamp improves the reproducibility of builds and better aligns with common practices such as setting and honoring $SOURCE_DATE_EPOCH, but it cannot guarantee complete reproducibility.
New artifact endpoints for the Podman RESTful API
The Podman RESTful API includes new artifact endpoints, enabling programmatic management of OCI artifacts. This enhancement simplifies integration of OCI artifact operations into existing systems and scripts.
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version v1.41.0, and Skopeo has been updated to version 1.20.0.
Podman release v5.6 contains the following notable bug fixes and enhancements over the previous version:
- A new set of commands for managing Quadlets has been added: podman quadlet install (install a new Quadlet for the current user), podman quadlet list (list installed Quadlets), podman quadlet print (print the contents of a Quadlet file), and podman quadlet rm (remove a Quadlet).
- The podman kube play command can restrict container execution to specific CPU cores and specific memory nodes using the io.podman.annotations.cpuset/$ctrname and io.podman.annotations.memory-nodes/$ctrname annotations.
- The podman kube play command supports the lifecycle.stopSignal field in Pod YAML, allowing the signal used to stop containers to be specified.
- The podman volume import and podman volume export commands are available in the remote Podman client.
- The podman volume create command accepts two new options, --uid and --gid, to set the UID and GID the volume will be created with.
- The podman secret create command has a new option, --ignore, causing the command to succeed even if a secret with the given name already exists.
- The podman pull command has a new option, --policy, to configure the pull policy.
- The podman update command has a new option, --latest, to update the latest container instead of specifying a specific container.
- A full set of API endpoints for interacting with artifacts has been added, including inspecting artifacts (GET /libpod/artifacts/{name}/json), listing all artifacts (GET /libpod/artifacts/json), pulling an artifact (POST /libpod/artifacts/pull), removing an artifact (DELETE /libpod/artifacts/{name}), adding an artifact (or appending to an existing artifact) from a tar file in the request body (POST /libpod/artifacts/add), pushing an artifact to a registry (/libpod/artifacts/{name}/push), and retrieving the contents of an artifact (GET /libpod/artifacts/{name}/extract).
- A new command has been added, podman artifact extract, to copy some or all of the contents of an OCI artifact to a location on disk.
- The --mount option to podman create, podman run, and podman pod create supports a new mount type, --mount type=artifact, to mount OCI artifacts into containers.
- The podman artifact add command features two new options, --append to add new files to an existing artifact, and --file-type to specify the MIME type of the file added to the artifact.
- The podman artifact rm command features a new option, --all, to remove all artifacts in the local store.
- The podman kube generate and podman kube play commands support a new annotation, io.podman.annotation.pids-limit/$containername, preserving the PID limit for containers across kube generate and kube play.
- Quadlet .container units support three new keys, Memory= (set maximum memory for the created container), ReloadCmd (execute a command via systemd ExecReload), and ReloadSignal (kill the container with the given signal via systemd ExecReload).
- Quadlet .container, .image, and .build units support two new keys, Retry (number of times to retry pulling the image on failure) and RetryDelay (delay between retries).
- Quadlet .pod units support a new key, HostName=, to set the pod’s hostname.
- Quadlet files support a new option, UpheldBy, in the Install section, corresponding to the systemd Upholds option.
- The names of Quadlet units specified as systemd dependencies are automatically translated, for example Wants=my.container is valid.
For more information about notable changes, see upstream release notes.
The ADD and COPY instructions now support the --link option
Buildah and Podman now support the --link flag for ADD and COPY instructions in Containerfiles, which causes the new content to be added as its own layer in the built image.
New container images are available
The new container images are listed in the Red Hat Ecosystem Catalog:
- ubi-stig: the Universal Base Image with STIG hardening as a secure foundation for containerized applications, middleware, and utilities.
- valkey-8: an advanced key-value store available as a container, which uses an in-memory dataset to achieve its outstanding performance. It is often referred to as a data structure server because keys can contain strings, hashes, lists, sets, and sorted sets.
- gcc-toolset-15-toolchain: a base image with essential libraries and tools used to build C and C++ applications.
- nodejs-24: provides a base platform for building and running various Node.js 24 applications and frameworks. Built on Chrome’s JavaScript runtime, it facilitates fast, scalable network applications through an event-driven, non-blocking I/O model, ideal for data-intensive real-time distributed applications.
- nodejs-24-minimal: provides a base platform for running various Node.js 24 applications and frameworks. Built on Chrome’s JavaScript runtime, it facilitates fast, scalable network applications through an event-driven, non-blocking I/O model, ideal for data-intensive real-time distributed applications.
- dotnet-100, dotnet-100-aspnet, dotnet-100-runtime: the .NET 100 images, including base, ASP.NET, and runtime versions, are now available.
Jira:RHELDOCS-21211[1]
RHEL image mode supports creating root-level directories and symlinks at runtime
With this release, you can use RHEL image mode to create root-level directories and symbolic links after system deployment, then return the filesystem to read-only mode. As a result, you can use a single base image across multiple deployment environments with different file system requirements.
Jira:RHELDOCS-21230[1]
bootc-image-builder uses the local container storage by default
With this release, the bootc-image-builder tool operates in local mode by default, which means it no longer pulls container images from remote registries. To build disk images, you must first pull the base bootc container image into the system’s local container storage. If you have existing workflows that relied on automatic image pulling, you must update them. This change improves security by reducing external network dependencies during the build process.
Jira:RHELDOCS-21218[1]
4.22. RHEL Lightspeed
The command-line assistant supports image mode for RHEL
With this enhancement, you can customize your Containerfile to include the command-line-assistant package, create a disk image from a container image, and boot a system with that image. As a result, the system image has the command-line assistant preinstalled, and you can use it after you register your system with subscription-manager.
Jira:RHELDOCS-20546[1]
The command-line assistant context limit increased to 32KB input
Before this update, the command-line assistant had a 2KB input context limit and failed when input exceeded it, which prevented thorough log analysis. With this release, the input context limit has been increased from 2KB to 32KB. As a result, the command-line assistant supports larger input contexts, enabling better log analysis and potential issue detection.
Jira:RHELDOCS-20421[1]
The command-line assistant for RHEL Lightspeed has better error handling and exit codes
With this enhancement, the command-line assistant brings better error handling and exit codes, such as:
- Output different error messages based on different types of errors that can occur during CLA runtime.
- Try to output an error message that corresponds to the actual cause of the error, and log it.
- Implement different exit codes based on different types of issues.
Jira:RHELDOCS-21313[1]
Command-line assistant -w option displays current output
Before this update, when you tried to use the -w option without the current enable-capture mode, the command-line assistant incorrectly displayed output from an earlier session. With this update, the terminal capture log file is actively verified before outputting from the -w option. As a result, the mentioned problem is fixed, and the displayed output is accurate.
Jira:RHELDOCS-21315[1]